
Integrate your app with an Azure Virtual Network

This document describes the Azure App Service virtual network integration feature and how to set it up with apps in Azure App Service. Azure Virtual Networks (VNets) allow you to place many of your Azure resources in a non-internet-routable network.

Azure App Service has two variations.

  1. The multi-tenant systems that support the full range of pricing plans except Isolated
  2. The App Service Environment (ASE), which deploys into your VNet and supports Isolated pricing plan apps

This document goes through the two VNet Integration features, which are for use in the multi-tenant App Service. If your app is in an App Service Environment, then it's already in a VNet and doesn't require the VNet Integration feature to reach resources in the same VNet. For details on all of the App Service networking features, read App Service networking features.

There are two forms of the VNet Integration feature:

  1. One version enables integration with VNets in the same region. This form of the feature requires a subnet in a VNet in the same region. This feature is still in preview but is supported for Windows app production workloads with some caveats noted below.
  2. The other version enables integration with VNets in other regions or with Classic VNets. This version of the feature requires deployment of a Virtual Network Gateway into your VNet. This is the point-to-site VPN-based feature and is only supported with Windows apps.

An app can only use one form of the VNet Integration feature at a time. The question then is which feature you should use. You can use either for many things. The clear differentiators are:

  • Problem: reach an RFC 1918 address (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) in the same region. Solution: regional VNet Integration
  • Problem: reach resources in a Classic VNet or a VNet in another region. Solution: gateway required VNet Integration
  • Problem: reach RFC 1918 endpoints across ExpressRoute. Solution: regional VNet Integration
  • Problem: reach resources across service endpoints. Solution: regional VNet Integration

Neither feature will enable you to reach non-RFC 1918 addresses across ExpressRoute. To do that you need to use an ASE for now.

Using the regional VNet Integration does not connect your VNet to on-premises or configure service endpoints. That is separate networking configuration. The regional VNet Integration simply enables your app to make calls across those connection types.

Regardless of the version used, VNet Integration gives your web app access to resources in your virtual network but doesn't grant inbound private access to your web app from the virtual network. Private site access refers to making your app accessible only from a private network, such as from within an Azure virtual network. VNet Integration is only for making outbound calls from your app into your VNet.

The VNet Integration feature:

  • requires a Standard, Premium, or PremiumV2 pricing plan
  • supports TCP and UDP
  • works with App Service apps and Function apps

There are some things that VNet Integration doesn't support, including:

  • mounting a drive
  • AD integration
  • NetBIOS

Regional VNet Integration

Note

Peering is not yet available for Linux-based App Service.

When VNet Integration is used with VNets in the same region as your app, it requires the use of a delegated subnet with at least 32 addresses in it. The subnet cannot be used for anything else. Outbound calls made from your app will be made from the addresses in the delegated subnet. When you use this version of VNet Integration, the calls are made from addresses in your VNet. Using addresses in your VNet enables your app to:

  • Make calls to service endpoint secured services
  • Access resources across ExpressRoute connections
  • Access resources in the VNet you are connected to
  • Access resources across peered connections, including ExpressRoute connections

This feature is in preview, but it is supported for Windows app production workloads with the following limitations:

  • You can only reach addresses that are in the RFC 1918 range. Those are addresses in the 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 address blocks.
  • You cannot reach resources across global peering connections
  • You cannot set routes on the traffic coming from your app into your VNet
  • The feature is only available from newer App Service scale units that support PremiumV2 App Service plans.
  • The integration subnet can only be used by one App Service plan
  • The feature cannot be used by Isolated plan apps that are in an App Service Environment
  • The feature requires an unused subnet that is a /27 with 32 addresses or larger in your Resource Manager VNet
  • The app and the VNet must be in the same region
  • You cannot delete a VNet with an integrated app. You must remove the integration first
  • You can have only one regional VNet Integration per App Service plan. Multiple apps in the same App Service plan can use the same VNet.
  • You cannot change the subscription of an app or an App Service plan while there is an app that is using regional VNet Integration

One address is used for each App Service plan instance. If you scale your app to 5 instances, then 5 addresses are used. Since the subnet size cannot be changed after assignment, you must use a subnet that is large enough to accommodate whatever scale your app may reach. A /26 with 64 addresses is the recommended size. A /27 with 32 addresses would accommodate a Premium App Service plan of 20 instances if you didn't change the size of the App Service plan. When you scale an App Service plan up or down, you need twice as many addresses for a short period of time.
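The sizing rules in the paragraph above (one address per instance, double that during a scale operation, /27 minimum, /26 recommended) are easy to get wrong when the subnet can never be resized. The following is an added example, not code from the Azure documentation: a small pre-flight check that applies those rules to a candidate subnet and reports what would fit in steady state versus during a scale up or down. The function names and the 0/1 result fields are this example's own; `strict=True` makes `ipaddress` reject a CIDR whose host bits are set, which is a common typo in a subnet definition.

```python
import ipaddress

# Added example (not from the Azure documentation): apply the integration-subnet
# sizing rules described in the text to a candidate subnet.

MIN_PREFIX_LEN = 27          # the feature requires a /27 (32 addresses) or larger
RECOMMENDED_PREFIX_LEN = 26  # a /26 (64 addresses) is the recommended size


def check_integration_subnet(cidr: str, max_instances: int) -> dict:
    """Evaluate a subnet for regional VNet Integration.

    Rules encoded (all from the text above):
      * the subnet must be a /27 or larger (prefix length <= 27)
      * one address is consumed per App Service plan instance
      * a scale operation temporarily needs twice as many addresses
    strict=True rejects CIDRs such as 10.1.2.1/27 whose host bits are set.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    total = net.num_addresses
    peak_demand = 2 * max_instances          # transient demand while scaling up/down
    result = {
        "subnet": str(net),
        "addresses": total,
        "meets_minimum_size": net.prefixlen <= MIN_PREFIX_LEN,
        "fits_steady_state": max_instances <= total,
        "fits_during_scale": peak_demand <= total,
        "recommended_size": net.prefixlen <= RECOMMENDED_PREFIX_LEN,
    }
    result["ok"] = (
        result["meets_minimum_size"]
        and result["fits_steady_state"]
        and result["fits_during_scale"]
    )
    return result


def smallest_prefix_for(max_instances: int) -> int:
    """Smallest subnet (largest prefix length) that still covers the doubled
    demand seen during a scale operation, never smaller than the /27 minimum."""
    need = 2 * max_instances
    prefix = 32
    while (2 ** (32 - prefix)) < need:
        prefix -= 1
    return min(prefix, MIN_PREFIX_LEN)


if __name__ == "__main__":
    # Constructed inputs: the /27 from the text with a 20-instance Premium plan.
    for cidr in ("10.1.2.0/27", "10.1.2.0/26"):
        r = check_integration_subnet(cidr, 20)
        print(f"{r['subnet']}: ok={r['ok']} steady={r['fits_steady_state']} "
              f"scale={r['fits_during_scale']} recommended={r['recommended_size']}")
    print("smallest prefix for 20 instances: /%d" % smallest_prefix_for(20))
```

Run against the text's own numbers, the /27 passes for 20 instances in steady state but not during a scale operation, which is why the /26 is the recommended size.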

If you want apps in another App Service plan to reach a VNet that is already connected to by apps in a different App Service plan, you need to select a different subnet than the one being used by the pre-existing VNet Integration.

The feature is in preview also for Linux. To use the VNet Integration feature with a Resource Manager VNet in the same region:

  1. Go to the Networking UI in the portal. If your app is able to use the new feature, then you will see an option to Add VNet (preview).

    (Screenshot: Select VNet Integration)

  2. Select Add VNet (preview).

  3. Select the Resource Manager VNet that you want to integrate with and then either create a new subnet or pick an empty pre-existing subnet. The integration takes less than a minute to complete. During the integration, your app is restarted. When integration is completed, you will see details on the VNet you are integrated with and a banner at the top that tells you the feature is in preview.

    (Screenshot: Select VNet and subnet)

Once your app is integrated with your VNet, it will use the same DNS server that your VNet is configured with.

Regional VNet Integration requires your integration subnet to be delegated to Microsoft.Web. The VNet Integration UI will delegate the subnet to Microsoft.Web automatically. If your account does not have sufficient networking permissions to set this, you will need someone who can set attributes on your integration subnet to delegate the subnet. To manually delegate the integration subnet, go to the Azure Virtual Network subnet UI and set delegation for Microsoft.Web.

To disconnect your app from the VNet, select Disconnect. This will restart your web app.

Web App for Containers

If you use App Service on Linux with the built-in images, the regional VNet Integration feature works without additional changes. If you use Web App for Containers, you need to modify your docker image in order to use VNet Integration. In your docker image, use the PORT environment variable as the main web server's listening port, instead of using a hardcoded port number. The PORT environment variable is automatically set by the App Service platform at container startup time. If you are using SSH, then the SSH daemon must be configured to listen on the port number specified by the SSH_PORT environment variable when using regional VNet Integration.
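The requirement above is that the container reads its listening port from PORT (and SSH_PORT for sshd) rather than hardcoding it. The following is an added example of a container entrypoint that does this, not code from the Azure documentation or from any App Service image. Everything in it is this example's own: the fallback values 8080 and 2222 are only used when the variables are absent (for example, when running the image locally), and `resolve_ports` rejects non-numeric or out-of-range values so a mis-set variable fails loudly at startup instead of the server silently binding a port the platform will never route to.

```python
import os
from http.server import BaseHTTPRequestHandler, HTTPServer

# Added example (not from the Azure documentation): bind the web server to the port
# App Service hands the container via PORT, and derive the sshd port from SSH_PORT.

DEFAULT_WEB_PORT = 8080   # example's own fallback for local runs; never used on App Service
DEFAULT_SSH_PORT = 2222   # example's own fallback; sshd_config is templated from this value


def listening_port(env, name, fallback):
    """Return the TCP port named by environment variable `name`.

    Missing or empty -> `fallback` (local development).
    Present but not a valid port -> ValueError, so startup fails visibly.
    """
    raw = env.get(name)
    if raw is None or raw.strip() == "":
        return fallback
    try:
        port = int(raw)
    except ValueError:
        raise ValueError(f"{name} must be an integer port, got {raw!r}")
    if not 1 <= port <= 65535:
        raise ValueError(f"{name} out of range: {port}")
    return port


def resolve_ports(env):
    """Ports the container must listen on, taken from the platform-set variables."""
    return {
        "web": listening_port(env, "PORT", DEFAULT_WEB_PORT),
        "ssh": listening_port(env, "SSH_PORT", DEFAULT_SSH_PORT),
    }


class HealthHandler(BaseHTTPRequestHandler):
    """Minimal handler so the example is a complete, runnable web server."""

    def do_GET(self):
        body = b"ok\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def serve(env=None):
    ports = resolve_ports(os.environ if env is None else env)
    # sshd is a separate process; in a real image its config would be generated
    # from ports["ssh"] before it starts. This process only binds the web port.
    HTTPServer(("0.0.0.0", ports["web"]), HealthHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

The same pattern applies to any language: read PORT at startup, bind to it, and treat an unparseable value as a fatal configuration error.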

Service Endpoints

The new VNet Integration feature enables you to use service endpoints. To use service endpoints with your app, use the new VNet Integration to connect to a selected VNet and then configure service endpoints on the subnet you used for the integration.

How VNet Integration works

Apps in App Service are hosted on worker roles. The Basic and higher pricing plans are dedicated hosting plans where there are no other customers' workloads running on the same workers. VNet Integration works by mounting virtual interfaces with addresses in the delegated subnet. Because the from address is in your VNet, it has access to most things in or through your VNet, just like a VM in your VNet would. The networking implementation is different from running a VM in your VNet, and that is why some networking features are not yet available while using this feature.

(Diagram: VNet Integration)

When VNet Integration is enabled, your app will still make outbound calls to the internet through the same channels as normal. The outbound addresses that are listed in the app properties portal are still the addresses used by your app. What changes for your app is that calls to service endpoint secured services or RFC 1918 addresses go into your VNet.

The feature only supports one virtual interface per worker. One virtual interface per worker means one regional VNet Integration per App Service plan. All of the apps in the same App Service plan can use the same VNet Integration, but if you need an app to connect to an additional VNet, you will need to create another App Service plan. The virtual interface used is not a resource that customers have direct access to.

Due to the nature of how this technology operates, the traffic that is used with VNet Integration does not show up in Network Watcher or NSG flow logs.

Gateway required VNet Integration

The gateway required VNet Integration feature:

  • Can be used to connect to VNets in any region, be they Resource Manager or Classic VNets
  • Enables an app to connect to only 1 VNet at a time
  • Enables up to five VNets to be integrated with in an App Service plan
  • Allows the same VNet to be used by multiple apps in an App Service plan without impacting the total number that can be used by an App Service plan. If you have 6 apps using the same VNet in the same App Service plan, that counts as 1 VNet being used.
  • Requires a Virtual Network Gateway that is configured with point-to-site VPN
  • Supports a 99.9% SLA due to the SLA on the gateway

This feature does not support:

  • Use with Linux apps
  • Accessing resources across ExpressRoute
  • Accessing resources across service endpoints

Getting started

Here are some things to keep in mind before connecting your web app to a virtual network:

  • A target virtual network must have point-to-site VPN enabled with a route-based gateway before it can be connected to an app.
  • The VNet must be in the same subscription as your App Service plan (ASP).
  • The apps that integrate with a VNet use the DNS that is specified for that VNet.

Set up a gateway in your VNet

If you already have a gateway configured with point-to-site addresses, you can skip to configuring VNet Integration with your app.
To create a gateway:

  1. Create a gateway subnet in your VNet.

  2. Create the VPN gateway. Select a route-based VPN type.

  3. Set the point-to-site addresses. If the gateway isn't in the Basic SKU, then IKEv2 must be disabled in the point-to-site configuration and SSTP must be selected. The address space must be in the RFC 1918 address blocks: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16.

If you are just creating the gateway for use with App Service VNet Integration, then you do not need to upload a certificate. Creating the gateway can take 30 minutes. You will not be able to integrate your app with your VNet until the gateway is provisioned.

Configure VNet Integration with your app

To enable VNet Integration on your app:

  1. Go to your app in the Azure portal, open app settings, and select Networking > VNet Integration. Your ASP must be in a Standard SKU or better to use either VNet Integration feature.

    (Screenshot: VNet Integration UI)

  2. Select Add VNet.

    (Screenshot: Add VNet Integration)

  3. Select your VNet.

    (Screenshot: Select your VNet)

Your app will be restarted after this last step.

How the gateway required VNet Integration feature works

The gateway required VNet Integration feature is built on top of point-to-site VPN technology. The point-to-site technology limits network access to just the virtual machine hosting the app. Apps are restricted to only send traffic out to the internet, through Hybrid Connections, or through VNet Integration.

(Diagram: How VNet Integration works)

Managing VNet Integration

The ability to connect and disconnect to a VNet is at an app level. Operations that can affect the VNet Integration across multiple apps are at the App Service plan level. From the app > Networking > VNet Integration portal, you can get details on your VNet. You can see similar information at the ASP level in the ASP > Networking > VNet Integration portal, including which apps in that App Service plan are using a given integration.

(Screenshot: VNet details)

The information you have available to you in the VNet Integration UI is the same between the app and ASP portals.

  • VNet Name - links to the virtual network UI
  • Location - reflects the location of your VNet. Integrating with a VNet in another location can cause latency issues for your app.
  • Certificate Status - reflects whether your certificates are in sync between your App Service plan and your VNet.
  • Gateway Status - if you are using the gateway required VNet Integration, you can see the gateway status.
  • VNet address space - shows the IP address space for your VNet.
  • Point-to-site address space - shows the point-to-site IP address space for your VNet. When making calls into your VNet while using the gateway required feature, your app's FROM address will be one of these addresses.
  • Site-to-site address space - you can use site-to-site VPNs to connect your VNet to your on-premises resources or to other VNets. The IP ranges defined with that VPN connection are shown here.
  • DNS Servers - shows the DNS servers configured with your VNet.
  • IP addresses routed to the VNet - shows the address blocks used to drive traffic into your VNet

The only operation you can take in the app view of your VNet Integration is to disconnect your app from the VNet it is currently connected to. To disconnect your app from a VNet, select Disconnect. Your app will be restarted when you disconnect from a VNet. Disconnecting doesn't change your VNet. The subnet or gateway is not removed. If you then want to delete your VNet, you need to first disconnect your app from the VNet and delete the resources in it, such as gateways.

To reach the ASP VNet Integration UI, open your ASP UI and select Networking. Under VNet Integration, select Click here to configure to open the Network Feature Status UI.

(Screenshot: ASP VNet Integration information)

The ASP VNet Integration UI will show you all of the VNets that are used by the apps in your ASP. To see details on each VNet, click on the VNet you are interested in. There are two actions you can perform here.

  • Sync network. The sync network operation is only for the gateway-dependent VNet Integration feature. Performing a sync network operation ensures that your certificates and network information are in sync. If you add or change the DNS of your VNet, you need to perform a Sync network operation. This operation will restart any apps using this VNet.
  • Add routes. Adding routes will drive outbound traffic into your VNet.

Routing: The routes that are defined in your VNet are used to direct traffic into your VNet from your app. If you need to send additional outbound traffic into the VNet, then you can add those address blocks here. This capability only works with gateway required VNet Integration.

Certificates: When the gateway required VNet Integration is enabled, there is a required exchange of certificates to ensure the security of the connection. Along with the certificates are the DNS configuration, routes, and other similar things that describe the network. If certificates or network information is changed, you need to click "Sync Network". When you click "Sync Network", you cause a brief outage in connectivity between your app and your VNet. While your app isn't restarted, the loss of connectivity could cause your site to not function properly.

Accessing on-premises resources

Apps can access on-premises resources by integrating with VNets that have site-to-site connections. If you are using the gateway required VNet Integration, you need to update your on-premises VPN gateway routes with your point-to-site address blocks. When the site-to-site VPN is first set up, the scripts used to configure it should set up routes properly. If you add the point-to-site addresses after you create your site-to-site VPN, you need to update the routes manually. Details on how to do that vary per gateway and are not described here. You cannot have BGP configured with a site-to-site VPN connection.

There is no additional configuration required for the regional VNet Integration feature to reach through your VNet and to on-premises. You simply need to connect your VNet to on-premises using ExpressRoute or a site-to-site VPN.

Note

The gateway required VNet Integration feature doesn't integrate an app with a VNet that has an ExpressRoute Gateway. Even if the ExpressRoute Gateway is configured in coexistence mode, the VNet Integration doesn't work. If you need to access resources through an ExpressRoute connection, then you can use the regional VNet Integration feature or an App Service Environment, which runs in your VNet.

Peering

If you are using peering with the regional VNet Integration, you do not need to do any additional configuration.

If you are using the gateway required VNet Integration with peering, you need to configure a few additional items. To configure peering to work with your app:

  1. Add a peering connection on the VNet your app connects to. When adding the peering connection, enable Allow virtual network access and check Allow forwarded traffic and Allow gateway transit.
  2. Add a peering connection on the VNet that is being peered to the VNet you are connected to. When adding the peering connection on the destination VNet, enable Allow virtual network access and check Allow forwarded traffic and Allow remote gateways.
  3. Go to the App Service plan > Networking > VNet Integration UI in the portal. Select the VNet your app connects to. Under the routing section, add the address range of the VNet that is peered with the VNet your app is connected to.

Pricing details

The regional VNet Integration feature has no additional charge for use beyond the ASP pricing tier charges.

There are three related charges to the use of the gateway required VNet Integration feature:

  • ASP pricing tier charges - your apps need to be in a Standard, Premium, or PremiumV2 App Service plan. You can see more details on those costs here: App Service Pricing.
  • Data transfer costs - there is a charge for data egress, even if the VNet is in the same data center. Those charges are described in Data Transfer Pricing Details.
  • VPN Gateway costs - there is a cost to the VNet gateway that is required for the point-to-site VPN. The details are on the VPN Gateway Pricing page.

Troubleshooting

While the feature is easy to set up, that doesn't mean that your experience will be problem free. Should you encounter problems accessing your desired endpoint, there are some utilities you can use to test connectivity from the app console. There are two consoles that you can use. One is the Kudu console and the other is the console in the Azure portal. To reach the Kudu console from your app, go to Tools -> Kudu. You can also reach the Kudu console at [sitename].scm.azurewebsites.net. Once the website loads, go to the Debug console tab. To get to the Azure portal hosted console, from your app go to Tools -> Console.

Tools

The tools ping, nslookup, and tracert won't work through the console due to security constraints. To fill the void, two separate tools were added. In order to test DNS functionality, we added a tool named nameresolver.exe. The syntax is:

nameresolver.exe hostname [optional: DNS Server]

You can use nameresolver to check the hostnames that your app depends on. This way you can test if you have anything misconfigured with your DNS or perhaps don't have access to your DNS server. You can see the DNS servers that your app will use in the console by looking at the environment variables WEBSITE_DNS_SERVER and WEBSITE_DNS_ALT_SERVER.

The next tool allows you to test for TCP connectivity to a host and port combination. This tool is called tcpping and the syntax is:

tcpping.exe hostname [optional: port]

The tcpping utility tells you if you can reach a specific host and port. It can only show success if there is an application listening at the host and port combination and there is network access from your app to the specified host and port.

Debugging access to VNet hosted resources

There are a number of things that can prevent your app from reaching a specific host and port. Most of the time it is one of three things:

  • A firewall is in the way. If you have a firewall in the way, you will hit the TCP timeout. The TCP timeout is 21 seconds in this case. Use the tcpping tool to test connectivity. TCP timeouts can be due to many things beyond firewalls, but start there.
  • DNS isn't accessible. The DNS timeout is three seconds per DNS server. If you have two DNS servers, the timeout is 6 seconds. Use nameresolver to see if DNS is working. Remember you can't use nslookup, as that doesn't use the DNS your VNet is configured with. If inaccessible, you could have a firewall or NSG blocking access to DNS or it could be down.
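The two symptoms above (a name that does not resolve, and a connection that sits in a 21-second TCP timeout) look alike from inside the application until you separate the DNS step from the TCP step. The following is an added example, not the nameresolver or tcpping tools the text describes and not code from the Azure documentation: a small triage routine that performs the two steps in order and maps each failure to the cause listed above. The `resolver` and `connector` parameters are this example's own design so that the classification logic can be exercised with fakes; by default they use the standard library with the 21-second timeout from the text. `expected_dns_timeout` only turns the "three seconds per configured server" statement into a number from the WEBSITE_DNS_SERVER / WEBSITE_DNS_ALT_SERVER variables the text names.

```python
import socket

# Added example (not from the Azure documentation): separate the DNS step from the
# TCP step and classify a failure into the causes the troubleshooting text lists.

TCP_TIMEOUT_SECONDS = 21     # per the text: a firewall typically surfaces as a TCP timeout
DNS_TIMEOUT_PER_SERVER = 3   # per the text: three seconds per configured DNS server


def expected_dns_timeout(env):
    """Worst-case DNS wait described in the text: 3 s for each configured server."""
    servers = (env.get("WEBSITE_DNS_SERVER"), env.get("WEBSITE_DNS_ALT_SERVER"))
    return DNS_TIMEOUT_PER_SERVER * sum(1 for s in servers if s)


def default_resolver(host):
    """Resolve with the DNS servers the process is configured with (no nslookup)."""
    return socket.getaddrinfo(host, None)[0][4][0]


def default_connector(addr, port):
    """Open and immediately close a TCP connection, bounded by the text's 21 s timeout."""
    with socket.create_connection((addr, port), timeout=TCP_TIMEOUT_SECONDS):
        return True


def triage(host, port, resolver=default_resolver, connector=default_connector):
    """Return one of 'ok', 'dns_failure', 'tcp_timeout', 'refused' or 'error'.

    Mapping to the checklist above:
      dns_failure -> DNS isn't accessible: check nameresolver, and NSG/firewall rules to the DNS servers
      tcp_timeout -> packets are being silently dropped, typically a firewall or NSG in the path
      refused     -> the host was reached but nothing is listening on that port
    """
    try:
        addr = resolver(host)
    except socket.gaierror:
        return "dns_failure"
    try:
        connector(addr, port)
        return "ok"
    except socket.timeout:            # TimeoutError on modern Pythons; a subclass of OSError
        return "tcp_timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "error"


if __name__ == "__main__":
    import os
    import sys
    # Usage: python triage.py <host> <port>
    target_host, target_port = sys.argv[1], int(sys.argv[2])
    print("expected DNS timeout:", expected_dns_timeout(os.environ), "s")
    print(target_host, target_port, "->", triage(target_host, target_port))
```

Because socket.timeout is a subclass of OSError, the timeout and refused cases must be caught before the generic OSError handler, or every failure collapses into "error" and the distinction the text draws is lost.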

If those items don't answer your problems, look first for things like:

Regional VNet Integration

  • Is your destination an RFC 1918 address?
  • Is there an NSG blocking egress from your integration subnet?
  • If going across ExpressRoute or a VPN, is your on-premises gateway configured to route traffic back up to Azure? If you can reach endpoints in your VNet but not on-premises, this is good to check.

Gateway required VNet Integration

  • Is the point-to-site address range in the RFC 1918 ranges (10.0.0.0-10.255.255.255 / 172.16.0.0-172.31.255.255 / 192.168.0.0-192.168.255.255)?
  • Does the gateway show as being up in the portal? If your gateway is down, then bring it back up.
  • Do certificates show as being in sync, or do you suspect that the network configuration was changed? If your certificates are out of sync or you suspect that there has been a change made to your VNet configuration that wasn't synced with your ASPs, then hit "Sync Network".
  • If going across ExpressRoute or a VPN, is your on-premises gateway configured to route traffic back up to Azure? If you can reach endpoints in your VNet but not on-premises, this is good to check.

Debugging networking issues is a challenge because you cannot see what is blocking access to a specific host:port combination. Some of the causes include:

  • You have a firewall up on your host preventing access to the application port from your point-to-site IP range. Crossing subnets often requires public access.
  • Your target host is down
  • Your application is down
  • You had the wrong IP or hostname
  • Your application is listening on a different port than what you expected. You can match your process ID with the listening port by using "netstat -aon" on the endpoint host.
  • Your network security groups are configured in such a manner that they prevent access to your application host and port from your point-to-site IP range

Remember that you don't know what address your app will actually use. It could be any address in the integration subnet or point-to-site address range, so you need to allow access from the entire address range.
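Two of the checklist items above are mechanical enough to automate: whether a destination is an RFC 1918 address (and therefore takes the VNet path under regional VNet Integration at all), and whether a firewall or NSG allow-list covers the whole source range the app may use, since the exact address is not known in advance. The following is an added example, not code from the Azure documentation; the function names are this example's own, and the allow-list is modelled simply as a set of source CIDRs, which is all that is needed to find gaps. Given a source range and the allowed CIDRs, `uncovered_source_addresses` returns the parts of the range that no rule covers, so an empty result means the full range is allowed.

```python
import ipaddress

# Added example (not from the Azure documentation): two checks from the troubleshooting list.
#  1. Is the destination an RFC 1918 address? Regional VNet Integration only routes
#     RFC 1918 destinations into the VNet; everything else leaves by the normal path.
#  2. Does an allow-list cover the entire source range (integration subnet or
#     point-to-site range) the app might connect from?

RFC1918_BLOCKS = [
    ipaddress.ip_network(block)
    for block in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def is_rfc1918(address):
    """True for IPv4 addresses inside 10/8, 172.16/12 or 192.168/16."""
    ip = ipaddress.ip_address(address)
    return ip.version == 4 and any(ip in block for block in RFC1918_BLOCKS)


def regional_path_for(address):
    """'vnet' if a call to this address enters the VNet under regional VNet
    Integration, 'internet' if it uses the app's normal outbound addresses."""
    return "vnet" if is_rfc1918(address) else "internet"


def uncovered_source_addresses(source_range, allowed_cidrs):
    """Return the sub-ranges of source_range that no entry in allowed_cidrs covers.

    CIDR blocks are either nested or disjoint, never partially overlapping, so
    each remaining chunk is dropped (fully covered), carved (allowed block lies
    inside it) or kept (disjoint). An empty list means the whole range is allowed.
    """
    remaining = [ipaddress.ip_network(source_range)]
    for cidr in allowed_cidrs:
        allowed = ipaddress.ip_network(cidr)
        next_remaining = []
        for chunk in remaining:
            if chunk.subnet_of(allowed):
                continue                                  # fully covered
            if allowed.subnet_of(chunk):
                next_remaining.extend(chunk.address_exclude(allowed))  # carve out covered part
            else:
                next_remaining.append(chunk)              # disjoint, still uncovered
        remaining = next_remaining
    return sorted(str(net) for net in remaining)


if __name__ == "__main__":
    # Constructed values: an integration subnet and an allow-list that only covers half of it.
    print(regional_path_for("10.4.0.5"), regional_path_for("40.112.0.1"))
    print("uncovered:", uncovered_source_addresses("10.1.2.0/27", ["10.1.2.0/28"]))
```

A non-empty result from `uncovered_source_addresses` is exactly the situation the paragraph warns about: the app will sometimes work and sometimes fail depending on which address in the range an instance happens to get.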

Additional debug steps include:

  • Connect to a VM in your VNet and attempt to reach your resource host:port from there. To test for TCP access, use the PowerShell command test-netconnection. The syntax is:

    test-netconnection hostname [optional: -Port]

  • Bring up an application on a VM and test access to that host and port from the console of your app using tcpping

On-premises resources

If your app cannot reach a resource on-premises, then check if you can reach the resource from your VNet. Use the test-netconnection PowerShell command to check for TCP access. If your VM can't reach your on-premises resource, your VPN or ExpressRoute connection may not be configured properly.

If your VNet hosted VM can reach your on-premises system but your app can't, then the cause is likely one of the following:

  • Your routes are not configured with your subnet or point-to-site address ranges in your on-premises gateway
  • Your network security groups are blocking access for your point-to-site IP range
  • Your on-premises firewalls are blocking traffic from your point-to-site IP range
  • You are trying to reach a non-RFC 1918 address using the regional VNet Integration feature

PowerShell automation

You can integrate App Service with an Azure Virtual Network using PowerShell. For a ready-to-run script, see Connect an app in Azure App Service to an Azure Virtual Network.