Deploy a Cloud Service (extended support) using Azure PowerShell

This article shows how to use the Az.CloudService PowerShell module to deploy a Cloud Service (extended support) in Azure that has multiple roles (WebRole and WorkerRole) and the remote desktop extension.

Before you begin

Review the deployment prerequisites for Cloud Services (extended support) and create the associated resources.

Deploy a Cloud Service (extended support)

  1. Install the Az.CloudService PowerShell module.

    Install-Module -Name Az.CloudService 
    
  2. Create a new resource group. This step is optional if you are using an existing resource group.

    New-AzResourceGroup -ResourceGroupName "ContosOrg" -Location "East US"
    
  3. Create a storage account and container, which will be used to store the Cloud Service package (.cspkg) and Service Configuration (.cscfg) files. You must use a unique name for the storage account.

    $storageAccount = New-AzStorageAccount -ResourceGroupName "ContosOrg" -Name "contosostorageaccount" -Location "East US" -SkuName "Standard_RAGRS" -Kind "StorageV2"
    $container = New-AzStorageContainer -Name "contosocontainer" -Context $storageAccount.Context -Permission Blob
    
  4. Upload your Cloud Service package (.cspkg) to the storage account.

    $tokenStartTime = Get-Date
    $tokenEndTime = $tokenStartTime.AddYears(1)
    $cspkgBlob = Set-AzStorageBlobContent -File "./ContosoApp/ContosoApp.cspkg" -Container "contosocontainer" -Blob "ContosoApp.cspkg" -Context $storageAccount.Context
    $cspkgToken = New-AzStorageBlobSASToken -Container "contosocontainer" -Blob $cspkgBlob.Name -Permission rwd -StartTime $tokenStartTime -ExpiryTime $tokenEndTime -Context $storageAccount.Context
    $cspkgUrl = $cspkgBlob.ICloudBlob.Uri.AbsoluteUri + $cspkgToken
    
  5. Upload your Cloud Service configuration (.cscfg) to the storage account.

    $cscfgBlob = Set-AzStorageBlobContent -File "./ContosoApp/ContosoApp.cscfg" -Container "contosocontainer" -Blob "ContosoApp.cscfg" -Context $storageAccount.Context
    $cscfgToken = New-AzStorageBlobSASToken -Container "contosocontainer" -Blob $cscfgBlob.Name -Permission rwd -StartTime $tokenStartTime -ExpiryTime $tokenEndTime -Context $storageAccount.Context
    $cscfgUrl = $cscfgBlob.ICloudBlob.Uri.AbsoluteUri + $cscfgToken
    
  6. Create a virtual network and subnet. This step is optional if you are using an existing network and subnet. This example uses a single virtual network and subnet for both cloud service roles (WebRole and WorkerRole).

    $subnet = New-AzVirtualNetworkSubnetConfig -Name "ContosoWebTier1" -AddressPrefix "10.0.0.0/24" -WarningAction SilentlyContinue
    $virtualNetwork = New-AzVirtualNetwork -Name "ContosoVNet" -Location "East US" -ResourceGroupName "ContosOrg" -AddressPrefix "10.0.0.0/24" -Subnet $subnet
    
  7. Create a public IP address and set the DNS label property of the public IP address. Cloud Services (extended support) only supports Basic SKU Public IP addresses. Standard SKU Public IPs do not work with Cloud Services. If you are using a Static IP, you need to reference it as a Reserved IP in the Service Configuration (.cscfg) file.

    $publicIp = New-AzPublicIpAddress -Name "ContosIp" -ResourceGroupName "ContosOrg" -Location "East US" -AllocationMethod Dynamic -IpAddressVersion IPv4 -DomainNameLabel "contosoappdns" -Sku Basic
    
  8. Create a Network Profile object and associate the public IP address with the frontend of the load balancer. The Azure platform automatically creates a 'Classic' SKU load balancer resource in the same subscription as the cloud service resource. The load balancer resource is a read-only resource in ARM. Any updates to the resource are supported only via the cloud service deployment files (.cscfg and .csdef).

    $publicIP = Get-AzPublicIpAddress -ResourceGroupName ContosOrg -Name ContosIp  
    $feIpConfig = New-AzCloudServiceLoadBalancerFrontendIPConfigurationObject -Name 'ContosoFe' -PublicIPAddressId $publicIP.Id 
    $loadBalancerConfig = New-AzCloudServiceLoadBalancerConfigurationObject -Name 'ContosoLB' -FrontendIPConfiguration $feIpConfig 
    $networkProfile = @{loadBalancerConfiguration = $loadBalancerConfig} 
    
  9. Create a Key Vault. This Key Vault will be used to store certificates that are associated with the Cloud Service (extended support) roles. The Key Vault must be located in the same region and subscription as the cloud service and have a unique name. For more information, see Use certificates with Azure Cloud Services (extended support).

    New-AzKeyVault -Name "ContosKeyVault" -ResourceGroupName "ContosOrg" -Location "East US"
    
  10. Update the Key Vault access policy and grant certificate permissions to your user account.

    Set-AzKeyVaultAccessPolicy -VaultName 'ContosKeyVault' -ResourceGroupName 'ContosOrg' -EnabledForDeployment
    Set-AzKeyVaultAccessPolicy -VaultName 'ContosKeyVault' -ResourceGroupName 'ContosOrg' -UserPrincipalName 'user@domain.com' -PermissionsToCertificates create,get,list,delete 
    

    Alternatively, set the access policy via ObjectId (which can be obtained by running Get-AzADUser).

    Set-AzKeyVaultAccessPolicy -VaultName 'ContosKeyVault' -ResourceGroupName 'ContosOrg' -ObjectId 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' -PermissionsToCertificates create,get,list,delete 
    
  11. For the purpose of this example, we will add a self-signed certificate to a Key Vault. The certificate thumbprint needs to be added to the Cloud Service Configuration (.cscfg) file for deployment on cloud service roles.

    $Policy = New-AzKeyVaultCertificatePolicy -SecretContentType "application/x-pkcs12" -SubjectName "CN=contoso.com" -IssuerName "Self" -ValidityInMonths 6 -ReuseKeyOnRenewal 
    Add-AzKeyVaultCertificate -VaultName "ContosKeyVault" -Name "ContosCert" -CertificatePolicy $Policy 
    
  12. Create an OS Profile in-memory object. The OS Profile specifies the certificates that are associated with cloud service roles. This will be the same certificate created in the previous step.

    $keyVault = Get-AzKeyVault -ResourceGroupName ContosOrg -VaultName ContosKeyVault 
    $certificate = Get-AzKeyVaultCertificate -VaultName ContosKeyVault -Name ContosCert 
    $secretGroup = New-AzCloudServiceVaultSecretGroupObject -Id $keyVault.ResourceId -CertificateUrl $certificate.SecretId 
    $osProfile = @{secret = @($secretGroup)} 
    
  13. Create a Role Profile in-memory object. The Role Profile defines a role's SKU-specific properties such as name, capacity and tier. For this example, we have defined two roles: frontendRole and backendRole. Role profile information should match the role configuration defined in the configuration (.cscfg) file and the service definition (.csdef) file.

    $frontendRole = New-AzCloudServiceRoleProfilePropertiesObject -Name 'ContosoFrontend' -SkuName 'Standard_D1_v2' -SkuTier 'Standard' -SkuCapacity 2 
    $backendRole = New-AzCloudServiceRoleProfilePropertiesObject -Name 'ContosoBackend' -SkuName 'Standard_D1_v2' -SkuTier 'Standard' -SkuCapacity 2 
    $roleProfile = @{role = @($frontendRole, $backendRole)} 
    
  14. (Optional) Create an Extension Profile in-memory object that you want to add to your cloud service. For this example, we will add the RDP extension.

    $credential = Get-Credential 
    $expiration = (Get-Date).AddYears(1) 
    $rdpExtension = New-AzCloudServiceRemoteDesktopExtensionObject -Name 'RDPExtension' -Credential $credential -Expiration $expiration -TypeHandlerVersion '1.2.1' 
    
    $storageAccountKey = Get-AzStorageAccountKey -ResourceGroupName "ContosOrg" -Name "contosostorageaccount"
    $configFile = "<WAD public configuration file path>"
    $wadExtension = New-AzCloudServiceDiagnosticsExtension -Name "WADExtension" -ResourceGroupName "ContosOrg" -CloudServiceName "ContosoCS" -StorageAccountName "contosostorageaccount" -StorageAccountKey $storageAccountKey[0].Value -DiagnosticsConfigurationPath $configFile -TypeHandlerVersion "1.5" -AutoUpgradeMinorVersion $true
    $extensionProfile = @{extension = @($rdpExtension, $wadExtension)} 
    

    Note that configFile should have only PublicConfig tags and should contain a namespace, as follows:

    <?xml version="1.0" encoding="utf-8"?>
    <PublicConfig xmlns="http://schemas.microsoft.com/ServiceHosting/2010/10/DiagnosticsConfiguration">
        ...............
    </PublicConfig>
    
  15. (Optional) Define the tags that you want to add to your cloud service as a PowerShell hash table.

    $tag=@{"Owner" = "Contoso"} 
    
  16. Create the Cloud Service deployment using the profile objects and SAS URLs.

    $cloudService = New-AzCloudService `
        -Name "ContosoCS" `
        -ResourceGroupName "ContosOrg" `
        -Location "East US" `
        -PackageUrl $cspkgUrl `
        -ConfigurationUrl $cscfgUrl `
        -UpgradeMode 'Auto' `
        -RoleProfile $roleProfile `
        -NetworkProfile $networkProfile `
        -ExtensionProfile $extensionProfile `
        -OSProfile $osProfile `
        -Tag $tag
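
Steps 3 to 5 leave the container anonymously readable (`-Permission Blob`) and issue one-year `rwd` SAS tokens for files that `New-AzCloudService` only receives as URLs. The following added example, which is not part of the original article, makes the container private, issues short-lived read-only HTTPS-only SAS URLs, and checks that the .cscfg references the Key Vault certificate from step 11. It assumes the platform needs only read access to the package and configuration; the helper name `New-DeploymentSasUrl` and the two-hour lifetime are illustrative.

```powershell
# Added example, not from the original article. Run after the uploads in steps 4-5
# and before New-AzCloudService in step 16. Resource names match the steps above.
$ctx = (Get-AzStorageAccount -ResourceGroupName "ContosOrg" -Name "contosostorageaccount").Context

# Step 3 created the container with -Permission Blob (anonymous read). Make it private.
Set-AzStorageContainerAcl -Name "contosocontainer" -Permission Off -Context $ctx

# Hypothetical helper: read-only, HTTPS-only SAS URL with a short lifetime.
function New-DeploymentSasUrl {
    param(
        [Parameter(Mandatory)] [string] $Blob,
        [Parameter(Mandatory)] $Context,
        [string] $Container = "contosocontainer",
        [int] $LifetimeHours = 2    # assumed value; size it to your deployment window
    )
    $start = (Get-Date).ToUniversalTime().AddMinutes(-5)    # allow for clock skew
    New-AzStorageBlobSASToken -Container $Container -Blob $Blob `
        -Permission r `
        -Protocol HttpsOnly `
        -StartTime $start `
        -ExpiryTime $start.AddHours($LifetimeHours) `
        -Context $Context `
        -FullUri
}

$cspkgUrl = New-DeploymentSasUrl -Blob "ContosoApp.cspkg" -Context $ctx
$cscfgUrl = New-DeploymentSasUrl -Blob "ContosoApp.cscfg" -Context $ctx

# Step 11: the .cscfg must reference the Key Vault certificate's thumbprint.
[xml]$cscfg = Get-Content -Raw -Path "./ContosoApp/ContosoApp.cscfg"
$expected = (Get-AzKeyVaultCertificate -VaultName "ContosKeyVault" -Name "ContosCert").Thumbprint
$declared = @($cscfg.ServiceConfiguration.Role.Certificates.Certificate.thumbprint) |
    Where-Object { $_ }
if ($declared -notcontains $expected) {
    throw "ContosoApp.cscfg does not reference certificate thumbprint $expected"
}
```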
    

Next steps