Shadowing Practice: Azure App Service and Virtual Network Integration Options - Learn English Speaking with YouTube

1
Hey everyone.
2
In this video, I want to talk about the relationship and the interaction between app services and virtual networks.
3
Because there seems to be a lot of questions coming in about,
4
well, do I use a private endpoint?
5
Do I use VNet integration?
6
Do I use a gateway?
7
So let's kind of look at this.
8
So app services were actually one of the original Azure services way back
9
when it first started and gone through a lot of innovation around now.
10
So I can think about,
11
well, I have my app service plan.
12
Now, normally this is a multi-tenant model.
13
There's a certain stamp of infrastructure that has front ends.
14
There's data roles.
15
There's file services.
16
So that is shared by the customers on that particular stamp.
17
There's a single inbound IP address.
18
You can get a unique IP address if you really want it through the kind of SSL option.
19
Then there's multiple outbound IP addresses.
20
We have this shared set of front ends,
21
the data roles, the file servers.
22
And then unique per customer,
23
you have a number of workers.
24
These are the things where you say,
25
hey, this is the type of worker on the SKU.
26
These can auto scale.
27
And this is where when you create your particular kind of web app,
28
etc., it's running on your workers.
29
So the workers, they're unique to you.
30
Then there's that other shared set of infrastructure.
31
And then you have kind of your virtual network.
32
So over here I'm creating my VNet,
33
which again is kind of a set of IP addresses.
34
And the challenge we have is really two.
35
The first one is the apps running in my app service plan
36
want to be able to reach resources running in my VNet.
37
And or, well maybe there's other VNets that I have tiered them.
38
And or there's on-premises resources that I happen to have connected via site-to-site VPN or ExpressRoute.
39
So from the app, maybe there's a database,
40
there's some other tier of service.
41
I want to be able to get to things here.
42
And then I've got resources running here that want to be able to privately get to the app.
43
Remember, the multi-tenant model, there's an inbound IP address that's public facing.
44
And maybe I want to lock that down.
45
So what can I do with that?
46
So we have these two different requirements.
47
Now, when we think about that,
48
let's start off thinking about going to our application.
49
And the first solution is kind of a very familiar one.
50
It's service endpoints.
51
So if we think about,
52
well, hey, look, we've got our virtual network here.
53
And we think about, well,
54
we divide this into subnets.
55
So I can think about,
56
well, I have a particular subnet here.
57
And what I can do is I can turn on the service endpoint.
58
So the service endpoint is going to be that Microsoft.Web.
59
Now, this particular subnet can be known to app services.
60
So now on this app service,
61
it has kind of its set of inbound controls.
62
I can actually specify, hey,
63
well, on those inbound controls,
64
you can imagine it's kind of like a firewall into the app service.
65
I'm only going to allow in,
66
and we'll call this subnet one,
67
well I'm going to say subnet one, yes, you're allowed.
68
So it's still technically going through the public IP address,
69
but when I do the service endpoint,
70
remember it creates the optimized route,
71
so it's not just bouncing around the regular edge routers,
72
etc. It's doing a very direct route,
73
really as optimized as it can get.
74
And I'm now restricting it through its rules to say,
75
hey, only coming from this particular subnet.
76
Now the challenge with this is service endpoints,
77
it's just for things in the subnet.
78
What about if I want to get to it from other networks or on-premises?
79
So one of the things I can kind of add to this is,
80
well, I can actually do something like AppGateway.
81
If I deployed AppGateway into that subnet with the service endpoint of Microsoft.Web,
82
other things would come into the AppGateway and essentially proxy through and then go via that path.
83
So this gives me that ability.
84
So it's still going to the public endpoint,
85
but it's completely locked down.
86
I can't get to it from anywhere other than the subnet to the service endpoint that I have enabled.
87
So it's all about, hey,
88
from our VNet, wanting to go to that particular app.
89
The other option, well, there is one other,
90
but the other main option for controlling giving access that way is private endpoints.
91
So that's obviously very, very common today.
92
More and more services are kind of adopting this.
93
So the private endpoint, there's an IP address is consumed from a particular subnet in our virtual network that essentially
94
is natting the traffic to that.
95
I could now completely again lock down the app to not allow anything other than this particular private endpoint.
96
And that's going to work for kind of Windows apps,
97
Linux apps, even Windows containers today.
98
So at this precise moment,
99
as I'm recording, it's previewed,
100
but I think it's going to come out of that any day.
101
So again, that's the other option,
102
private endpoint, I would then access that IP address.
103
And the great thing about private endpoint is it is just an IP in this VNet.
104
So any network that is connected to this VNet can see the IP and use it.
105
I just have to make sure I have the consistent DNS in place so it works and resolves to the private endpoint.
106
I mentioned there was another.
107
There is, of course, IP address restrictions that I can use on this thing.
108
So if I know the IP address the request is coming from,
109
I can restrict it to just that IP address.
110
So if, for example, I could have a NAT gateway,
111
I could have a standard load balancer with outbound rules,
112
I know the outbound IP,
113
I could use that as well.
114
But honestly, if I'm talking about something in the VNet talking to it,
115
that service endpoint is a better option.
116
It's really locking it down to that particular subnet. So great.
117
That addressed things going from the VNet talking to the app.
118
What about the other direction?
119
Now, my application wants to be able to talk to things actually within the virtual network.
120
Now, option one is not really well suited to this.
121
Option one is suited to the idea that,
122
hey, there's some resource on-premises,
123
could be a database, some other component,
124
that I want the app to talk to.
125
And this is where we actually go and use hybrid connections.
126
So with hybrid connections, we have this hybrid connection manager that we deploy.
127
It establishes an outbound connection over 443 to Azure Relay,
128
which then lets the app talk to the service.
129
Now, this is only TCP.
130
It's a particular TCP port and endpoint.
131
So I'd have to have one of these for each different sort of sets of things I want to talk to.
132
It's TCP only.
133
I can't do UDP over this thing.
134
But now it's established the outbound connection which now enables the app to go
135
and talk to whatever source this is kind of offering.
136
It could be a database, for example.
137
So technically, I could deploy a hybrid connection manager in my VNet.
138
It would establish that outbound 443 to the Azure Relay,
139
which would now enable that direction of connectivity.
140
So absolutely, I can do that.
141
It doesn't make the most sense in the world, though.
142
There's better solutions for that. And we have two.
143
So the first is a gateway required VNet integration.
144
So as the name kind of suggests,
145
I have to have a gateway.
146
So I can think about it,
147
we use a different color.
148
So here I'm gonna have a gateway.
149
And it has to support point to site VPN.
150
So we're gonna do the route based dynamic.
151
And what's gonna happen here is my app is essentially gonna establish a point to site VPN connection.
152
So it is gonna go and connect to the gateway,
153
so I have to have the gateway.
154
Remember the gateway lives in its own kind of dedicated subnet.
155
And then from there, well,
156
it would be able to talk to those things.
157
Now, this does not allow me to go and traverse the things like ExpressRoute.
158
What is nice about this gateway option is,
159
well, actually that gateway where you could live in any Azure region.
160
So maybe the app service plan is South Central.
161
I wanna go and talk to a VNet that's in East or West or Europe.
162
This will work.
163
I can have a gateway in other regions and it will be able to go and talk to it.
164
Also, this will work with classic virtual networks.
165
So the old style before ARM,
166
I could have the gateway there and I could do a point to site VPN connection to it.
167
So that's one option.
168
The preferred option is regional VNet integration.
169
So we're going to kind of draw this in yet another color.
170
We'll do this in gold.
171
So with regional VNet integration,
172
as the name kind of suggests,
173
we have a particular subnet.
174
Now this is going to be delegated for this app to integrate in.
175
So now what we're going to do is this app is essentially going to take over this subnet,
176
and it's going to consume IP addresses within that subnet.
177
This has to be in the same region as the app.
178
That's why it's regional VNet integration.
179
I cannot use this if I want to talk to a VNet that's in a different region.
180
I cannot use this to talk to a classic virtual network.
181
So this is the best solution if the VNet is in the same region as the app.
182
But if it's a different region,
183
it's classic, I'll have to go for the gateway approach.
184
Now, what's going to happen here,
185
remember these workers, each worker is going to consume an IP address in this kind of delegated subnet.
186
And I can't use this subnet for anything else.
187
It's locked down only the app service plan.
188
So if I had three workers,
189
I'd be consuming three IP addresses.
190
So when I'm sizing this subnet,
191
I have to think about what's the maximum scale I'm ever gonna do,
192
and then double it.
193
Because let's say I was gonna have eight workers at max.
194
Remember, if I resize my workers,
195
the way Azure works is it spins up eight new ones of the new size,
196
make sure they're working, and then deletes the old one.
197
So it'd have the eight existing,
198
the eight new ones, and then it would delete the old.
199
So I'd have double that number.
200
So when I think about sizing,
201
make sure it's double the maximum number of workers you're ever gonna have.
202
Remember, you lose five IP addresses.
203
So the host, the broadcast,
204
the three Azure ones that it steals.
205
So make sure you size this subnet.
206
So you're gonna size this subnet.
207
So if I thought I was gonna have eight workers,
208
I think, well, I need 16 usable IP addresses,
209
then I'd probably make that kind of a slash 27.
210
If you're not short on IP addresses,
211
maybe just give it a slash 24.
212
But make sure you size it correctly.
213
So from here, it can now go and talk to things in that virtual network.
214
It can talk to things over the express route.
215
So I can go and talk to that as well.
216
It cannot talk to peer networks.
217
So if I had another network that's peered, it's not gonna work.
218
If it was a regional peer, it's not gonna work.
219
That's what's called regional VNet peering.
220
It doesn't support peering itself today.
221
It's just a regional integration.
222
Now, if I had private endpoints within this virtual network talking to other services,
223
maybe I've got a particular storage account or something.
224
Well now, this app through the VNet integration can go and talk via the private endpoint to that storage.
225
So I can start to lock those things that way,
226
it can work together like that.
227
So what do we kind of have to the app?
228
I can do IP access restrictions,
229
but generally we're gonna do a service endpoint for the Microsoft.Web.
230
If I need beyond the subnet,
231
I can always proxy via App Gateway,
232
or I can use private endpoints.
233
From the app to my resources,
234
well, yeah, I can use the hybrid connections.
235
Doesn't make the most sense.
236
I can use the gateway,
237
point to site, works across different regions.
238
Best option is the VNet integration.
239
Today, VNet has to be the same region,
240
actually as the app itself.
241
One caveat to all of these things,
242
and there's different types of kind of app,
243
like running an app service plan,
244
web apps, mobile apps, API apps, and functions.
245
Now remember, functions can be serverless.
246
If I wanna use functions,
247
and I wanna use these kind of capabilities,
248
with the exception of the service endpoints and the IP restrictions,
249
if I wanna do functions,
250
I have to run it in kind of a dedicated,
251
I am running it in a regular app service plan of workers,
252
or I think it's kind of the elastic premium,
253
which is fairly close to a kind of dedicated.
254
I cannot do the pure consumption,
255
the regular consumption, can't spell,
256
functions will not work for most of these things,
257
because it can't, there's no dedicated set of resources establish this.
258
So if you want to use Azure Functions,
259
I want to use private endpoints,
260
I want to use the VNet integration,
261
I need to run it on a dedicated App Service Plan or Elastic Premium,
262
then I can get that.
263
Now there is of course one other option and this is the ASE.
264
So if I just draw a brand new picture for this one super quick,
265
I can think about once again,
266
I have my virtual network,
267
so I have my VNet.
268
And remember before we talked about there's all those shared components like the data stores,
269
the file servers, the front ends,
270
and then there was the workers.
271
With an ASE, what actually happens is I have a particular subnet,
272
and then I deploy my app service environment into that directly.
273
So I can think about within here,
274
I have kind of the front ends,
275
I have kind of the file servers,
276
and I have my workers.
277
So these are now actually running in the subnet in my virtual network.
278
It's dedicated, it's all dedicated to me.
279
So now if there are other resources in the VNet
280
or cover connected, well, there's no other integration required. This stuff's
281
sitting in the subnet. There's different types of ASE. There's internal,
282
external, in terms of what it's facing. You would do internal
283
if you wanted that direction. But now it's on the subnet.
284
Inside that ASE, I would create one or more app service plans where I'd run my apps
285
and they'll now have that full kind of connectivity to it.
286
So that's the other option.
287
The downside is the ASE is more expensive because I'm not getting the benefit of those shared components anymore.
288
I kind of split the cost with other tenants and they're all running inside my subnet.
289
But this was kind of the traditional way we had to have kind of that private connectivity in the past.
290
But now we have all those other great private endpoints,
291
service endpoints, VNet integration, etc. One note,
292
if you do this, remember there is still kind of the Azure Resource Manager management plane and lots of other things.
293
This still has to be able to talk to that.
294
If you do a bunch of controls and locks and things on this and lock it down so much,
295
you can break it.
296
There's actually a lot of different communications required.
297
They're all documented, but don't think I can just deploy an ASE and then turn everything off,
298
it's gonna break.
299
So there's still communications required with the kind of ARM management,
300
but this is another option.
301
It's just they are in your VNet.
302
That wouldn't be my first choice because of the cost.
303
There's more things involved.
304
Ideally, you'll kind of look at these. And in the ideal world,
305
it's the same region.
306
I'm probably going to use the regional network integration option and private endpoints or those kind of service endpoints.
307
We'll hopefully do what you need.
308
So, again, I hope this was useful.
309
I was trying to clear up the distinction.
310
I'm going to need one of each.
311
VNet integration doesn't provide me with the ability to talk to the service.
312
VNet integration is app talking stuff here and then private endpoints or service endpoints go in the other way.
313
So, it's different technologies.
314
They're all unidirectional. They do one of the requirements we have. Hope this was useful. Again, please like, comment, subscribe
315
and share if it was. Until next time, take care.

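Context and Background

This video explains the relationship and interaction between app services and virtual networks. In particular, given that many questions come in about the choice between private endpoints, VNet integration, and gateways, it focuses on how to access resources and how to improve security. App Service was one of the earliest Azure services and has since seen a lot of innovation. This material contains concrete phrases and expressions that are useful in everyday English conversation, so it should help improve your English.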

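Five Phrases for Everyday Communication

  • Access resources - a phrase used when an app in an App Service plan wants to reach resources in a virtual network.
  • Use a private endpoint - one of the options used to ensure a secure connection.
  • Site-to-site VPN - refers to a means of connecting to on-premises resources.
  • Auto scale - refers to the ability to improve app performance as needed.
  • Multi-tenant model - used to explain that multiple customers share the same infrastructure.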

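Step-by-Step Shadowing Guide

To understand the content of this video and practice pronunciation, follow the steps below.

  1. Prepare the script: obtain the video transcript and review its content beforehand.
  2. Break down the phrases: go through the phrases used in everyday conversation one by one and rework them into your own words. For example, think about what "access resources" means and how it is used.
  3. Shadow speaking practice: play the video and speak along just behind the speaker. Focus on improving your English pronunciation as you do.
  4. Repetition: repeat the phrases you find difficult over and over until you can say them naturally.
  5. Get feedback: have a friend or teacher listen to your pronunciation and point out areas to improve.

Through these exercises, you can build skills that should also help with IELTS speaking preparation. Regular shadow speaking practice is an effective way to improve your English speaking ability.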

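What Is Shadowing? Why It Is Effective for Improving English

Shadowing is a language learning method originally developed in training programs for professional interpreters and widely popularized by Dr. Alexander Arguelles, who is known as a polyglot. The method is simple but very effective: while listening to a native speaker's English, you repeat it aloud right away with a delay of one to two seconds, following the speaker like a shadow. Unlike grammar drills or passive listening, shadowing forces the brain and the muscles of the mouth to process and reproduce English simultaneously in real time. Research has confirmed that pronunciation accuracy, intonation, rhythm, linking, listening ability, and conversational fluency improve significantly. It is especially recommended for those preparing for IELTS speaking or aiming for natural English communication.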
