Layer-7 load balancing on Azure: Application Gateway

Posted by 衡子 on 2015-12-16

Azure's SLB and ILB are the most commonly used layer-4 load balancers. Some scenarios, however, need layer-7 load balancing, and there SLB and ILB cannot help.

Azure has now released the Application Gateway service, which is exactly that: a layer-7 load balancer.

As the figure above shows, Application Gateway performs SSL offload for a user's HTTPS site and load-balances across multiple VMs. It also provides cookie-based affinity, another layer-7 feature.

Combining Application Gateway, SLB and Traffic Manager gives an application high scalability:

Intelligent DNS (Traffic Manager) chooses between the northern and the eastern Azure data center; the layer-4 SLB then spreads the traffic across several Application Gateways, and each Application Gateway distributes it to the individual VMs according to its policy.

Application Gateway is deployed into a VNet, but the nodes it balances across do not have to be VMs in that VNet, as the figure below shows:

Besides VMs in its own VNet, the backend nodes can be VMs in other Cloud Services, VMs in other VNets (reachable through a VPN), and even VMs outside Azure.

Application Gateway comes in three sizes:

  1. Small – for Dev/Test; not recommended for production
  2. Medium – supports up to 150 Mbps of SSL traffic
  3. Large – supports up to 200 Mbps of SSL traffic

The configuration commands:

  1. Create the Application Gateways

    New-AzureApplicationGateway -Name hwappgw -VnetName hwvnet -Subnets Subnet-1 -InstanceCount 2 -GatewaySize Medium

    New-AzureApplicationGateway -Name hwappgw02 -VnetName hwvnet -Subnets Subnet-1 -InstanceCount 2 -GatewaySize Medium

    The two commands above create two Application Gateways. Note that the commands are identical: what decides the kind of frontend is the configuration file applied in the next step, not the creation command. The first gateway will be given a frontend address from Subnet-1 and act like an ILB (internal layer-4 load balancing in front of it); the second will be assigned a public VIP automatically and act like an SLB (public layer-4 load balancing in front of it).

  2. Write the Application Gateway configuration files

    First write the configuration files. a.xml implements load balancing the ILB way (private frontend), c.xml the SLB way (public VIP):

a.xml

    <?xml version="1.0" encoding="utf-8"?>
    <ApplicationGatewayConfiguration xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/windowsazure">
      <FrontendIPConfigurations>
        <FrontendIPConfiguration>
          <Name>fip1</Name>
          <Type>Private</Type>
          <StaticIPAddress>10.1.1.140</StaticIPAddress>
        </FrontendIPConfiguration>
      </FrontendIPConfigurations>
      <FrontendPorts>
        <FrontendPort>
          <Name>FrontendPort1</Name>
          <Port>80</Port>
        </FrontendPort>
      </FrontendPorts>
      <BackendAddressPools>
        <BackendAddressPool>
          <Name>BackendPool1</Name>
          <IPAddresses>
            <IPAddress>10.1.1.151</IPAddress>
            <IPAddress>10.1.1.152</IPAddress>
          </IPAddresses>
        </BackendAddressPool>
      </BackendAddressPools>
      <BackendHttpSettingsList>
        <BackendHttpSettings>
          <Name>BackendSetting1</Name>
          <Port>80</Port>
          <Protocol>Http</Protocol>
          <CookieBasedAffinity>Enabled</CookieBasedAffinity>
        </BackendHttpSettings>
      </BackendHttpSettingsList>
      <HttpListeners>
        <HttpListener>
          <Name>HTTPListener1</Name>
          <FrontendIP>fip1</FrontendIP>
          <FrontendPort>FrontendPort1</FrontendPort>
          <Protocol>Http</Protocol>
        </HttpListener>
      </HttpListeners>
      <HttpLoadBalancingRules>
        <HttpLoadBalancingRule>
          <Name>HttpLBRule1</Name>
          <Type>basic</Type>
          <BackendHttpSettings>BackendSetting1</BackendHttpSettings>
          <Listener>HTTPListener1</Listener>
          <BackendAddressPool>BackendPool1</BackendAddressPool>
        </HttpLoadBalancingRule>
      </HttpLoadBalancingRules>
    </ApplicationGatewayConfiguration>

Note that the frontend IP address is 10.1.1.140: a static private address inside Subnet-1, which is why the frontend <Type> is Private.

c.xml

    <?xml version="1.0" encoding="utf-8"?>
    <ApplicationGatewayConfiguration xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/windowsazure">
      <FrontendPorts>
        <FrontendPort>
          <Name>FrontendPort1</Name>
          <Port>80</Port>
        </FrontendPort>
      </FrontendPorts>
      <BackendAddressPools>
        <BackendAddressPool>
          <Name>BackendPool1</Name>
          <IPAddresses>
            <IPAddress>10.1.1.151</IPAddress>
            <IPAddress>10.1.1.152</IPAddress>
          </IPAddresses>
        </BackendAddressPool>
      </BackendAddressPools>
      <BackendHttpSettingsList>
        <BackendHttpSettings>
          <Name>BackendSetting1</Name>
          <Port>80</Port>
          <Protocol>Http</Protocol>
          <CookieBasedAffinity>Enabled</CookieBasedAffinity>
        </BackendHttpSettings>
      </BackendHttpSettingsList>
      <HttpListeners>
        <HttpListener>
          <Name>HTTPListener1</Name>
          <FrontendPort>FrontendPort1</FrontendPort>
          <Protocol>Http</Protocol>
        </HttpListener>
      </HttpListeners>
      <HttpLoadBalancingRules>
        <HttpLoadBalancingRule>
          <Name>HttpLBRule1</Name>
          <Type>basic</Type>
          <BackendHttpSettings>BackendSetting1</BackendHttpSettings>
          <Listener>HTTPListener1</Listener>
          <BackendAddressPool>BackendPool1</BackendAddressPool>
        </HttpLoadBalancingRule>
      </HttpLoadBalancingRules>
    </ApplicationGatewayConfiguration>

This configuration has no FrontendIPConfigurations section at all; the gateway will obtain a public VIP automatically.

  1. Apply the configuration to each Application Gateway

    Set-AzureApplicationGatewayConfig -Name hwappgw -ConfigFile D:\a.xml

    Set-AzureApplicationGatewayConfig -Name hwappgw02 -ConfigFile D:\c.xml

  2. Start the Application Gateways

    Start-AzureApplicationGateway -Name hwappgw

    Start-AzureApplicationGateway -Name hwappgw02

    This step is slow: it takes roughly 20 minutes to complete. During that time Azure creates several Application Gateway VMs in the background to provide HA.

  3. Check the state of the Application Gateways

    Get-AzureApplicationGateway

    Name          : hwappgw
    Description   :
    VnetName      : hwvnet
    Subnets       : {Subnet-1}
    InstanceCount : 2
    GatewaySize   : Medium
    State         : Running
    VirtualIPs    : {10.1.1.140}
    DnsName       :

    Name          : hwappgw02
    Description   :
    VnetName      : hwvnet
    Subnets       : {Subnet-1}
    InstanceCount : 2
    GatewaySize   : Medium
    State         : Running
    VirtualIPs    : {42.159.241.87}
    DnsName       : 70da9ed4-cf13-45a9-9fa3-c44f7e98e73a.chinacloudapp.cn

As you can see, hwappgw's address is an internal address, while hwappgw02's address is a public one and it also has a DNS name.

At this point the backend service can already be reached through either load balancer address. Application Gateway forwards traffic to 10.1.1.151 and 10.1.1.152 according to the health of those two VMs.
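The create / configure / start / inspect sequence above, wrapped in one script. This is an added example and not code from the original post: it checks the XML configuration file for dangling cross-references before uploading it (the service otherwise rejects the file only after the upload), runs the same four cmdlets the post uses, and then polls Get-AzureApplicationGateway until the gateway reports Running instead of assuming the 20-minute provisioning is done. Gateway, VNet, subnet and file names are the post's own; the function names Test-AppGatewayConfig, Deploy-AppGateway and Get-ConfigNames are this example's and assume the classic (ASM) Azure PowerShell module is loaded and a subscription is selected.

```powershell
# Added example (not from the original post): validate an Application Gateway
# config file offline, then create, configure, start and wait for the gateway.

function Get-ConfigNames {
    # Text of every element matched by $XPath, as an array (empty when nothing matches)
    param([xml]$Doc, [System.Xml.XmlNamespaceManager]$Ns, [string]$XPath)
    @($Doc.SelectNodes($XPath, $Ns) | ForEach-Object { $_.InnerText.Trim() })
}

function Test-AppGatewayConfig {
    # Returns the problems found in a config file (nothing returned = nothing found).
    # Only cross-references and the Https/SslCert pairing are checked here; the
    # service validates the rest of the schema on upload.
    param([Parameter(Mandatory)][string]$Path)

    [xml]$doc = Get-Content -LiteralPath $Path -Raw
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('g', 'http://schemas.microsoft.com/windowsazure')

    $frontendIps   = @(Get-ConfigNames $doc $ns '//g:FrontendIPConfiguration/g:Name')
    $frontendPorts = @(Get-ConfigNames $doc $ns '//g:FrontendPort/g:Name')
    $pools         = @(Get-ConfigNames $doc $ns '//g:BackendAddressPool/g:Name')
    $settings      = @(Get-ConfigNames $doc $ns '//g:BackendHttpSettings/g:Name')
    $listeners     = @(Get-ConfigNames $doc $ns '//g:HttpListener/g:Name')
    $problems = New-Object System.Collections.Generic.List[string]

    foreach ($l in $doc.SelectNodes('//g:HttpListener', $ns)) {
        $name  = $l.SelectSingleNode('g:Name', $ns).InnerText
        $port  = $l.SelectSingleNode('g:FrontendPort', $ns).InnerText
        $proto = $l.SelectSingleNode('g:Protocol', $ns).InnerText
        $ip    = $l.SelectSingleNode('g:FrontendIP', $ns)      # absent = public VIP
        $cert  = $l.SelectSingleNode('g:SslCert', $ns)
        if ($frontendPorts -notcontains $port) {
            $problems.Add("listener '$name' references undefined FrontendPort '$port'")
        }
        if ($ip -and $frontendIps -notcontains $ip.InnerText) {
            $problems.Add("listener '$name' references undefined FrontendIP '$($ip.InnerText)'")
        }
        if ($proto -eq 'Https' -and (-not $cert -or -not $cert.InnerText.Trim())) {
            $problems.Add("listener '$name' is Https but has no SslCert")
        }
        if ($proto -eq 'Http' -and -not $ip) {
            Write-Warning "listener '$name' is plain HTTP on an automatically assigned public VIP"
        }
    }

    foreach ($r in $doc.SelectNodes('//g:HttpLoadBalancingRule', $ns)) {
        $name = $r.SelectSingleNode('g:Name', $ns).InnerText
        $refs = @{ 'g:Listener' = $listeners; 'g:BackendAddressPool' = $pools; 'g:BackendHttpSettings' = $settings }
        foreach ($tag in $refs.Keys) {
            $value = $r.SelectSingleNode($tag, $ns).InnerText
            if ($refs[$tag] -notcontains $value) {
                $problems.Add("rule '$name' references undefined $($tag.Substring(2)) '$value'")
            }
        }
    }
    $problems.ToArray()
}

function Deploy-AppGateway {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$ConfigFile,
        [string]$VnetName = 'hwvnet',          # values from the post; change for your VNet
        [string]$Subnet = 'Subnet-1',
        [int]$InstanceCount = 2,
        [ValidateSet('Small', 'Medium', 'Large')][string]$GatewaySize = 'Medium',
        [int]$TimeoutMinutes = 30
    )
    $configPath = (Resolve-Path -LiteralPath $ConfigFile).Path
    $problems = @(Test-AppGatewayConfig -Path $configPath)
    if ($problems.Count -gt 0) {
        throw ("Refusing to upload $configPath`n" + ($problems -join "`n"))
    }

    New-AzureApplicationGateway -Name $Name -VnetName $VnetName -Subnets $Subnet `
        -InstanceCount $InstanceCount -GatewaySize $GatewaySize | Out-Null
    Set-AzureApplicationGatewayConfig -Name $Name -ConfigFile $configPath | Out-Null
    Start-AzureApplicationGateway -Name $Name | Out-Null

    # Provisioning takes about 20 minutes; poll the state rather than assume it
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds 60
        $gw = Get-AzureApplicationGateway -Name $Name
    } until ($gw.State -eq 'Running' -or (Get-Date) -gt $deadline)

    if ($gw.State -ne 'Running') {
        throw "$Name is still '$($gw.State)' after $TimeoutMinutes minutes"
    }
    $gw | Select-Object Name, State, InstanceCount, GatewaySize, VirtualIPs, DnsName
}

# The two gateways from the post: a.xml carries a static private frontend (ILB-style),
# c.xml has no FrontendIPConfiguration and is handed a public VIP (SLB-style).
Deploy-AppGateway -Name hwappgw   -ConfigFile 'D:\a.xml'
Deploy-AppGateway -Name hwappgw02 -ConfigFile 'D:\c.xml'
```

The validator deliberately only warns, rather than fails, on a plain-HTTP listener bound to a public VIP, because that is exactly the intermediate state the post is in before the certificate is uploaded; treat the warning as a reminder that the public endpoint is cleartext until the HTTPS configuration is applied.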

  1. Upload the SSL certificate

    Add-AzureApplicationGatewaySslCertificate -Name hwappgw02 -CertificateName hengweicert -Password xxxx -CertificateFile D:\HengweiCert.pfx

    Name        HTTP Status Code   Operation ID                           Error
    ----        ----------------   ------------                           -----
    Successful  OK                 ae3d3289-618f-4da0-bf45-56ed2542d098

  2. Confirm the certificate state

    Get-AzureApplicationGatewaySslCertificate -Name hwappgw02

    Name            : hengweicert
    SubjectName     : CN=ClientCertificateHengwei
    Thumbprint      : 1336E8F9BB18A947AD79F0A2939411B0BC3D893B
    ThumbprintAlgo  : sha1RSA
    State           : Provisioned

  3. Change hwappgw02's configuration file

    Edit c.xml: change the frontend port to 443, the listener protocol to Https, and add the certificate reference:

    <?xml version="1.0" encoding="utf-8"?>
    <ApplicationGatewayConfiguration xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/windowsazure">
      <FrontendPorts>
        <FrontendPort>
          <Name>FrontendPort1</Name>
          <Port>443</Port>
        </FrontendPort>
      </FrontendPorts>
      <BackendAddressPools>
        <BackendAddressPool>
          <Name>BackendPool1</Name>
          <IPAddresses>
            <IPAddress>10.1.1.151</IPAddress>
            <IPAddress>10.1.1.152</IPAddress>
          </IPAddresses>
        </BackendAddressPool>
      </BackendAddressPools>
      <BackendHttpSettingsList>
        <BackendHttpSettings>
          <Name>BackendSetting1</Name>
          <Port>80</Port>
          <Protocol>Http</Protocol>
          <CookieBasedAffinity>Enabled</CookieBasedAffinity>
        </BackendHttpSettings>
      </BackendHttpSettingsList>
      <HttpListeners>
        <HttpListener>
          <Name>HTTPListener1</Name>
          <FrontendPort>FrontendPort1</FrontendPort>
          <Protocol>Https</Protocol>
          <SslCert>hengweicert</SslCert>
        </HttpListener>
      </HttpListeners>
      <HttpLoadBalancingRules>
        <HttpLoadBalancingRule>
          <Name>HttpLBRule1</Name>
          <Type>basic</Type>
          <BackendHttpSettings>BackendSetting1</BackendHttpSettings>
          <Listener>HTTPListener1</Listener>
          <BackendAddressPool>BackendPool1</BackendAddressPool>
        </HttpLoadBalancingRule>
      </HttpLoadBalancingRules>
    </ApplicationGatewayConfiguration>

  4. Upload the Application Gateway settings

    Set-AzureApplicationGatewayConfig -Name hwappgw02 -ConfigFile D:\c.xml

    Browsing the site over HTTPS now produces a certificate warning: the certificate is self-signed, and its subject (CN=ClientCertificateHengwei) does not match the gateway's DNS name either.

After clicking through the warning, the site's home page appears:

The VMs themselves only serve plain HTTP; the Application Gateway terminates SSL and encrypts the traffic toward the user. Note that the gateway-to-backend hop therefore runs in cleartext on port 80, which is acceptable inside the VNet (or across the VPN to another VNet) but not for backends reached over the public internet.
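Steps 1 to 4 of the SSL offload setup above, with the checks a practitioner would want around them. This is an added example and not code from the original post: it inspects the PFX locally before uploading (private key present, not about to expire, self-signed or not), waits until the gateway reports the certificate Provisioned and compares the thumbprint it reports with the local file, applies the HTTPS configuration, and finally opens a TLS connection to the public endpoint to confirm that the gateway really serves that certificate. Gateway, certificate and file names and the DNS name are the post's own; the function names Get-PfxSummary, Publish-AppGatewayCertificate and Get-ServedCertificate are this example's, and the TLS probe uses .NET's SslStream rather than any Azure cmdlet.

```powershell
# Added example (not from the original post): inspect, upload, verify and probe
# the certificate used for SSL offload on hwappgw02.

function Get-PfxSummary {
    param([Parameter(Mandatory)][string]$PfxPath, [Parameter(Mandatory)][string]$Password)
    $path = (Resolve-Path -LiteralPath $PfxPath).Path
    $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList $path, $Password
    if (-not $cert.HasPrivateKey) {
        throw "$PfxPath contains no private key; the gateway cannot terminate TLS with it"
    }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "certificate expires on $($cert.NotAfter)"
    }
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        SelfSigned = ($cert.Subject -eq $cert.Issuer)
    }
}

function Publish-AppGatewayCertificate {
    param(
        [Parameter(Mandatory)][string]$GatewayName,
        [Parameter(Mandatory)][string]$CertificateName,
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][string]$Password,     # read it at run time; do not hard-code it
        [Parameter(Mandatory)][string]$ConfigFile
    )
    $local = Get-PfxSummary -PfxPath $PfxPath -Password $Password
    if ($local.SelfSigned) {
        Write-Warning "'$($local.Subject)' is self-signed; browsers will warn until a CA-issued certificate replaces it"
    }
    Add-AzureApplicationGatewaySslCertificate -Name $GatewayName -CertificateName $CertificateName `
        -Password $Password -CertificateFile (Resolve-Path -LiteralPath $PfxPath).Path | Out-Null

    # Wait for State = Provisioned, then make sure the gateway holds the file we sent
    $deadline = (Get-Date).AddMinutes(10)
    do {
        Start-Sleep -Seconds 15
        $remote = Get-AzureApplicationGatewaySslCertificate -Name $GatewayName |
            Where-Object { $_.Name -eq $CertificateName }
    } until (($remote -and $remote.State -eq 'Provisioned') -or (Get-Date) -gt $deadline)
    if (-not $remote -or $remote.State -ne 'Provisioned') {
        throw "certificate $CertificateName did not reach Provisioned in time"
    }
    if ($remote.Thumbprint -ne $local.Thumbprint) {
        throw "gateway reports thumbprint $($remote.Thumbprint), local PFX is $($local.Thumbprint)"
    }
    Set-AzureApplicationGatewayConfig -Name $GatewayName `
        -ConfigFile (Resolve-Path -LiteralPath $ConfigFile).Path | Out-Null
    $local
}

function Get-ServedCertificate {
    # Opens a TLS session to the endpoint and returns what the gateway presents.
    # The validation callback accepts everything on purpose: we inspect, we do not trust.
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $client = New-Object -TypeName System.Net.Sockets.TcpClient -ArgumentList $HostName, $Port
    try {
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $stream = $client.GetStream()
        $ssl = New-Object -TypeName System.Net.Security.SslStream -ArgumentList $stream, $false, $accept
        $ssl.AuthenticateAsClient($HostName)
        $served = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList $ssl.RemoteCertificate
        [pscustomobject]@{ Subject = $served.Subject; Thumbprint = $served.Thumbprint; Protocol = $ssl.SslProtocol }
        $ssl.Dispose()
    } finally {
        $client.Close()
    }
}

$uploaded = Publish-AppGatewayCertificate -GatewayName hwappgw02 -CertificateName hengweicert `
    -PfxPath 'D:\HengweiCert.pfx' -Password (Read-Host 'PFX password') -ConfigFile 'D:\c.xml'
$served = Get-ServedCertificate -HostName '70da9ed4-cf13-45a9-9fa3-c44f7e98e73a.chinacloudapp.cn'
if ($served.Thumbprint -ne $uploaded.Thumbprint) {
    throw "endpoint serves '$($served.Subject)', not the uploaded certificate"
}
$served
```

Set-AzureApplicationGatewayConfig returns before the new listener is live, so if the probe is run immediately after it and fails with a connection error, repeat the probe after a few minutes before concluding that the configuration is wrong. The probe returning the uploaded thumbprint is the evidence that offload is in place: the backend VMs never saw a private key.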

 

Today the main features Application Gateway offers are cookie-affinity load balancing and SSL offload.

URL-based HTTP routing is planned for a future release; this post will be updated once the new feature is out!
