Ported from Stack Overflow
I am building a Hub & Spoke network topology (described here) as recommended in the Azure documentation.
However, when I create a VM in a separate VNet and try to link it to the application gateway in the Hub virtual network, I get the following message ("...the application gateway must be in the same virtual network...")...
I have peered the Hub and Spoke virtual networks together, with the peering configured on both sides. Am I missing something?
Answer 1
I would take a different approach and create a listener in the Application Gateway for the IP of the VM you want to protect with the Application Gateway, then add a public IP to the VM. https://docs.microsoft.com/en-us/azure/application-gateway/configuration-listeners https://docs.microsoft.com/en-us/azure/application-gateway/create-ssl-portal
Also allow the following in the VM's NSG:
You must allow incoming Internet traffic on TCP ports 65503-65534 for the Application Gateway v1 SKU, and on TCP ports 65200-65535 for the v2 SKU, with the destination subnet as Any and the source as the GatewayManager service tag.
- Back-end server pool: the list of IP addresses of the back-end servers. The IP addresses listed should either belong to the VNet subnet or be a public IP/VIP.
- Back-end server pool settings: each pool has settings such as port, protocol and cookie-based affinity. These settings are tied to the pool and apply to all servers within it.
- Front-end port: the public port that is opened on the application gateway. Traffic arrives at this port and is then redirected to one of the back-end servers.
- Listener: a listener has a front-end port, a protocol (Http or Https, case-sensitive) and an SSL certificate name (if SSL offload is configured).
- Rule: a rule binds a listener to a back-end server pool and defines which back-end server pool the traffic should be directed to when it arrives at a particular listener. Currently only the basic rule is supported; the basic rule is round-robin load distribution.
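The steps the answer lists (gateway-side listener and pool, NSG rules), written out in Azure PowerShell (Az module) as an added example; this is not code from the original answer. All names are assumptions: resource group `rg-hub`, an Application Gateway `appGateway` (v1 SKU, created with the names used in the ARM template in Answer 2) in hub subnet `10.0.1.0/24` carrying NSG `appgw-nsg`, and a spoke VM with private IP `10.1.0.4` behind NSG `vm-nsg`. The example goes beyond the answer in two ways: the GatewayManager port range from the quoted documentation is applied to the NSG on the Application Gateway's own subnet, which is where the linked docs require it, and because the hub and spoke VNets are peered the gateway can reach the VM's private IP directly, so the back-end pool uses that private IP and the VM's NSG admits only the gateway subnet, leaving the VM without a public IP.

```powershell
# Added example (Az PowerShell); not code from the original answer.
# Assumed names: resource group rg-hub; Application Gateway appGateway (v1 SKU) deployed into hub
# subnet 10.0.1.0/24 that carries NSG appgw-nsg; spoke VM with private IP 10.1.0.4 behind NSG vm-nsg.
# The hub and spoke VNets are assumed to be peered already, as in the question.
$rg          = 'rg-hub'
$agwSubnet   = '10.0.1.0/24'   # Application Gateway subnet prefix (assumed)
$vmPrivateIp = '10.1.0.4'      # spoke VM NIC address (assumed)

# 1. NSG on the Application Gateway's own subnet: the GatewayManager range from the docs
#    (TCP 65503-65534 for the v1 SKU; 65200-65535 for v2) plus client HTTPS on 443.
$agwNsg = Get-AzNetworkSecurityGroup -Name 'appgw-nsg' -ResourceGroupName $rg
$agwNsg | Add-AzNetworkSecurityRuleConfig -Name 'Allow-GatewayManager' -Priority 100 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix 'GatewayManager' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange '65503-65534' | Out-Null
$agwNsg | Add-AzNetworkSecurityRuleConfig -Name 'Allow-Https-Internet' -Priority 110 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix 'Internet' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange '443' | Out-Null
$agwNsg | Set-AzNetworkSecurityGroup | Out-Null

# 2. NSG on the VM: accept the back-end port only from the Application Gateway subnet.
#    Everything else is still caught by the default DenyAllInBound rule, so the VM
#    needs no public IP and cannot be reached around the gateway.
$vmNsg = Get-AzNetworkSecurityGroup -Name 'vm-nsg' -ResourceGroupName $rg
$vmNsg | Add-AzNetworkSecurityRuleConfig -Name 'Allow-Http-From-AppGw' -Priority 100 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix $agwSubnet -SourcePortRange '*' `
    -DestinationAddressPrefix $vmPrivateIp -DestinationPortRange '80' | Out-Null
$vmNsg | Set-AzNetworkSecurityGroup | Out-Null

# 3. Gateway side: back-end pool holding the spoke VM's private IP (reachable over the peering),
#    plain-HTTP back-end settings, and the HTTPS listener bound to the existing port and certificate.
#    Names follow the ARM template in Answer 2; change them if your gateway uses others.
$agw = Get-AzApplicationGateway -Name 'appGateway' -ResourceGroupName $rg
$agw = Set-AzApplicationGatewayBackendAddressPool -ApplicationGateway $agw `
    -Name 'BackendAddressPool' -BackendIPAddresses $vmPrivateIp
$agw = Set-AzApplicationGatewayBackendHttpSetting -ApplicationGateway $agw `
    -Name 'HttpSettings' -Port 80 -Protocol Http -CookieBasedAffinity Disabled
$feIp   = Get-AzApplicationGatewayFrontendIPConfig -ApplicationGateway $agw -Name 'frontendIpConfig'
$fePort = Get-AzApplicationGatewayFrontendPort     -ApplicationGateway $agw -Name 'frontendPort'
$cert   = Get-AzApplicationGatewaySslCertificate   -ApplicationGateway $agw -Name 'appGwSslCertificate'
$agw = Set-AzApplicationGatewayHttpListener -ApplicationGateway $agw -Name 'HttpListener' `
    -FrontendIPConfiguration $feIp -FrontendPort $fePort -Protocol Https -SslCertificate $cert
Set-AzApplicationGateway -ApplicationGateway $agw | Out-Null
```

Run it after `Connect-AzAccount` against the subscription that holds both VNets. The VM rule is deliberately scoped to the gateway subnet's prefix rather than `VirtualNetwork`, since that tag also matches the peered spoke and anything routed into it; if the gateway is later moved to the v2 SKU, change the GatewayManager destination range to 65200-65535.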
Answer 2
Here is also an ARM template (to give you an overview):

```
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"sslCertificateData": {
"type": "string",
"metadata": {
"description": "The base-64 encoded SSL certificate PFX data. Must be supplied via a parameters file reference to a Key Vault secret."
}
},
"sslCertificatePassword": {
"type": "securestring",
"metadata": {
"description": "The SSL certificate password. Must be supplied via a parameters file reference to a Key Vault secret."
}
},
"vNetId": {
"type": "string",
"metadata": {
"description": "The ID of the VNet."
}
},
"subnetName": {
"type": "string",
"metadata": {
"description": "The name of the DMZ Subnet."
}
}
},
"variables": {
"networkApiVersion": "2017-04-01",
"subnetId": "[concat(parameters('vNetId'), '/subnets/', parameters('subnetName'))]",
"appGatewayPublicIpAddressId": "[resourceId('Microsoft.Network/publicIPAddresses', 'appGatewayPublicIpAddress')]",
"appGwId": "[resourceId('Microsoft.Network/applicationGateways', 'appGateway')]",
"appGwSize": "Standard_Small",
"appGwTier": "Standard",
"appGwCapacity": 5,
"appGwFePort": 443,
"appGwFeProtocol": "Https",
"appGwBePort": 80,
"appGwBeProtocol": "Http"
},
"resources": [
{
"type": "Microsoft.Network/publicIPAddresses",
"name": "appGatewayPublicIpAddress",
"location": "[resourceGroup().location]",
"apiVersion": "[variables('networkApiVersion')]",
"comments": "This creates a single, dynamically allocated public IP address for use by the Application Gateway.",
"properties": {
"publicIPAllocationMethod": "Dynamic"
}
},
{
"type": "Microsoft.Network/applicationGateways",
"name": "appGateway",
"location": "[resourceGroup().location]",
"apiVersion": "[variables('networkApiVersion')]",
"comments": "This creates the Application Gateway.",
"dependsOn": [
"[concat('Microsoft.Network/publicIPAddresses/', 'appGatewayPublicIpAddress')]"
],
"properties": {
"sku": {
"name": "[variables('appGwSize')]",
"tier": "[variables('appGwTier')]",
"capacity": "[variables('appGwCapacity')]"
},
"gatewayIPConfigurations": [
{
"name": "gatewayIpConfig",
"properties": {
"subnet": {
"id": "[variables('subnetId')]"
}
}
}
],
"frontendIPConfigurations": [
{
"name": "frontendIpConfig",
"properties": {
"PublicIPAddress": {
"id": "[variables('appGatewayPublicIpAddressId')]"
}
}
}
],
"frontendPorts": [
{
"name": "frontendPort",
"properties": {
"Port": "[variables('appGwFePort')]"
}
}
],
"sslCertificates": [
{
"name": "appGwSslCertificate",
"properties": {
"data": "[parameters('sslCertificateData')]",
"password": "[parameters('sslCertificatePassword')]"
}
}
],
"backendAddressPools": [
{
"name": "BackendAddressPool"
}
],
"backendHttpSettingsCollection": [
{
"name": "HttpSettings",
"properties": {
"Port": "[variables('appGwBePort')]",
"Protocol": "[variables('appGwBeProtocol')]"
}
}
],
"httpListeners": [
{
"name": "HttpListener",
"properties": {
"FrontendIPConfiguration": {
"Id": "[concat(variables('appGwId'), '/frontendIPConfigurations/frontendIpConfig')]"
},
"FrontendPort": {
"Id": "[concat(variables('appGwId'), '/frontendPorts/frontendPort')]"
},
"Protocol": "[variables('appGwFeProtocol')]",
"SslCertificate": {
"id": "[concat(variables('appGwId'), '/sslCertificates/appGwSslCertificate')]"
}
}
}
],
"requestRoutingRules": [
{
"Name": "RoutingRule",
"properties": {
"RuleType": "Basic",
"httpListener": {
"id": "[concat(variables('appGwId'), '/httpListeners/HttpListener')]"
},
"backendAddressPool": {
"id": "[concat(variables('appGwId'), '/backendAddressPools/BackendAddressPool')]"
},
"backendHttpSettings": {
"id": "[concat(variables('appGwId'), '/backendHttpSettingsCollection/HttpSettings')]"
}
}
}
]
}
}
]
}
```
### ARM Template Parameter File
*app-gateway-parameters.json*
```
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"sslCertificateData": {
"reference": {
"keyVault": {
"id": "/subscriptions/SUBSCRIPTION_ID/resourcegroups/RESOURCE_GROUP/providers/Microsoft.KeyVault/vaults/KEY_VAULT_NAME"
},
"secretName": "CERT_SECRET_NAME"
}
},
"sslCertificatePassword": {
"reference": {
"keyVault": {
"id": "/subscriptions/SUBSCRIPTION_ID/resourcegroups/RESOURCE_GROUP/providers/Microsoft.KeyVault/vaults/KEY_VAULT_NAME"
},
"secretName": "CERT_PASSWORD_SECRET_NAME"
}
},
"vNetId": {
"value": "/subscriptions/SUBSCRIPTION_ID/resourceGroups/RESOURCE_GROUP/providers/Microsoft.Network/virtualNetworks/VNET_NAME"
},
"subnetName": {
"value": "SUBNET_NAME"
}
}
}
```
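Deploying the template and parameter file above with Azure PowerShell, as an added example that is not part of the original answer. Assumed names: resource group `rg-hub`, Key Vault `kv-hub`, the template saved as `app-gateway.json` beside `app-gateway-parameters.json`, and the certificate at `./appgw.pfx`; the secret names match the parameter file. Two prerequisites that the parameter file alone does not show: the vault must be enabled for template deployment, or Resource Manager cannot resolve the `reference` blocks, and the identity running the deployment needs the `Microsoft.KeyVault/vaults/deploy/action` permission on the vault.

```powershell
# Added example (Az PowerShell); not code from the original answer.
# Assumed names: resource group rg-hub, Key Vault kv-hub, template app-gateway.json next to
# app-gateway-parameters.json, PFX at ./appgw.pfx. Secret names match the parameter file above.
$rg      = 'rg-hub'
$vault   = 'kv-hub'
$pfxPath = './appgw.pfx'

# 1. Let Resource Manager read secrets from this vault during template deployment. Without this
#    flag the parameter file's keyVault references fail. The deploying identity additionally
#    needs Microsoft.KeyVault/vaults/deploy/action on the vault (Owner and Contributor have it).
Set-AzKeyVaultAccessPolicy -VaultName $vault -ResourceGroupName $rg -EnabledForTemplateDeployment

# 2. Store the PFX as the base-64 string the template's sslCertificateData parameter expects,
#    and the PFX password as a separate secret, so no secret material sits in the template,
#    the parameter file or source control.
$pfxBase64 = [Convert]::ToBase64String([IO.File]::ReadAllBytes($pfxPath))
Set-AzKeyVaultSecret -VaultName $vault -Name 'CERT_SECRET_NAME' `
    -SecretValue (ConvertTo-SecureString -String $pfxBase64 -AsPlainText -Force) | Out-Null
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Set-AzKeyVaultSecret -VaultName $vault -Name 'CERT_PASSWORD_SECRET_NAME' `
    -SecretValue $pfxPassword | Out-Null

# 3. Validate, then deploy. Resource Manager resolves the keyVault references itself at
#    deployment time; the secret values never pass through the operator's shell or logs.
$deploy = @{
    ResourceGroupName     = $rg
    TemplateFile          = './app-gateway.json'
    TemplateParameterFile = './app-gateway-parameters.json'
}
Test-AzResourceGroupDeployment @deploy
New-AzResourceGroupDeployment @deploy -Mode Incremental -Verbose
```

Fill in `SUBSCRIPTION_ID`, `RESOURCE_GROUP` and `KEY_VAULT_NAME` in the parameter file's vault IDs before running; `Test-AzResourceGroupDeployment` reports reference and schema problems without creating anything, and `-Mode Incremental` leaves other resources in the group untouched.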