What is Azure Application Gateway?

Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications. Traditional load balancers operate at the transport layer (OSI layer 4, TCP and UDP) and route traffic based on source IP address and port to a destination IP address and port.

[Figure: Application Gateway concept]

With Application Gateway, you can make routing decisions based on additional attributes of an HTTP request, such as the URI path or host headers. For example, you can route traffic based on the incoming URL. So if /images is in the incoming URL, you can route traffic to a specific set of servers (known as a pool) configured for images. If /video is in the URL, that traffic is routed to another pool that's optimized for videos.

[Figure: URL-based routing]

This type of routing is known as application layer (OSI layer 7) load balancing. Azure Application Gateway can do URL-based routing and more.

The following features are included with Azure Application Gateway:

Secure Sockets Layer (SSL/TLS) termination

Application Gateway supports SSL/TLS termination at the gateway, after which traffic typically flows unencrypted to the backend servers. This feature relieves web servers of the costly encryption and decryption overhead. But sometimes unencrypted communication to the servers is not an acceptable option. This can be because of security requirements, compliance requirements, or because the application only accepts a secure connection. For these applications, Application Gateway supports end-to-end SSL/TLS encryption.

Autoscaling

Application Gateway or WAF deployments under the Standard_v2 or WAF_v2 SKU support autoscaling and can scale up or down based on changing traffic load patterns. Autoscaling also removes the requirement to choose a deployment size or instance count during provisioning. For more information about the Application Gateway Standard_v2 and WAF_v2 features, see Autoscaling v2 SKU.

Zone redundancy

Application Gateway or WAF deployments under the Standard_v2 or WAF_v2 SKU can span multiple Availability Zones, offering better fault resiliency and removing the need to provision separate Application Gateways in each zone.

Static VIP

The Application Gateway VIP on the Standard_v2 or WAF_v2 SKU supports the static VIP type exclusively. This ensures that the VIP associated with the application gateway doesn't change over the lifetime of the Application Gateway.

Web application firewall

Web application firewall (WAF) is a service that provides centralized protection of your web applications from common exploits and vulnerabilities. WAF is based on rules from the OWASP (Open Web Application Security Project) core rule sets 3.1 (WAF_v2 only), 3.0, and 2.2.9.

Web applications are increasingly targets of malicious attacks that exploit common known vulnerabilities. SQL injection and cross-site scripting attacks are among the most common of these exploits. Preventing such attacks in application code can be challenging and may require rigorous maintenance, patching, and monitoring at many layers of the application topology. A centralized web application firewall makes security management much simpler and gives application administrators better assurance against threats or intrusions. A WAF solution can also react to a security threat faster by patching a known vulnerability at a central location rather than securing each individual web application. Existing application gateways can easily be converted to web application firewall enabled application gateways.

For more information, see What is Azure Web Application Firewall?

Ingress Controller for AKS

Application Gateway Ingress Controller (AGIC) allows you to use Application Gateway as the ingress for an Azure Kubernetes Service (AKS) cluster.

The ingress controller runs as a pod within the AKS cluster, consumes Kubernetes Ingress resources, and converts them to an Application Gateway configuration, which allows the gateway to load-balance traffic to the Kubernetes pods. The ingress controller only supports the Application Gateway v2 SKU.

For more information, see Application Gateway Ingress Controller (AGIC).

URL-based routing

URL path-based routing allows you to route traffic to backend server pools based on the URL path of the request. One scenario is to route requests for different content types to different pools.

For example, requests for http://contoso.com/video/* are routed to VideoServerPool, and requests for http://contoso.com/images/* are routed to ImageServerPool. DefaultServerPool is selected if none of the path patterns match.

For more information, see URL-based routing with Application Gateway.

Multiple-site hosting

Multiple-site hosting enables you to configure more than one web site on the same application gateway instance. This feature allows you to configure a more efficient topology for your deployments by adding up to 100 web sites to one Application Gateway, or 40 for WAF (for optimal performance). Each web site can be directed to its own pool. For example, an application gateway can serve traffic for contoso.com and fabrikam.com from two server pools called ContosoServerPool and FabrikamServerPool.

http://contoso.com 的要求會路由傳送至 ContosoServerPool,而對 http://fabrikam.com 的要求則會路由傳送至 FabrikamServerPool。Requests for http://contoso.com are routed to ContosoServerPool, and http://fabrikam.com are routed to FabrikamServerPool.

Similarly, two subdomains of the same parent domain can be hosted on the same application gateway deployment. Examples of using subdomains include http://blog.contoso.com and http://app.contoso.com hosted on a single application gateway deployment.

For more information, see multiple-site hosting with Application Gateway.
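The two selection steps described in the URL-based routing and multiple-site hosting sections above (pick a listener by Host header, then pick a backend pool by path pattern, falling back to a default pool) can be modelled in a few dozen lines. The following is an added illustration, not Application Gateway's own code or configuration format; the `Listener`, `UrlPathMap` and `Gateway` classes, the pool names and the hosts are constructed for the example and follow the contoso.com / fabrikam.com scenario on the page.

```python
import fnmatch
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class UrlPathMap:
    """Ordered list of (path pattern, pool) plus the default pool (hypothetical model)."""
    default_pool: str
    rules: List[Tuple[str, str]] = field(default_factory=list)

    def select_pool(self, path: str) -> str:
        # First matching pattern wins; the default pool catches everything else,
        # which is the behaviour the page describes for DefaultServerPool.
        for pattern, pool in self.rules:
            if fnmatch.fnmatchcase(path, pattern):
                return pool
        return self.default_pool


@dataclass
class Listener:
    host: Optional[str]        # None models a "basic" listener that accepts any host
    path_map: UrlPathMap


class Gateway:
    def __init__(self, listeners: List[Listener]):
        self.listeners = listeners

    def route(self, host_header: str, path: str) -> Optional[str]:
        """Return the backend pool for a request, or None if no listener claims the host."""
        # Multi-site listeners are matched on the Host header (port and case ignored);
        # a basic listener, if one exists, is the fallback for any other host.
        host = host_header.split(":", 1)[0].lower()
        for listener in self.listeners:
            if listener.host == host:
                return listener.path_map.select_pool(path)
        for listener in self.listeners:
            if listener.host is None:
                return listener.path_map.select_pool(path)
        return None  # no multi-site match and no basic listener: the demo rejects the request


# Constructed configuration for the example (not taken from any real deployment):
GATEWAY = Gateway([
    Listener("contoso.com", UrlPathMap("DefaultServerPool", [
        ("/video/*", "VideoServerPool"),
        ("/images/*", "ImageServerPool"),
    ])),
    Listener("fabrikam.com", UrlPathMap("FabrikamServerPool")),
    Listener("blog.contoso.com", UrlPathMap("BlogServerPool")),
])


if __name__ == "__main__":
    for host, path in [("contoso.com", "/video/intro.mp4"), ("contoso.com", "/about"),
                       ("fabrikam.com", "/"), ("blog.contoso.com", "/posts/1")]:
        print(f"{host}{path} -> {GATEWAY.route(host, path)}")
```

Note that without a basic listener the demo returns `None` for an unknown host; the order of the path rules matters, since the first matching pattern is used.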

Redirection

A common scenario for many web applications is to support automatic HTTP to HTTPS redirection to ensure that all communication between an application and its users occurs over an encrypted path.

In the past, you may have used techniques such as creating a dedicated pool whose sole purpose is to redirect requests it receives on HTTP to HTTPS. Application Gateway supports the ability to redirect traffic on the Application Gateway itself. This simplifies application configuration, optimizes resource usage, and supports new redirection scenarios, including global and path-based redirection. Application Gateway redirection support isn't limited to HTTP to HTTPS redirection alone. It is a generic redirection mechanism, so you can redirect from and to any port you define using rules. It also supports redirection to an external site.

Application Gateway redirection support offers the following capabilities:

  • Global redirection from one port to another port on the gateway. This enables HTTP to HTTPS redirection for a whole site.
  • Path-based redirection. This type of redirection enables HTTP to HTTPS redirection only on a specific site area, for example a shopping cart area denoted by /cart/*.
  • Redirection to an external site.

For more information, see redirecting traffic with Application Gateway.
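The three redirect capabilities listed above (global port-to-port, path-based, and external) differ only in what the rule matches and what it points at. The block below is an added example that models those rules and computes the resulting status and Location; it is not Application Gateway's rule syntax. The `RedirectRule` class, the `"https-listener"` target marker and the `docs.example` URL are assumptions made for the example.

```python
import fnmatch
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit


@dataclass
class RedirectRule:
    listener_port: int            # port of the listener the rule is attached to
    path_pattern: Optional[str]   # None = global redirect; otherwise path-based, e.g. "/cart/*"
    target: str                   # "https-listener" (same host, scheme https) or an absolute external URL
    status: int = 301


def apply_redirect(rules: List[RedirectRule], url: str) -> Optional[Tuple[int, str]]:
    """Return (status, Location) if a rule matches the incoming request, else None."""
    parts = urlsplit(url)
    # A request arrives on a listener port; infer it from the URL for the demo.
    port = parts.port or (443 if parts.scheme == "https" else 80)
    for rule in rules:
        if rule.listener_port != port:
            continue
        if rule.path_pattern is not None and not fnmatch.fnmatchcase(parts.path, rule.path_pattern):
            continue
        if rule.target == "https-listener":
            # Same host, path and query string; only the scheme (and so the port) changes.
            return rule.status, urlunsplit(("https", parts.hostname, parts.path, parts.query, ""))
        return rule.status, rule.target
    return None  # no rule fired: the request is handled by the listener's normal routing


# Constructed rule sets, one per capability from the page (hypothetical values):
GLOBAL_RULES = [RedirectRule(80, None, "https-listener")]
PATH_RULES = [RedirectRule(80, "/cart/*", "https-listener")]
EXTERNAL_RULES = [RedirectRule(8080, None, "https://docs.example/moved", status=302)]


if __name__ == "__main__":
    print(apply_redirect(GLOBAL_RULES, "http://contoso.com/about?x=1"))
    print(apply_redirect(PATH_RULES, "http://contoso.com/about"))
    print(apply_redirect(EXTERNAL_RULES, "http://contoso.com:8080/anything"))
```

The global rule leaves already-HTTPS requests alone because they arrive on port 443, not on the port-80 listener the rule is bound to; the path-based rule fires only under /cart/, so the rest of the site keeps serving plain HTTP as the page describes.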

Session affinity

The cookie-based session affinity feature is useful when you want to keep a user session on the same server. By using gateway-managed cookies, the Application Gateway can direct subsequent traffic from a user session to the same server for processing. This is important in cases where session state is saved locally on the server for a user session.

WebSocket and HTTP/2 traffic

Application Gateway provides native support for the WebSocket and HTTP/2 protocols. There's no user-configurable setting to selectively enable or disable WebSocket support.

The WebSocket and HTTP/2 protocols enable full-duplex communication between a server and a client over a long-running TCP connection. This allows for more interactive communication between the web server and the client, which can be bidirectional without the polling required in HTTP-based implementations. Unlike HTTP, these protocols have low overhead and can reuse the same TCP connection for multiple requests and responses, resulting in more efficient resource utilization. These protocols are designed to work over the traditional HTTP ports 80 and 443.

For more information, see WebSocket support and HTTP/2 support.

Connection draining

Connection draining helps you achieve graceful removal of backend pool members during planned service updates. This setting is enabled via the backend HTTP setting and can be applied to all members of a backend pool during rule creation. Once enabled, Application Gateway ensures that all de-registering instances of a backend pool do not receive any new requests, while allowing existing requests to complete within a configured time limit. This applies both to backend instances that are explicitly removed from the backend pool by an API call and to backend instances that are reported as unhealthy by the health probes.
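The draining behaviour just described has three observable rules: a de-registering (or probe-failed) member gets no new requests, its in-flight requests may finish until the configured time limit, and after that limit the member can be taken away regardless. The following added example simulates those rules with explicit timestamps so the sequence can be traced; it is an illustration written for this page, not Application Gateway's implementation, and the `DrainingPool` and `Member` classes are hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Member:
    name: str
    healthy: bool = True
    drain_deadline: Optional[float] = None   # set once the member starts draining
    in_flight: int = 0


class DrainingPool:
    """Backend pool with connection draining (hypothetical model)."""

    def __init__(self, members: List[Member], drain_timeout: float):
        self.members: Dict[str, Member] = {m.name: m for m in members}
        self.drain_timeout = drain_timeout   # the page's "configured time limit"
        self._rr = 0                          # round-robin cursor for new requests

    def deregister(self, name: str, now: float) -> None:
        """Explicit removal from the pool (the page's API-call case)."""
        self.members[name].drain_deadline = now + self.drain_timeout

    def mark_unhealthy(self, name: str, now: float) -> None:
        """Health probe reported the member unhealthy: same draining rules apply."""
        member = self.members[name]
        member.healthy = False
        member.drain_deadline = now + self.drain_timeout

    def dispatch(self, now: float) -> Optional[str]:
        """Choose a member for a NEW request; draining members are never eligible."""
        eligible = [m for m in self.members.values() if m.healthy and m.drain_deadline is None]
        if not eligible:
            return None
        member = eligible[self._rr % len(eligible)]
        self._rr += 1
        member.in_flight += 1
        return member.name

    def complete(self, name: str, now: float) -> bool:
        """An EXISTING request finishes; False means the drain window had already expired."""
        member = self.members[name]
        member.in_flight -= 1
        if member.drain_deadline is not None and now > member.drain_deadline:
            return False
        return True

    def removable(self, name: str, now: float) -> bool:
        """A draining member may be removed once idle or once the time limit passes."""
        member = self.members[name]
        return member.drain_deadline is not None and (member.in_flight == 0 or now >= member.drain_deadline)


if __name__ == "__main__":
    # Constructed walkthrough: two members, 30 second drain timeout.
    pool = DrainingPool([Member("vm-a"), Member("vm-b")], drain_timeout=30)
    print(pool.dispatch(0), pool.dispatch(0))   # vm-a vm-b
    pool.deregister("vm-a", now=10)
    print(pool.dispatch(10))                    # vm-b: vm-a gets nothing new
    print(pool.complete("vm-a", now=15))        # True: finished inside the window
    print(pool.removable("vm-a", now=15))       # True: idle, safe to remove
```

The same code path handles both triggers on the page (explicit removal and a failed health probe), which is why `mark_unhealthy` sets the same deadline as `deregister`.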

For more information, see the Connection Draining section of the Application Gateway configuration overview.

Custom error pages

Application Gateway allows you to create custom error pages instead of displaying the default error pages. You can use your own branding and layout in a custom error page.

For more information, see Custom Errors.

Rewrite HTTP headers

HTTP headers allow the client and server to pass additional information with the request or the response. Rewriting these HTTP headers helps you accomplish several important scenarios, such as:

  • Adding security-related header fields like HSTS or X-XSS-Protection.
  • Removing response header fields that can reveal sensitive information.
  • Stripping port information from X-Forwarded-For headers.

Application Gateway supports the capability to add, remove, or update HTTP request and response headers while the requests and responses move between the client and the backend pools. It also lets you add conditions to ensure that the specified headers are rewritten only when certain conditions are met.
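The three scenarios listed above, plus the conditional rewriting mentioned in the previous paragraph, can be shown with a small rule engine. The block below is an added example for this page and does not use Application Gateway's rewrite-set syntax; the dict-based rule format, the `apply_rewrite_rules` function and the sample header values are constructed. It adds HSTS unconditionally, adds X-XSS-Protection only when the response is HTML, removes headers that leak implementation details, and strips ports from X-Forwarded-For entries without damaging IPv6 addresses.

```python
import re
from typing import Any, Dict, List

# Hypothetical rule format:
#   condition: optional (header name, regex) that must match for the rule to fire
#   remove:    list of header names to delete
#   set:       header name -> value to add or overwrite
#   replace:   header name -> (regex, replacement) applied to the existing value
Rule = Dict[str, Any]


def apply_rewrite_rules(rules: List[Rule], headers: Dict[str, str]) -> Dict[str, str]:
    """Apply rewrite rules in order and return the rewritten header map (lowercase names)."""
    # Header names are case-insensitive, so everything is normalised to lowercase.
    out = {k.lower(): v for k, v in headers.items()}
    for rule in rules:
        cond = rule.get("condition")
        if cond is not None:
            name, pattern = cond
            value = out.get(name.lower())
            if value is None or re.search(pattern, value) is None:
                continue  # condition not met: this rule is skipped
        for name in rule.get("remove", []):
            out.pop(name.lower(), None)
        for name, value in rule.get("set", {}).items():
            out[name.lower()] = value
        for name, (pattern, repl) in rule.get("replace", {}).items():
            key = name.lower()
            if key in out:
                out[key] = re.sub(pattern, repl, out[key])
    return out


# Constructed response rules: hide server details, enforce HSTS, add X-XSS-Protection for HTML only.
RESPONSE_RULES: List[Rule] = [
    {"remove": ["Server", "X-Powered-By"]},
    {"set": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}},
    {"condition": ("Content-Type", r"^text/html"),
     "set": {"X-XSS-Protection": "1; mode=block"}},
]

# Constructed request rule: drop ":port" after each hop in X-Forwarded-For. The lookbehind
# requires a digit or "]" before the colon, so the colons inside an unbracketed IPv6
# address are left alone; only a trailing ":<digits>" before a comma or end-of-value goes.
REQUEST_RULES: List[Rule] = [
    {"replace": {"X-Forwarded-For": (r"(?<=[\d\]]):\d+(?=\s*,|\s*$)", "")}},
]


if __name__ == "__main__":
    print(apply_rewrite_rules(RESPONSE_RULES, {
        "Server": "nginx/1.18", "Content-Type": "text/html; charset=utf-8", "X-Powered-By": "PHP/7.4"}))
    print(apply_rewrite_rules(REQUEST_RULES, {
        "X-Forwarded-For": "203.0.113.5:51234, [2001:db8::1]:443"}))
```

The condition check runs against the headers as already rewritten by earlier rules, so rule order matters when one rule's output feeds another's condition.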

For more information, see Rewrite HTTP headers.

Sizing

The Application Gateway Standard_v2 and WAF_v2 SKUs can be configured for autoscaling or fixed-size deployments. These SKUs don't offer different instance sizes. For more information on v2 performance and pricing, see Autoscaling v2 SKU.

The Application Gateway Standard and WAF SKUs are currently offered in three sizes: Small, Medium, and Large. Small instance sizes are intended for development and testing scenarios.

For a complete list of application gateway limits, see Application Gateway service limits.

The following table shows the average performance throughput for each application gateway v1 instance with SSL offload enabled:

Average back-end page response size   Small      Medium     Large
6 KB                                  7.5 Mbps   13 Mbps    50 Mbps
100 KB                                35 Mbps    100 Mbps   200 Mbps

Note

These values are approximate values for application gateway throughput. The actual throughput depends on various environment details, such as average page size, location of back-end instances, and processing time to serve a page. For exact performance numbers, you should run your own tests. These values are provided only as capacity planning guidance.

Next steps

Depending on your requirements and environment, you can create a test Application Gateway using the Azure portal, Azure PowerShell, or the Azure CLI: