为什么Azure Application Gateway需要一个空子网 [英] Why does Azure Application Gateway require an empty subnet

问题描述

当我尝试执行New-AzureRmApplicationGatewayIPConfiguration创建应用程序网关时，出现异常:

When I try to execute New-AzureRmApplicationGatewayIPConfiguration to create an application gateway, I get an exception:

Subnet xxx cannot be used for application gateway yyy since subnet is not empty.

当我尝试将应用程序网关添加到与后端服务器相同的子网中时，遇到了此错误.

I encountered this error when I tried to add the application gateway to the same subnet as the backend servers.

为什么这不是一个选择?每个网关都需要一个单独的子网吗?推荐的配置是什么?

Why is this not an option? Does each gateway require a separate subnet? What is the recommended configuration?

相关问题:

• 文档说，后端服务器属于虚拟网络子网时，可以添加它们.如果应用程序网关必须位于单独的子网中，后端服务器如何才能属于该应用程序网关的虚拟网络子网?
• 如何在后端服务器上不需要公用IP地址的情况下配置应用程序网关?

推荐答案

应用程序网关必须自己位于子网中，如

The application gateway must be in a subnet by itself as explained in the documentation, hence the reason it is not an option. Create a smaller address space for your application gateway subnet (CIDR 'x.x.x.x/29') so you're not wasting IP addresses unnecessarily.

尝试使用子网建立多层网络拓扑是一个好习惯.这使您可以定义路由和网络安全组(即:允许端口80进入，拒绝端口80出口，拒绝RDP等)来控制子网中资源的流量.网关的路由和安全组要求通常会与虚拟网络中其他资源的路由和安全组要求不同.

It's a good practice to strive for a multi-tier network topology using subnets. This enables you to define routes and network security groups (ie: allow port 80 ingress, deny port 80 egress, deny RDP, etc.) to control traffic flow for the resources in the subnet. The routing and security group requirements for a gateway are generally going to be different than routing and security group requirements of other resources in the virtual network.

这篇关于为什么Azure Application Gateway需要一个空子网的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！