
Introduction to the App Service Environments

 

Overview

The Azure App Service Environment is an Azure App Service feature that provides a fully isolated and dedicated environment for securely running App Service apps at high scale. This capability can host your:

  • Windows web apps
  • Linux web apps
  • Docker containers
  • Mobile apps
  • Functions

App Service environments (ASEs) are appropriate for application workloads that require:

  • Very high scale.
  • Isolation and secure network access.
  • High memory utilization.

Customers can create multiple ASEs within a single Azure region or across multiple Azure regions. This flexibility makes ASEs ideal for horizontally scaling stateless application tiers in support of high RPS workloads.

ASEs are isolated to running only a single customer's applications and are always deployed into a virtual network. Customers have fine-grained control over inbound and outbound application network traffic. Applications can establish high-speed secure connections over VPNs to on-premises corporate resources.

  • ASE comes with its own pricing tier; learn how the Isolated offering helps drive hyper-scale and security.
  • App Service Environments v2 provide a surrounding to safeguard your apps in a subnet of your network and provide your own private deployment of Azure App Service.
  • Multiple ASEs can be used to scale horizontally. For more information, see how to set up a geo-distributed app footprint.
  • ASEs can be used to configure security architecture, as shown in the AzureCon Deep Dive. To see how the security architecture shown in the AzureCon Deep Dive was configured, see the article on how to implement a layered security architecture with App Service environments.
  • Apps running on ASEs can have their access gated by upstream devices, such as web application firewalls (WAFs). For more information, see Web application firewall (WAF).

Dedicated environment

An ASE is dedicated exclusively to a single subscription and can host 100 App Service Plan instances. The range can span 100 instances in a single App Service plan to 100 single-instance App Service plans, and everything in between.

An ASE is composed of front ends and workers. Front ends are responsible for HTTP/HTTPS termination and automatic load balancing of app requests within an ASE. Front ends are automatically added as the App Service plans in the ASE are scaled out.

Workers are roles that host customer apps. Workers are available in three fixed sizes:

  • One vCPU/3.5 GB RAM
  • Two vCPU/7 GB RAM
  • Four vCPU/14 GB RAM

Customers do not need to manage front ends and workers. All infrastructure is automatically added as customers scale out their App Service plans. As App Service plans are created or scaled in an ASE, the required infrastructure is added or removed as appropriate.

There is a flat monthly rate for an ASE that pays for the infrastructure and doesn't change with the size of the ASE. In addition, there is a cost per App Service plan vCPU. All apps hosted in an ASE are in the Isolated pricing SKU. For information on pricing for an ASE, see the App Service pricing page and review the available options for ASEs.

Virtual network support

The ASE feature is a deployment of the Azure App Service directly into a customer's Azure Resource Manager virtual network. To learn more about Azure virtual networks, see the Azure virtual networks FAQ. An ASE always exists in a virtual network, and more precisely, within a subnet of a virtual network. You can use the security features of virtual networks to control inbound and outbound network communications for your apps.

An ASE can be either internet-facing with a public IP address or internal-facing with only an Azure internal load balancer (ILB) address.

Network Security Groups restrict inbound network communications to the subnet where an ASE resides. You can use NSGs to run apps behind upstream devices and services such as WAFs and network SaaS providers.
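The NSG gating described above, as an added example that is not part of the original page: a simplified model of inbound NSG evaluation (lowest priority number first, first match decides) used to check that HTTPS reaches the ASE subnet only from the upstream WAF. The rule names, the WAF address and both rule sets are constructed; service tags, port ranges and the platform rules an ASE subnet itself needs are not modelled.

```python
import ipaddress
from collections import namedtuple

# Simplified NSG inbound rule: CIDR or "*" source, tuple of ports (empty = any).
Rule = namedtuple("Rule", "name priority source ports access")

WAF_NET = "203.0.113.10/32"  # constructed address for the upstream WAF

# Constructed rule sets for the ASE subnet's NSG (not taken from the page).
WEAK = [
    Rule("allow-https-any", 100, "*", (443,), "Allow"),
    Rule("DenyAllInBound", 65500, "*", (), "Deny"),
]
HARDENED = [
    Rule("allow-https-from-waf", 100, WAF_NET, (443,), "Allow"),
    Rule("deny-https-other", 110, "*", (443,), "Deny"),
    Rule("DenyAllInBound", 65500, "*", (), "Deny"),
]

def _matches(rule, ip, port):
    src_ok = rule.source == "*" or ip in ipaddress.ip_network(rule.source)
    return src_ok and (not rule.ports or port in rule.ports)

def evaluate(rules, src_ip, port):
    """First matching rule in ascending priority order decides, as in an NSG."""
    ip = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        if _matches(rule, ip, port):
            return rule.access, rule.name
    return "Deny", "no-match"

def bypass_findings(rules, upstream, port=443):
    """Allow rules that let sources outside `upstream` reach `port` directly."""
    allowed = [ipaddress.ip_network(n) for n in upstream]
    findings = []
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.ports and port not in rule.ports:
            continue
        if rule.source == "*":
            if rule.access == "Allow":
                findings.append(rule.name)
            break  # a wildcard rule decides everything left for this port
        net = ipaddress.ip_network(rule.source)
        if rule.access == "Allow" and not any(net.subnet_of(a) for a in allowed):
            findings.append(rule.name)
    return findings

if __name__ == "__main__":
    for label, rules in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, evaluate(rules, "198.51.100.7", 443), bypass_findings(rules, [WAF_NET]))
```

The audit is conservative: it does not credit a narrower Deny rule that shadows a later Allow, so a finding means the rule deserves a manual look.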

Apps also frequently need to access corporate resources such as internal databases and web services. If you deploy the ASE in a virtual network that has a VPN connection to the on-premises network, the apps in the ASE can access the on-premises resources. This capability is available regardless of whether the VPN is a site-to-site or Azure ExpressRoute VPN.

For more information on how ASEs work with virtual networks and on-premises networks, see App Service Environment network considerations.

App Service Environment v1

App Service Environment has two versions: ASEv1 and ASEv2. The preceding information was based on ASEv2. This section shows you the differences between ASEv1 and ASEv2.

In ASEv1, you need to manage all of the resources manually. That includes the front ends, workers, and IP addresses used for IP-based SSL. Before you can scale out your App Service plan, you need to first scale out the worker pool where you want to host it.

ASEv1 uses a different pricing model from ASEv2. In ASEv1, you pay for each vCPU allocated. That includes vCPUs used for front ends or workers that aren't hosting any workloads. In ASEv1, the default maximum-scale size of an ASE is 55 total hosts. That includes workers and front ends. One advantage to ASEv1 is that it can be deployed in a classic virtual network and a Resource Manager virtual network. To learn more about ASEv1, see App Service Environment v1 introduction.