应用程序网关的两个前端端口使用相同的端口 443 - terraform 中的 Azure 应用程序网关

Posted

技术标签:

【中文标题】应用程序网关的两个前端端口使用相同的端口 443 - terraform 中的 Azure 应用程序网关【英文标题】:two frontend ports of application gateway are using the same port 443 - Azure application gateway in terraform 【发布时间】:2021-06-05 23:29:27 【问题描述】:

我正在使用 terraform 配置 azure 应用程序网关。

以下是我写的模块:

locals 
  backend_address_pool_name      = format("appgwbeap-%[1]s-%[2]s%[3]sweb-gw",var.project_code,var.env,var.zone)
  frontend_port_name             = format("appgwfeport-%[1]s-%[2]s%[3]sweb-gw",var.project_code,var.env,var.zone)
  frontend_ip_configuration_name = format("appgwfeip-%[1]s-%[2]s%[3]sweb-gw",var.project_code,var.env,var.zone)
  http_setting_name              = format("appgwhtst-%[1]s-%[2]s%[3]sweb-gw",var.project_code,var.env,var.zone)
  listener_name                  = format("appgwhttplstnr-%[1]s-%[2]s%[3]sweb-gw",var.project_code,var.env,var.zone)
  request_routing_rule_name      = format("appgwrqrt-%[1]s-%[2]s%[3]sweb-gw",var.project_code,var.env,var.zone)
  redirect_configuration_name    = format("appgwrdrcfg-%[1]s-%[2]s%[3]sweb-gw",var.project_code,var.env,var.zone)


resource "azurerm_application_gateway" "appgw" 
  name                = format("appgw-%[1]s-%[2]s%[3]sweb-gw",var.project_code,var.env,var.zone)
  resource_group_name = var.rg_name
  location            = var.location

  sku 
    name     = var.sku_name
    tier     = var.sku_tier
    capacity = var.sku_capacity
  

  gateway_ip_configuration 
    name      = format("appgwipcfg-%[1]s-%[2]s%[3]sweb-gw",var.project_code,var.env,var.zone)
    subnet_id = var.subnet_id
  

  frontend_port 
    name = "appgwfeport-app1-uatizweb-gw"
    port = "443"
  


  frontend_port 
    name = "appgwfeport-app2-uatizweb-gw"
    port = "443"
  

  ssl_certificate 
    name     = "UAT-APP1-APPGW-SSL-CERT-SGCORE-12Jan21-12Jan23"
    data     = filebase64("./certificates/web.app1.sso.gwwu.xxx.com.de-12Jan2021.pfx")
    password = "$var.app1_pfx_password"
  
  authentication_certificate 
    name = "UAT-APP1-APPGW-SSL-CERT-SGCORE-12Jan21-12Jan23"
    data = file("./certificates/web_app1_sso_gwwu_xxx_com_de-12Jan21.cer")
    

  ssl_certificate 
    name     = "UAT-APP2-APPGW-SSL-CERT-01Mar21"
    data     = filebase64("./certificates/selfsigned-app2-uat-01Mar21.pfx")
    password = "$var.app1_pfx_password"
  
  authentication_certificate 
    name = "UAT-APP2-APPGW-SSL-CERT-01Mar21"
    data = file("./certificates/selfsigned-app2-uat-01Mar21.cer")
    

  frontend_ip_configuration 
    name                 = "$local.frontend_ip_configuration_name"
    subnet_id            = var.subnet_id
    private_ip_address   = var.frontend_private_ip
    private_ip_address_allocation = "Static"
  

  backend_address_pool 
    name = "beap-path-app1-app"
    #fqdns     = var.fqdn_list
    ip_addresses = ["10.xxx.xxx.36"]
  

  backend_address_pool 
    name = "beap-path-app2-app"
    #fqdns     = var.fqdn_list
    ip_addresses = ["10.xxx.xxx.37"]
  

  backend_http_settings 
    name                  = "behs-path-app1-app"
    cookie_based_affinity = var.backend_cookie_based_affinity
    affinity_cookie_name  = "ApplicationGatewayAffinity"
    path                  = var.backend_path
    port                  = "443"
    #probe_name            = "probe-app1"
    protocol              = "Https"
    request_timeout       = var.backend_request_timeout
    authentication_certificate 
      name = "UAT-APP1-APPGW-SSL-CERT-SGCORE-12Jan21-12Jan23"
    
  

  backend_http_settings 
    name                  = "behs-path-app2-app"
    cookie_based_affinity = var.backend_cookie_based_affinity
    affinity_cookie_name  = "ApplicationGatewayAffinity"
    path                  = var.backend_path
    port                  = "443"
    #probe_name            = "probe-app2"
    protocol              = "Https"
    request_timeout       = var.backend_request_timeout
    authentication_certificate 
      name = "UAT-APP2-APPGW-SSL-CERT-01Mar21"
    
