Connect Cosmos DB (as service endpoint) as backend server with Application Gateway
Currently I want to connect a Cosmos DB instance, which sits behind a service endpoint in one subnet, with an Application Gateway instance, which sits behind another subnet.
So I implemented HTTPS forwarding from the public IP to the Cosmos DB instance. However, the Azure portal tells me the database is an unhealthy backend service and says the certificate is not whitelisted.
These are the steps I have completed so far:
- Create a TLS certificate for the connection from the App Gateway to Cosmos DB, with the common name (FQDN) equal to the URI of the Cosmos DB instance shown in the Overview (example.documents.azure.com):
$ openssl genrsa -out priv-key-db.pem 4096
$ openssl req -new -key priv-key-db.pem -out csr-db.pem
$ openssl x509 -in csr-db.pem -out cert-db.cer -req -signkey priv-key-db.pem -days 365
- Upload the .cer file when creating the appropriate HTTP rule in the Azure portal.
Azure Cosmos DB is an Azure managed service. We access it over HTTPS using a public certificate issued by the Baltimore CyberTrust Root. I don't think you can create a TLS certificate for the connection when accessing the database instance through Application Gateway, because if you do that, you would also need to bind the TLS certificate to the Azure Cosmos DB service; otherwise the probe fails and the backend is not whitelisted.
From step 7 - Upload the certificate to be used on the SSL-enabled backend pool resource:
The default probe gets the public key from the default SSL binding on the back-end's IP address and compares the public key value it receives to the public key value you provide here.
If you are using host headers and Server Name Indication (SNI) on the back end, the retrieved public key might not be the intended site to which traffic flows. If you're in doubt, visit https://127.0.0.1/ on the back-end servers to confirm which certificate is used for the default SSL binding. Use the public key from that request in this section. If you are using host-headers and SNI on HTTPS bindings and you do not receive a response and certificate from a manual browser request to https://127.0.0.1/ on the back-end servers, you must set up a default SSL binding on them. If you do not do so, probes fail and the back end is not whitelisted.
As a workaround, you could use some third-party proxy server, such as Nginx, to help redirect the HTTPS traffic to your backend. Hope this helps.
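The check the answer describes, reproduced as an added example (not code from the question, the answer, or Azure): it fetches the certificate a backend actually presents, with or without SNI, and compares its public key to the uploaded .cer the way the probe does. It assumes OpenSSL is installed; the host name is the placeholder from the question.

```shell
#!/bin/sh
# Added example: mimic the Application Gateway default probe's public-key
# comparison so you can see which certificate a backend really presents.

# SHA-256 over the DER SubjectPublicKeyInfo of a PEM certificate file.
# Hashing the key rather than the whole certificate mirrors the probe's
# "public key value" comparison from the quoted documentation.
cert_spki_sha256() {
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Fetch the leaf certificate a backend presents on port 443.
# Without the optional second argument the handshake carries no SNI,
# which is what the probe sees when it connects to the backend's IP;
# with it you get the SNI-selected certificate instead.
fetch_backend_cert() {   # fetch_backend_cert <host-or-ip> [<sni-name>] > cert.pem
    if [ -n "$2" ]; then sni="-servername $2"; else sni=""; fi
    openssl s_client -connect "$1:443" $sni </dev/null 2>/dev/null \
        | openssl x509 -outform PEM
}

# Succeeds (exit 0) only if the uploaded certificate's public key equals
# the public key of the certificate the backend presented.
backend_matches_uploaded() {   # backend_matches_uploaded <uploaded.cer> <presented.pem>
    [ "$(cert_spki_sha256 "$1")" = "$(cert_spki_sha256 "$2")" ]
}

# Usage against a real backend (placeholder host from the question):
#   fetch_backend_cert example.documents.azure.com > presented-no-sni.pem
#   fetch_backend_cert example.documents.azure.com example.documents.azure.com > presented-sni.pem
#   backend_matches_uploaded cert-db.cer presented-no-sni.pem && echo match || echo MISMATCH
# A self-signed cert-db.cer cannot match: the managed service presents its
# own certificate, which is why the probe reports the backend as unhealthy.
```

If the no-SNI and SNI fetches yield different keys, the probe is comparing against the default binding, not the site you intended.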