Configure load balancing and outbound rules in Standard Load Balancer using Azure CLI

This quickstart shows you how to configure outbound rules in Standard Load Balancer using Azure CLI.

When you are done, the Load Balancer resource contains two frontends and the rules associated with them: one for inbound and another for outbound. Each frontend references a public IP address, and this scenario uses a different public IP address for inbound than for outbound. The load balancing rule provides only inbound load balancing, and the outbound rule controls the outbound NAT provided for the VM. This quickstart uses two separate backend pools, one for inbound and one for outbound, to illustrate the capability and allow flexibility in this scenario.

This tutorial requires Azure CLI version 2.0.28 or later. To find the version, run az --version. If you need to install or upgrade, see Install Azure CLI 2.0.

Create resource group

Create a resource group with az group create. An Azure resource group is a logical container into which Azure resources are deployed and managed.

The following example creates a resource group named myresourcegroupoutbound in the chinaeast2 location:

  az group create \
    --name myresourcegroupoutbound \
    --location chinaeast2

Create virtual network

Use az network vnet create to create a virtual network named myvnetoutbound, with a subnet named mysubnetoutbound, in the myresourcegroupoutbound resource group.

  az network vnet create \
    --resource-group myresourcegroupoutbound \
    --name myvnetoutbound \
    --address-prefix 192.168.0.0/16 \
    --subnet-name mysubnetoutbound \
    --subnet-prefix 192.168.0.0/24

Create inbound public IP address

To access your web app on the Internet, you need a public IP address for the load balancer. A Standard Load Balancer only supports Standard Public IP addresses. Use az network public-ip create to create a Standard Public IP address named mypublicipinbound in myresourcegroupoutbound.

  az network public-ip create --resource-group myresourcegroupoutbound --name mypublicipinbound --sku standard

Create outbound public IP address

Create a Standard IP address for the Load Balancer's outbound frontend configuration using az network public-ip create.

  az network public-ip create --resource-group myresourcegroupoutbound --name mypublicipoutbound --sku standard

Create Azure Load Balancer

This section details how you can create and configure the following components of the load balancer:

  • A frontend IP that receives the incoming network traffic on the load balancer.
  • A backend pool where the frontend IP sends the load balanced network traffic.
  • A backend pool for outbound connectivity.
  • A health probe that determines health of the backend VM instances.
  • A load balancer inbound rule that defines how traffic is distributed to the VMs.
  • A load balancer outbound rule that defines how traffic is distributed from the VMs.

Create Load Balancer

Use az network lb create to create a Load Balancer named lb with the inbound IP address. It includes an inbound frontend IP configuration and a backend pool bepoolinbound, and is associated with the public IP address mypublicipinbound that you created in the preceding step.

  az network lb create \
    --resource-group myresourcegroupoutbound \
    --name lb \
    --sku standard \
    --backend-pool-name bepoolinbound \
    --frontend-ip-name myfrontendinbound \
    --location chinaeast2 \
    --public-ip-address mypublicipinbound

Create outbound pool

Use az network lb address-pool create to create an additional backend address pool named bepooloutbound, which defines outbound connectivity for a pool of VMs. Creating a separate outbound pool provides maximum flexibility, but you can omit this step and use only the inbound pool bepoolinbound.

  az network lb address-pool create \
    --resource-group myresourcegroupoutbound \
    --lb-name lb \
    --name bepooloutbound

Create outbound frontend IP

Use az network lb frontend-ip create to create the outbound frontend IP configuration for the Load Balancer. The configuration is named myfrontendoutbound and is associated with the public IP address mypublicipoutbound.

  az network lb frontend-ip create \
    --resource-group myresourcegroupoutbound \
    --name myfrontendoutbound \
    --lb-name lb \
    --public-ip-address mypublicipoutbound

Create health probe

A health probe checks all virtual machine instances to make sure they can send network traffic. A virtual machine instance that fails its probe checks is removed from the load balancer until it comes back online and a probe check determines that it is healthy. Create a health probe with az network lb probe create to monitor the health of the virtual machines.

  az network lb probe create \
    --resource-group myresourcegroupoutbound \
    --lb-name lb \
    --name http \
    --protocol http \
    --port 80 \
    --path /

Create load balancing rule

A load balancer rule defines the frontend IP configuration for the incoming traffic and the backend pool that receives the traffic, along with the required source and destination port. Use az network lb rule create to create a load balancer rule inboundlbrule that listens on port 80 of the frontend myfrontendinbound and sends load-balanced network traffic to the backend address pool bepoolinbound, also on port 80.

Note

The --disable-outbound-snat parameter on this load balancing rule disables the automatic outbound (S)NAT that the rule would otherwise provide. Outbound NAT is only provided by the outbound rule.

  az network lb rule create \
    --resource-group myresourcegroupoutbound \
    --lb-name lb \
    --name inboundlbrule \
    --protocol tcp \
    --frontend-port 80 \
    --backend-port 80 \
    --probe http \
    --frontend-ip-name myfrontendinbound \
    --backend-pool-name bepoolinbound \
    --disable-outbound-snat

Create outbound rule

An outbound rule defines the frontend public IP, represented by the frontend myfrontendoutbound, which is used for all outbound NAT traffic, as well as the backend pool to which the rule applies. Create an outbound rule outboundrule for outbound network translation of all virtual machines (NIC IP configurations) in the bepooloutbound backend pool. The command below also changes the outbound idle timeout from 4 to 15 minutes and allocates 10000 SNAT ports instead of 1024. Review outbound rules for more details.

  az network lb outbound-rule create \
    --resource-group myresourcegroupoutbound \
    --lb-name lb \
    --name outboundrule \
    --frontend-ip-configs myfrontendoutbound \
    --protocol All \
    --idle-timeout 15 \
    --outbound-ports 10000 \
    --address-pool bepooloutbound

If you do not want to use a separate outbound pool, you can change the address pool argument in the preceding command to specify bepoolinbound instead. We recommend using separate pools for flexibility and readability of the resulting configuration.

At this point, you can add your VMs to the backend pools bepoolinbound and bepooloutbound by updating the IP configuration of the respective NIC resources using az network nic ip-config address-pool add.
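To confirm that egress is governed only by the outbound rule, the following added example (not part of the original quickstart) audits the JSON printed by az network lb show --resource-group myresourcegroupoutbound --name lb --output json. The embedded sample is constructed, with a placeholder subscription id, and the function names are illustrative; the check flags any load balancing rule that still provides automatic SNAT and any outbound rule that reuses an inbound frontend.

```python
import json

# Constructed sample: trimmed shape of the `az network lb show` output after the
# quickstart commands; <sub-id> is a placeholder, not a real subscription.
BASE = ("/subscriptions/<sub-id>/resourceGroups/myresourcegroupoutbound"
        "/providers/Microsoft.Network/loadBalancers/lb")
SAMPLE = json.dumps({
    "loadBalancingRules": [{
        "name": "inboundlbrule",
        "disableOutboundSnat": True,
        "frontendIPConfiguration": {"id": BASE + "/frontendIPConfigurations/myfrontendinbound"},
        "backendAddressPool": {"id": BASE + "/backendAddressPools/bepoolinbound"},
    }],
    "outboundRules": [{
        "name": "outboundrule",
        "protocol": "All",
        "idleTimeoutInMinutes": 15,
        "allocatedOutboundPorts": 10000,
        "frontendIPConfigurations": [{"id": BASE + "/frontendIPConfigurations/myfrontendoutbound"}],
        "backendAddressPool": {"id": BASE + "/backendAddressPools/bepooloutbound"},
    }],
})

def leaf(ref):
    """Last path segment of an ARM resource id reference ({"id": ".../name"})."""
    return ref["id"].rsplit("/", 1)[-1]

def audit_outbound(lb_json):
    """Return findings where egress is not governed solely by outbound rules."""
    lb = json.loads(lb_json)
    findings = []
    inbound_frontends = set()
    for rule in lb.get("loadBalancingRules") or []:
        inbound_frontends.add(leaf(rule["frontendIPConfiguration"]))
        if not rule.get("disableOutboundSnat"):
            findings.append(f"{rule['name']}: automatic outbound SNAT still enabled")
    for rule in lb.get("outboundRules") or []:
        shared = inbound_frontends & {leaf(f) for f in rule["frontendIPConfigurations"]}
        if shared:
            findings.append(f"{rule['name']}: egress shares inbound frontend {sorted(shared)}")
    if not lb.get("outboundRules"):
        findings.append("no outbound rule: backend VMs have no explicit outbound NAT")
    return findings

if __name__ == "__main__":
    print(audit_outbound(SAMPLE) or "outbound NAT is provided only by outbound rules")
```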

Clean up resources

When no longer needed, you can use the az group delete command to remove the resource group, load balancer, and all related resources.

  az group delete --name myresourcegroupoutbound