Connectivity and networking issues for Azure Cloud Services: Frequently asked questions (FAQs)

This article includes frequently asked questions about connectivity and networking issues for Azure Cloud Services. For size information, see the Cloud Services VM size page.

If your Azure issue is not addressed in this article, visit the Azure forums on MSDN and CSDN. You can post your issue in these forums. You can also submit an Azure support request. To submit a support request, go to the Azure support page.

I can't reserve an IP in a multi-VIP cloud service.

First, make sure that the virtual machine instance you are trying to reserve the IP for is turned on. Second, make sure that you use reserved IPs for both the staging and production deployments. Do not change the settings while the deployment is upgrading.

How do I use Remote Desktop when I have an NSG?

Add rules to the NSG that allow traffic on ports 3389 and 20000. Remote Desktop uses port 3389. Cloud service instances are load balanced, so you can't directly control which instance you connect to. The RemoteForwarder and RemoteAccess agents manage Remote Desktop Protocol (RDP) traffic and allow the client to send an RDP cookie that specifies an individual instance to connect to. The RemoteForwarder and RemoteAccess agents require port 20000 to be open, which might be blocked if you have an NSG. Scope both rules to the source address ranges your administrators connect from rather than to any source: both 3389 and 20000 are administrative paths and should not be reachable from the whole Internet.
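The two NSG rules described above, as an added example that is not part of the original page, written with the classic (Azure Service Management) PowerShell module that the script at the end of this article also uses. The NSG name NSG-WebRole and the administrator source range 203.0.113.0/24 are assumptions; replace them with your own values. The rules are scoped to that source range instead of "*" so the RDP ports are not exposed to every address on the Internet.

```powershell
# Added example: allow RDP (3389) and the RemoteForwarder/RemoteAccess agent port (20000)
# through a classic NSG. "NSG-WebRole" and 203.0.113.0/24 are assumed placeholder values.
$nsgName     = "NSG-WebRole"
$adminSource = "203.0.113.0/24"   # your administrators' egress range, deliberately not "*"

$nsg = Get-AzureNetworkSecurityGroup -Name $nsgName

# Rule for the RDP session itself
$nsg | Set-AzureNetworkSecurityRule -Name "Allow-RDP-3389" -Type Inbound -Priority 100 `
    -Action Allow -SourceAddressPrefix $adminSource -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange "3389" -Protocol TCP

# Rule for the RemoteForwarder/RemoteAccess agents that route the RDP cookie to one instance
$nsg | Set-AzureNetworkSecurityRule -Name "Allow-RemoteForwarder-20000" -Type Inbound -Priority 110 `
    -Action Allow -SourceAddressPrefix $adminSource -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange "20000" -Protocol TCP

# Verify: both rules should now be listed among the NSG's inbound Allow rules,
# and neither should show "*" as its SourceAddressPrefix
(Get-AzureNetworkSecurityGroup -Name $nsgName -Detailed).Rules |
    Where-Object { $_.Type -eq "Inbound" -and $_.Action -eq "Allow" } |
    Format-Table Name, Priority, SourceAddressPrefix, DestinationPortRange
```

The classic NSG priority range is 100 to 4096, with lower numbers evaluated first; the two rules above are placed ahead of any broader deny rule you may have added.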

Can I ping a cloud service?

No, not by using the normal "ping"/ICMP protocol. The ICMP protocol is not permitted through the Azure load balancer.

To test connectivity, we recommend that you do a port ping. While Ping.exe uses ICMP, you can use other tools, such as PSPing, Nmap, and telnet, to test connectivity to a specific TCP port.

For more information, see Use port pings instead of ICMP to test Azure VM connectivity.
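A port ping written in PowerShell, as an added example that is not part of the original page and not one of the tools it names: it opens a TCP connection to each port with an explicit timeout, so a port that the load balancer silently drops is reported as closed after a few seconds instead of blocking for the OS default. The host name myservice.chinacloudapp.cn is a placeholder.

```powershell
# Added example: TCP "port ping" with an explicit timeout, for endpoints behind the
# Azure load balancer where ICMP is dropped. The host name used below is an assumed placeholder.
function Test-TcpPort {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [Parameter(Mandatory)] [int[]]  $Port,
        [int] $TimeoutMs = 3000
    )
    foreach ($p in $Port) {
        $client  = New-Object System.Net.Sockets.TcpClient
        $watch   = [System.Diagnostics.Stopwatch]::StartNew()
        $failure = $null
        # BeginConnect + WaitOne gives us a timeout; a plain Connect() blocks for the OS default (~20 s)
        $async = $client.BeginConnect($HostName, $p, $null, $null)
        $open  = $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)
        if ($open) {
            # Completed within the timeout, but completion can also mean "connection refused"
            try { $client.EndConnect($async) } catch { $open = $false; $failure = $_.Exception.Message }
        } else {
            $failure = "timed out after $TimeoutMs ms (filtered or no listener)"
        }
        $client.Close()
        [pscustomobject]@{
            HostName  = $HostName
            Port      = $p
            Open      = $open
            LatencyMs = $watch.ElapsedMilliseconds
            Error     = $failure
        }
    }
}

# Usage: test the load-balanced endpoints themselves; a failed ICMP ping says nothing about them
Test-TcpPort -HostName "myservice.chinacloudapp.cn" -Port 80, 443, 3389 | Format-Table -AutoSize
```

A timeout and a refusal are reported separately: a refusal means the packet reached a host with no listener on that port, while a timeout usually means the endpoint is not exposed on the load balancer or an NSG is dropping the traffic.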

How do I prevent receiving thousands of hits from unknown IP addresses that might indicate a malicious attack on the cloud service?

Azure implements multilayered network security to protect its platform services against distributed denial-of-service (DDoS) attacks. The Azure DDoS defense system is part of Azure's continuous monitoring process and is continually improved through penetration testing. This DDoS defense system is designed to withstand not only attacks from the outside but also attacks from other Azure tenants. For more information, see Azure network security.

You can also create a startup task to selectively block specific IP addresses. For more information, see Block a specific IP address.
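A worked version of that startup task, added here as an example and not taken from the original page or the linked article: an elevated startup task unlocks the IIS ipSecurity configuration section (it is locked at the server level by default, so web.config cannot set it otherwise), and the application's web.config then carries the deny list. The role name MyWebRole, the script name Startup.cmd, and the blocked addresses (RFC 5737 documentation ranges) are placeholders. The IIS "IP and Domain Restrictions" feature must be present on the role for the ipSecurity section to take effect.

```xml
<!-- Added example, not from the original page. Two fragments, one per file. -->

<!-- 1) ServiceDefinition.csdef: run an elevated startup task before the role starts.
        Startup.cmd (assumed name; add it to the project with "Copy to Output Directory") contains one line:
        %windir%\system32\inetsrv\AppCmd.exe unlock config -section:system.webServer/security/ipSecurity
        Without the unlock, the ipSecurity element in web.config is rejected as a locked section. -->
<WebRole name="MyWebRole" vmsize="Small">
  <Startup>
    <Task commandLine="Startup.cmd" executionContext="elevated" taskType="simple" />
  </Startup>
</WebRole>

<!-- 2) web.config: the deny list itself. allowUnlisted="true" keeps the default open and
        denies only the listed entries; flip it to "false" to turn the list into an allow list. -->
<configuration>
  <system.webServer>
    <security>
      <ipSecurity allowUnlisted="true">
        <!-- deny a single address (placeholder from the RFC 5737 TEST-NET-3 range) -->
        <add ipAddress="203.0.113.45" allowed="false" />
        <!-- deny a whole subnet: network address plus mask (placeholder TEST-NET-2 range) -->
        <add ipAddress="198.51.100.0" subnetMask="255.255.255.0" allowed="false" />
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>
```

Because the list lives in web.config, it survives reboots and reimages of the instance in the same way the URL Rewrite rules described later in this article do; the startup task runs on every instance start, so the unlock is reapplied as well.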

When I try to RDP to my cloud service instance, I get the message "The user account has expired."

You might get the error message "The user account has expired" when the expiration date configured in your RDP settings has passed. You can change the expiration date from the portal by following these steps:

  1. Sign in to the Azure portal, go to your cloud service, and select the Remote Desktop tab.

  2. Select the Production or Staging deployment slot.

  3. Change the Expires On date, and then save the configuration.

You should now be able to RDP to your machine.

Why is Azure Load Balancer not balancing traffic equally?

For information about how the load balancer distributes traffic, see Azure Load Balancer new distribution mode.

The distribution algorithm used is a 5-tuple hash (source IP, source port, destination IP, destination port, and protocol type) that maps traffic to the available servers. It provides stickiness only within a transport session. Packets in the same TCP or UDP session are directed to the same datacenter IP (DIP) instance behind the load-balanced endpoint. When the client closes and reopens the connection or starts a new session from the same source IP, the source port changes, and the new hash can send the traffic to a different DIP endpoint. Uneven distribution is therefore expected with a small number of long-lived sessions or with many clients behind one NAT address; it evens out as the number of distinct 5-tuples grows.

How can I redirect incoming traffic to the default URL of my cloud service to a custom URL?

The URL Rewrite module of IIS can be used to redirect traffic that arrives at the default URL of the cloud service (for example, *.chinacloudapp.cn) to a custom name/URL. Because the URL Rewrite module is enabled on web roles by default and its rules are configured in the application's web.config, it is always available on the VM regardless of reboots or reimages. For more information, see:
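A web.config fragment for that redirect, added here as an example rather than taken from the original page: requests whose Host header is the default cloud service name are answered with a permanent redirect to the custom name, and requests that already use the custom name are left untouched. The names myservice.chinacloudapp.cn and www.mycloudservice.com are placeholders.

```xml
<!-- Added example, not from the original page: web.config fragment that redirects requests
     arriving on the default *.chinacloudapp.cn host name to the custom name.
     "myservice" and "www.mycloudservice.com" are placeholders. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Redirect default host name to custom name" stopProcessing="true">
          <!-- match every path; {R:0} below re-uses it on the new host -->
          <match url=".*" />
          <conditions>
            <!-- only when the client asked for the default name (pattern is case-insensitive by default);
                 anchoring with ^ and $ stops look-alike hosts such as myservice.chinacloudapp.cn.evil.example -->
            <add input="{HTTP_HOST}" pattern="^myservice\.chinacloudapp\.cn$" />
          </conditions>
          <!-- 301 so clients and caches learn the canonical name; the query string is appended by default.
               The target host is a fixed literal, never derived from the request, so the rule cannot be
               turned into an open redirect through a crafted Host header. -->
          <action type="Redirect" url="https://www.mycloudservice.com/{R:0}" redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

A redirect still requires the default name to resolve and be served; if the goal is to make the default name unusable altogether, use the host-header binding described in the next question instead.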

How can I block/disable incoming traffic to the default URL of my cloud service?

You can prevent incoming traffic to the default URL/name of your cloud service (for example, *.chinacloudapp.cn). Set the host header to a custom DNS name (for example, www.MyCloudService.com) under the site binding configuration in the cloud service definition (*.csdef) file, as shown here:

<?xml version="1.0" encoding="utf-8"?>
<ServiceDefinition name="AzureCloudServicesDemo" xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition" schemaVersion="2015-04.2.6">
    <WebRole name="MyWebRole" vmsize="Small">
        <Sites>
            <Site name="Web">
            <Bindings>
                <Binding name="Endpoint1" endpointName="Endpoint1" hostHeader="www.MyCloudService.com" />
            </Bindings>
            </Site>
        </Sites>
        <Endpoints>
            <InputEndpoint name="Endpoint1" protocol="http" port="80" />
        </Endpoints>
        <ConfigurationSettings>
            <Setting name="Microsoft.WindowsAzure.Plugins.Diagnostics.ConnectionString" />
        </ConfigurationSettings>
    </WebRole>
</ServiceDefinition>

Because this host header binding is enforced through the csdef file, the service is accessible only via the custom name "www.MyCloudService.com". IIS has no site bound to any other host name, so all incoming requests to the "*.chinacloudapp.cn" domain always fail. If you use a custom SLB probe or an internal load balancer in the service, blocking the default URL/name of the service might interfere with the probing behavior, because the probe does not send the custom host header; check the probe configuration before relying on this binding.

How can I make sure the public-facing IP address of a cloud service never changes?

To make sure the public-facing IP address of your cloud service (also known as the VIP) never changes, so that it can be placed on the allow lists of a few specific clients, we recommend that you associate a reserved IP with it. Otherwise, the virtual IP provided by Azure is deallocated from your subscription if you delete the deployment. For a VIP swap operation to succeed, you need individual reserved IPs for both the production and staging slots. Without them, the swap operation fails. To reserve an IP address and associate it with your cloud service, see these articles:

If you have more than one instance for your roles, associating a reserved IP with your cloud service shouldn't cause any downtime. Alternatively, you can add the IP range of your Azure datacenter to an allow list. You can find all Azure IP ranges at the Microsoft Download Center.

This file contains the IP address ranges (including compute, SQL, and storage ranges) used in Azure datacenters. An updated file is posted weekly that reflects the currently deployed ranges and any upcoming changes to the IP ranges. New ranges that appear in the file aren't used in the datacenters for at least one week. Download the new .xml file every week, and make the necessary changes on your site to correctly identify services running in Azure. Azure ExpressRoute users might note that this file is used to update the BGP advertisement of Azure address space in the first week of each month. Note that allow-listing a datacenter range admits every tenant in that datacenter, not just your service; a reserved IP gives a far narrower allow-list entry.
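A helper for working with that file, added here as an example and not part of the original page: it parses the Download Center XML layout (an AzurePublicIpAddresses root, Region elements with a Name attribute, and IpRange elements with a Subnet attribute in CIDR form) and reports which region, if any, a given address belongs to. The XML embedded below is a constructed two-region sample using RFC 5737 documentation ranges, not the real file, and the region names and the file name in the comment are assumptions.

```powershell
# Added example: parse the "Azure Datacenter IP Ranges" XML from the Microsoft Download Center
# (<AzurePublicIpAddresses><Region Name="..."><IpRange Subnet="a.b.c.d/n"/>...) and test whether
# an address falls inside one of the published ranges. The sample XML below is constructed, not real data.

function ConvertTo-IpNumber ([string] $Ip) {
    # IPv4 dotted quad -> 64-bit integer (kept in int64 to avoid PowerShell's signed 32-bit wraparound)
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return [int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + [int64]$b[3]
}

function Test-IpInCidr ([string] $Ip, [string] $Cidr) {
    $network, $prefix = $Cidr.Split('/')
    $prefix = [int]$prefix
    # Mask with the top $prefix bits set: 2^32 - 2^(32 - prefix); exact for every prefix 0..32
    $mask = [int64]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $prefix))
    return (((ConvertTo-IpNumber $Ip) -band $mask) -eq ((ConvertTo-IpNumber $network) -band $mask))
}

function Get-AzureIpRegion {
    param([xml] $RangesXml, [string] $Ip)
    # GetAttribute() is used instead of $node.Name so the attribute is never confused with the element name
    foreach ($region in $RangesXml.AzurePublicIpAddresses.Region) {
        foreach ($range in $region.IpRange) {
            if (Test-IpInCidr -Ip $Ip -Cidr $range.GetAttribute("Subnet")) {
                return $region.GetAttribute("Name")
            }
        }
    }
    return $null   # not an Azure address according to this file
}

# Constructed sample in the file's layout; region names and subnets are placeholders, not real ranges
[xml] $sample = @"
<AzurePublicIpAddresses>
  <Region Name="chinanorth">
    <IpRange Subnet="203.0.113.0/24" />
    <IpRange Subnet="198.51.100.0/25" />
  </Region>
  <Region Name="chinaeast">
    <IpRange Subnet="192.0.2.0/24" />
  </Region>
</AzurePublicIpAddresses>
"@

# For the downloaded file (name assumed): [xml] $ranges = Get-Content -Path .\PublicIPs.xml -Raw
Get-AzureIpRegion -RangesXml $sample -Ip "192.0.2.17"       # chinaeast
Get-AzureIpRegion -RangesXml $sample -Ip "198.51.100.200"   # $null: .200 is outside the /25
```

Run the lookup against the previous week's file as well as the current one before tightening an allow list, since ranges that are new in the current file are not yet in use and ranges removed from it may still carry traffic for a short time.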

How can I use Azure Resource Manager virtual networks with cloud services?

Cloud services can't be placed in Azure Resource Manager virtual networks. Resource Manager virtual networks and classic deployment virtual networks can be connected through peering. For more information, see Virtual network peering.

How can I get the list of public IPs used by my cloud services?

You can use the following PowerShell script (classic Azure Service Management module; sign in with Add-AzureAccount and select the subscription first) to list the public IPs of the cloud services under your subscription. It checks both deployment slots and prints every VIP, so multi-VIP services are reported completely.

# Lists the public VIP(s) of every classic cloud service in the current subscription
$services = Get-AzureService

foreach ($service in $services)
{
    "Cloud Service '$($service.ServiceName)'"

    foreach ($slot in @("Production", "Staging"))
    {
        # A slot with no deployment returns nothing instead of a terminating error
        $deployment = Get-AzureDeployment -ServiceName $service.ServiceName -Slot $slot -ErrorAction SilentlyContinue
        if ($deployment -and $deployment.VirtualIPs)
        {
            # A multi-VIP service reports more than one address; print them all
            foreach ($vip in $deployment.VirtualIPs)
            {
                "$slot VIP - $($vip.Address)"
            }
        }
    }
    "================================="
}