Preface
Original article
Discover App Service networking features
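Summary
Apart from the Isolated tier, every tier is deployed in a multi-tenant network.
The Isolated tier is deployed in a single-tenant network (inside an Azure virtual network).
Azure App Service is a distributed system, and many customers (I guess this means Azure App Service) run inside a single App Service scale unit (App Service plan), so you can't connect directly to the Azure App Service network.
Although you can't connect directly to the App Service network, Azure still provides quite a few tools for managing its networking.
Note that the tools for managing inbound traffic can only manage inbound traffic; you can't use them to manage outbound traffic.
Likewise, you can't use the tools for managing outbound traffic to manage inbound traffic.
The tools provided are as follows: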
Inbound features | Outbound features |
---|---|
App-assigned address | Hybrid Connections |
Access restrictions | Gateway-required virtual network integration |
Service endpoints | Virtual network integration |
Private endpoints | |
Here are some example use cases:
Inbound use case | Feature |
---|---|
Support IP-based SSL needs for your app | App-assigned address |
Support unshared dedicated inbound address for your app | App-assigned address |
Restrict access to your app from a set of well-defined addresses | Access restrictions |
Azure App Service apps on the Free and Shared SKU plans (how is this different from a tier? Answers welcome 🫠) run on multi-tenant workers,
while Basic and higher SKU plans run on a dedicated App Service plan.
When you scale out, all the app instances in the plan are replicated onto a new worker.
Outbound addresses
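SKU plans at Premium and below all run on the same worker VM types,
while Premium V2 and Premium V3 each have their own worker VM types.
If you change the VM family (and what is this now? It just said VM types and now it says VM family; are they the same thing?), the VMs will have a different set of outbound addresses.
You can find the outbound addresses the app is currently using in the app's properties.
You can also query outboundIpAddresses to get this list.
Here is an example: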
az webapp show --resource-group <group_name> --name <app_name> --query outboundIpAddresses --output tsv
If you want to find the outbound addresses that the scale unit (App Service plan) might use, you can query possibleOutboundIpAddresses to get the list.
Here is an example:
az webapp show --resource-group <group_name> --name <app_name> --query possibleOutboundIpAddresses --output tsv
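As an added example (not from the original article or from Microsoft's documentation), the script below shows one use for the two lists: reconciling them with the IP allowlist of a downstream firewall. The addresses, the allowlist and the function names are constructed for illustration; on a real app the two lists come from the `az webapp show` queries above, which return comma-separated addresses.

```bash
#!/bin/sh
# Added example: reconcile App Service outbound addresses with a downstream allowlist.
# Every address here is constructed (RFC 5737 documentation ranges), not a real Azure IP.

# On a real app these come from the two az webapp show queries
# (outboundIpAddresses and possibleOutboundIpAddresses), as comma-separated text.
CURRENT_OUT="192.0.2.10,192.0.2.11,198.51.100.7"
POSSIBLE_OUT="192.0.2.10,192.0.2.11,198.51.100.7,198.51.100.8,203.0.113.20"

# Hypothetical allowlist configured on a firewall in front of a downstream service.
ALLOWLIST="192.0.2.10, 192.0.2.11,198.51.100.7,203.0.113.99"

# split_sorted LIST: comma-separated list -> one address per line, sorted, de-duplicated.
split_sorted() {
  printf '%s\n' "$1" | tr ',' '\n' | tr -d ' \r' | grep -v '^$' | sort -u
}

# missing_from A B: print the entries of list A that do not appear in list B.
missing_from() {
  split_sorted "$1" | while IFS= read -r ip; do
    if ! split_sorted "$2" | grep -Fqx -- "$ip"; then
      printf '%s\n' "$ip"
    fi
  done
}

# to_csv: join lines from stdin back into one comma-separated line.
to_csv() { paste -sd, -; }

# Addresses in use right now that the firewall would drop.
blocked_now() { missing_from "$CURRENT_OUT" "$ALLOWLIST" | to_csv; }

# Addresses the app may use later that are not allowed yet.
blocked_later() { missing_from "$POSSIBLE_OUT" "$ALLOWLIST" | to_csv; }

# Allowlist entries the app can never use: candidates for removal (least privilege).
stale_entries() { missing_from "$ALLOWLIST" "$POSSIBLE_OUT" | to_csv; }

echo "blocked now:   $(blocked_now)"
echo "blocked later: $(blocked_later)"
echo "stale entries: $(stale_entries)"
```

An empty "blocked now" line together with a non-empty "blocked later" line is the case that passes testing today and fails once the app starts using a different set of outbound addresses.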
Text transcription
The multi-tenant public service hosts App Service plans in the Free, Shared, Basic, Standard, Premium, PremiumV2, and PremiumV3 pricing SKUs. There’s also the single-tenant App Service Environment (ASE), which hosts Isolated SKU App Service plans directly in your Azure virtual network.
Multi-tenant App Service networking features
Azure App Service is a distributed system. The roles that handle incoming HTTP or HTTPS requests are called front ends. The roles that host the customer workload are called workers. All the roles in an App Service deployment exist in a multi-tenant network. Because there are many different customers in the same App Service scale unit (App Service plan), you can’t connect the App Service network directly to your network.
Instead of connecting the networks, you need features to handle the various aspects of application communication. The features that handle requests to your app can’t be used to solve problems when you’re making calls from your app. Likewise, the features that solve problems for calls from your app can’t be used to solve problems to your app.
Inbound features | Outbound features |
---|---|
App-assigned address | Hybrid Connections |
Access restrictions | Gateway-required virtual network integration |
Service endpoints | Virtual network integration |
Private endpoints | |
You can mix the features to solve your problems with a few exceptions. The following inbound use cases are examples of how to use App Service networking features to control traffic inbound to your app.
Inbound use case | Feature |
---|---|
Support IP-based SSL needs for your app | App-assigned address |
Support unshared dedicated inbound address for your app | App-assigned address |
Restrict access to your app from a set of well-defined addresses | Access restrictions |
Default networking behavior
Azure App Service scale units support many customers in each deployment. The Free and Shared SKU plans host customer workloads on multi-tenant workers. The Basic and higher plans host customer workloads that are dedicated to only one App Service plan. If you have a Standard App Service plan, all the apps in that plan run on the same worker. If you scale out the worker, all the apps in that App Service plan are replicated on a new worker for each instance in your App Service plan.
Find outbound IPs
To find the outbound IP addresses currently used by your app in the Azure portal, select Properties in your app’s left-hand navigation.
You can find the same information by running the following Azure CLI command in the Cloud Shell. They’re listed in the Additional Outbound IP Addresses field.
az webapp show --resource-group <group_name> --name <app_name> --query outboundIpAddresses --output tsv
To find all possible outbound IP addresses for your app, regardless of pricing tiers, run the following command in the Cloud Shell.
az webapp show --resource-group <group_name> --name <app_name> --query possibleOutboundIpAddresses --output tsv