简体繁体 English

Azure 应用服务自动缩放 - 处理新的出站 IP

[英]Azure App Service Auto-Scaling - handle new outbound IP

原文 2018-04-06 05:06:27 4 3 azure/ azure-web-app-service/ autoscaling

I am wondering how people handle the situation where an Azure Web App is configured with Auto-Scale that relies on services where IP whitelists have been configured.我想知道人们如何处理使用自动缩放配置 Azure Web 应用程序的情况，该应用程序依赖于已配置 IP 白名单的服务。

For example, lets say I have a Website (Web A) and another App Service (App B) that is providing an API.例如，假设我有一个网站（Web A）和另一个提供 API 的应用服务（App B）。 I would like to set the firewall rules on App B such that Web A only has access to it using IP Whitelisting.我想在 App B 上设置防火墙规则，以便 Web A 只能使用 IP 白名单访问它。

In this scenario, if Web A satisfies the Auto-Scale rules, there is a potential that the newly scaled instance will have a different outbound IP (from my understanding of the documentation there is a chance of receiving a different outbound IP at least).在这种情况下，如果 Web A 满足 Auto-Scale 规则，则新扩展的实例有可能具有不同的出站 IP（根据我对文档的理解，至少有可能收到不同的出站 IP）。 How would I ensure that App B includes this new outbound IP?我如何确保 App B 包含这个新的出站 IP？

In this scenario we already have username/password authentication, but as an added layer of security I would also like to configure IP whitelisting.在这种情况下，我们已经有了用户名/密码身份验证，但作为额外的安全层，我还想配置 IP 白名单。

3 个解决方案

If Web A satisfies the Auto-Scale rules there is a potential that the newly scaled instance will have a different outbound IP [...] 如果Web A满足自动扩展规则，则新扩展的实例可能会具有不同的出站IP [...]

No. All scale out operations take place within the scale unit (stamp), meaning same outbound IP addresses for all your instances. 否。所有向外扩展操作都在扩展单元（标记）内进行，这意味着所有实例都使用相同的出站IP地址。

Secure your service to service calls with OAuth 2.0 client credential grant (access tokens), or X509 client certificates. 使用OAuth 2.0客户端凭据授予（访问令牌）或X509客户端证书来保护您的服务以进行服务调用。 The IP address way isn't a very cloud way of restricting access, you should look at IP addresses as ephemeral by nature in the cloud and deal with access at a higher layer in the OSI model. IP地址方式不是限制访问的非常云化的方式，您应该在云中将IP地址视为临时性的，并在OSI模型中处理更高层的访问。

just had the same question and found this lately in the docs:刚刚有同样的问题，最近在文档中发现了这一点：

Link to the microsoft docs链接到微软文档

So in a nutshell: If you scale out it should work out, if you scale up between app service plan tiers the outbound ip adresses will change所以简而言之：如果你横向扩展它应该工作，如果你在应用服务计划层之间扩展，出站 IP 地址将会改变

What you describe here is exactly how this service works. 您在此处描述的正是该服务的工作方式。

There is no way to tell exactly from which IP a request will be coming to you API. 没有办法确切告诉您来自哪个IP的API请求。 The web app might, without any further notice, transfer the app to a different instance, hence the request will be coming from there. 该Web应用程序可能会在不另行通知的情况下将该应用程序转移到其他实例，因此请求将来自该实例。

However, there are also other ways to secure your API. 但是，还有其他方法可以保护您的API。

I recommend you have a look at adding AzureAD authorization in-front of your API and require all requests to be authorized before they can interact with your API. 我建议您先看看在API的前面添加AzureAD授权，并要求所有请求都必须经过授权才能与API进行交互。

See eg how to 参见例如如何