
Why does Azure recommend not deploying Azure Application Gateway in the hub network?

As a best practice of Azure Networking:

Don't deploy Layer-7 inbound NVAs, such as Azure Application Gateway, as a shared service in the central-hub virtual network. Instead, deploy them together with the application in their respective landing zones.

I wonder about the reasons behind it.

Deploying inbound NVAs in a hub (shared services VNET) may help in that:

  • This VNET can be managed by an experienced Azure administrator, rather than by users. If users misconfigure NVAs, administrators can use NSGs to stop traffic (defense in depth).
  • A network administrator can add other NVAs between the NVAs and the backend applications, e.g. for traffic inspection or auditing.

Essentially, the regional Azure Application Gateway provides a customizable layer 7 load-balancing solution. From the configuration side, Application Gateway is always deployed in a virtual network subnet. It should be deployed close to the application service region to reduce latency. If not, we need to set up a VPN connection or virtual network peering to connect to the backend cross-region service when using its IP address or hostname. This also adds complex networking infrastructure and is often not flexible to troubleshoot.

Also, there are constraints for peered virtual networks. Some services (the Application Gateway (v1) SKU) that use a Basic load balancer don't work over global virtual network peering.
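Added example (not from the question or the answer above): a Bicep template that follows the quoted guidance by placing an Application Gateway v2 in a dedicated subnet of the application's own landing-zone (spoke) VNet, next to the app, rather than as a shared service in the hub. The v2 SKU also avoids the Basic load balancer limitation mentioned for v1. Resource names, address ranges and the backend address are assumed values for illustration.

```bicep
// Added example: App Gateway v2 deployed in the landing-zone VNet with the app (not in the hub).
// All names, address prefixes and the backend IP are assumed values for illustration.
param location string = resourceGroup().location
param backendIp string = '10.10.2.4' // assumed address of the app server in snet-app

var gwName = 'agw-landingzone-app'

// Landing-zone VNet: one dedicated subnet for the gateway, one for the application.
resource spokeVnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-landingzone-app'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] }
    subnets: [
      { name: 'snet-appgw', properties: { addressPrefix: '10.10.1.0/24' } } // gateway-only subnet
      { name: 'snet-app', properties: { addressPrefix: '10.10.2.0/24' } }   // application subnet
    ]
  }
}

// v2 requires a Standard-SKU static public IP for its frontend.
resource pip 'Microsoft.Network/publicIPAddresses@2023-05-01' = {
  name: 'pip-appgw'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}

resource appGw 'Microsoft.Network/applicationGateways@2023-05-01' = {
  name: gwName
  location: location
  properties: {
    sku: { name: 'Standard_v2', tier: 'Standard_v2', capacity: 1 }
    // The gateway lives in the spoke's own subnet, co-located with the backend it fronts.
    gatewayIPConfigurations: [ { name: 'gwip', properties: { subnet: { id: resourceId('Microsoft.Network/virtualNetworks/subnets', spokeVnet.name, 'snet-appgw') } } } ]
    frontendIPConfigurations: [ { name: 'feip', properties: { publicIPAddress: { id: pip.id } } } ]
    frontendPorts: [ { name: 'port80', properties: { port: 80 } } ]
    backendAddressPools: [ { name: 'bepool', properties: { backendAddresses: [ { ipAddress: backendIp } ] } } ]
    backendHttpSettingsCollection: [ { name: 'besettings', properties: { port: 80, protocol: 'Http', cookieBasedAffinity: 'Disabled' } } ]
    httpListeners: [ { name: 'listener80', properties: { frontendIPConfiguration: { id: resourceId('Microsoft.Network/applicationGateways/frontendIPConfigurations', gwName, 'feip') }, frontendPort: { id: resourceId('Microsoft.Network/applicationGateways/frontendPorts', gwName, 'port80') }, protocol: 'Http' } } ]
    requestRoutingRules: [ { name: 'rule-app', properties: { ruleType: 'Basic', priority: 100, httpListener: { id: resourceId('Microsoft.Network/applicationGateways/httpListeners', gwName, 'listener80') }, backendAddressPool: { id: resourceId('Microsoft.Network/applicationGateways/backendAddressPools', gwName, 'bepool') }, backendHttpSettings: { id: resourceId('Microsoft.Network/applicationGateways/backendHttpSettingsCollection', gwName, 'besettings') } } } ]
  }
}
```

Because the gateway and its backend share a VNet, no peering or VPN hop is needed on the path to the application, and NSGs on snet-appgw and snet-app remain under the landing-zone team's control.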
