Outbound connections in Azure

Azure Load Balancer provides outbound connectivity for customer deployments through several different mechanisms. This article describes what the scenarios are, when they apply, how they work, and how to manage them. If you are experiencing issues with outbound connectivity through an Azure Load Balancer, see the troubleshooting guide for outbound connections (../load-balancer/troubleshoot-outbound-connection.md).

Note

This article covers Resource Manager deployments only. Review Outbound connections (Classic) for all Classic deployment scenarios in Azure.

A deployment in Azure can communicate with endpoints outside Azure in the public IP address space. When an instance initiates an outbound flow to a destination in the public IP address space, Azure dynamically maps the private IP address to a public IP address. After this mapping is created, return traffic for this outbound-originated flow can also reach the private IP address where the flow originated.

Azure uses source network address translation (SNAT) to perform this function. When multiple private IP addresses are masquerading behind a single public IP address, Azure uses port address translation (PAT) to masquerade the private IP addresses. Ephemeral ports are used for PAT and are preallocated based on pool size.

There are multiple outbound scenarios. You can combine these scenarios as needed. Review them carefully to understand the capabilities, constraints, and patterns as they apply to your deployment model and application scenario. Review the guidance for managing these scenarios.

Important

Standard Load Balancer and Standard Public IP introduce new abilities and different behaviors for outbound connectivity. They are not the same as the Basic SKUs. If you want outbound connectivity when working with Standard SKUs, you must explicitly define it, either with Standard Public IP addresses or with a Standard public Load Balancer. This includes creating outbound connectivity when using an internal Standard Load Balancer. We recommend that you always use outbound rules on a Standard public Load Balancer. Scenario 3 is not available with the Standard SKU. That means that when an internal Standard Load Balancer is used, you need to take steps to create outbound connectivity for the VMs in the backend pool if outbound connectivity is desired.

In the context of outbound connectivity, a single standalone VM, all the VMs in an Availability Set, or all the instances in a VMSS behave as a group. This means that if a single VM in an Availability Set is associated with a Standard SKU, all VM instances within this Availability Set now behave by the same rules as if they were associated with a Standard SKU, even if an individual instance is not directly associated with one. The same behavior is observed for a standalone VM with multiple network interface cards attached to a load balancer: if one NIC is added on its own, the VM as a whole follows the Standard SKU rules.

Carefully review this entire document to understand the overall concepts, review Standard Load Balancer for the differences between SKUs, and review outbound rules. Outbound rules give you fine-grained control over all aspects of outbound connectivity.

Scenario overview

Azure Load Balancer and related resources are explicitly defined when you use Azure Resource Manager. Azure currently provides three different methods to achieve outbound connectivity for Azure Resource Manager resources.

Scenario 1: VM with an Instance Level Public IP address (with or without Load Balancer)
  SKUs: Standard, Basic
  Method: SNAT, port masquerading not used
  IP protocols: TCP, UDP, ICMP, ESP
  Description: Azure uses the public IP assigned to the IP configuration of the instance's NIC. The instance has all ephemeral ports available. When using Standard Load Balancer, outbound rules are not supported if a public IP is assigned to the Virtual Machine.

Scenario 2: Public Load Balancer associated with a VM (no Public IP address on the instance)
  SKUs: Standard, Basic
  Method: SNAT with port masquerading (PAT) using the Load Balancer frontends
  IP protocols: TCP, UDP
  Description: Azure shares the public IP address of the public Load Balancer frontends with multiple private IP addresses. Azure uses ephemeral ports of the frontends for PAT. When using Standard Load Balancer, you should use outbound rules to explicitly define outbound connectivity.

Scenario 3: Standalone VM (no Load Balancer, no Public IP address)
  SKUs: none or Basic
  Method: SNAT with port masquerading (PAT)
  IP protocols: TCP, UDP
  Description: Azure automatically designates a public IP address for SNAT, shares this public IP address with the multiple private IP addresses of the availability set, and uses ephemeral ports of this public IP address. This scenario is a fallback for the preceding scenarios. We don't recommend it if you need visibility and control.

