Multiple Frontends for Azure Load Balancer

Azure Load Balancer allows you to load balance services on multiple ports, multiple IP addresses, or both. You can use public and internal load balancer definitions to load balance flows across a set of VMs.

This article describes the fundamentals of this ability, important concepts, and constraints. If you only intend to expose services on one IP address, you can find simplified instructions for public or internal load balancer configurations. Adding multiple frontends is incremental to a single frontend configuration. Using the concepts in this article, you can expand a simplified configuration at any time.

When you define an Azure Load Balancer, a frontend and a backend pool configuration are connected with rules. The health probe referenced by a rule determines whether new flows are sent to a given node in the backend pool. The frontend (also called the VIP) is defined by a 3-tuple consisting of an IP address (public or internal), a transport protocol (UDP or TCP), and a port number from the load balancing rule. The backend pool is a collection of virtual machine IP configurations (part of the NIC resource) that reference the load balancer backend pool.

The following table contains some example frontend configurations:

Frontend   IP address   Protocol   Port
1          65.52.0.1    TCP        80
2          65.52.0.1    TCP        8080
3          65.52.0.1    UDP        80
4          65.52.0.2    TCP        80

The table shows four different frontends. Frontends #1, #2 and #3 share one IP address, so they are effectively a single frontend IP configuration used by multiple rules: the port or the protocol differs for each. Frontends #1 and #4 are an example of multiple frontends, where the same frontend protocol and port are reused across different frontend IP addresses.

Azure Load Balancer provides flexibility in defining the load balancing rules. A rule declares how an address and port on the frontend is mapped to the destination address and port on the backend. Whether backend ports can be reused across rules depends on the type of the rule. Each type of rule has specific requirements that can affect host configuration and probe design. There are two types of rules:

  1. The default rule, with no backend port reuse
  2. The Floating IP rule, where backend ports are reused

Azure Load Balancer allows you to mix both rule types on the same load balancer configuration. The load balancer can use them simultaneously for a given VM, or in any combination, as long as you abide by the constraints of each rule type. Which rule type you choose depends on the requirements of your application and the complexity of supporting that configuration. Evaluate which rule types are best for your scenario.

We explore these scenarios further by starting with the default behavior.

Rule type #1: No backend port reuse

Illustration of multiple frontends with a green frontend and a purple frontend

In this scenario, the frontends are configured as follows:

Frontend            IP address   Protocol   Port
Green frontend 1    65.52.0.1    TCP        80
Purple frontend 2   65.52.0.2    TCP        80

The DIP (the IP configuration of the VM's NIC) is the destination of the inbound flow. In the backend pool, each VM exposes the desired service on a unique port on its DIP. This service is associated with the frontend through a rule definition.

We define two rules:

Rule   Map frontend                To backend pool
1      Green frontend  Frontend1:80   DIP1:80, DIP2:80
2      Purple frontend Frontend2:80   DIP1:81, DIP2:81

The complete mapping in Azure Load Balancer is now as follows:

Rule             Frontend IP address   Protocol   Port   Destination      Port
Green rule 1     65.52.0.1             TCP        80     DIP IP address   80
Purple rule 2    65.52.0.2             TCP        80     DIP IP address   81

Each rule must produce a flow with a unique combination of destination IP address and destination port. By varying the destination port of the flow, multiple rules can deliver flows to the same DIP on different ports.

Health probes are always directed to the DIP of a VM. You must ensure that your probe reflects the health of the VM.

Rule type #2: backend port reuse by using Floating IP

Azure Load Balancer provides the flexibility to reuse the frontend port across multiple frontends regardless of the rule type used. Additionally, some application scenarios prefer or require the same port to be used by multiple application instances on a single VM in the backend pool. Common examples of port reuse include clustering for high availability, network virtual appliances, and exposing multiple TLS endpoints without re-encryption.

If you want to reuse the backend port across multiple rules, you must enable Floating IP in the rule definition.

"Floating IP" is Azure's term for a portion of what is known as Direct Server Return (DSR). DSR consists of two parts: a flow topology and an IP address mapping scheme. At the platform level, Azure Load Balancer always operates in a DSR flow topology, whether or not Floating IP is enabled. This means that the outbound (return) part of a flow is always rewritten correctly so that it goes directly back to the origin.

With the default rule type, Azure exposes a traditional load balancing IP address mapping scheme for ease of use. Enabling Floating IP changes the IP address mapping scheme to allow for additional flexibility, as explained below.

The following diagram illustrates this configuration:

Illustration of multiple frontends with a green frontend and a purple frontend using DSR

For this scenario, every VM in the backend pool has three network interfaces:

  • DIP: a virtual NIC associated with the VM (the IP configuration of the Azure NIC resource)
  • Frontend 1: a loopback interface within the guest OS that is configured with the IP address of Frontend 1
  • Frontend 2: a loopback interface within the guest OS that is configured with the IP address of Frontend 2

Important

The configuration of the loopback interfaces is performed within the guest OS. Azure does not perform or manage this configuration, and without it the rules will not function. Health probe definitions use the DIP of the VM rather than the loopback interface that represents the DSR frontend. Therefore, your service must provide probe responses on a DIP port that reflect the status of the service offered on the loopback interface representing the DSR frontend.
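One way to satisfy the probe requirement above, shown here as an added example that is not code from the original article or from Azure: a small HTTP probe responder that listens on the DIP port and answers 200 only while the service bound to the frontend address on the loopback interface still accepts connections, so a dead loopback-bound service is taken out of rotation instead of being reported healthy just because the VM is up. All addresses and ports are constructed for illustration, and 127.0.0.1 stands in for both the loopback frontend address and the DIP so that the example runs offline; the `fake_loopback_service` helper is a stand-in for the real application.

```python
"""Probe responder for a Floating IP backend (added example, not Azure code).

Azure probes the VM's DIP, but with Floating IP the application is bound to
the frontend IP on a loopback interface. This responder listens on the DIP
probe port and answers 200 only while the loopback-bound service accepts
TCP connections, so the probe result tracks the real service.
All addresses/ports here are constructed; 127.0.0.1 stands in for both the
loopback frontend address and the DIP so the example runs offline.
"""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import urlopen


def service_reachable(frontend_ip: str, frontend_port: int, timeout: float = 0.5) -> bool:
    """TCP-connect check against the service bound to the frontend address on loopback."""
    try:
        with socket.create_connection((frontend_ip, frontend_port), timeout=timeout):
            return True
    except OSError:
        return False


def make_probe_handler(frontend_ip: str, frontend_port: int):
    """Build an HTTP handler class that reports the loopback-bound service's state."""

    class ProbeHandler(BaseHTTPRequestHandler):
        def do_GET(self) -> None:
            healthy = service_reachable(frontend_ip, frontend_port)
            body = b"healthy\n" if healthy else b"service on loopback frontend is down\n"
            self.send_response(200 if healthy else 503)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, fmt: str, *args) -> None:  # keep the example quiet
            pass

    return ProbeHandler


def start_probe_server(dip: str, probe_port: int, frontend_ip: str, frontend_port: int) -> HTTPServer:
    """Listen on the DIP (never on the loopback frontend) and serve probes in the background.
    Port 0 picks a free port; the chosen one is available in server.server_address."""
    server = HTTPServer((dip, probe_port), make_probe_handler(frontend_ip, frontend_port))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def query_probe(dip: str, probe_port: int) -> int:
    """Return the HTTP status code the load balancer's probe would observe."""
    try:
        with urlopen(f"http://{dip}:{probe_port}/", timeout=2) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def fake_loopback_service(frontend_ip: str) -> socket.socket:
    """Constructed stand-in for the application bound to the frontend IP on loopback."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((frontend_ip, 0))
    srv.listen(5)
    return srv


def demo() -> tuple:
    """Run the scenario end to end: (probe status while the service is up, status after it stops)."""
    frontend_ip = dip = "127.0.0.1"  # stand-ins, see module docstring
    service = fake_loopback_service(frontend_ip)
    frontend_port = service.getsockname()[1]
    probe = start_probe_server(dip, 0, frontend_ip, frontend_port)
    probe_port = probe.server_address[1]
    try:
        while_up = query_probe(dip, probe_port)
        service.close()  # the loopback-bound service goes away
        after_down = query_probe(dip, probe_port)
    finally:
        probe.shutdown()
        probe.server_close()
    return while_up, after_down


if __name__ == "__main__":
    print(demo())  # (200, 503)
```

In production the probe check should exercise the application itself (for example an HTTP request to the loopback-bound listener) rather than only a TCP connect, and the responder must bind to the DIP, not to the loopback frontend address, or Azure's probe will never reach it.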

Let's assume the same frontend configuration as in the previous scenario:

Frontend            IP address   Protocol   Port
Green frontend 1    65.52.0.1    TCP        80
Purple frontend 2   65.52.0.2    TCP        80

We define two rules:

Rule   Frontend       Map to backend pool
1      Frontend1:80   Frontend1:80 (in VM1 and VM2)
2      Frontend2:80   Frontend2:80 (in VM1 and VM2)

The following table shows the complete mapping in the load balancer:

Rule             Frontend IP address   Protocol   Port   Destination                    Port
Green rule 1     65.52.0.1             TCP        80     same as frontend (65.52.0.1)   same as frontend (80)
Purple rule 2    65.52.0.2             TCP        80     same as frontend (65.52.0.2)   same as frontend (80)

The destination of the inbound flow is the frontend IP address on the loopback interface in the VM. Each rule must produce a flow with a unique combination of destination IP address and destination port. By varying the destination IP address of the flow, port reuse becomes possible on the same VM. Your service is exposed to the load balancer by binding it to the frontend's IP address on the respective loopback interface and to the port.

Notice that this example does not change the destination port. Even in a Floating IP scenario, Azure Load Balancer also supports defining a rule that rewrites the backend destination port so that it differs from the frontend destination port.
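The default rule (rule type #1 above) and the Floating IP rule differ only in how the destination IP of a flow is chosen, and both reduce to the same constraint: on each VM, every rule must land on a distinct (destination IP, protocol, destination port). The following Python checker, added here as an example rather than taken from the article or from Azure, models that mapping for a planned configuration and reports conflicts before anything is deployed; it also lists what the guest OS must provide (loopback addresses for Floating IP rules, and the socket bindings) for each rule set. The frontend addresses are those of the article; the DIP addresses 10.0.0.4 and 10.0.0.5, the rule names and the `Frontend`/`Rule` classes are constructed for illustration. The checker keys on protocol as well, since TCP and UDP flows to the same address and port are distinct (compare frontends #1 and #3 in the first table).

```python
"""Checker for Azure Load Balancer rule-to-destination mapping (added example,
not Azure code). Models the two mapping schemes the article describes and
flags rule sets that would produce ambiguous flows on a backend VM.
Frontend IPs are the article's; DIPs, names and classes are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Tuple3 = Tuple[str, str, int]  # (ip, protocol, port)


@dataclass(frozen=True)
class Frontend:
    name: str
    ip: str
    protocol: str  # "TCP" or "UDP"
    port: int

    def key(self) -> Tuple3:
        return (self.ip, self.protocol.upper(), self.port)


@dataclass(frozen=True)
class Rule:
    name: str
    frontend: Frontend
    backend_port: int
    floating_ip: bool = False


def destination_for(rule: Rule, dip: str) -> Tuple3:
    """Destination (ip, protocol, port) of an inbound flow after the load
    balancer rewrites it, on the VM whose NIC address is `dip`.
    Default rule: destination IP becomes the DIP, port becomes backend_port.
    Floating IP rule: destination IP stays the frontend IP, which the guest
    must host on a loopback interface; the port may still be rewritten."""
    dst_ip = rule.frontend.ip if rule.floating_ip else dip
    return (dst_ip, rule.frontend.protocol.upper(), rule.backend_port)


def validate(rules: List[Rule], dips: List[str]) -> List[str]:
    """Return a list of constraint violations; an empty list means consistent."""
    problems: List[str] = []
    seen_frontends: Dict[Tuple3, str] = {}
    for r in rules:  # a frontend 3-tuple can be claimed by only one rule
        k = r.frontend.key()
        if k in seen_frontends:
            problems.append(f"{r.name} and {seen_frontends[k]} share frontend {k}")
        seen_frontends[k] = r.name
    for dip in dips:  # per VM, each rule must land on a distinct (ip, proto, port)
        seen_dests: Dict[Tuple3, str] = {}
        for r in rules:
            d = destination_for(r, dip)
            if d in seen_dests:
                problems.append(f"VM {dip}: {r.name} and {seen_dests[d]} both deliver to {d}")
            seen_dests[d] = r.name
    return problems


def guest_requirements(rules: List[Rule], dip: str) -> Tuple[Set[str], Set[Tuple3]]:
    """What the guest OS on VM `dip` must provide: loopback addresses to
    configure (Floating IP rules only) and the socket bindings to listen on."""
    loopbacks = {r.frontend.ip for r in rules if r.floating_ip}
    bindings = {destination_for(r, dip) for r in rules}
    return loopbacks, bindings


# Constructed sample matching the article's green and purple frontends.
GREEN = Frontend("green", "65.52.0.1", "TCP", 80)
PURPLE = Frontend("purple", "65.52.0.2", "TCP", 80)
DIPS = ["10.0.0.4", "10.0.0.5"]  # hypothetical backend NIC addresses

# Rule type 1: distinct ports on the DIP, no loopback configuration needed.
DEFAULT_RULES = [Rule("rule1", GREEN, 80), Rule("rule2", PURPLE, 81)]
# Misconfiguration: same backend port without Floating IP -> ambiguous flows.
BAD_RULES = [Rule("rule1", GREEN, 80), Rule("rule2", PURPLE, 80)]
# Rule type 2: same port reused, disambiguated by the frontend IP on loopback.
FLOATING_RULES = [Rule("rule1", GREEN, 80, True), Rule("rule2", PURPLE, 80, True)]

if __name__ == "__main__":
    for label, rules in [("default", DEFAULT_RULES), ("bad", BAD_RULES), ("floating", FLOATING_RULES)]:
        print(label, validate(rules, DIPS) or "OK", guest_requirements(rules, DIPS[0]))
```

The BAD_RULES case is the one that is easy to create by accident when cloning a rule for a second frontend: the load balancer would rewrite both frontends to DIP:80, so nothing distinguishes the two services on the VM. Either give the second rule its own backend port (rule type 1) or enable Floating IP on both rules and host the frontend addresses on the guest's loopback interface (rule type 2).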

The Floating IP rule type is the foundation of several load balancer configuration patterns. One example that is currently available is the SQL AlwaysOn with Multiple Listeners configuration. Over time, we will document more of these scenarios.

Limitations

  • Multiple frontend configurations are supported only with IaaS VMs.
  • With the Floating IP rule, your application must use the primary IP configuration for outbound flows. If your application binds to the frontend IP address configured on the loopback interface in the guest OS, Azure's SNAT is not available to rewrite the outbound flow and the flow fails.
  • Public IP addresses affect billing. For more information, see IP address pricing.
  • Subscription limits apply. For more information, see Service limits.

Next steps

  • Review Outbound connections to understand the impact of multiple frontends on outbound connection behavior.