App Service Environment management addresses

The App Service Environment (ASE) is a single-tenant deployment of the Azure App Service that runs in your Azure Virtual Network (VNet). While the ASE does run in your VNet, it must still be accessible from a number of dedicated IP addresses that are used by the Azure App Service to manage the service. In the case of an ASE, the management traffic traverses the user-controlled network. If this traffic is blocked or misrouted, the ASE will become suspended. For details on the ASE networking dependencies, read Networking considerations and the App Service Environment. For general information on the ASE, you can start with Introduction to the App Service Environment.

All ASEs have a public VIP which management traffic comes into. The incoming management traffic from these addresses arrives at ports 454 and 455 on the public VIP of your ASE. This document lists the App Service source addresses for management traffic to the ASE. These addresses are also in the IP Service Tag named AppServiceManagement.

The addresses noted below can be configured in a route table to avoid asymmetric routing problems with the management traffic. Routes act on traffic at the IP level and have no awareness of traffic direction or of whether the traffic is part of a TCP reply. If the reply to a TCP request leaves by a different address than the one the request was sent to, you have an asymmetric routing problem. To avoid asymmetric routing problems with your ASE management traffic, you need to ensure that replies are sent back from the same address they were sent to. For details on how to configure your ASE to operate in an environment where outbound traffic is sent on premises, read Configure your ASE with forced tunneling.

List of management addresses

Region                       Addresses
All public regions
Microsoft Azure Government
Azure China

Configuring a Network Security Group

With Network Security Groups, you do not need to worry about the individual addresses or about maintaining your own configuration. There is an IP service tag named AppServiceManagement that is kept up to date with all of the addresses. To use this IP service tag in your NSG, go to the portal, open your Network Security Groups UI, and select Inbound security rules. If you have a pre-existing rule for the inbound management traffic, edit it. If this NSG was not created with your ASE, or if it is all new, then select Add. Under the Source drop-down, select Service Tag. Under the Source service tag, select AppServiceManagement. Set the source port ranges to *, Destination to Any, Destination port ranges to 454-455, Protocol to TCP, and Action to Allow. If you are creating the rule, then you also need to set the Priority.

Create an NSG using a service tag

Configuring a route table

The management addresses can be placed in a route table with a next hop of Internet to ensure that all inbound management traffic is able to go back through the same path. These routes are needed when configuring forced tunneling. To create the route table, you can use the portal, PowerShell or Azure CLI. The commands to create a route table using Azure CLI from a PowerShell prompt are below.

$rg = "resource group name"
$rt = "route table name"
$location = "azure location"
# One string per management address, taken from the list above or from the inbound network dependencies API
$managementAddresses = "<management address>", "<management address>"

az network route-table create --name $rt --resource-group $rg --location $location
foreach ($ip in $managementAddresses) {
    # One /32 route per address with a next hop of Internet, so replies leave by the path the request arrived on
    az network route-table route create -g $rg --route-table-name $rt -n $ip --next-hop-type Internet --address-prefix ($ip + "/32")
}

After your route table is created, you need to set it on your ASE subnet.
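As an added illustration of the asymmetric routing problem described earlier and of what the /32 routes created above achieve (this is example code, not part of the original page), the following Python models the longest-prefix lookup a route table performs on reply traffic. The addresses are constructed sample values from documentation ranges, not Azure's management addresses.

```python
import ipaddress

# Constructed sample values (not Azure's real addresses): one management
# source address and a default-route-only table as used with forced tunneling.
MANAGEMENT_ADDRESS = "203.0.113.10"
OTHER_INTERNET_HOST = "192.0.2.5"


def lookup(route_table, destination):
    """Longest-prefix match, the way a route table is applied to an outbound
    packet. route_table is a list of (prefix, next_hop_type) pairs; returns
    the next hop type, or None when nothing matches."""
    dest = ipaddress.ip_address(destination)
    best_net, best_hop = None, None
    for prefix, next_hop in route_table:
        net = ipaddress.ip_network(prefix)
        if dest in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, next_hop
    return best_hop


def reply_is_symmetric(route_table, source):
    """Inbound management traffic reaches the ASE VIP from the Internet, so the
    reply is symmetric only when the route back to `source` is also Internet."""
    return lookup(route_table, source) == "Internet"


def routes_for(management_addresses):
    """Build the /32 Internet routes that the route table loop above creates."""
    return [(f"{ip}/32", "Internet") for ip in management_addresses]


# Forced tunneling: everything leaves through the on-premises appliance by default
FORCED_TUNNEL = [("0.0.0.0/0", "VirtualAppliance")]
# The same table with the management /32 routes added; order does not matter
# because the more specific prefix wins.
FIXED = FORCED_TUNNEL + routes_for([MANAGEMENT_ADDRESS])
```

With only the default route, the reply to a management request is sent to the appliance instead of back out to the Internet, which is the misrouting that gets an ASE suspended; adding the /32 routes fixes that without changing where other outbound traffic goes.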

Get your management addresses from the API

You can list the management addresses that apply to your ASE with the following API call.

get /subscriptions/<subscription ID>/resourceGroups/<resource group>/providers/Microsoft.Web/hostingEnvironments/<ASE Name>/inboundnetworkdependenciesendpoints?api-version=2016-09-01

The API returns a JSON document that includes all of the inbound addresses for your ASE. The list of addresses includes the management addresses, the VIP used by your ASE, and the ASE subnet address range itself.

To call the API with armclient, use the following commands, substituting your own subscription ID, resource group and ASE name.

armclient login
armclient get /subscriptions/<subscription ID>/resourceGroups/<resource group>/providers/Microsoft.Web/hostingEnvironments/<ASE Name>/inboundnetworkdependenciesendpoints?api-version=2016-09-01