
Configure networking for Azure Dev Spaces in different network topologies

Important

Azure Dev Spaces is being retired and will stop working on October 31, 2023. Consider migrating to Bridge to Kubernetes.

Azure Dev Spaces runs on Azure Kubernetes Service (AKS) clusters with the default networking configuration. If you change the networking configuration of your AKS cluster, for example by putting the cluster behind a firewall, using network security groups, or using network policies, you must take the additional considerations below into account for running Azure Dev Spaces.

Virtual network configurations

Virtual network or subnet configurations

Your AKS cluster may have a different virtual network or subnet configuration that restricts ingress or egress traffic for the cluster. For example, your cluster may be behind a firewall, such as Azure Firewall, or you might use Network Security Groups or custom roles to restrict network traffic. You can find an example network configuration in the Azure Dev Spaces sample repository on GitHub.

Azure Dev Spaces has certain requirements for ingress and egress network traffic as well as for ingress-only traffic. If you are using Azure Dev Spaces on an AKS cluster whose virtual network or subnet configuration restricts traffic, you must meet the following ingress-only and ingress-and-egress traffic requirements for Azure Dev Spaces to function properly.

Ingress and egress network traffic requirements

Azure Dev Spaces needs ingress and egress traffic for the following FQDNs:

FQDN                   | Port       | Use
cloudflare.docker.com  | HTTPS: 443 | To pull docker images for Azure Dev Spaces
gcr.io                 | HTTPS: 443 | To pull helm images for Azure Dev Spaces
storage.googleapis.com | HTTPS: 443 | To pull helm images for Azure Dev Spaces

Update your firewall or security configuration to allow network traffic to and from all of the above FQDNs and the Azure Dev Spaces infrastructure services. For example, if you are using a firewall to secure your network, add the above FQDNs to an application rule of the firewall and also add the Azure Dev Spaces service tag to the firewall. Both of those updates are required to allow traffic to and from these domains.
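As an added example (not code from the page or from the Azure Dev Spaces project), the two Azure Firewall rules the paragraph above describes, created with the Azure CLI: an application rule that allows HTTPS to the three FQDNs from the AKS subnet, and a network rule that allows traffic to the Dev Spaces infrastructure by service tag. The resource group, firewall name, subnet CIDR, the service tag name AzureDevSpaces and port 443 for the tag rule are assumptions; adjust them to your environment.

```bash
#!/usr/bin/env bash
# Added example: Azure Firewall rules for the Azure Dev Spaces egress requirements.
# Requires the azure-firewall CLI extension (az extension add --name azure-firewall).
set -eu

RG="${RG:-MyResourceGroup}"                   # assumed resource group name
FW="${FW:-MyFirewall}"                        # assumed Azure Firewall name
AKS_SUBNET="${AKS_SUBNET:-10.240.0.0/16}"     # assumed AKS node subnet (egress source)
SERVICE_TAG="${SERVICE_TAG:-AzureDevSpaces}"  # assumed name of the Dev Spaces service tag

# FQDNs from the table above; only HTTPS/443 is allowed to them.
DEVSPACES_FQDNS="cloudflare.docker.com gcr.io storage.googleapis.com"

# Application rule: HTTPS egress from the AKS subnet to the listed FQDNs only.
allow_devspaces_fqdns() {
  # shellcheck disable=SC2086  # word-splitting of the FQDN list is intended
  az network firewall application-rule create -g "$RG" -f "$FW" \
    --collection-name devspaces-fqdns --name devspaces-https \
    --priority 200 --action Allow \
    --source-addresses "$AKS_SUBNET" \
    --protocols Https=443 \
    --target-fqdns $DEVSPACES_FQDNS
}

# Network rule: TCP/443 (port assumed) from the AKS subnet to the Dev Spaces
# infrastructure, addressed by service tag so regional IPs need not be listed by hand.
allow_devspaces_service_tag() {
  az network firewall network-rule create -g "$RG" -f "$FW" \
    --collection-name devspaces-infra --name devspaces-tag \
    --priority 210 --action Allow \
    --source-addresses "$AKS_SUBNET" \
    --protocols TCP \
    --destination-addresses "$SERVICE_TAG" \
    --destination-ports 443
}

# Apply only when explicitly asked, so sourcing the file just defines the functions.
if [ "${1:-}" = "--apply" ]; then
  allow_devspaces_fqdns
  allow_devspaces_service_tag
fi
```

Run it as `bash firewall-rules.sh --apply` after `az login`; the rules are deny-by-default for everything not listed, so any further registry or package source your workloads need must be added the same way.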

Ingress only network traffic requirements

Azure Dev Spaces provides Kubernetes namespace-level routing as well as public access to services using its own FQDN. For both of those features to work, update your firewall or network configuration to allow public ingress to the external IP address of the Azure Dev Spaces ingress controller on your cluster. Alternatively, you can create an internal load balancer and add a NAT rule in your firewall that translates the public IP of your firewall to the IP of your internal load balancer. You can also use traefik or NGINX to create a custom ingress controller.

AKS cluster network requirements

AKS allows you to use network policies to control ingress and egress traffic between pods on a cluster as well as egress traffic from a pod. Azure Dev Spaces has certain requirements for ingress and egress network traffic as well as for ingress-only traffic. If you are using Azure Dev Spaces on an AKS cluster with AKS network policies, you must meet the following ingress-only and ingress-and-egress traffic requirements for Azure Dev Spaces to function properly.

Ingress and egress network traffic requirements

Azure Dev Spaces allows you to communicate directly with a pod in a dev space on your cluster for debugging. For this feature to work, add a network policy that allows ingress and egress communication with the IP addresses of the Azure Dev Spaces infrastructure, which vary by region.
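An added example (not a manifest from the page or the project) of the network policy this paragraph calls for, rendered and applied with kubectl: it selects every pod in a dev space namespace and allows ingress from and egress to the Azure Dev Spaces infrastructure addresses. The namespace name and the CIDRs are placeholders; substitute the ranges for your region.

```bash
#!/usr/bin/env bash
# Added example: NetworkPolicy allowing pod <-> Azure Dev Spaces infrastructure traffic.
set -eu

NAMESPACE="${NAMESPACE:-dev}"   # assumed dev space namespace
# Placeholder: replace with the Azure Dev Spaces infrastructure ranges for your region.
INFRA_CIDRS="${INFRA_CIDRS:-203.0.113.0/24 198.51.100.0/24}"

# Render a policy that selects all pods in the namespace and allows ingress from and
# egress to each infrastructure CIDR. Policies are additive: a default-deny policy in
# the same namespace keeps applying to everything these rules do not allow.
render_devspaces_policy() {
  printf 'apiVersion: networking.k8s.io/v1\nkind: NetworkPolicy\nmetadata:\n'
  printf '  name: allow-azds-infra\n  namespace: %s\nspec:\n' "$NAMESPACE"
  printf '  podSelector: {}\n  policyTypes:\n  - Ingress\n  - Egress\n'
  printf '  ingress:\n  - from:\n'
  for cidr in $INFRA_CIDRS; do
    printf '    - ipBlock:\n        cidr: %s\n' "$cidr"
  done
  printf '  egress:\n  - to:\n'
  for cidr in $INFRA_CIDRS; do
    printf '    - ipBlock:\n        cidr: %s\n' "$cidr"
  done
}

# Pipe the rendered manifest into kubectl. The policy only takes effect on clusters
# created with a network policy engine (AKS --network-policy azure or calico).
apply_devspaces_policy() {
  render_devspaces_policy | kubectl apply -n "$NAMESPACE" -f -
}

if [ "${1:-}" = "--apply" ]; then
  apply_devspaces_policy
fi
```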

Ingress only network traffic requirements

Azure Dev Spaces provides routing between pods across namespaces. For example, namespaces with Azure Dev Spaces enabled can have a parent/child relationship, which allows network traffic to be routed between pods in the parent and child namespaces. Azure Dev Spaces also exposes service endpoints using its own FQDN. To configure the different ways of exposing services and learn how each affects namespace-level routing, see Using different endpoint options.

Using Azure CNI

By default, AKS clusters are configured to use kubenet for networking, which works with Azure Dev Spaces. You can also configure your AKS cluster to use Azure Container Networking Interface (CNI). To use Azure Dev Spaces with Azure CNI on your AKS cluster, make sure your virtual network and subnet address spaces allow up to 10 private IP addresses for the pods deployed by Azure Dev Spaces. More details on allowing private IP addresses are available in the AKS Azure CNI documentation.

Using API server authorized IP ranges

AKS clusters allow you to configure additional security that limits which IP addresses can interact with your cluster, for example using custom virtual networks or securing access to the API server using authorized IP ranges. To use Azure Dev Spaces when this additional security is enabled while creating your cluster, you must allow additional ranges based on your region. You can also update an existing cluster to allow those additional ranges. You also need to allow the IP address of any development machine that connects to your AKS cluster for debugging, so that it can reach your API server.
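An added example (not from the page or the project) of updating an existing cluster's authorized IP ranges: it reads the ranges already configured, merges in the additional Dev Spaces ranges and the developer machine addresses, and writes the combined list back, because the update replaces the whole list rather than appending to it. Resource group, cluster name and all CIDRs are placeholders.

```bash
#!/usr/bin/env bash
# Added example: extend (not replace) the API server authorized IP ranges of an AKS
# cluster so that Azure Dev Spaces and the developer machines can reach the API server.
set -eu

RG="${RG:-MyResourceGroup}"   # assumed resource group
AKS="${AKS:-MyAKS}"           # assumed cluster name
# Placeholder: the additional Dev Spaces ranges for your region go here.
DEVSPACES_RANGES="${DEVSPACES_RANGES:-203.0.113.0/24}"
# Placeholder: public IP of each developer machine that debugs against the cluster.
DEV_MACHINE_IPS="${DEV_MACHINE_IPS:-198.51.100.7/32}"

# Currently authorized ranges, one per line. `az aks update --api-server-authorized-ip-ranges`
# replaces the whole list, so anything not re-supplied here would silently be dropped.
current_ranges() {
  az aks show -g "$RG" -n "$AKS" \
    --query 'apiServerAccessProfile.authorizedIpRanges' -o tsv | tr '\t' '\n'
}

# Merge current and required ranges, deduplicated, into the comma-separated list the CLI expects.
merged_ranges() {
  # shellcheck disable=SC2086  # splitting the space-separated lists is intended
  { current_ranges; printf '%s\n' $DEVSPACES_RANGES $DEV_MACHINE_IPS; } \
    | grep -v '^$' | sort -u | tr '\n' ',' | sed 's/,$//'
}

update_authorized_ranges() {
  az aks update -g "$RG" -n "$AKS" --api-server-authorized-ip-ranges "$(merged_ranges)"
}

if [ "${1:-}" = "--apply" ]; then
  update_authorized_ranges
fi
```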

Using AKS private clusters

At this time, Azure Dev Spaces is not supported with AKS private clusters.

Using different endpoint options

Azure Dev Spaces has the option to expose endpoints for your services running on AKS. When enabling Azure Dev Spaces on your cluster, you have the following options for configuring the endpoint type for your cluster:

  • A public endpoint, which is the default, deploys an ingress controller with a public IP address. The public IP address is registered in the cluster's DNS, allowing public access to your services using a URL. You can view this URL using azds list-uris.
  • A private endpoint deploys an ingress controller with a private IP address. With a private IP address, the load balancer for your cluster is only accessible from inside the virtual network of the cluster. The private IP address of the load balancer is registered in the cluster's DNS so that services inside the cluster's virtual network can be accessed using a URL. You can view this URL using azds list-uris.
  • Setting none for the endpoint option causes no ingress controller to be deployed. With no ingress controller deployed, the Azure Dev Spaces routing capabilities will not work. Optionally, you can implement your own ingress controller solution using traefik or NGINX, which allows the routing capabilities to work again.

To configure your endpoint option, use -e or --endpoint when enabling Azure Dev Spaces on your cluster. For example:

Note

The endpoint option requires Azure CLI version 2.2.0 or later. Run az --version to find your version. If you need to install or upgrade, see Install Azure CLI.

az aks use-dev-spaces -g MyResourceGroup -n MyAKS -e private

Client requirements

Azure Dev Spaces uses client-side tooling, such as the Azure Dev Spaces CLI extension, the Visual Studio Code extension, and the Visual Studio extension, to communicate with your AKS cluster for debugging. To use the Azure Dev Spaces client-side tooling, allow traffic from the development machines to the Azure Dev Spaces infrastructure. If you use API server authorized IP ranges, you also need to allow the IP address of any development machine that connects to your AKS cluster for debugging, so that it can reach your API server.

Next steps

Learn more about how Azure Dev Spaces works.