Integrate Azure Firewall with Azure Standard Load Balancer

You can integrate an Azure Firewall into a virtual network with an Azure Standard Load Balancer (either public or internal).

The preferred design is to integrate an internal load balancer with your Azure Firewall, because it is a much simpler design. You can use a public load balancer if you already have one deployed and want to keep it in place. However, you need to be aware of an asymmetric routing issue that can break functionality in the public load balancer scenario.

For more information about Azure Load Balancer, see What is Azure Load Balancer?

Public load balancer

With a public load balancer, the load balancer is deployed with a public frontend IP address.

Asymmetric routing

Asymmetric routing is where a packet takes one path to the destination and another path when returning to the source. The issue arises when a subnet has a default route pointing to the firewall's private IP address and you're using a public load balancer. In this case, the incoming load balancer traffic is received via the load balancer's public IP address, but the return path goes through the firewall's private IP address. Because the firewall is stateful, it drops the returning packet: the firewall has no record of such an established session.

Fix the routing issue

When you deploy an Azure Firewall into a subnet, one step is to create a default route for the subnet that directs packets through the firewall's private IP address located on the AzureFirewallSubnet. For more information, see Tutorial: Deploy and configure Azure Firewall using the Azure portal.

When you introduce the firewall into your load balancer scenario, you want your Internet traffic to come in through your firewall's public IP address. From there, the firewall applies its firewall rules and NATs the packets to your load balancer's public IP address. This is where the problem occurs. Packets arrive on the firewall's public IP address, but return to the firewall via its private IP address (using the default route). To avoid this problem, create an additional host route for the firewall's public IP address whose next hop is the Internet. Packets going to the firewall's public IP address are then routed via the Internet instead of taking the default route to the firewall's private IP address.

(Diagram: Asymmetric routing)

Route table example

For example, the following routes are for a firewall at public IP address 20.185.97.136 and private IP address 10.0.1.4.

(Diagram: Route table)
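The following added example (not from the original article) models the route table above as Azure user-defined routes and applies longest-prefix matching, the way Azure selects a route, to show why replies to the firewall's public IP address 20.185.97.136 are pulled into the private IP 10.0.1.4 by the default route unless the /32 host route to the Internet exists. The route names and the helper functions are assumptions for illustration.

```python
import ipaddress

# Constructed route table matching the page's example: a default route to the
# firewall's private IP (10.0.1.4) but no host route for its public IP yet.
ROUTES_WITHOUT_HOST_ROUTE = [
    {"name": "default-to-firewall", "prefix": "0.0.0.0/0",
     "next_hop_type": "VirtualAppliance", "next_hop_ip": "10.0.1.4"},
]

FIREWALL_PUBLIC_IP = "20.185.97.136"


def next_hop_for(routes, destination):
    """Pick the route with the longest matching prefix for a destination.

    Returns None when no user-defined route matches (Azure's system routes
    would then apply, which for a public address means the Internet).
    """
    dst = ipaddress.ip_address(destination)
    best, best_len = None, -1
    for route in routes:
        net = ipaddress.ip_network(route["prefix"])
        if dst in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


def return_path_is_symmetric(routes, fw_public_ip):
    """True when replies addressed to the firewall's public IP leave via the
    Internet instead of being sent to the firewall's private IP, which the
    stateful firewall would drop as an unknown session."""
    hop = next_hop_for(routes, fw_public_ip)
    return hop is None or hop["next_hop_type"] == "Internet"


def add_public_ip_host_route(routes, fw_public_ip):
    """Return a copy of the route table with the /32 host route the page
    describes: firewall public IP -> next hop type Internet."""
    if return_path_is_symmetric(routes, fw_public_ip):
        return list(routes)
    host_route = {"name": "firewall-public-ip", "prefix": f"{fw_public_ip}/32",
                  "next_hop_type": "Internet", "next_hop_ip": None}
    return list(routes) + [host_route]


if __name__ == "__main__":
    fixed = add_public_ip_host_route(ROUTES_WITHOUT_HOST_ROUTE, FIREWALL_PUBLIC_IP)
    print("before:", next_hop_for(ROUTES_WITHOUT_HOST_ROUTE, FIREWALL_PUBLIC_IP)["name"])
    print("after: ", next_hop_for(fixed, FIREWALL_PUBLIC_IP)["name"])
```

Traffic to any other Internet destination still follows the default route through the firewall; only the firewall's own public address is exempted.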

NAT rule example

In the following example, a NAT rule translates RDP traffic arriving at the firewall (20.185.97.136) over to the load balancer (20.42.98.220):

(Diagram: NAT rule)

Health probes

Remember that if you use TCP health probes to port 80, or HTTP/HTTPS probes, you need to have a web service running on the hosts in the load balancer pool.

Internal load balancer

With an internal load balancer, the load balancer is deployed with a private frontend IP address.

There's no asymmetric routing issue with this scenario. The incoming packets arrive at the firewall's public IP address, get translated to the load balancer's private IP address, and then return to the firewall's private IP address using the same return path.

So you can deploy this scenario in the same way as the public load balancer scenario, but without the need for the firewall public IP address host route.

Additional security

To further enhance the security of your load-balanced scenario, you can use network security groups (NSGs).

For example, you can create an NSG on the backend subnet where the load-balanced virtual machines are located, and allow incoming traffic that originates from the firewall's IP address and port.

(Diagram: Network security group)

For more information about NSGs, see Security groups.

Next steps