您现在访问的是微软AZURE全球版技术文档网站,若需要访问由世纪互联运营的MICROSOFT AZURE中国区技术文档网站,请访问 https://docs.azure.cn.

N 层体系结构样式N-tier architecture style

N 层体系结构将应用程序分成逻辑层和物理层。An N-tier architecture divides an application into logical layers and physical tiers.

N 层体系结构样式的逻辑图

层是分离职责和管理依赖关系的方式。Layers are a way to separate responsibilities and manage dependencies. 每个层都有特定的责任。Each layer has a specific responsibility. 较高层可使用较低层中的服务,反之则不行。A higher layer can use services in a lower layer, but not the other way around.

层在物理上是分隔开的,在不同的计算机上运行。Tiers are physically separated, running on separate machines. 一个层可直接调用另一个层,或使用异步消息传递(消息队列)。A tier can call to another tier directly, or use asynchronous messaging (message queue). 虽然每个层可能托管在自己的层中,但这并不是必需的。Although each layer might be hosted in its own tier, that's not required. 多个层可能托管在同一层上。Several layers might be hosted on the same tier. 在物理上分隔层可以提高可伸缩性和复原能力,但因额外的网络通信也增加了延迟。Physically separating the tiers improves scalability and resiliency, but also adds latency from the additional network communication.

传统的三层应用程序有表示层、中间层和数据库层。A traditional three-tier application has a presentation tier, a middle tier, and a database tier. 中间层是可选的。The middle tier is optional. 更复杂的应用程序可以多于三层。More complex applications can have more than three tiers. 上图显示具有两个中间层,且封装了不同功能区域的应用程序。The diagram above shows an application with two middle tiers, encapsulating different areas of functionality.

N 层应用程序可以有封闭的层体系结构或开放的层体系结构:An N-tier application can have a closed layer architecture or an open layer architecture:

  • 在封闭的层体系结构中,层只能调用紧邻的下一层。In a closed layer architecture, a layer can only call the next layer immediately down.
  • 在开放的层体系结构中,层可以调用它下面的任何层。In an open layer architecture, a layer can call any of the layers below it.

封闭的层体系结构限制层之间的依赖关系。A closed layer architecture limits the dependencies between layers. 但是,如果一个层仅将请求传递到下一层,可能会产生不必要的流量。However, it might create unnecessary network traffic, if one layer simply passes requests along to the next layer.

何时使用此架构When to use this architecture

N 层体系结构通常作为服务架构 (IaaS) 应用程序实现,每个层都在独立的 VM 集中运行。N-tier architectures are typically implemented as infrastructure-as-service (IaaS) applications, with each tier running on a separate set of VMs. 然而,N 层应用程序不需要只是 IaaS。However, an N-tier application doesn't need to be pure IaaS. 通常,对体系结构的某些部分使用托管服务是有利的,特别是缓存、消息传递和数据存储。Often, it's advantageous to use managed services for some parts of the architecture, particularly caching, messaging, and data storage.

请考虑将 N 层体系结构用于:Consider an N-tier architecture for:

  • 简单的 Web 应用程序。Simple web applications.
  • 将本地应用程序迁移到 Azure 并进行最小的重构。Migrating an on-premises application to Azure with minimal refactoring.
  • 统一开发本地和云应用程序。Unified development of on-premises and cloud applications.

N 层体系结构在传统的本地应用程序中很常见,因此将现有工作负载迁移到 Azure 是很适合的。N-tier architectures are very common in traditional on-premises applications, so it's a natural fit for migrating existing workloads to Azure.


  • 云与本地之间,云平台之间具有可移植性。Portability between cloud and on-premises, and between cloud platforms.
  • 对于大多数开发者来说,学习曲线较少。Less learning curve for most developers.
  • 从传统应用程序模型自然演变。Natural evolution from the traditional application model.
  • 对异构环境 (Windows/Linux) 开放Open to heterogeneous environment (Windows/Linux)


  • 很容易最终得到一个只在数据库上执行CRUD操作的中间层,在不做任何有用工作的情况下增加额外的延迟。It's easy to end up with a middle tier that just does CRUD operations on the database, adding extra latency without doing any useful work.
  • 单一式设计阻止了独立部署各项功能。Monolithic design prevents independent deployment of features.
  • 管理 IaaS 应用程序的工作量要大于管理只使用托管服务的应用程序。Managing an IaaS application is more work than an application that uses only managed services.
  • 管理大型系统中的网络安全比较困难。It can be difficult to manage network security in a large system.

最佳做法Best practices

  • 使用自动缩放处理负载中的更改。Use autoscaling to handle changes in load. 请参阅自动缩放的最佳做法See Autoscaling best practices.
  • 使用异步消息传递来分离层。Use asynchronous messaging to decouple tiers.
  • 缓存 semistatic 数据。Cache semistatic data. 请参阅缓存的最佳做法See Caching best practices.
  • 配置高可用性,如使用的解决方案的数据库层SQL Server Always On 可用性组Configure the database tier for high availability, using a solution such as SQL Server Always On availability groups.
  • 在前端和 Internet 之间放置 Web 应用程序防火墙 (WAF)。Place a web application firewall (WAF) between the front end and the Internet.
  • 将每个层放置在自己的子网中,并将子网用作安全边界。Place each tier in its own subnet, and use subnets as a security boundary.
  • 通过仅允许来自中间层的请求,限制对数据层的访问。Restrict access to the data tier, by allowing requests only from the middle tier(s).

