Prerequisites for deploying App Service on Azure Stack Hub

Important

Update Azure Stack Hub to a supported version (or deploy the latest Azure Stack Development Kit) if necessary, before deploying or updating the App Service resource provider (RP). Be sure to read the RP release notes to learn about new functionality, fixes, and any known issues that could affect your deployment.

Supported Azure Stack Hub version | App Service RP version
2005 | 2020.Q2 (release notes)
2002 | 2020.Q2 (release notes)
1910 | 1.8 (release notes)

Before you deploy Azure App Service on Azure Stack Hub, you must complete the prerequisite steps in this article.

Before you get started

This section lists the prerequisites for both integrated system and Azure Stack Development Kit (ASDK) deployments.

Resource provider prerequisites

If you've already installed a resource provider, you've likely completed the following prerequisites and can skip this section. Otherwise, complete these steps before continuing:

  1. Register your Azure Stack Hub instance with Azure, if you haven't done so. This step is required because you'll be connecting to Azure and downloading items from it to the marketplace.

  2. If you're not familiar with the Marketplace Management feature of the Azure Stack Hub administrator portal, review "Download marketplace items from Azure and publish to Azure Stack Hub". That article walks you through downloading items from Azure to the Azure Stack Hub marketplace and covers both connected and disconnected scenarios. If your Azure Stack Hub instance is disconnected or partially connected, there are additional prerequisites to complete in preparation for installation.

  3. Update your Azure Active Directory (Azure AD) home directory. Starting with build 1910, the new Deployment Resource Provider (DRP) application must be used to register your home directory tenant. This app enables DRP to create and register resource providers. If this step isn't completed, your resource provider installation will fail.

Installer and helper scripts

  1. Download the App Service on Azure Stack Hub deployment helper scripts.

  2. Download the App Service on Azure Stack Hub installer.

  3. Extract the files from the helper scripts .zip file. The following files and folders are extracted:

    • Common.ps1
    • Create-AADIdentityApp.ps1
    • Create-ADFSIdentityApp.ps1
    • Create-AppServiceCerts.ps1
    • Get-AzureStackRootCert.ps1
    • Modules folder
      • GraphAPI.psm1

Certificates and server configuration (integrated systems)

This section lists the prerequisites for integrated system deployments.

Certificate requirements

To run the resource provider in production, you must provide the following certificates:

  • Default domain certificate
  • API certificate
  • Publishing certificate
  • Identity certificate

Default domain certificate

The default domain certificate is placed on the front-end role. User apps that are requested through a wildcard or default domain name on Azure App Service use this certificate. The certificate is also used for source control operations (Kudu).

The certificate must be in .pfx format and should be a three-subject wildcard certificate. This requirement allows one certificate to cover both the default domain and the SCM endpoint for source control operations.

Format | Example
*.appservice.<region>.<DomainName>.<extension> | *.appservice.redmond.azurestack.external
*.scm.appservice.<region>.<DomainName>.<extension> | *.scm.appservice.redmond.azurestack.external
*.sso.appservice.<region>.<DomainName>.<extension> | *.sso.appservice.redmond.azurestack.external

API certificate

The API certificate is placed on the Management role. The resource provider uses it to help secure API calls. The API certificate must contain a subject that matches the API DNS entry.

Format | Example
api.appservice.<region>.<DomainName>.<extension> | api.appservice.redmond.azurestack.external

Publishing certificate

The certificate for the Publisher role secures the FTPS traffic for app owners when they upload content. The certificate for publishing must contain a subject that matches the FTPS DNS entry.

Format | Example
ftp.appservice.<region>.<DomainName>.<extension> | ftp.appservice.redmond.azurestack.external

Identity certificate

The certificate for the identity app enables:

  • Integration between the Azure Active Directory (Azure AD) or Active Directory Federation Services (AD FS) directory, Azure Stack Hub, and App Service, to support integration with the compute resource provider.
  • Single sign-on scenarios for advanced developer tools within Azure App Service on Azure Stack Hub.

The certificate for identity must contain a subject that matches the following format.

Format | Example
sso.appservice.<region>.<DomainName>.<extension> | sso.appservice.redmond.azurestack.external

Validate certificates

Before deploying the App Service resource provider, validate the certificates to be used with the Azure Stack Hub Readiness Checker tool, available from the PowerShell Gallery. The Azure Stack Hub Readiness Checker tool validates that the generated PKI certificates are suitable for App Service deployment.

As a best practice, when working with any of the necessary Azure Stack Hub PKI certificates, plan enough time to test and reissue certificates if necessary.

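A quick local check to run before the Readiness Checker, added here as an example and not part of the Microsoft article: it opens each .pfx, confirms the Subject Alternative Name entries match the Format/Example tables above, and confirms the file still carries a private key that has not expired. The region name "redmond", the domain "azurestack.external" and the four file paths in $certs are assumed placeholders.

```powershell
# Added example (not from the Microsoft article): before handing the .pfx files to the Readiness
# Checker, confirm each one carries the subject names listed in the tables above, still has its
# private key, and has not expired. Assumed values: region "redmond", domain "azurestack.external",
# and the four placeholder .pfx paths in $certs.

$region     = 'redmond'               # assumed <region>
$domainName = 'azurestack.external'   # assumed <DomainName>.<extension>
$suffix     = "appservice.$region.$domainName"

# Required SAN entries per certificate, taken from the Format/Example tables above.
# The .pfx paths are placeholders; point them at your own files.
$certs = @(
    @{ Path = 'C:\certs\default.pfx'; Names = @("*.$suffix", "*.scm.$suffix", "*.sso.$suffix") }
    @{ Path = 'C:\certs\api.pfx';     Names = @("api.$suffix") }
    @{ Path = 'C:\certs\ftp.pfx';     Names = @("ftp.$suffix") }
    @{ Path = 'C:\certs\sso.pfx';     Names = @("sso.$suffix") }
)

function Test-AppServiceCertificate {
    param([string]$Path, [string[]]$RequiredNames)

    # Get-PfxCertificate prompts for the .pfx password and loads the certificate in memory only.
    $cert = Get-PfxCertificate -FilePath $Path

    # DnsNameList exposes the Subject Alternative Name entries; compare the Unicode form, case-insensitively.
    $present = @($cert.DnsNameList | ForEach-Object { $_.Unicode.ToLowerInvariant() })
    $missing = @($RequiredNames | Where-Object { $present -notcontains $_.ToLowerInvariant() })
    $expired = $cert.NotAfter -lt (Get-Date)

    [pscustomobject]@{
        File          = Split-Path -Leaf $Path
        Subject       = $cert.Subject
        HasPrivateKey = $cert.HasPrivateKey
        NotAfter      = $cert.NotAfter
        MissingNames  = ($missing -join ', ')
        Ok            = ($cert.HasPrivateKey -and -not $expired -and $missing.Count -eq 0)
    }
}

$results = foreach ($c in $certs) {
    Test-AppServiceCertificate -Path $c.Path -RequiredNames $c.Names
}
$results | Format-Table File, HasPrivateKey, NotAfter, MissingNames, Ok -AutoSize

if ($results | Where-Object { -not $_.Ok }) {
    Write-Warning 'At least one certificate does not meet the requirements above; reissue it before deploying.'
}
```

This only covers the subject names, private key and validity period; the Readiness Checker remains the authoritative test because it also checks key usage, chain and signature algorithm details that the installer relies on.
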
Prepare the file server

Azure App Service requires the use of a file server. For production deployments, the file server must be configured to be highly available and capable of handling failures.

Quickstart template for a highly available file server and SQL Server

A reference architecture quickstart template is now available that deploys a file server and SQL Server. This template supports Active Directory infrastructure in a virtual network configured to support a highly available deployment of Azure App Service on Azure Stack Hub.

Note

The integrated system instance must be able to download resources from GitHub in order to complete the deployment.

Steps to deploy a custom file server

Important

If you choose to deploy App Service in an existing virtual network, the file server should be deployed into a separate subnet from App Service.

Note

If you have chosen to deploy a file server using either of the quickstart templates mentioned above, you can skip this section because the file servers are configured as part of the template deployment.

Provision groups and accounts in Active Directory

  1. Create the following Active Directory global security groups:

    • FileShareOwners
    • FileShareUsers

  2. Create the following Active Directory accounts as service accounts:

    • FileShareOwner
    • FileShareUser

    As a security best practice, the users for these accounts (and for all web roles) should be unique and have strong usernames and passwords. Set the passwords with the following conditions:

    • Enable "Password never expires".
    • Enable "User cannot change password".
    • Disable "User must change password at next logon".

  3. Add the accounts to the group memberships as follows:

    • Add FileShareOwner to the FileShareOwners group.
    • Add FileShareUser to the FileShareUsers group.

Provision groups and accounts in a workgroup

Note

When you're configuring a file server, run all the following commands from an Administrator Command Prompt. Don't use PowerShell.

When you use the Azure Resource Manager template, the users are already created.

  1. Run the following commands to create the FileShareOwner and FileShareUser accounts. Replace <password> with your own values.

    net user FileShareOwner <password> /add /expires:never /passwordchg:no
    net user FileShareUser <password> /add /expires:never /passwordchg:no

  2. Set the passwords for the accounts to never expire by running the following WMIC commands:

    WMIC USERACCOUNT WHERE "Name='FileShareOwner'" SET PasswordExpires=FALSE
    WMIC USERACCOUNT WHERE "Name='FileShareUser'" SET PasswordExpires=FALSE

  3. Create the local groups FileShareUsers and FileShareOwners, and add the accounts created in the first step to them:

    net localgroup FileShareUsers /add
    net localgroup FileShareUsers FileShareUser /add
    net localgroup FileShareOwners /add
    net localgroup FileShareOwners FileShareOwner /add

Provision the content share

The content share contains tenant website content. The procedure to provision the content share on a single file server is the same for both Active Directory and workgroup environments, but it differs for a failover cluster in Active Directory.

Provision the content share on a single file server (Active Directory or workgroup)

On a single file server, run the following commands at an elevated command prompt. Replace the value C:\WebSites with the corresponding path in your environment.

set WEBSITES_SHARE=WebSites
set WEBSITES_FOLDER=C:\WebSites
md %WEBSITES_FOLDER%
net share %WEBSITES_SHARE% /delete
net share %WEBSITES_SHARE%=%WEBSITES_FOLDER% /grant:Everyone,full

Configure access control to the shares

Run the following commands at an elevated command prompt on the file server or on the failover cluster node that is the current cluster resource owner. Replace the placeholder values (<DOMAIN>, C:\WebSites) with values that are specific to your environment.

Active Directory

set DOMAIN=<DOMAIN>
set WEBSITES_FOLDER=C:\WebSites
icacls %WEBSITES_FOLDER% /reset
icacls %WEBSITES_FOLDER% /grant Administrators:(OI)(CI)(F)
icacls %WEBSITES_FOLDER% /grant %DOMAIN%\FileShareOwners:(OI)(CI)(M)
icacls %WEBSITES_FOLDER% /inheritance:r
icacls %WEBSITES_FOLDER% /grant %DOMAIN%\FileShareUsers:(CI)(S,X,RA)
icacls %WEBSITES_FOLDER% /grant *S-1-1-0:(OI)(CI)(IO)(RA,REA,RD)

Workgroup

set WEBSITES_FOLDER=C:\WebSites
icacls %WEBSITES_FOLDER% /reset
icacls %WEBSITES_FOLDER% /grant Administrators:(OI)(CI)(F)
icacls %WEBSITES_FOLDER% /grant FileShareOwners:(OI)(CI)(M)
icacls %WEBSITES_FOLDER% /inheritance:r
icacls %WEBSITES_FOLDER% /grant FileShareUsers:(CI)(S,X,RA)
icacls %WEBSITES_FOLDER% /grant *S-1-1-0:(OI)(CI)(IO)(RA,REA,RD)

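The share is created with Everyone,full at the share level, so the NTFS ACL written by the icacls commands above is what actually limits FileShareUsers and Everyone. The following read-only verification, added here as an example and not part of the Microsoft article, reads that ACL back from an elevated PowerShell window after the command-prompt steps are done, compares it with what the recipe grants and flags anything extra. The folder C:\WebSites, the share name WebSites and the $Domain value are assumed placeholders.

```powershell
# Added example (not from the Microsoft article): a read-only check, run afterwards from an elevated
# PowerShell window, that the NTFS ACL on the content folder matches what the icacls commands above
# grant and that nothing else has crept in. Assumptions: the folder is C:\WebSites, the share is
# WebSites, and $Domain is your domain's NetBIOS name for Active Directory ('' for a workgroup).

$WebsitesFolder = 'C:\WebSites'   # assumed, as in the recipe above
$ShareName      = 'WebSites'      # assumed, as in the recipe above
$Domain         = ''              # assumed: '' for workgroup, e.g. 'CONTOSO' for Active Directory

# Local groups show up as COMPUTERNAME\Group, domain groups as DOMAIN\Group.
$prefix  = if ($Domain) { "$Domain\" } else { "$env:COMPUTERNAME\" }
$allowed = @('BUILTIN\Administrators', "${prefix}FileShareOwners", "${prefix}FileShareUsers", 'Everyone')

function Test-ContentFolderAcl {
    param([string]$Path, [string[]]$AllowedIdentities)

    $acl      = Get-Acl -Path $Path
    $findings = New-Object System.Collections.Generic.List[string]
    $full     = [System.Security.AccessControl.FileSystemRights]::FullControl

    # icacls /inheritance:r in the recipe leaves the folder with explicit ACEs only.
    if (-not $acl.AreAccessRulesProtected) {
        $findings.Add('Inheritance is still enabled; the recipe disables it with /inheritance:r.')
    }

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value

        if ($AllowedIdentities -notcontains $id) {
            $findings.Add("Unexpected principal '$id' has $($ace.FileSystemRights).")
        }
        elseif ($id -ne 'BUILTIN\Administrators' -and (($ace.FileSystemRights -band $full) -eq $full)) {
            $findings.Add("'$id' has FullControl; the recipe grants non-admins at most Modify.")
        }
        elseif ($id -eq 'Everyone' -and $ace.PropagationFlags -notmatch 'InheritOnly') {
            $findings.Add('Everyone applies to the share root itself; the recipe uses (IO) so it only reaches child objects.')
        }
    }

    [pscustomobject]@{
        Path     = $Path
        Access   = $acl.Access | Select-Object @{ n = 'Identity'; e = { $_.IdentityReference } },
                                               FileSystemRights, InheritanceFlags, PropagationFlags
        Findings = $findings
    }
}

$result = Test-ContentFolderAcl -Path $WebsitesFolder -AllowedIdentities $allowed
$result.Access | Format-Table -AutoSize

# Share-level permissions: the recipe grants Everyone Full on the share on purpose and relies on the
# NTFS ACL above to limit what FileShareUsers and Everyone can actually do.
Get-SmbShareAccess -Name $ShareName -ErrorAction SilentlyContinue |
    Format-Table AccountName, AccessControlType, AccessRight -AutoSize

if ($result.Findings.Count -eq 0) { 'NTFS ACL matches the recipe.' }
else { $result.Findings | ForEach-Object { Write-Warning $_ } }
```

Run it again after any later change to the file server (cluster failover, patching scripts, someone "fixing" permissions by hand), since a single extra Modify or FullControl ACE on this folder exposes every tenant's site content to whoever holds it.
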
Prepare the SQL Server instance

Note

If you've chosen to deploy the quickstart template for a highly available file server and SQL Server, you can skip this section because the template deploys and configures SQL Server in an HA configuration.

For the Azure App Service on Azure Stack Hub hosting and metering databases, you must prepare a SQL Server instance to hold the App Service databases.

For production and high-availability purposes, you should use a full version of SQL Server 2014 SP2 or later, enable mixed-mode authentication, and deploy in a highly available configuration.

The SQL Server instance for Azure App Service on Azure Stack Hub must be accessible from all App Service roles. You can deploy SQL Server within the Default Provider Subscription in Azure Stack Hub, or you can use existing infrastructure within your organization (as long as there's connectivity to Azure Stack Hub). If you're using an Azure Marketplace image, remember to configure the firewall accordingly.

Note

A number of SQL IaaS VM images are available through the Marketplace Management feature. Make sure you always download the latest version of the SQL IaaS Extension before you deploy a VM using a Marketplace item. The SQL images are the same as the SQL VMs that are available in Azure. For SQL VMs created from these images, the IaaS extension and corresponding portal enhancements provide features such as automatic patching and backup.

For any of the SQL Server roles, you can use a default instance or a named instance. If you use a named instance, be sure to manually start the SQL Server Browser service and open port 1434.

The App Service installer checks that the SQL Server has database containment enabled. To enable database containment on the SQL Server that will host the App Service databases, run these SQL commands:

sp_configure 'contained database authentication', 1;
GO
RECONFIGURE;
GO

Certificates and server configuration (ASDK)

This section lists the prerequisites for ASDK deployments.

Certificates required for ASDK deployment of Azure App Service

The Create-AppServiceCerts.ps1 script works with the Azure Stack Hub certificate authority to create the four certificates that App Service needs.

File name | Use
.appservice.local.azurestack.external.pfx | App Service default SSL certificate
api.appservice.local.azurestack.external.pfx | App Service API SSL certificate
ftp.appservice.local.azurestack.external.pfx | App Service publisher SSL certificate
sso.appservice.local.azurestack.external.pfx | App Service identity application certificate

To create the certificates, follow these steps:

  1. Sign in to the ASDK host using the AzureStack\AzureStackAdmin account.
  2. Open an elevated PowerShell session.
  3. Run the Create-AppServiceCerts.ps1 script from the folder where you extracted the helper scripts. The script creates the four certificates that App Service needs in the same folder as the script.
  4. Enter a password to secure the .pfx files, and make a note of it. You must enter it later, in the App Service on Azure Stack Hub installer.

Create-AppServiceCerts.ps1 script parameters

Parameter | Required or optional | Default value | Description
pfxPassword | Required | Null | Password that helps protect the certificate private key
DomainName | Required | local.azurestack.external | Azure Stack Hub region and domain suffix

Quickstart template for a file server for deployments of Azure App Service on ASDK

For ASDK deployments only, you can use the example Azure Resource Manager deployment template to deploy a configured single-node file server. The single-node file server will be in a workgroup.

Note

The ASDK instance must be able to download resources from GitHub in order to complete the deployment.

SQL Server instance

For the Azure App Service on Azure Stack Hub hosting and metering databases, you must prepare a SQL Server instance to hold the App Service databases.

For ASDK deployments, you can use SQL Server Express 2014 SP2 or later. SQL Server must be configured to support Mixed Mode authentication, because App Service on Azure Stack Hub DOES NOT support Windows Authentication.

The SQL Server instance for Azure App Service on Azure Stack Hub must be accessible from all App Service roles. You can deploy SQL Server within the Default Provider Subscription in Azure Stack Hub, or you can use existing infrastructure within your organization (as long as there's connectivity to Azure Stack Hub). If you're using an Azure Marketplace image, remember to configure the firewall accordingly.

Note

A number of SQL IaaS VM images are available through the Marketplace Management feature. Make sure you always download the latest version of the SQL IaaS Extension before you deploy a VM using a Marketplace item. The SQL images are the same as the SQL VMs that are available in Azure. For SQL VMs created from these images, the IaaS extension and corresponding portal enhancements provide features such as automatic patching and backup.

For any of the SQL Server roles, you can use a default instance or a named instance. If you use a named instance, be sure to manually start the SQL Server Browser service and open port 1434.

The App Service installer checks that the SQL Server has database containment enabled. To enable database containment on the SQL Server that will host the App Service databases, run these SQL commands:

sp_configure 'contained database authentication', 1;
GO
RECONFIGURE;
GO

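Both SQL Server sections above (integrated systems and ASDK) require the same three things before the installer runs: mixed-mode authentication, contained database authentication turned on, and SQL Server 2014 SP2 or later. The following script, added here as an example and not part of the Microsoft article, queries a SQL Server instance for those settings and reports what still needs changing. It assumes the SqlServer PowerShell module (Invoke-Sqlcmd, 21.1 or later for -Credential) is installed; the instance name and the prompted SQL login are placeholders.

```powershell
# Added example (not from the Microsoft article): queries the SQL Server instance for the settings the
# App Service installer depends on, mixed-mode authentication and contained database authentication,
# and the minimum version named above. Assumes the SqlServer PowerShell module (Invoke-Sqlcmd, 21.1 or
# later) is installed; $ServerInstance and the prompted SQL login are placeholders for your own.

$ServerInstance = 'sql01.contoso.local\APPSVC'   # assumed; use just the host name for a default instance
$Credential     = Get-Credential -Message 'SQL login (mixed-mode auth, sysadmin)'

$query = @"
SELECT
    CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int) AS WindowsAuthOnly,
    (SELECT CAST(value_in_use AS int) FROM sys.configurations
      WHERE name = N'contained database authentication')  AS ContainedAuth,
    CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(32)) AS ProductVersion,
    CAST(SERVERPROPERTY('Edition') AS nvarchar(64))        AS Edition;
"@

function Test-AppServiceSqlPrerequisites {
    param([string]$ServerInstance, [pscredential]$Credential, [string]$Query)

    # Connecting with a SQL login (not Windows auth) exercises the mode App Service itself will use; for a
    # named instance, resolving "host\instance" without a port also proves SQL Browser (UDP 1434) is reachable.
    $row = Invoke-Sqlcmd -ServerInstance $ServerInstance -Credential $Credential -Query $Query -ErrorAction Stop

    $findings = New-Object System.Collections.Generic.List[string]
    if ($row.WindowsAuthOnly -eq 1) {
        $findings.Add('Server is in Windows Authentication only mode; enable mixed-mode authentication (App Service does not support Windows auth).')
    }
    if ($row.ContainedAuth -ne 1) {
        $findings.Add("Contained database authentication is off; run: sp_configure 'contained database authentication', 1; RECONFIGURE;")
    }
    # SQL Server 2014 SP2 is build 12.0.5000; anything older fails the version requirement above.
    if ([version]$row.ProductVersion -lt [version]'12.0.5000') {
        $findings.Add("Version $($row.ProductVersion) is older than SQL Server 2014 SP2.")
    }

    [pscustomobject]@{
        ServerInstance = $ServerInstance
        Edition        = $row.Edition
        ProductVersion = $row.ProductVersion
        MixedMode      = ($row.WindowsAuthOnly -eq 0)
        ContainedAuth  = ($row.ContainedAuth -eq 1)
        Findings       = $findings
    }
}

$result = Test-AppServiceSqlPrerequisites -ServerInstance $ServerInstance -Credential $Credential -Query $query
$result | Format-List
if ($result.Findings.Count) { $result.Findings | ForEach-Object { Write-Warning $_ } }
```

Because contained database authentication lets logins live inside a database rather than at the server level, keep the sysadmin login used here separate from the login you later give the App Service installer, and restrict the latter to the hosting and metering databases once they exist.
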
Licensing concerns for the required file server and SQL Server

Azure App Service on Azure Stack Hub requires a file server and SQL Server to operate. You're free to use pre-existing resources located outside of your Azure Stack Hub deployment, or to deploy resources within the Azure Stack Hub Default Provider Subscription.

If you choose to deploy the resources within your Azure Stack Hub Default Provider Subscription, the licenses for those resources (Windows Server licenses and SQL Server licenses) are included in the cost of Azure App Service on Azure Stack Hub, subject to the following constraints:

  • The infrastructure is deployed into the Default Provider Subscription.
  • The infrastructure is used exclusively by the Azure App Service on Azure Stack Hub resource provider. No other workloads, administrative (other resource providers, for example SQL-RP) or tenant (for example, tenant apps that require a database), are permitted to use this infrastructure.

Operational responsibility for the file server and SQL Server

Cloud operators are responsible for the maintenance and operation of the file server and SQL Server. The resource provider does not manage these resources. The cloud operator is responsible for backing up the App Service databases and the tenant content file share.

Retrieve the Azure Resource Manager root certificate for Azure Stack Hub

Open an elevated PowerShell session on a computer that can reach the privileged endpoint on the Azure Stack Hub integrated system or ASDK host.

Run the Get-AzureStackRootCert.ps1 script from the folder where you extracted the helper scripts. The script creates a root certificate, which App Service needs for creating certificates, in the same folder as the script.

When you run the following PowerShell command, you have to provide the privileged endpoint and the credentials for AzureStack\CloudAdmin.

    Get-AzureStackRootCert.ps1

Get-AzureStackRootCert.ps1 script parameters

Parameter | Required or optional | Default value | Description
PrivilegedEndpoint | Required | AzS-ERCS01 | Privileged endpoint
CloudAdminCredential | Required | AzureStack\CloudAdmin | Domain account credential for Azure Stack Hub cloud admins

Network and identity configuration

Virtual network

Note

Pre-creating a custom virtual network is optional, because Azure App Service on Azure Stack Hub can create the required virtual network, but it will then need to communicate with SQL Server and the file server via public IP addresses. If you use the App Service HA file server and SQL Server quickstart template to deploy the prerequisite SQL Server and file server resources, the template also deploys a virtual network.

Azure App Service on Azure Stack Hub lets you deploy the resource provider to an existing virtual network or create a virtual network as part of the deployment. Using an existing virtual network enables the use of internal IPs to connect to the file server and SQL Server required by Azure App Service on Azure Stack Hub. The virtual network must be configured with the following address range and subnets before installing Azure App Service on Azure Stack Hub:

Virtual network - /16

Subnets

  • ControllersSubnet /24
  • ManagementServersSubnet /24
  • FrontEndsSubnet /24
  • PublishersSubnet /24
  • WorkersSubnet /21

Important

If you choose to deploy App Service in an existing virtual network, the SQL Server should be deployed into a separate subnet from App Service and the file server.

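One way to lay out and create such a network, added here as an example and not part of the Microsoft article: the /16 and the five App Service subnets above, plus separate subnets for the file server and SQL Server as the two Important notes require. A small checker first confirms every prefix is aligned to its mask, sits inside the /16 and overlaps nothing else (the /21 is the one people usually get wrong), and only then are the Az.Network cmdlets called. It assumes the Az modules for Azure Stack Hub are installed and Connect-AzAccount has already been run against the admin ARM endpoint; the resource group, location, the FileServerSubnet and SqlServerSubnet names, and all address prefixes are assumed values.

```powershell
# Added example (not from the Microsoft article): validates and creates a virtual network with the /16
# range and the five subnets listed above, plus the separate file server and SQL Server subnets the
# Important notes call for. Assumes the Az modules for Azure Stack Hub are installed and Connect-AzAccount
# has already been run against the admin ARM endpoint; the resource group, location, subnet names for the
# file server and SQL Server, and all address prefixes are assumed values.

$resourceGroup = 'AppService-Infra'   # assumed
$location      = 'local'              # assumed; the ASDK region name is "local"
$vnetName      = 'AppService-VNet'    # assumed
$addressSpace  = '10.0.0.0/16'        # the /16 the section above requires; the prefix itself is assumed

# Subnet plan. The first five names and sizes come from the list above; FileServerSubnet and
# SqlServerSubnet are assumed names that keep both servers out of the App Service subnets.
$subnetPlan = [ordered]@{
    ControllersSubnet       = '10.0.0.0/24'
    ManagementServersSubnet = '10.0.1.0/24'
    FrontEndsSubnet         = '10.0.2.0/24'
    PublishersSubnet        = '10.0.3.0/24'
    FileServerSubnet        = '10.0.4.0/24'
    SqlServerSubnet         = '10.0.5.0/24'
    WorkersSubnet           = '10.0.8.0/21'   # a /21 has to start on a multiple of 8 in the third octet
}

function ConvertTo-PrefixRange {
    # Turns "a.b.c.d/n" into first/last address as integers and rejects prefixes not aligned to their mask.
    param([string]$Cidr)
    $ip, $bits = $Cidr.Split('/')
    $b    = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
    $addr = ([long]$b[0] -shl 24) + ([long]$b[1] -shl 16) + ([long]$b[2] -shl 8) + [long]$b[3]
    $size = [long]1 -shl (32 - [int]$bits)
    if ($addr % $size -ne 0) { throw "$Cidr is not aligned to its /$bits mask" }
    [pscustomobject]@{ Cidr = $Cidr; Start = $addr; End = $addr + $size - 1 }
}

function Test-SubnetPlan {
    # Every subnet must sit inside the VNet range and no two subnets may overlap.
    param([string]$VnetPrefix, [System.Collections.IDictionary]$Plan)
    $vnet   = ConvertTo-PrefixRange $VnetPrefix
    $ranges = foreach ($name in $Plan.Keys) { ConvertTo-PrefixRange $Plan[$name] }
    foreach ($r in $ranges) {
        if ($r.Start -lt $vnet.Start -or $r.End -gt $vnet.End) { throw "$($r.Cidr) is outside $VnetPrefix" }
    }
    $sorted = @($ranges | Sort-Object Start)
    for ($i = 1; $i -lt $sorted.Count; $i++) {
        if ($sorted[$i].Start -le $sorted[$i - 1].End) {
            throw "$($sorted[$i].Cidr) overlaps $($sorted[$i - 1].Cidr)"
        }
    }
    $true
}

# Fail before touching Azure Stack Hub if the address plan is inconsistent.
Test-SubnetPlan -VnetPrefix $addressSpace -Plan $subnetPlan | Out-Null

$subnets = foreach ($name in $subnetPlan.Keys) {
    New-AzVirtualNetworkSubnetConfig -Name $name -AddressPrefix $subnetPlan[$name]
}

New-AzResourceGroup -Name $resourceGroup -Location $location -Force | Out-Null
New-AzVirtualNetwork -Name $vnetName -ResourceGroupName $resourceGroup -Location $location `
    -AddressPrefix $addressSpace -Subnet $subnets
```

Keeping the file server and SQL Server in their own subnets is what later lets you attach network security groups that admit only the App Service role subnets to SMB and SQL traffic, instead of exposing both servers to everything in the /16.
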
Create an identity application to enable SSO scenarios

Azure App Service uses an identity application (service principal) to support the following operations:

  • Virtual machine scale set integration on worker tiers.
  • SSO for the Azure Functions portal and advanced developer tools (Kudu).

Depending on which identity provider your Azure Stack Hub uses, Azure Active Directory (Azure AD) or Active Directory Federation Services (AD FS), follow the appropriate steps below to create the service principal for use by the Azure App Service on Azure Stack Hub resource provider.

Create an Azure AD app

Follow these steps to create the service principal in your Azure AD tenant:

  1. Open a PowerShell instance as azurestack\AzureStackAdmin.
  2. Go to the location of the scripts that you downloaded and extracted in the prerequisite step.
  3. Install PowerShell for Azure Stack Hub.
  4. Run the Create-AADIdentityApp.ps1 script. When you're prompted, enter the Azure AD tenant ID that you're using for your Azure Stack Hub deployment. For example, enter myazurestack.partner.onmschina.cn.
  5. In the Credential window, enter your Azure AD service admin account and password. Select OK.
  6. Enter the certificate file path and certificate password for the certificate created earlier. The certificate created for this step is, by default, sso.appservice.local.azurestack.external.pfx.
  7. Make a note of the application ID that's returned in the PowerShell output. You use the ID in the following steps to provide consent for the application's permissions, and during installation.
  8. Open a new browser window, and sign in to the Azure portal as the Azure Active Directory service admin.
  9. Open the Azure Active Directory service.
  10. Select App registrations in the left pane.
  11. Search for the application ID you noted in step 7.
  12. Select the App Service application registration from the list.
  13. Select API permissions in the left pane.
  14. Select Grant admin consent for <tenant>, where <tenant> is the name of your Azure AD tenant. Confirm the consent grant by selecting Yes.

Create-AADIdentityApp.ps1 script parameters

Parameter | Required or optional | Default value | Description
DirectoryTenantName | Required | Null | Azure AD tenant ID. Provide the GUID or string. An example is myazureaaddirectory.partner.onmschina.cn.
AdminArmEndpoint | Required | Null | Admin Azure Resource Manager endpoint. An example is adminmanagement.local.azurestack.external.
TenantARMEndpoint | Required | Null | Tenant Azure Resource Manager endpoint. An example is management.local.azurestack.external.
AzureStackAdminCredential | Required | Null | Azure AD service admin credential.
CertificateFilePath | Required | Null | Full path to the identity application certificate file generated earlier.
CertificatePassword | Required | Null | Password that helps protect the certificate private key.
Environment | Optional | AzureCloud | The name of the supported cloud environment in which the target Azure Active Directory Graph service is available. Allowed values: 'AzureChinaCloud'.
Create an ADFS app

  1. Open a PowerShell instance as azurestack\AzureStackAdmin.
  2. Go to the location of the scripts that you downloaded and extracted in the prerequisite step.
  3. Install PowerShell for Azure Stack Hub.
  4. Run the Create-ADFSIdentityApp.ps1 script.
  5. In the Credential window, enter your AD FS cloud admin account and password. Select OK.
  6. Provide the certificate file path and certificate password for the certificate created earlier. The certificate created for this step is, by default, sso.appservice.local.azurestack.external.pfx.

Create-ADFSIdentityApp.ps1 script parameters

Parameter | Required or optional | Default value | Description
AdminArmEndpoint | Required | Null | Admin Azure Resource Manager endpoint. An example is adminmanagement.local.azurestack.external.
PrivilegedEndpoint | Required | Null | Privileged endpoint. An example is AzS-ERCS01.
CloudAdminCredential | Required | Null | Domain account credential for Azure Stack Hub cloud admins. An example is Azurestack\CloudAdmin.
CertificateFilePath | Required | Null | Full path to the identity application's certificate PFX file.
CertificatePassword | Required | Null | Password that helps protect the certificate private key.

Download items from the Azure Marketplace

Azure App Service on Azure Stack Hub requires items to be downloaded from the Azure Marketplace, making them available in the Azure Stack Hub Marketplace. These items must be downloaded before you start the deployment or upgrade of Azure App Service on Azure Stack Hub:

Important

Windows Server Core is not a supported platform image for use with Azure App Service on Azure Stack Hub.

Do not use evaluation images for production deployments.

  1. The latest version of the Windows Server 2016 Datacenter VM image.
  2. Custom Script Extension v1.9.1 or greater. This item is a VM extension.

Next steps

Install the App Service resource provider