Prepare for extension host in Azure Stack Hub

The extension host secures Azure Stack Hub by reducing the number of required TCP/IP ports. This article looks at preparing Azure Stack Hub for the extension host, which is automatically enabled through an Azure Stack Hub update package after the 1808 update. This article applies to Azure Stack Hub updates 1808, 1809, and 1811.

Certificate requirements

The extension host implements two new domain namespaces to guarantee unique host entries for each portal extension. The new domain namespaces require two additional wildcard certificates to ensure secure communication.

The following table shows the new namespaces and the associated certificates:

Deployment folder | Required certificate subject and subject alternative names (SAN) | Scope (per region) | Subdomain namespace
Admin extension host | *.adminhosting.<region>.<fqdn> (wildcard SSL certificate) | Admin extension host | adminhosting.<region>.<fqdn>
Public extension host | *.hosting.<region>.<fqdn> (wildcard SSL certificate) | Public extension host | hosting.<region>.<fqdn>

For detailed certificate requirements, see Azure Stack Hub public key infrastructure certificate requirements.

Create certificate signing request

The Azure Stack Hub Readiness Checker tool lets you create a certificate signing request for the two new, required SSL certificates. Follow the steps in the article Azure Stack Hub certificate signing request generation.

Note

You may skip this step depending on how you requested your SSL certificates.

Validate new certificates

  1. Open PowerShell with elevated permissions on the hardware lifecycle host or the Azure Stack Hub management workstation.

  2. Run the following cmdlet to install the Azure Stack Hub Readiness Checker tool:

    Install-Module -Name Microsoft.AzureStack.ReadinessChecker
    
  3. Run the following script to create the required folder structure:

    # Root folder for all certificates; -Force makes the script safe to re-run.
    New-Item C:\Certificates -ItemType Directory -Force
    
    # One subfolder per endpoint certificate, including the two new extension host folders.
    $directories = 'ACSBlob','ACSQueue','ACSTable','Admin Portal','ARM Admin','ARM Public','KeyVault','KeyVaultInternal','Public Portal', 'Admin extension host', 'Public extension host'
    
    $destination = 'c:\certificates'
    
    $directories | ForEach-Object { New-Item -Path (Join-Path $destination $PSItem) -ItemType Directory -Force }
    

    Note

    If you deploy with Active Directory Federation Services (AD FS), the following directories must be added to $directories in the script: ADFS, Graph.

  4. Place the existing certificates, the ones you're currently using in Azure Stack Hub, in the appropriate directories. For example, put the Admin ARM certificate in the ARM Admin folder. Then put the newly created hosting certificates in the Admin extension host and Public extension host directories.

  5. Run the following cmdlet to start the certificate check:

    $pfxPassword = Read-Host -Prompt "Enter PFX Password" -AsSecureString 
    
    Start-AzsReadinessChecker -CertificatePath c:\certificates -pfxPassword $pfxPassword -RegionName east -FQDN azurestack.contoso.com -IdentitySystem AAD
    
  6. Check the output and confirm that all certificates pass all tests.

Import extension host certificates

  1. Use a computer that can connect to the Azure Stack Hub privileged endpoint for the next steps. Make sure you have access to the new certificate files from that computer.

  2. Open PowerShell ISE to execute the next script blocks.

  3. Import the certificate for the admin hosting endpoint.

    
    $CertPassword = Read-Host -AsSecureString -Prompt "Certificate Password"
    
    $CloudAdminCred = Get-Credential -UserName <Privileged endpoint credentials> -Message "Enter the cloud domain credentials to access the privileged endpoint."
    
    # Read the PFX as raw bytes so it can be passed over the PEP session (-Encoding Byte is Windows PowerShell 5.1 syntax).
    # The file is in the Admin extension host folder created in the validation step.
    [Byte[]]$AdminHostingCertContent = [Byte[]](Get-Content 'c:\certificates\Admin extension host\myadminhostingcertificate.pfx' -Encoding Byte)
    
    Invoke-Command -ComputerName <PrivilegedEndpoint computer name> `
    -Credential $CloudAdminCred `
    -ConfigurationName "PrivilegedEndpoint" `
    -ArgumentList @($AdminHostingCertContent, $CertPassword) `
    -ScriptBlock {
            param($AdminHostingCertContent, $CertPassword)
            Import-AdminHostingServiceCert $AdminHostingCertContent $CertPassword
    }
    
  4. Import the certificate for the user hosting endpoint.

    $CertPassword = Read-Host -AsSecureString -Prompt "Certificate Password"
    
    $CloudAdminCred = Get-Credential -UserName <Privileged endpoint credentials> -Message "Enter the cloud domain credentials to access the privileged endpoint."
    
    # Read the PFX from the Public extension host folder created in the validation step.
    [Byte[]]$HostingCertContent = [Byte[]](Get-Content 'c:\certificates\Public extension host\myhostingcertificate.pfx' -Encoding Byte)
    
    Invoke-Command -ComputerName <PrivilegedEndpoint computer name> `
    -Credential $CloudAdminCred `
    -ConfigurationName "PrivilegedEndpoint" `
    -ArgumentList @($HostingCertContent, $CertPassword) `
    -ScriptBlock {
            param($HostingCertContent, $CertPassword)
            Import-UserHostingServiceCert $HostingCertContent $CertPassword
    }
    
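The validation and import steps above can be combined so that a bad file is rejected before anything is sent to the privileged endpoint. The following script is an added example, not code from the original article or from Microsoft: it opens each PFX locally with the supplied password, checks that it carries a private key, is not about to expire, and that its SAN list contains the expected wildcard name from the namespace table, and only then imports both certificates over one PEP session. The PEP name, region, FQDN and PFX file names are assumptions; it requires Windows PowerShell 5.1 with the PKI module (Get-PfxData).

```powershell
# Added example, not code from the original article or from Microsoft: validate both hosting
# PFX files locally, then import them over a single privileged endpoint (PEP) session.
# Assumptions (not in the article): the PEP name, region, FQDN and the PFX file names below.
# Requires Windows PowerShell 5.1 with the PKI module (Get-PfxData).

$PepName = '<PrivilegedEndpoint computer name>'   # assumption: ERCS VM name or IP
$Region  = 'east'                                  # assumption: region name
$Fqdn    = 'azurestack.contoso.com'                # assumption: external FQDN

$CertPassword   = Read-Host -AsSecureString -Prompt 'Certificate Password'
$CloudAdminCred = Get-Credential -Message 'CloudAdmin credentials for the privileged endpoint'

# Fail early, locally, before any bytes are sent to the PEP: wrong password, missing private
# key, near-expired certificate, or a SAN list that doesn't carry the expected wildcard.
function Test-HostingPfx {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][SecureString]$Password,
        [Parameter(Mandatory)][string]$ExpectedName   # e.g. *.adminhosting.east.azurestack.contoso.com
    )
    try {
        $cert = (Get-PfxData -FilePath $Path -Password $Password -ErrorAction Stop).EndEntityCertificates[0]
    } catch {
        throw "Cannot open '$Path' with the supplied password: $($_.Exception.Message)"
    }
    if (-not $cert.HasPrivateKey) { throw "'$Path' does not contain a private key" }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { throw "'$Path' expires on $($cert.NotAfter); renew it first" }
    # Subject Alternative Name extension (OID 2.5.29.17) renders as "DNS Name=a, DNS Name=b" on Windows.
    $san   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $names = if ($san) { ($san.Format($false) -split ',\s*') -replace '^DNS Name=', '' } else { @() }
    if ($names -notcontains $ExpectedName) {
        throw "'$Path' SAN list [$($names -join ', ')] does not contain $ExpectedName"
    }
    return $cert.Thumbprint
}

# Expected wildcard names come from the namespace table in this article; the file names are assumptions.
$Certs = @(
    @{ Path   = 'c:\certificates\Admin extension host\myadminhostingcertificate.pfx'
       Name   = "*.adminhosting.$Region.$Fqdn"
       Import = { param($Content, $Password) Import-AdminHostingServiceCert $Content $Password } },
    @{ Path   = 'c:\certificates\Public extension host\myhostingcertificate.pfx'
       Name   = "*.hosting.$Region.$Fqdn"
       Import = { param($Content, $Password) Import-UserHostingServiceCert $Content $Password } }
)

foreach ($c in $Certs) {
    $thumb = Test-HostingPfx -Path $c.Path -Password $CertPassword -ExpectedName $c.Name
    Write-Host "Validated $($c.Name) (thumbprint $thumb)"
}

# One PEP session for both imports; the PFX bytes and the password travel over the WinRM channel.
$Session = New-PSSession -ComputerName $PepName -Credential $CloudAdminCred -ConfigurationName 'PrivilegedEndpoint'
try {
    foreach ($c in $Certs) {
        # ReadAllBytes works in both Windows PowerShell and PowerShell 7 (Get-Content -Encoding Byte does not).
        $bytes = [System.IO.File]::ReadAllBytes($c.Path)
        Invoke-Command -Session $Session -ScriptBlock $c.Import -ArgumentList $bytes, $CertPassword
        Write-Host "Imported $($c.Name)"
    }
} finally {
    Remove-PSSession -Session $Session
}
```

The script stops on the first failing file, so an expired or mis-issued certificate never reaches the stamp. The expected names are built from the same region and FQDN values you pass to Start-AzsReadinessChecker; if they differ from what your CA issued, the SAN check reports the full list it found.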

Update DNS configuration

Note

This step isn't required if you used DNS zone delegation for DNS integration. If individual host A records have been configured to publish Azure Stack Hub endpoints, you need to create two additional host A records:

IP | Hostname | Type
<IP> | *.Adminhosting.<Region>.<FQDN> | A
<IP> | *.Hosting.<Region>.<FQDN> | A

The allocated IPs can be retrieved from the privileged endpoint by running the cmdlet Get-AzureStackStampInformation.

Ports and protocols

The article Azure Stack Hub datacenter integration - Publish endpoints covers the ports and protocols that require inbound communication to publish Azure Stack Hub before the extension host rollout.

Publish new endpoints

Two new endpoints must be published through your firewall. The IPs allocated from the public VIP pool can be retrieved with the following script, which must be run against your Azure Stack Hub environment's privileged endpoint.

# Create a PEP session. The ERCS VM must be in the client's WinRM TrustedHosts list first.
winrm s winrm/config/client '@{TrustedHosts= "<IpOfERCSMachine>"}'
$PEPCreds = Get-Credential
$PEPSession = New-PSSession -ComputerName <IpOfERCSMachine> -Credential $PEPCreds -ConfigurationName "PrivilegedEndpoint"

# Obtain the external DNS servers and the extension host endpoints from the stamp information.
# The endpoints come back as https://*.hosting.<region>.<fqdn>/ ; the TenantHosting/AdminHosting
# columns swap the wildcard for the literal label "testdnsentry" so the name can be resolved, while
# the *DNS columns keep the wildcard form that goes into the A record.
$StampInformation = Invoke-Command $PEPSession {Get-AzureStackStampInformation} | Select-Object -Property ExternalDNSIPAddress01, ExternalDNSIPAddress02,
    @{n="TenantHosting";e={($_.TenantExternalEndpoints.TenantHosting) -replace "https://*.","testdnsentry" -replace "/"}},
    @{n="AdminHosting";e={($_.AdminExternalEndpoints.AdminHosting) -replace "https://*.","testdnsentry" -replace "/"}},
    @{n="TenantHostingDNS";e={($_.TenantExternalEndpoints.TenantHosting) -replace "https://","" -replace "/"}},
    @{n="AdminHostingDNS";e={($_.AdminExternalEndpoints.AdminHosting) -replace "https://","" -replace "/"}}

# Prefer the stamp's own external DNS servers; fall back to the client's resolver if they aren't reachable.
If (Resolve-DnsName -Server $StampInformation.ExternalDNSIPAddress01 -Name $StampInformation.TenantHosting -ErrorAction SilentlyContinue) {
    Write-Host "Can access AZS DNS" -ForegroundColor Green
    $AdminIP = (Resolve-DnsName -Server $StampInformation.ExternalDNSIPAddress02 -Name $StampInformation.AdminHosting).IPAddress
    Write-Host "The IP for the Admin Extension Host is: $($StampInformation.AdminHostingDNS) - is: $($AdminIP)" -ForegroundColor Yellow
    Write-Host "The Record to be added in the DNS zone: Type A, Name: $($StampInformation.AdminHostingDNS), Value: $($AdminIP)" -ForegroundColor Green
    $TenantIP = (Resolve-DnsName -Server $StampInformation.ExternalDNSIPAddress01 -Name $StampInformation.TenantHosting).IPAddress
    Write-Host "The IP address for the Tenant Extension Host is $($StampInformation.TenantHostingDNS) - is: $($TenantIP)" -ForegroundColor Yellow
    Write-Host "The Record to be added in the DNS zone: Type A, Name: $($StampInformation.TenantHostingDNS), Value: $($TenantIP)" -ForegroundColor Green
}
Else {
    Write-Host "Cannot access AZS DNS" -ForegroundColor Yellow
    $AdminIP = (Resolve-DnsName -Name $StampInformation.AdminHosting).IPAddress
    Write-Host "The IP for the Admin Extension Host is: $($StampInformation.AdminHostingDNS) - is: $($AdminIP)" -ForegroundColor Yellow
    Write-Host "The Record to be added in the DNS zone: Type A, Name: $($StampInformation.AdminHostingDNS), Value: $($AdminIP)" -ForegroundColor Green
    $TenantIP = (Resolve-DnsName -Name $StampInformation.TenantHosting).IPAddress
    Write-Host "The IP address for the Tenant Extension Host is $($StampInformation.TenantHostingDNS) - is: $($TenantIP)" -ForegroundColor Yellow
    Write-Host "The Record to be added in the DNS zone: Type A, Name: $($StampInformation.TenantHostingDNS), Value: $($TenantIP)" -ForegroundColor Green
}
Remove-PSSession -Session $PEPSession

Sample output

Can access AZS DNS
The IP for the Admin Extension Host is: *.adminhosting.<region>.<fqdn> - is: xxx.xxx.xxx.xxx
The Record to be added in the DNS zone: Type A, Name: *.adminhosting.<region>.<fqdn>, Value: xxx.xxx.xxx.xxx
The IP address for the Tenant Extension Host is *.hosting.<region>.<fqdn> - is: xxx.xxx.xxx.xxx
The Record to be added in the DNS zone: Type A, Name: *.hosting.<region>.<fqdn>, Value: xxx.xxx.xxx.xxx

Note

Make this change before enabling the extension host. This keeps the Azure Stack Hub portals continuously accessible.

Endpoint (VIP) | Protocol | Ports
Admin Hosting | HTTPS | 443
Hosting | HTTPS | 443

Update existing publishing rules (post enablement of extension host)

Note

The 1808 Azure Stack Hub update package does not enable the extension host yet. It lets you prepare for the extension host by importing the required certificates. Don't close any ports before the extension host is automatically enabled through an Azure Stack Hub update package after the 1808 update.

The following existing endpoint ports must be closed in your existing firewall rules.

Note

It's recommended to close those ports only after successful validation.

Endpoint (VIP) | Protocol | Ports
Portal (administrator) | HTTPS | 12495, 12499, 12646, 12647, 12648, 12649, 12650, 13001, 13003, 13010, 13011, 13012, 13020, 13021, 13026, 30015
Portal (user) | HTTPS | 12495, 12649, 13001, 13010, 13011, 13012, 13020, 13021, 30015, 13003
Azure Resource Manager (administrator) | HTTPS | 30024
Azure Resource Manager (user) | HTTPS | 30024

Next steps