虚拟机上的 N 层体系结构N-tier architecture on virtual machines

本部分介绍在 VM 上运行的建议的 N 层体系结构。This section describes a recommended N-tier architecture running on VMs.

N 层体系结构的物理图

每个层包含两个或多个 Vm,放入可用性集或虚拟机规模集。Each tier consists of two or more VMs, placed in an availability set or virtual machine scale set. 如果一个 VM 失败,多个 VM 可以提供复原能力。Multiple VMs provide resiliency in case one VM fails. 负载均衡器用于将请求分布到一个层中的 VM 上。Load balancers are used to distribute requests across the VMs in a tier. 通过向池添加更多 VM 可以水平缩放层。A tier can be scaled horizontally by adding more VMs to the pool.

每个层也放置在自己的子网中,这意味着它们的内部 IP 地址在同一个地址范围内。Each tier is also placed inside its own subnet, meaning their internal IP addresses fall within the same address range. 可轻松应用网络安全组规则和路由到各个层的表。That makes it easy to apply network security group rules and route tables to individual tiers.

Web 和业务层是无状态的。The web and business tiers are stateless. 任何 VM 都可以处理该层的任何请求。Any VM can handle any request for that tier. 数据层应该包含复制的数据库。The data tier should consist of a replicated database. 对于 Windows,我们建议使用以实现高可用性的 Always On 可用性组的 SQL Server。For Windows, we recommend SQL Server, using Always On availability groups for high availability. 对于 Linux,请选择支持复制的数据库,例如 Apache Cassandra。For Linux, choose a database that supports replication, such as Apache Cassandra.

网络安全组限制对每个层的访问权限。Network security groups restrict access to each tier. 例如,数据库层仅允许来自业务层的访问。For example, the database tier only allows access from the business tier.

有关在 Azure 上运行 N 层应用程序的详细信息,请参阅:For more information about running N-tier applications on Azure:

其他注意事项Additional considerations

  • N 层体系结构不限于三层。N-tier architectures are not restricted to three tiers. 对于更复杂的应用程序,通常会有更多层。For more complex applications, it is common to have more tiers. 在这种情况下,请考虑使用第 7 层路由将请求路由到特定的层。In that case, consider using layer-7 routing to route requests to a particular tier.

  • 层是可伸缩性、可靠性和安全性的边界。Tiers are the boundary of scalability, reliability, and security. 请考虑为这些区域中有不同需求的服务提供单独的层。Consider having separate tiers for services with different requirements in those areas.

  • 使用虚拟机规模集进行自动缩放。Use virtual machine scale sets for autoscaling.

  • 在体系结构中寻找可以使用托管服务而无需进行大量重构的位置。Look for places in the architecture where you can use a managed service without significant refactoring. 具体来说,就是缓存、消息传递、存储和数据库。In particular, look at caching, messaging, storage, and databases.

  • 为了提高安全性,请在应用程序前放置网络 DMZ。For higher security, place a network DMZ in front of the application. DMZ 包括防火墙和数据包检查等实现安全功能的网络虚拟设备 (NVA)。The DMZ includes network virtual appliances (NVAs) that implement security functionality such as firewalls and packet inspection. 有关详细信息,请参阅网络 DMZ 参考体系结构For more information, see Network DMZ reference architecture.

  • 为实现高可用性,请在可用性集中放置两个或多个 NVA,并使用外部负载均衡器在实例间分布 Internet 请求。For high availability, place two or more NVAs in an availability set, with an external load balancer to distribute Internet requests across the instances. 有关详细信息,请参阅部署高可用性网络虚拟设备For more information, see Deploy highly available network virtual appliances.

  • 不允许将 RDP 或 SSH 访问定向到正在运行应用程序代码的 VM。Do not allow direct RDP or SSH access to VMs that are running application code. 相反,运算符应登录到 jumpbox,也称为壁垒主机。Instead, operators should log into a jumpbox, also called a bastion host. 这是管理员在网络上用来连接其他 VM 的 VM。This is a VM on the network that administrators use to connect to the other VMs. Jumpbox 中的 RDP 或 SSH 仅允许来自已批准的公共 IP 地址的网络安全组。The jumpbox has a network security group that allows RDP or SSH only from approved public IP addresses.

  • 可使用站点到站点虚拟专用网络 (VPN) 或 Azure ExpressRoute,将 Azure 虚拟网络扩展到本地网络。You can extend the Azure virtual network to your on-premises network using a site-to-site virtual private network (VPN) or Azure ExpressRoute. 有关详细信息,请参阅混合网络参考体系结构For more information, see Hybrid network reference architecture.

  • 如果组织使用 Active Directory 管理标识,建议将 Active Directory 环境扩展到 Azure VNet。If your organization uses Active Directory to manage identity, you may want to extend your Active Directory environment to the Azure VNet. 有关详细信息,请参阅标识管理参考体系结构For more information, see Identity management reference architecture.

  • 如果需要比 VM 提供的 Azure SLA 更高的可用性,可以跨两个区域复制应用程序,并使用 Azure 流量管理器进行故障转移。If you need higher availability than the Azure SLA for VMs provides, replicate the application across two regions and use Azure Traffic Manager for failover. 有关详细信息,请参阅在多个区域中运行 Windows VM在多个区域中运行 Linux VMFor more information, see Run Windows VMs in multiple regions or Run Linux VMs in multiple regions.