High availability ports overview

Azure Standard Load Balancer helps you load-balance TCP and UDP flows on all ports simultaneously when you're using an internal load balancer.

A high availability (HA) ports load-balancing rule is a variant of a load-balancing rule, configured on an internal Standard Load Balancer. It simplifies the use of a load balancer by providing a single rule that load-balances all TCP and UDP flows arriving on all ports of an internal Standard Load Balancer. The load-balancing decision is made per flow, based on the five-tuple of the connection: source IP address, source port, destination IP address, destination port, and protocol.

HA ports load-balancing rules help with critical scenarios, such as high availability and scale for network virtual appliances (NVAs) inside virtual networks. The feature also helps when a large number of ports must be load-balanced.

An HA ports load-balancing rule is configured by setting the front-end and back-end ports to 0 and the protocol to All. The internal load balancer resource then balances all TCP and UDP flows, regardless of port number.

Why use HA ports?

Network virtual appliances

You can use NVAs to help secure your Azure workloads from multiple types of security threats. When you use NVAs in these scenarios, they must be reliable and highly available, and they must scale out on demand.

You can achieve these goals by adding NVA instances to the back-end pool of your internal load balancer and configuring an HA ports load-balancing rule.

For NVA HA scenarios, HA ports offer the following advantages:

  • Fast failover to healthy instances, with per-instance health probes
  • Higher performance through scale-out to n active instances
  • Support for n-active and active-passive scenarios
  • No need for complex solutions, such as Apache ZooKeeper nodes, for monitoring appliances

The following diagram presents a hub-and-spoke virtual network deployment. The spokes force-tunnel their traffic to the hub virtual network and through the NVAs before it leaves the trusted space. The NVAs sit behind an internal Standard Load Balancer with an HA ports configuration, so all traffic can be processed and forwarded accordingly. When configured as shown in the following diagram, an HA ports load-balancing rule additionally provides flow symmetry for ingress and egress traffic.

Diagram of a hub-and-spoke virtual network, with NVAs deployed in HA mode

Note

If you are using NVAs, confirm with their providers how best to use HA ports and which scenarios are supported.

Load-balancing large numbers of ports

You can also use HA ports for applications that require load balancing of a large number of ports. An internal Standard Load Balancer with HA ports simplifies these scenarios: a single load-balancing rule replaces multiple individual load-balancing rules, one for each port.

Region availability

The HA ports feature is available in all Azure regions.

Supported configurations

A single, non-floating IP (non-Direct Server Return) HA ports configuration on an internal Standard Load Balancer

This is the basic HA ports configuration. You can configure an HA ports load-balancing rule on a single front-end IP address as follows:

  1. While configuring the Standard Load Balancer, select the HA ports check box in the load-balancing rule configuration.
  2. For Floating IP, select Disabled.

With this configuration, no other load-balancing rule can be configured on the current load balancer resource, and no other internal load balancer resource can be configured for the given set of back-end instances.

However, you can configure a public Standard Load Balancer for the back-end instances in addition to this HA ports rule.

A single, floating IP (Direct Server Return) HA ports configuration on an internal Standard Load Balancer

Similarly, you can configure your load balancer to use an HA ports load-balancing rule with a single front end and Floating IP set to Enabled.

With this configuration, you can add more floating IP load-balancing rules and/or a public load balancer. However, you cannot add a non-floating IP HA ports load-balancing configuration on top of this configuration.

Multiple HA ports configurations on an internal Standard Load Balancer

If your scenario requires more than one HA ports front end for the same back-end pool, you can do the following:

  • Configure more than one front-end private IP address for a single internal Standard Load Balancer resource.
  • Configure multiple load-balancing rules, where each rule has a single, unique front-end IP address selected.
  • Select the HA ports option, and set Floating IP to Enabled, for all of the load-balancing rules.

An internal load balancer with HA ports and a public load balancer on the same back-end instances

You can configure one public Standard Load Balancer resource for the back-end resources, along with a single internal Standard Load Balancer with HA ports.

Limitations

  • HA ports load-balancing rules are available only on an internal Standard Load Balancer.
  • Combining an HA ports load-balancing rule with a non-HA ports load-balancing rule that points to the same back-end IP configuration(s) is not supported unless both have Floating IP enabled.
  • Existing IP fragments are forwarded by HA ports load-balancing rules to the same destination as the first packet. IP fragmentation of UDP or TCP packets is not supported.
  • Flow symmetry (primarily for NVA scenarios) is supported only with back-end instances that have a single NIC (and a single IP configuration), used as shown in the diagram above with HA ports load-balancing rules. It is not provided in any other scenario: two or more Load Balancer resources and their respective rules make independent decisions and are never coordinated. See the description and diagram for network virtual appliances. When you use multiple NICs, or sandwich the NVA between a public and an internal Load Balancer, flow symmetry is not available. You may be able to work around this by source-NATing the ingress flow to the IP of the appliance, so that replies arrive at the same NVA. However, we strongly recommend using a single NIC and the reference architecture shown in the diagram above.
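The rule definition above (protocol All, front-end and back-end ports 0) and the supported-configuration and limitation rules on this page are easy to get wrong in a template before Azure rejects the deployment. The following is an added example, not code from this page and not Azure SDK code: a small pre-deployment check that reads a `Microsoft.Network/loadBalancers` resource in the shape an ARM template uses and reports the rule combinations this page documents as unsupported (non-floating IP HA ports rule combined with any other rule; HA ports rule combined with a non-floating rule; two HA ports rules sharing a front end; an HA ports rule on a public front end). Resource, front-end and rule names are made up, the front end is referenced by name instead of by resource id as a simplification, and Azure's own validation remains authoritative.

```python
"""Pre-deployment check for HA ports rules on an Azure Standard Load Balancer.

Added example (hypothetical helper, not Azure SDK code). It reads the properties of a
Microsoft.Network/loadBalancers resource in ARM-template shape and reports the rule
combinations this page documents as unsupported. Azure's own validation is authoritative.
"""
from typing import Dict, List


def ha_ports_rule(name: str, frontend: str, floating_ip: bool) -> Dict:
    """loadBalancingRules entry for an HA ports rule: protocol All, both ports 0."""
    return {
        "name": name,
        "properties": {
            "protocol": "All",
            "frontendPort": 0,
            "backendPort": 0,
            "enableFloatingIP": floating_ip,
            # Simplified: a real template references the frontend by resource id.
            "frontendIPConfiguration": {"name": frontend},
        },
    }


def port_rule(name: str, frontend: str, port: int, floating_ip: bool) -> Dict:
    """Ordinary single-port TCP rule, for comparison with the HA ports rule."""
    rule = ha_ports_rule(name, frontend, floating_ip)
    rule["properties"].update({"protocol": "Tcp", "frontendPort": port, "backendPort": port})
    return rule


def is_ha_ports(rule: Dict) -> bool:
    p = rule["properties"]
    return p["protocol"] == "All" and p["frontendPort"] == 0 and p["backendPort"] == 0


def check_ha_ports(lb: Dict) -> List[str]:
    """Return findings; an empty list means the rule set is one this page lists as supported."""
    findings: List[str] = []
    props = lb["properties"]
    rules = props.get("loadBalancingRules", [])
    ha = [r for r in rules if is_ha_ports(r)]

    # Port 0 only defines HA ports together with protocol All on both ports.
    for r in rules:
        p = r["properties"]
        if 0 in (p["frontendPort"], p["backendPort"]) and not is_ha_ports(r):
            findings.append(f"{r['name']}: port 0 only defines HA ports with protocol All and both ports 0")
    if not ha:
        return findings

    # HA ports rules exist only on an internal Standard Load Balancer.
    if lb.get("sku", {}).get("name") != "Standard":
        findings.append("HA ports rules require the Standard SKU")
    frontends = {f["name"]: f["properties"] for f in props.get("frontendIPConfigurations", [])}
    for r in ha:
        fe = frontends.get(r["properties"]["frontendIPConfiguration"]["name"], {})
        if "publicIPAddress" in fe or "subnet" not in fe:
            findings.append(f"{r['name']}: HA ports needs a private (internal) frontend IP")

    non_floating = [r for r in ha if not r["properties"]["enableFloatingIP"]]
    if non_floating:
        # A non-floating IP HA ports rule must be the only rule on the load balancer.
        if len(rules) > 1:
            findings.append(f"{non_floating[0]['name']}: a non-floating IP HA ports rule allows no other rule on this load balancer")
    else:
        # With Floating IP enabled on the HA ports rule(s), other rules are allowed only if they
        # also enable Floating IP, and each HA ports rule needs its own frontend IP.
        for r in rules:
            if not r["properties"]["enableFloatingIP"]:
                findings.append(f"{r['name']}: rules combined with an HA ports rule must also enable Floating IP")
        used = [r["properties"]["frontendIPConfiguration"]["name"] for r in ha]
        for fe in sorted(set(used)):
            if used.count(fe) > 1:
                findings.append(f"frontend {fe}: used by more than one HA ports rule; each needs its own frontend IP")
    return findings


def sample_lb(rules: List[Dict], internal: bool = True) -> Dict:
    """Constructed Standard Load Balancer (names made up): two private frontends, or one public one."""
    if internal:
        frontends = [
            {"name": "fe-1", "properties": {"privateIPAddress": "10.0.1.4", "subnet": {"id": "snet-nva"}}},
            {"name": "fe-2", "properties": {"privateIPAddress": "10.0.1.5", "subnet": {"id": "snet-nva"}}},
        ]
    else:
        frontends = [{"name": "fe-1", "properties": {"publicIPAddress": {"id": "pip-nva"}}}]
    return {
        "name": "lb-nva",
        "sku": {"name": "Standard"},
        "properties": {"frontendIPConfigurations": frontends, "loadBalancingRules": rules},
    }


if __name__ == "__main__":
    cases = {
        "basic non-floating HA ports rule": [ha_ports_rule("ha", "fe-1", False)],
        "two HA ports frontends, Floating IP enabled": [ha_ports_rule("ha-1", "fe-1", True), ha_ports_rule("ha-2", "fe-2", True)],
        "non-floating HA ports plus a TCP 443 rule": [ha_ports_rule("ha", "fe-1", False), port_rule("https", "fe-2", 443, False)],
    }
    for title, rules in cases.items():
        print(f"{title}: {check_ha_ports(sample_lb(rules)) or 'OK'}")
    print("HA ports on a public frontend:", check_ha_ports(sample_lb([ha_ports_rule("ha", "fe-1", True)], internal=False)))
```

Run this against the rule list extracted from your template (for example with a JSON load of the `loadBalancingRules` array) before deployment; the two-front-end case with Floating IP enabled on both rules is the multiple-HA-ports configuration described above, and the non-floating case with a second rule reproduces the first limitation.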

Next steps