  

  http_listener 
    name                           = "appgwhttplsnr-app1-uatizweb-gw"
    frontend_ip_configuration_name = "$local.frontend_ip_configuration_name"
    frontend_port_name             = "appgwfeport-app1-uatizweb-gw"
    protocol                       = "Https"
    ssl_certificate_name           = "UAT-APP1-APPGW-SSL-CERT-SGCORE-12Jan21-12Jan23"
    require_sni                    = true
    host_name                      = "web.app1.sso.gwwu.xxx.com.de"
  

  http_listener 
    name                           = "appgwhttplsnr-app2-uatizweb-gw"
    frontend_ip_configuration_name = "$local.frontend_ip_configuration_name"
    frontend_port_name             = "appgwfeport-app2-uatizweb-gw"
    ssl_certificate_name           = "UAT-APP2-APPGW-SSL-CERT-01Mar21"
    require_sni                    = true
    protocol                       = "Https"
    host_name                      = "web.app2.sso.gwwu.xxx.com.de"
  

  request_routing_rule 
    name                       = "appgwrqrt-app2-uatizweb-gw"
    rule_type                  = var.backend_rule_type
    http_listener_name         = "appgwhttplsnr-app2-uatizweb-gw"
    backend_address_pool_name  = "beap-path-app2-app"
    backend_http_settings_name = "behs-path-app2-app"
  

  request_routing_rule 
    name                       = "appgwrqrt-app1-uatizweb-gw"
    rule_type                  = var.backend_rule_type
    http_listener_name         = "appgwhttplsnr-app1-uatizweb-gw"
    backend_address_pool_name  = "beap-path-app1-app"
    backend_http_settings_name = "behs-path-app1-app"

下面是调用模块的main.tf

module "app_gateway" 
  source                     = "../../../modules/appgateway"
  rg_name                    = var.rg_name
  agency                     = local.agency
  project_code               = local.project_code
  env                        = var.env
  zone                       = var.zone
  tier                       = "appgw"
  location                   = local.location
  vnet_name                  = var.vnet_name
  subnet_id                  = module.agw_subnet.subnet_id
  sku_name                   = var.appgw_sku_name
  sku_capacity               = var.appgw_sku_capacity
  frontend_private_ip        = var.appgw_frontend_ip
  frontend_port              = var.frontend_port
  frontend_protocol          = var.frontend_protocol
  app1_pfx_password          = "$var.app1_pfx_password"
  backend_protocol           = var.backend_protocol
  backend_port               = var.backend_port
  backend_path               = "/"
  providers = 
    azurerm = azurerm.corpapps

我使用了多站点,但是当我部署时 -i 收到以下错误: two frontend ports of application gateway are using the same port number 443.

当我将我的一个端口更改为 5443 时 - 它确实被部署并在 terraform 中工作。 另外,我可以从门户创建两个带有 443(多站点)的前端端口。不能从 terraform 执行此操作。

我在 terraform 中缺少什么。 对此有任何帮助!

【问题讨论】:

【参考方案1】:

我们在通过 PowerShell 脚本更新应用网关时遇到了同样的错误。

场景: 有一个现有的多站点侦听器使用 80 的 FrontendPort。当脚本尝试在同一端口上添加第二个多站点侦听器时,我们收到了相同的错误消息。

原来,原来的监听器使用公共前端 IP,而添加的第二个监听器使用的是私有前端 IP。我没有意识到这一点,但您不能为公共侦听器和私有侦听器使用相同的前端端口,即使它们都是多站点的。

无论如何,原始监听器不应该是公共 IP,所以一旦我将原始监听器调整为使用私有 IP,脚本就会毫无错误地执行。

我在这里找到了关于私有 IP 和公共 IP 不能共享同一个端口的解释:

https://github.com/MicrosoftDocs/azure-docs/issues/23652

也许这对其他人有帮助。

【讨论】:

【参考方案2】:

我们可以为多站点侦听器使用相同的前端配置(前端 IP、协议、端口或名称),而不是创建两个 frontend_port 名称。

例如,更改相关代码:

 resource "azurerm_application_gateway" "appgw" 
    #..
    
      frontend_port 
        name = "appgwfeport-app1-uatizweb-gw"
        port = "443"
      
    
    
    #  frontend_port 
    #    name = "appgwfeport-app2-uatizweb-gw"
    #    port = "443"
    #  
    
    #..
    
    
      http_listener 
        name                           = "appgwhttplsnr-app1-uatizweb-gw"
        frontend_ip_configuration_name = "$local.frontend_ip_configuration_name"
        frontend_port_name             = "appgwfeport-app1-uatizweb-gw"
        protocol                       = "Https"
        ssl_certificate_name           = "UAT-APP1-APPGW-SSL-CERT-SGCORE-12Jan21-12Jan23"
        require_sni                    = true
        host_name                      = "web.app1.sso.gwwu.xxx.com.de"
      
    
      http_listener 
        name                           = "appgwhttplsnr-app2-uatizweb-gw"
        frontend_ip_configuration_name = "$local.frontend_ip_configuration_name"
        frontend_port_name             = "appgwfeport-app1-uatizweb-gw"      #change here
        ssl_certificate_name           = "UAT-APP2-APPGW-SSL-CERT-01Mar21"
        require_sni                    = true
        protocol                       = "Https"
        host_name                      = "web.app2.sso.gwwu.xxx.com.de"

更多信息,请阅读https://docs.microsoft.com/en-us/azure/application-gateway/tutorial-multiple-sites-powershell和https://docs.microsoft.com/en-us/azure/application-gateway/create-multiple-sites-portal#configuration-tab

【讨论】:

【参考方案3】:

也许这个链接会有所帮助:https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-faq#can-i-use-the-same-port-for-both-public-facing-and-private-facing-listeners 简短的回答是 - 不能使用相同的端口私有和公共侦听器。 作为一种解决方法,我使用另一个端口(如 10443)进行 https 私有侦听器配置。就我而言,它运行良好,因为用户没有使用私人监听器

【讨论】:

以上是关于应用程序网关的两个前端端口使用相同的端口 443 - terraform 中的 Azure 应用程序网关的主要内容,如果未能解决你的问题,请参考以下文章

443端口被封,如何远程调试大华摄像机

443端口和80端口的区别?

443端口和80端口的区别?

443端口和80端口的区别?

同一个IP的443端口中的多个域

服务器443端口与80端口的区别