Use an internal load balancer with Azure Kubernetes Service (AKS)

To restrict access to your applications in Azure Kubernetes Service (AKS), you can create and use an internal load balancer. An internal load balancer makes a Kubernetes service reachable only from applications running in the same virtual network as the Kubernetes cluster; it never receives a public IP address. This article shows you how to create and use an internal load balancer with Azure Kubernetes Service (AKS).

Note

Azure Load Balancer is available in two SKUs: Basic and Standard. By default, the Standard SKU is used when you create an AKS cluster. When you create a Service of type LoadBalancer, you get the same load balancer SKU that was provisioned with the cluster.

Before you begin

This article assumes that you have an existing AKS cluster. If you need an AKS cluster, see the AKS quickstart using the Azure CLI or using the Azure portal.

You also need the Azure CLI version 2.0.59 or later installed and configured. Run az --version to find the version. If you need to install or upgrade, see Install Azure CLI.

The AKS cluster service principal needs permission to manage network resources if you use an existing subnet or resource group. In general, assign the Network Contributor role to your service principal on the delegated resources. For more information on permissions, see Delegate AKS access to other Azure resources.

Create an internal load balancer

To create an internal load balancer, create a service manifest named internal-lb.yaml with the service type LoadBalancer and the azure-load-balancer-internal annotation, as shown in the following example:

apiVersion: v1
kind: Service
metadata:
  name: internal-app
  annotations:
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
spec:
  type: LoadBalancer
  ports:
  - port: 80
  selector:
    app: internal-app

Deploy the internal load balancer with kubectl apply, specifying the name of your YAML manifest:

kubectl apply -f internal-lb.yaml

An Azure load balancer is created in the node resource group and connected to the same virtual network as the AKS cluster.

When you view the service details, the IP address of the internal load balancer is shown in the EXTERNAL-IP column. In this context, External refers to the external interface of the load balancer, not to receiving a public, external IP address. It may take a minute or two for the IP address to change from <pending> to an actual internal IP address, as shown in the following example:

$ kubectl get service internal-app

NAME           TYPE           CLUSTER-IP    EXTERNAL-IP   PORT(S)        AGE
internal-app   LoadBalancer   10.0.248.59   10.240.0.7    80:30555/TCP   2m

Specify an IP address

If you would like to use a specific IP address with the internal load balancer, add the loadBalancerIP property to the load balancer YAML manifest. The specified IP address must reside in the same subnet as the AKS cluster and must not already be assigned to a resource.

apiVersion: v1
kind: Service
metadata:
  name: internal-app
  annotations:
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
spec:
  type: LoadBalancer
  loadBalancerIP: 10.240.0.25
  ports:
  - port: 80
  selector:
    app: internal-app

When the service is deployed and you view its details, the IP address in the EXTERNAL-IP column reflects your specified IP address:

$ kubectl get service internal-app

NAME           TYPE           CLUSTER-IP     EXTERNAL-IP   PORT(S)        AGE
internal-app   LoadBalancer   10.0.184.168   10.240.0.25   80:30225/TCP   4m

Use private networks

When you create your AKS cluster, you can specify advanced networking settings. This approach lets you deploy the cluster into an existing Azure virtual network and subnets. One scenario is to deploy your AKS cluster into a private network connected to your on-premises environment and run services that are only accessible internally. For more information, see Configure your own virtual network subnets with Kubenet or Azure CNI.

No changes to the previous steps are needed to deploy an internal load balancer in an AKS cluster that uses a private network. The load balancer is created in the same resource group as your AKS cluster but connected to your private virtual network and subnet, as shown in the following example:

$ kubectl get service internal-app

NAME           TYPE           CLUSTER-IP    EXTERNAL-IP   PORT(S)        AGE
internal-app   LoadBalancer   10.1.15.188   10.0.0.35     80:31669/TCP   1m

Note

You may need to grant the service principal for your AKS cluster the Network Contributor role on the resource group where your Azure virtual network resources are deployed. View the service principal with az aks show, for example az aks show --resource-group myResourceGroup --name myAKSCluster --query "servicePrincipalProfile.clientId". To create a role assignment, use the az role assignment create command.

Specify a different subnet

To specify a subnet for your load balancer, add the azure-load-balancer-internal-subnet annotation to your service. The subnet specified must be in the same virtual network as your AKS cluster. When deployed, the load balancer EXTERNAL-IP address is part of the specified subnet.

apiVersion: v1
kind: Service
metadata:
  name: internal-app
  annotations:
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
    service.beta.kubernetes.io/azure-load-balancer-internal-subnet: "apps-subnet"
spec:
  type: LoadBalancer
  ports:
  - port: 80
  selector:
    app: internal-app

Delete the load balancer

When all services that use the internal load balancer are deleted, the load balancer itself is also deleted.

You can also delete a service directly, as with any Kubernetes resource, for example with kubectl delete service internal-app, which then also deletes the underlying Azure load balancer.

Next steps

Learn more about Kubernetes services in the Kubernetes services documentation.