具有Azure负载均衡器的应用程序网关 [英] Application Gateway with Azure Load Balancer
问题描述
您好
我希望有人会告诉我是什么 我正在努力或者如果我必须恢复计划b - 我也将概述
I am hoping someone will tell me if what am trying is possible or if i have to revert to plan b - which i will also outline
目前我们正在使用我们网络层面前的Azure应用程序网关将流量引导到正确的后端服务以及使用它来执行ssl卸载。这很好,它可以满足我们的需求。
Currently we are using the Azure Application gateway infront of our web tier to direct traffic to the correct backend service as well as using it to perform ssl offload. This is fine and it works in this role for what we need it to.
我遇到的问题是我们正在开发的服务需要访问受IP限制的第三方服务白名单。显然这是一个问题,因为Application Gateway不支持静态公共IP,我们显然不希望有
来为每个VM分配公共IP只是为了这个目的,这意味着需要一种替代方法。
The issue I have is that the service we are developing requires access to a third party service that is restricted via IP Whitelist. Obviously this is a problem as the Application Gateway doesnt support a static Public IP and we obviously dont want to have
to assign Public IPs to each of our VMs for this purpose only which means an alternative method is required.
我调查了可能使用Azure负载均衡器刷出应用程序网关,乍一看这似乎可以完成我们所需的一切,并且还有助于开始解决另一个问题。它为我们的出站SNAT提供了额外的
配置,并且还改进了自定义探针健康检查功能 - 非常棒。
I investigated potentially swopping out the Application Gateway with the Azure Load Balancer and at first glance this seemed to do everything that we needed of it, and also helped to begin solving another issue. It gives us outbound SNAT with minimal additional configuration and also improves the custom probe healthcheck functionality - brilliant.
嗯,没有。此处未提供的一项关键服务是SSL卸载。为了在这里使用Load Balancer,我们需要构建一个新的层来处理SSL卸载,我们还将服务的终止移到了一个级别,为这个级别带来了整个
的新考虑范围。派对。那么就不能使用负载均衡器。我检查了开发团队,显然重新配置应用程序以处理SSL卸载本身是非常重要的,因此需要新的层和服务
来执行此操作。很好
Well, no. The one key service not provided here is the SSL offload. In order to use thie Load Balancer here we would need to build out a new tier to handle the SSL Offload, and we have also moved the termination of the service in one level, bringing a whole new range of considerations to the party. Cant use the load balancer then. I checked withe the Development team and apparently it is non-trivial to reconfigure the application to handle the SSL offload itself hence the requirement of the new tier and services to do this. Great
所以计划B - 这是建立一个出站代理框,使用现有技术来做这些事情,然后努力确保引入这个,以及新的UDR和NSG这不需要破坏应用程序或部署过程。
这也需要额外的配置,但它不需要更改应用程序本身,因此它应该是最小的影响。
So Plan B - well this is to build an outbound proxy box, using the existing technologies for such things and then work to ensure that introducing this, as well as the new UDRs and NSGs required for this doesnt break the application, or the deployment process. This also requires additional configuration but it doesnt require a change to the application itself, and so it should be minimal impact from that side.
然而它确实增加了很多复杂性到基础设施,RM模板和我们的配置管理代码(是的,我在这里略显自私)
It does however add a lot of complexity to the infrastructure, the RM Templates and our Configuration Management Code (yes im being slightly selfish here)
所以这让我想到了我的问题:
So that brings me to my question:
我正在考虑将应用程序网关和负载均衡器部署到同一资源组。使用应用程序网关作为服务的前端,仅使用负载均衡器作为其传出SNAT功能,不允许从那里进行入站连接
。有没有人知道1)这是可能的,2)不是愚蠢的,3)它看起来怎么样?
I was thinking about deploying an application gateway and a load balancer to the same resource group. Using the Application gateway as the frontend to the service and only using the Load Balancer for its outgoing SNAT capability, not allowing inbound connections from there at all. Does anyone know if 1)this is possible and 2) not stupid and 3) how it would look?
感谢您的帮助
Joe
推荐答案
你好乔,
感谢您与Microsoft论坛联系。我们很乐意回答您的问题。
$
您可以使用专用IP创建应用程序网关,然后将Azure负载均衡器重定向到网关。既然你提到你需要IP白名单,那么值得注意的是ALB支持静态IP,这是另一个好处。下面给出的图形表示
是设置的样子。希望这会有所帮助!
$
Hi Joe,
Thank you for contacting Microsoft forums. We are pleased to answer your query.
You can create an Application Gateway with a private IP and then redirect the Azure Load Balancer to the Gateway. Since you mentioned you require IP white-listing then it's worth noting that ALB supports a static IP so that's another plus. The pictorial representation given below is what the set-up would look like. Hope this helps!
问候。
Md.Shihab
Regards.
Md. Shihab
这篇关于具有Azure负载均衡器的应用程序网关的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
