Prerequisites for deploying App Service on Azure Stack Hub

Important

Update Azure Stack Hub to a supported version (or deploy the latest Azure Stack Development Kit) if necessary, before deploying or updating the App Service resource provider (RP). Be sure to read the RP release notes to learn about new functionality, fixes, and any known issues that could affect your deployment.

Supported Azure Stack Hub version | App Service RP version
2008 | 2020.Q3 Installer (release notes)
2005 | 2020.Q2 Installer (release notes)
2002 | 2020.Q2 Installer (release notes)

Before you deploy Azure App Service on Azure Stack Hub, you must complete the prerequisite steps in this article.

Before you get started

This section lists the prerequisites for both integrated system and Azure Stack Development Kit (ASDK) deployments.

Resource provider prerequisites

If you've already installed a resource provider, you've likely completed the following prerequisites and can skip this section. Otherwise, complete these steps before continuing:

  1. Register your Azure Stack Hub instance with Azure, if you haven't done so. This step is required because you'll be connecting to Azure and downloading items from it to the marketplace.

  2. If you're not familiar with the Marketplace Management feature of the Azure Stack Hub administrator portal, review Download marketplace items from Azure and publish to Azure Stack Hub. The article walks you through the process of downloading items from Azure to the Azure Stack Hub marketplace. It covers both connected and disconnected scenarios. If your Azure Stack Hub instance is disconnected or partially connected, there are additional prerequisites to complete in preparation for installation.

  3. Update your Azure Active Directory (Azure AD) home directory. Starting with build 1910, a new application must be registered in your home directory tenant. This app enables Azure Stack Hub to successfully create and register newer resource providers (like Event Hubs, IoT Hub, and others) with your Azure AD tenant. This is a one-time action that needs to be done after upgrading to build 1910 or newer. If this step isn't completed, marketplace resource provider installations will fail.

Installer and helper scripts

  1. Download the App Service on Azure Stack Hub deployment helper scripts.

  2. Download the App Service on Azure Stack Hub installer.

  3. Extract the files from the helper scripts .zip file. The following files and folders are extracted:

    • Common.ps1
    • Create-AADIdentityApp.ps1
    • Create-ADFSIdentityApp.ps1
    • Create-AppServiceCerts.ps1
    • Get-AzureStackRootCert.ps1
    • Modules folder
      • GraphAPI.psm1

Certificates and server configuration (Integrated Systems)

This section lists the prerequisites for integrated system deployments.

Certificate requirements

To run the resource provider in production, you must provide the following certificates:

  • Default domain certificate
  • API certificate
  • Publishing certificate
  • Identity certificate

Default domain certificate

The default domain certificate is placed on the front-end role. User apps for wildcard or default domain requests to Azure App Service use this certificate. The certificate is also used for source control operations (Kudu).

The certificate must be in .pfx format and should be a three-subject wildcard certificate. This requirement allows one certificate to cover both the default domain and the SCM endpoint for source control operations.

Format | Example
*.appservice.<region>.<DomainName>.<extension> | *.appservice.redmond.azurestack.external
*.scm.appservice.<region>.<DomainName>.<extension> | *.scm.appservice.redmond.azurestack.external
*.sso.appservice.<region>.<DomainName>.<extension> | *.sso.appservice.redmond.azurestack.external

API certificate

The API certificate is placed on the Management role. The resource provider uses it to help secure API calls. The certificate must contain a subject that matches the API DNS entry.

Format | Example
api.appservice.<region>.<DomainName>.<extension> | api.appservice.redmond.azurestack.external

Publishing certificate

The certificate for the Publisher role secures the FTPS traffic for app owners when they upload content. The certificate for publishing must contain a subject that matches the FTPS DNS entry.

Format | Example
ftp.appservice.<region>.<DomainName>.<extension> | ftp.appservice.redmond.azurestack.external

Identity certificate

The certificate for the identity app enables:

  • Integration between the Azure Active Directory (Azure AD) or Active Directory Federation Services (AD FS) directory, Azure Stack Hub, and App Service to support integration with the compute resource provider.
  • Single sign-on scenarios for advanced developer tools within Azure App Service on Azure Stack Hub.

The certificate for identity must contain a subject that matches the following format.

Format | Example
sso.appservice.<region>.<DomainName>.<extension> | sso.appservice.redmond.azurestack.external

Validate certificates

Before deploying the App Service resource provider, validate the certificates to be used with the Azure Stack Hub Readiness Checker tool, available from the PowerShell Gallery. The Azure Stack Hub Readiness Checker tool validates that the generated PKI certificates are suitable for App Service deployment.

As a best practice, when working with any of the necessary Azure Stack Hub PKI certificates, plan enough time to test and reissue certificates if necessary.
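
As an added example (not part of the original article and not the Readiness Checker tool itself), the PowerShell below performs a first-pass check of each App Service .pfx against the subject formats in the tables above: it opens the file, collects the subject CN and Subject Alternative Name DNS entries, confirms the names expected for the certificate's role are present for the given region and domain, and flags a missing private key or a certificate that is expired or close to expiry. The region "redmond", the domain "azurestack.external", the file paths and the function names are assumptions.

```powershell
# Added example: first-pass check of an App Service .pfx against the subject
# formats documented above. This is not the Readiness Checker; still run that
# tool before deployment. Region, domain and file paths below are assumed values.

function Get-ExpectedDnsNames {
    param(
        [Parameter(Mandatory)][ValidateSet('Default', 'Api', 'Publishing', 'Identity')][string]$Role,
        [Parameter(Mandatory)][string]$Region,   # <region>, e.g. redmond
        [Parameter(Mandatory)][string]$Domain    # <DomainName>.<extension>, e.g. azurestack.external
    )
    $suffix = "appservice.$Region.$Domain"
    switch ($Role) {
        'Default'    { @("*.$suffix", "*.scm.$suffix", "*.sso.$suffix") }  # three-subject wildcard
        'Api'        { @("api.$suffix") }
        'Publishing' { @("ftp.$suffix") }
        'Identity'   { @("sso.$suffix") }
    }
}

function Get-CertificateDnsNames {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $names = New-Object System.Collections.Generic.List[string]
    # Subject CN, if present
    $cn = $Certificate.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' } | Select-Object -First 1
    if ($cn) { $names.Add($cn.Substring(3).Trim()) }
    # Subject Alternative Name extension (OID 2.5.29.17); Format() yields "DNS Name=..." lines
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($line in ($san.Format($true) -split "`r?`n")) {
            if ($line -match '^DNS Name=(.+)$') { $names.Add($Matches[1].Trim()) }
        }
    }
    $names | Select-Object -Unique
}

function Test-AppServicePfx {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][securestring]$Password,
        [Parameter(Mandatory)][ValidateSet('Default', 'Api', 'Publishing', 'Identity')][string]$Role,
        [Parameter(Mandatory)][string]$Region,
        [Parameter(Mandatory)][string]$Domain
    )
    $problems = New-Object System.Collections.Generic.List[string]
    try {
        # Exportable: the installer later places the key on the role VMs
        $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path, $Password, $flags)
    } catch {
        return [pscustomobject]@{ Path = $Path; Role = $Role; Passed = $false
                                  Problems = @("Cannot open PFX: $($_.Exception.Message)") }
    }
    if (-not $cert.HasPrivateKey) { $problems.Add('PFX does not contain a private key') }
    if ($cert.NotBefore -gt (Get-Date)) { $problems.Add('Certificate is not yet valid') }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        $problems.Add("Certificate expires on $($cert.NotAfter.ToString('u')); plan reissue")
    }
    $present = @(Get-CertificateDnsNames -Certificate $cert)
    foreach ($expected in (Get-ExpectedDnsNames -Role $Role -Region $Region -Domain $Domain)) {
        if ($present -notcontains $expected) { $problems.Add("Missing subject/SAN entry: $expected") }
    }
    [pscustomobject]@{
        Path     = $Path
        Role     = $Role
        Subject  = $cert.Subject
        DnsNames = $present
        Passed   = ($problems.Count -eq 0)
        Problems = $problems.ToArray()
    }
}

# Usage with assumed values; the Readiness Checker remains the authoritative validation.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$region = 'redmond'; $domain = 'azurestack.external'
@(
    @{ Path = 'C:\AppServiceCerts\default-domain.pfx'; Role = 'Default' }
    @{ Path = 'C:\AppServiceCerts\api.pfx';            Role = 'Api' }
    @{ Path = 'C:\AppServiceCerts\ftp.pfx';            Role = 'Publishing' }
    @{ Path = 'C:\AppServiceCerts\sso.pfx';            Role = 'Identity' }
) | ForEach-Object {
    Test-AppServicePfx -Path $_.Path -Password $pfxPassword -Role $_.Role -Region $region -Domain $domain
} | Format-List Path, Role, Passed, Problems
```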

Prepare the file server

Azure App Service requires the use of a file server. For production deployments, the file server must be configured to be highly available and capable of handling failures.

Quickstart template for highly available file server and SQL Server

A reference architecture quickstart template is available that deploys a file server and SQL Server. This template supports Active Directory infrastructure in a virtual network configured to support a highly available deployment of Azure App Service on Azure Stack Hub.

Note

The integrated system instance must be able to download resources from GitHub in order to complete the deployment.

Steps to deploy a custom file server

Important

If you choose to deploy App Service in an existing virtual network, the file server should be deployed into a separate subnet from App Service.

Note

If you have chosen to deploy a file server using either of the Quickstart templates mentioned above, you can skip this section, because the file servers are configured as part of the template deployment.

Provision groups and accounts in Active Directory

  1. Create the following Active Directory global security groups:

    • FileShareOwners
    • FileShareUsers

  2. Create the following Active Directory accounts as service accounts:

    • FileShareOwner
    • FileShareUser

    As a security best practice, the users for these accounts (and for all web roles) should be unique and have strong usernames and passwords. Set the passwords with the following conditions:

    • Enable Password never expires.
    • Enable User cannot change password.
    • Disable User must change password at next logon.

  3. Add the accounts to the group memberships as follows:

    • Add FileShareOwner to the FileShareOwners group.
    • Add FileShareUser to the FileShareUsers group.

Provision groups and accounts in a workgroup

Note

When you're configuring a file server, run all the following commands from an Administrator Command Prompt. Don't use PowerShell.

When you use the Azure Resource Manager template, the users are already created.

  1. Run the following commands to create the FileShareOwner and FileShareUser accounts. Replace <password> with your own values.

    net user FileShareOwner <password> /add /expires:never /passwordchg:no
    net user FileShareUser <password> /add /expires:never /passwordchg:no
    
  2. Set the passwords for the accounts to never expire by running the following WMIC commands:

    WMIC USERACCOUNT WHERE "Name='FileShareOwner'" SET PasswordExpires=FALSE
    WMIC USERACCOUNT WHERE "Name='FileShareUser'" SET PasswordExpires=FALSE
    
  3. Create the local groups FileShareUsers and FileShareOwners, and add the accounts from the first step to them:

    net localgroup FileShareUsers /add
    net localgroup FileShareUsers FileShareUser /add
    net localgroup FileShareOwners /add
    net localgroup FileShareOwners FileShareOwner /add
    

Provision the content share

The content share contains tenant website content. The procedure to provision the content share on a single file server is the same for both Active Directory and workgroup environments, but it's different for a failover cluster in Active Directory.

Provision the content share on a single file server (Active Directory or workgroup)

On a single file server, run the following commands at an elevated command prompt. Replace the value for C:\WebSites with the corresponding path in your environment.

set WEBSITES_SHARE=WebSites
set WEBSITES_FOLDER=C:\WebSites
md %WEBSITES_FOLDER%
net share %WEBSITES_SHARE% /delete
net share %WEBSITES_SHARE%=%WEBSITES_FOLDER% /grant:Everyone,full

Configure access control to the shares

Run the following commands at an elevated command prompt on the file server or on the failover cluster node that is the current cluster resource owner. Replace the placeholder values (such as <DOMAIN> and C:\WebSites) with values that are specific to your environment.

Active Directory

set DOMAIN=<DOMAIN>
set WEBSITES_FOLDER=C:\WebSites
icacls %WEBSITES_FOLDER% /reset
icacls %WEBSITES_FOLDER% /grant Administrators:(OI)(CI)(F)
icacls %WEBSITES_FOLDER% /grant %DOMAIN%\FileShareOwners:(OI)(CI)(M)
icacls %WEBSITES_FOLDER% /inheritance:r
icacls %WEBSITES_FOLDER% /grant %DOMAIN%\FileShareUsers:(CI)(S,X,RA)
icacls %WEBSITES_FOLDER% /grant *S-1-1-0:(OI)(CI)(IO)(RA,REA,RD)

Workgroup

set WEBSITES_FOLDER=C:\WebSites
icacls %WEBSITES_FOLDER% /reset
icacls %WEBSITES_FOLDER% /grant Administrators:(OI)(CI)(F)
icacls %WEBSITES_FOLDER% /grant FileShareOwners:(OI)(CI)(M)
icacls %WEBSITES_FOLDER% /inheritance:r
icacls %WEBSITES_FOLDER% /grant FileShareUsers:(CI)(S,X,RA)
icacls %WEBSITES_FOLDER% /grant *S-1-1-0:(OI)(CI)(IO)(RA,REA,RD)
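
As an added check (example code, not part of the original article), the PowerShell function below audits the NTFS ACL on the content folder after the icacls commands above have run: it confirms that inheritance is disabled, that the four expected ACEs (Administrators, FileShareOwners, FileShareUsers and Everyone) carry the documented rights and inheritance flags, and it reports any extra explicit ACE, since an unintended grant on this folder exposes every tenant's site content. The path C:\WebSites and the share name WebSites are the article's; the function name is an assumption, and account names are matched without the domain or machine prefix so that both the Active Directory and the workgroup forms are covered.

```powershell
# Added example: read-only audit of the content folder's NTFS ACL after the
# icacls commands above. Identity names are compared without the domain or
# machine prefix, so <DOMAIN>\FileShareOwners and FILESERVER\FileShareOwners
# both match; "*S-1-1-0" in icacls is reported by Get-Acl as "Everyone".
using namespace System.Security.AccessControl

# Expected explicit ACEs, one per icacls /grant line in the article.
$ContentShareExpectedAcl = @(
    @{ Identity = 'Administrators';  Rights = [FileSystemRights]::FullControl
       Inherit = 'ContainerInherit, ObjectInherit'; Propagation = 'None' }        # (OI)(CI)(F)
    @{ Identity = 'FileShareOwners'; Rights = [FileSystemRights]::Modify
       Inherit = 'ContainerInherit, ObjectInherit'; Propagation = 'None' }        # (OI)(CI)(M)
    @{ Identity = 'FileShareUsers';  Rights = [FileSystemRights]'Synchronize, ExecuteFile, ReadAttributes'
       Inherit = 'ContainerInherit'; Propagation = 'None' }                       # (CI)(S,X,RA)
    @{ Identity = 'Everyone';        Rights = [FileSystemRights]'ReadAttributes, ReadExtendedAttributes, ReadData'
       Inherit = 'ContainerInherit, ObjectInherit'; Propagation = 'InheritOnly' } # (OI)(CI)(IO)(RA,REA,RD)
)

function Test-ContentShareAcl {
    param(
        [Parameter(Mandatory)][string]$Path,   # folder from the article, e.g. C:\WebSites
        [string]$ShareName = 'WebSites'        # share created by "net share" above
    )
    $problems = New-Object System.Collections.Generic.List[string]

    # The share itself is deliberately Everyone/Full; NTFS is where access is restricted.
    $share = Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue
    if (-not $share) { $problems.Add("Share '$ShareName' does not exist") }
    elseif ($share.Path -ine $Path) { $problems.Add("Share '$ShareName' points at '$($share.Path)', not '$Path'") }

    $acl = Get-Acl -LiteralPath $Path
    if (-not $acl.AreAccessRulesProtected) {
        $problems.Add('Inheritance is still enabled; icacls /inheritance:r was not applied')
    }

    $sync = [FileSystemRights]::Synchronize
    $seen = @{}
    foreach ($rule in ($acl.Access | Where-Object { -not $_.IsInherited })) {
        $name = ($rule.IdentityReference.Value -split '\\')[-1]
        $expected = $ContentShareExpectedAcl | Where-Object { $_.Identity -ieq $name } | Select-Object -First 1
        if (-not $expected) {
            # Any principal not in the article's list can reach tenant content: flag it.
            $problems.Add("Unexpected explicit ACE: $($rule.IdentityReference) $($rule.AccessControlType) $($rule.FileSystemRights)")
            continue
        }
        $seen[$expected.Identity] = $true
        if ($rule.AccessControlType -ne [AccessControlType]::Allow) {
            $problems.Add("${name}: Deny ACE present where an Allow ACE is expected")
            continue
        }
        if ($rule.InheritanceFlags -ne [InheritanceFlags]$expected.Inherit -or
            $rule.PropagationFlags -ne [PropagationFlags]$expected.Propagation) {
            $problems.Add("${name}: inheritance is ($($rule.InheritanceFlags); $($rule.PropagationFlags)), expected ($($expected.Inherit); $($expected.Propagation))")
        }
        # icacls records SYNCHRONIZE alongside generic rights such as M and F; ignore that bit.
        if (($rule.FileSystemRights -bor $sync) -ne ($expected.Rights -bor $sync)) {
            $problems.Add("${name}: rights are '$($rule.FileSystemRights)', expected '$($expected.Rights)'")
        }
    }
    foreach ($expected in $ContentShareExpectedAcl) {
        if (-not $seen.ContainsKey($expected.Identity)) { $problems.Add("Missing ACE for $($expected.Identity)") }
    }

    [pscustomobject]@{
        Path     = $Path
        Passed   = ($problems.Count -eq 0)
        Problems = $problems.ToArray()
    }
}

Test-ContentShareAcl -Path 'C:\WebSites' | Format-List
```

On a failover cluster, run it on the node that currently owns the cluster resource, as the article says for the icacls commands themselves.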

Prepare the SQL Server instance

Note

If you've chosen to deploy the Quickstart template for Highly Available File Server and SQL Server, you can skip this section, because the template deploys and configures SQL Server in an HA configuration.

For the Azure App Service on Azure Stack Hub hosting and metering databases, you must prepare a SQL Server instance to hold the App Service databases.

For production and high-availability purposes, you should use a full version of SQL Server 2014 SP2 or later, enable mixed-mode authentication, and deploy in a highly available configuration.

The SQL Server instance for Azure App Service on Azure Stack Hub must be accessible from all App Service roles. You can deploy SQL Server within the Default Provider Subscription in Azure Stack Hub, or you can use existing infrastructure within your organization (as long as there's connectivity to Azure Stack Hub). If you're using an Azure Marketplace image, remember to configure the firewall accordingly.

Note

A number of SQL IaaS VM images are available through the Marketplace Management feature. Make sure you always download the latest version of the SQL IaaS Extension before you deploy a VM using a Marketplace item. The SQL images are the same as the SQL VMs that are available in Azure. For SQL VMs created from these images, the IaaS extension and corresponding portal enhancements provide features such as automatic patching and backup capabilities.

For any of the SQL Server roles, you can use a default instance or a named instance. If you use a named instance, be sure to manually start the SQL Server Browser service and open port 1434.

The App Service installer checks that the SQL Server has database containment enabled. To enable database containment on the SQL Server that will host the App Service databases, run these SQL commands:

sp_configure 'contained database authentication', 1;
GO
RECONFIGURE;
GO

Certificates and server configuration (ASDK)

This section lists the prerequisites for ASDK deployments.

Certificates required for ASDK deployment of Azure App Service

The Create-AppServiceCerts.ps1 script works with the Azure Stack Hub certificate authority to create the four certificates that App Service needs.

File name | Use
.appservice.local.azurestack.external.pfx | App Service default SSL certificate
api.appservice.local.azurestack.external.pfx | App Service API SSL certificate
ftp.appservice.local.azurestack.external.pfx | App Service publisher SSL certificate
sso.appservice.local.azurestack.external.pfx | App Service identity application certificate

To create the certificates, follow these steps:

  1. Sign in to the ASDK host using the AzureStack\AzureStackAdmin account.
  2. Open an elevated PowerShell session.
  3. Run the Create-AppServiceCerts.ps1 script from the folder where you extracted the helper scripts. This script creates, in the same folder as the script, the four certificates that App Service needs.
  4. Enter a password to secure the .pfx files, and make a note of it. You must enter it later, in the App Service on Azure Stack Hub installer.

Create-AppServiceCerts.ps1 script parameters

Parameter | Required or optional | Default value | Description
pfxPassword | Required | Null | Password that helps protect the certificate private key
DomainName | Required | local.azurestack.external | Azure Stack Hub region and domain suffix

Quickstart template for file server for deployments of Azure App Service on ASDK

For ASDK deployments only, you can use the example Azure Resource Manager deployment template to deploy a configured single-node file server. The single-node file server will be in a workgroup.

Note

The ASDK instance must be able to download resources from GitHub in order to complete the deployment.

SQL Server instance

For the Azure App Service on Azure Stack Hub hosting and metering databases, you must prepare a SQL Server instance to hold the App Service databases.

For ASDK deployments, you can use SQL Server Express 2014 SP2 or later. SQL Server must be configured to support Mixed Mode authentication, because App Service on Azure Stack Hub does not support Windows Authentication.

The SQL Server instance for Azure App Service on Azure Stack Hub must be accessible from all App Service roles. You can deploy SQL Server within the Default Provider Subscription in Azure Stack Hub, or you can use existing infrastructure within your organization (as long as there's connectivity to Azure Stack Hub). If you're using an Azure Marketplace image, remember to configure the firewall accordingly.

Note

A number of SQL IaaS VM images are available through the Marketplace Management feature. Make sure you always download the latest version of the SQL IaaS Extension before you deploy a VM using a Marketplace item. The SQL images are the same as the SQL VMs that are available in Azure. For SQL VMs created from these images, the IaaS extension and corresponding portal enhancements provide features such as automatic patching and backup capabilities.

For any of the SQL Server roles, you can use a default instance or a named instance. If you use a named instance, be sure to manually start the SQL Server Browser service and open port 1434.

The App Service installer checks that the SQL Server has database containment enabled. To enable database containment on the SQL Server that will host the App Service databases, run these SQL commands:

sp_configure 'contained database authentication', 1;
GO
RECONFIGURE;
GO

Licensing concerns for required file server and SQL Server

Azure App Service on Azure Stack Hub requires a file server and SQL Server to operate. You're free to use pre-existing resources located outside of your Azure Stack Hub deployment or to deploy resources within your Azure Stack Hub Default Provider Subscription.

If you choose to deploy the resources within your Azure Stack Hub Default Provider Subscription, the licenses for those resources (Windows Server licenses and SQL Server licenses) are included in the cost of Azure App Service on Azure Stack Hub, subject to the following constraints:

  • the infrastructure is deployed into the Default Provider Subscription;
  • the infrastructure is used exclusively by the Azure App Service on Azure Stack Hub resource provider. No other workloads, whether administrative (other resource providers, for example SQL-RP) or tenant (for example, tenant apps that require a database), are permitted to make use of this infrastructure.

Operational responsibility of file and SQL servers

Cloud operators are responsible for the maintenance and operation of the file server and SQL Server. The resource provider does not manage these resources. The cloud operator is responsible for backing up the App Service databases and the tenant content file share.

Retrieve the Azure Resource Manager root certificate for Azure Stack Hub

Open an elevated PowerShell session on a computer that can reach the privileged endpoint on the Azure Stack Hub integrated system or ASDK host.

Run the Get-AzureStackRootCert.ps1 script from the folder where you extracted the helper scripts. The script creates, in the same folder as the script, the root certificate that App Service needs for creating certificates.

When you run the following PowerShell command, you have to provide the privileged endpoint and the credentials for AzureStack\CloudAdmin.

    Get-AzureStackRootCert.ps1

Get-AzureStackRootCert.ps1 script parameters

Parameter | Required or optional | Default value | Description
PrivilegedEndpoint | Required | AzS-ERCS01 | Privileged endpoint
CloudAdminCredential | Required | AzureStack\CloudAdmin | Domain account credential for Azure Stack Hub cloud admins

Network and identity configuration

Virtual network

Note

Pre-creating a custom virtual network is optional, because Azure App Service on Azure Stack Hub can create the required virtual network; it will then, however, need to communicate with the SQL and file servers via public IP addresses. If you use the App Service HA File Server and SQL Server Quickstart template to deploy the prerequisite SQL and file server resources, the template also deploys a virtual network.

Azure App Service on Azure Stack Hub lets you deploy the resource provider to an existing virtual network or create a virtual network as part of the deployment. Using an existing virtual network enables the use of internal IPs to connect to the file server and SQL Server required by Azure App Service on Azure Stack Hub. The virtual network must be configured with the following address range and subnets before you install Azure App Service on Azure Stack Hub:

Virtual network - /16

Subnets

  • ControllersSubnet /24
  • ManagementServersSubnet /24
  • FrontEndsSubnet /24
  • PublishersSubnet /24
  • WorkersSubnet /21

Important

If you choose to deploy App Service in an existing virtual network, the SQL Server should be deployed into a separate subnet from App Service and the file server.

Create an identity application to enable SSO scenarios

Azure App Service uses an identity application (service principal) to support the following operations:

  • Virtual machine scale set integration on worker tiers.
  • SSO for the Azure Functions portal and advanced developer tools (Kudu).

Depending on which identity provider the Azure Stack Hub is using, Azure Active Directory (Azure AD) or Active Directory Federation Services (ADFS), you must follow the appropriate steps below to create the service principal for use by the Azure App Service on Azure Stack Hub resource provider.

Create an Azure AD app

Follow these steps to create the service principal in your Azure AD tenant:

  1. Open a PowerShell instance as azurestack\AzureStackAdmin.
  2. Go to the location of the scripts that you downloaded and extracted in the prerequisite step.
  3. Install PowerShell for Azure Stack Hub.
  4. Run the Create-AADIdentityApp.ps1 script. When you're prompted, enter the Azure AD tenant ID that you're using for your Azure Stack Hub deployment. For example, enter myazurestack.onmicrosoft.com.
  5. In the Credential window, enter your Azure AD service admin account and password. Select OK.
  6. Enter the certificate file path and certificate password for the certificate created earlier. The certificate created for this step by default is sso.appservice.local.azurestack.external.pfx.
  7. Make note of the application ID that's returned in the PowerShell output. You use the ID in the following steps to provide consent for the application's permissions, and during installation.
  8. Open a new browser window, and sign in to the Azure portal as the Azure Active Directory service admin.
  9. Open the Azure Active Directory service.
  10. Select App Registrations in the left pane.
  11. Search for the application ID you noted in step 7.
  12. Select the App Service application registration from the list.
  13. Select API permissions in the left pane.
  14. Select Grant admin consent for <tenant>, where <tenant> is the name of your Azure AD tenant. Confirm the consent grant by selecting Yes.

Create-AADIdentityApp.ps1 script parameters

Parameter | Required or optional | Default value | Description
DirectoryTenantName | Required | Null | Azure AD tenant ID. Provide the GUID or string. An example is myazureaaddirectory.onmicrosoft.com.
AdminArmEndpoint | Required | Null | Admin Azure Resource Manager endpoint. An example is adminmanagement.local.azurestack.external.
TenantARMEndpoint | Required | Null | Tenant Azure Resource Manager endpoint. An example is management.local.azurestack.external.
AzureStackAdminCredential | Required | Null | Azure AD service admin credential.
CertificateFilePath | Required | Null | Full path to the identity application certificate file generated earlier.
CertificatePassword | Required | Null | Password that helps protect the certificate private key.
Environment | Optional | AzureCloud | The name of the supported cloud environment in which the target Azure Active Directory Graph Service is available. Allowed values: 'AzureCloud', 'AzureChinaCloud', 'AzureUSGovernment', 'AzureGermanCloud'.

Create an ADFS app

  1. Open a PowerShell instance as azurestack\AzureStackAdmin.
  2. Go to the location of the scripts that you downloaded and extracted in the prerequisite step.
  3. Install PowerShell for Azure Stack Hub.
  4. Run the Create-ADFSIdentityApp.ps1 script.
  5. In the Credential window, enter your AD FS cloud admin account and password. Select OK.
  6. Provide the certificate file path and certificate password for the certificate created earlier. The certificate created for this step by default is sso.appservice.local.azurestack.external.pfx.

Create-ADFSIdentityApp.ps1 script parameters

Parameter | Required or optional | Default value | Description
AdminArmEndpoint | Required | Null | Admin Azure Resource Manager endpoint. An example is adminmanagement.local.azurestack.external.
PrivilegedEndpoint | Required | Null | Privileged endpoint. An example is AzS-ERCS01.
CloudAdminCredential | Required | Null | Domain account credential for Azure Stack Hub cloud admins. An example is Azurestack\CloudAdmin.
CertificateFilePath | Required | Null | Full path to the identity application's certificate PFX file.
CertificatePassword | Required | Null | Password that helps protect the certificate private key.

Download items from the Azure Marketplace

Azure App Service on Azure Stack Hub requires items to be downloaded from the Azure Marketplace, making them available in the Azure Stack Hub Marketplace. These items must be downloaded before you start the deployment or upgrade of Azure App Service on Azure Stack Hub:

Important

Windows Server Core is not a supported platform image for use with Azure App Service on Azure Stack Hub.

Do not use evaluation images for production deployments.

  1. The latest version of the Windows Server 2016 Datacenter VM image.
  2. Windows Server 2016 Datacenter Full VM image with Microsoft .NET 3.5.1 SP1 activated. Azure App Service on Azure Stack Hub requires that Microsoft .NET 3.5.1 SP1 is activated on the image used for deployment. Marketplace-syndicated Windows Server 2016 images don't have this feature enabled, and in disconnected environments they are unable to reach Microsoft Update to download the packages to install via DISM. Therefore, for disconnected deployments you must create and use a Windows Server 2016 image with this feature pre-enabled.

    See Add a custom VM image to Azure Stack Hub for details on creating a custom image and adding it to the Marketplace. Be sure to specify the following properties when adding the image to the Marketplace:

    • Publisher = MicrosoftWindowsServer
    • Offer = WindowsServer
    • SKU = 2016-Datacenter
    • Version = Specify the "latest" version
  3. Custom Script Extension v1.9.1 or greater. This item is a VM extension.

Next steps

Install the App Service resource provider