如何通过(区域)vnet 将 Azure 网站连接到辅助角色 (TCP)?是否可以? [英] How to connect Azure Web Sites to a Worker Role (TCP) through a (regional) vnet? Is it possible?
问题描述
如何从 Azure PaaS 托管 Web 建立 TCP 连接工作者角色的站点?它部署在一个虚拟网络中.这可以在不打开输入端点的情况下完成吗?工人角色?根据 Azure 虚拟网络,网站目前似乎不能成为虚拟网络部署的一部分常见问题解答:
How would one make a TCP connection from an Azure PaaS hosted Web Sites to a Worker Role? That's deployed in one virtual network. Can this be done without opening an Input Endpoints, Internet facing port on the worker role? It looks like WebSites cannot currently be part of virtual network deployments as per Azure Virtual Network FAQ:
我可以使用带有虚拟网络的 Windows Azure 网站吗? 不可以.我们不支持带有虚拟网络的网站.
Can I use Windows Azure websites with Virtual Network? No. We do not support websites with virtual networks.
我是 Azure 的新手,并且正在使用各种配置,看起来这可能可以使用新的 regional vnets (可能还有内部负载均衡器),但是除了它们位于不同的虚拟网络上之外,没有关于此的真正信息机器和不同的网络中,因此使它们进行通信是一个更复杂的过程.
I'm new to Azure and playing with various configurations and it looks like this is something that could perhaps be done with the new regional vnets (and perhaps the internal load balancer), but then again there isn't really information around regarding this other than that they are on different virtual machines and in different networks and thus making them to communicate is a more involved process.
如果对讨论有帮助,我有以下区域 vnet 配置,供工作人员 Xyz.ComputeRole 使用.该角色是接受 TCP 连接的角色.
If it helps discussion, I have the following are the regional vnet configurations, which are used by the worker Xyz.ComputeRole. This role is the one accepting TCP connections.
<我发现了一篇关于这个问题的非常好的帖子 Windows Azure 虚拟网络中机器的网络隔离选项.就目前而言,看起来我可以为工作角色打开一个 Input Endpoint,然后限制仅从 WebSites 部署对其进行访问.但是,它看起来需要做很多工作,并且需要像负载平衡器一样跳过网络元素,也许我需要找出网站部署 IP.
<edit: I found a really good post regarding this matter Network Isolation Options for Machines in Windows Azure Virtual Networks. As it stands, it looks like I could open an Input Endpoint to the worker role and then restrict access to it only from the WebSites deployment. However, it looks like a lot of work to do, and hops over the networking elements like a load-balancer, and perhaps I'd need to find out the Web Sites deployment IP.
我是否脱离基地并且有一种简单的方法可以通过 TCP 连接将网站连接到 Azure 计算机角色?
Am I off-base and there's a simple way to connect a WebSites to a Azure computer role via TCP connection?
网络配置
<VirtualNetworkConfiguration>
<Dns>
<DnsServers>
<DnsServer name="XyzVnetDns" IPAddress="192.168.50.0" />
</DnsServers>
</Dns>
<VirtualNetworkSites>
<VirtualNetworkSite name="XyzVNet" Location="North Europe">
<AddressSpace>
<AddressPrefix>10.0.0.0/8</AddressPrefix>
</AddressSpace>
<Subnets>
<Subnet name="Sub1">
<AddressPrefix>10.0.0.0/11</AddressPrefix>
</Subnet>
</Subnets>
<DnsServersRef>
<DnsServerRef name="XyzVnetDns" />
</DnsServersRef>
</VirtualNetworkSite>
</VirtualNetworkSites>
云服务配置
<NetworkConfiguration>
<VirtualNetworkSite name="XyzVNet" />
<AddressAssignments>
<InstanceAddress roleName="Xyz.ComputeRole">
<Subnets>
<Subnet name="Sub1" />
</Subnets>
</InstanceAddress>
</AddressAssignments>
推荐答案
您无法将 Azure 网站部署添加到 VNet,因为网站没有专用的出站 IP 地址.这也将阻止您在辅助角色的输入端点上设置访问控制列表 (ACL).
You cannot add Azure Web Sites deployments to a VNet because there's no dedicated outbound IP address for Web Sites. This will also preclude you from setting up Access Control Lists (ACL's) on the worker role's input endpoints.
对于网站 -> 工作者角色(云服务)安全性,您需要依赖特定于应用程序的东西(可能是 SSL 证书或其他东西).
For Web Sites -> Worker Role (cloud service) security, you'd need to rely on something app-specific (maybe an SSL cert or something else).
顺便说一句:关于限制访问的大量工作要做":不确定您到底尝试了什么(或者您是否尝试过),但通过门户网站很简单(只需输入子网掩码并...完成),并且通过命令行也很容易.
By the way: regarding "a lot of work to do" for restricting access: Not sure exactly what you tried (or if you tried it), but it's trivial through the portal (just enter a subnet mask and... done), and very easy through command-line as well.
这篇关于如何通过(区域)vnet 将 Azure 网站连接到辅助角色 (TCP)?是否可以?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