If you don't want a VM to communicate with endpoints outside Azure in the public IP address space, you can use network security groups (NSGs) to block access as needed. The section Preventing outbound connectivity discusses NSGs in more detail. Guidance on designing, implementing, and managing a virtual network without any outbound access is outside the scope of this article.

Scenario 1: VM with a Public IP address

In this scenario, the VM has a Public IP assigned to it. As far as outbound connections are concerned, it doesn't matter whether the VM is load balanced or not. This scenario takes precedence over the others. When a Public IP address is used, the VM uses that Public IP address for all outbound flows.

A public IP assigned to a VM is a 1:1 relationship (rather than 1:many) and is implemented as a stateless 1:1 NAT. Port masquerading (PAT) is not used, and the VM has all ephemeral ports available for use.

If your application initiates many outbound flows and you experience SNAT port exhaustion, consider assigning a Public IP address to mitigate the SNAT constraints. Review Managing SNAT exhaustion in its entirety.

Scenario 2: Load-balanced VM without a Public IP address

In this scenario, the VM is part of a public Load Balancer backend pool. The VM does not have a public IP address assigned to it. The Load Balancer resource must be configured with a load balancing rule to create a link between the public IP frontend and the backend pool.

If you do not complete this rule configuration, the behavior is as described in the scenario for a standalone VM with no Public IP. The rule does not need a working listener in the backend pool or a succeeding health probe in order to program outbound SNAT.

When the load-balanced VM creates an outbound flow, Azure translates the private source IP address of the outbound flow to the public IP address of the public Load Balancer frontend. Azure uses SNAT to perform this function. Azure also uses PAT to masquerade multiple private IP addresses behind the public IP address.

Ephemeral ports of the load balancer's public IP address frontend are used to distinguish the individual flows originated by the VM. SNAT dynamically uses preallocated ephemeral ports when outbound flows are created. In this context, the ephemeral ports used for SNAT are called SNAT ports.

SNAT ports are preallocated as described in the Understanding SNAT and PAT section. They are a finite resource that can be exhausted, so it is important to understand how they are consumed. To understand how to design for this consumption and mitigate as necessary, review Managing SNAT exhaustion.

When multiple public IP addresses are associated with a Basic Load Balancer, any of these public IP addresses is a candidate for outbound flows, and one is selected at random.

To monitor the health of outbound connections with a Basic Load Balancer, you can use Azure Monitor logs for Load Balancer and alert event logs to monitor for SNAT port exhaustion messages.

Scenario 3: Standalone VM without a Public IP address

In this scenario, the VM is not part of a public Load Balancer pool (and not part of an internal Standard Load Balancer pool) and does not have a Public IP address assigned to it. When the VM creates an outbound flow, Azure translates the private source IP address of the outbound flow to a public source IP address. The public IP address used for this outbound flow is not configurable and does not count against the subscription's public IP resource limit. This public IP address does not belong to you and cannot be reserved. If you redeploy the VM, Availability Set, or virtual machine scale set, this public IP address is released and a new public IP address is requested. Do not use this scenario for allow-listing IP addresses. Instead, use one of the other two scenarios, where you explicitly declare the outbound scenario and the public IP address to be used for outbound connectivity.

Important

This scenario also applies when only an internal Basic Load Balancer is attached. Scenario 3 is not available when an internal Standard Load Balancer is attached to a VM. You must explicitly create scenario 1 or scenario 2 in addition to using an internal Standard Load Balancer.

Azure uses SNAT with port masquerading (PAT) to perform this function. This scenario is similar to scenario 2, except that there is no control over the IP address used. This is a fallback scenario for when scenarios 1 and 2 do not exist. We don't recommend this scenario if you want control over the outbound address. If outbound connections are a critical part of your application, you should choose another scenario.

SNAT ports are preallocated as described in the Understanding SNAT and PAT section. The number of VMs sharing an Availability Set determines which preallocation tier applies. A standalone VM without an Availability Set is effectively a pool of 1 for the purposes of determining preallocation (1,024 SNAT ports). SNAT ports are a finite resource that can be exhausted, so it is important to understand how they are consumed. To understand how to design for this consumption and mitigate as necessary, review Managing SNAT exhaustion.

Multiple, combined scenarios

You can combine the scenarios described in the preceding sections to achieve a particular outcome. When multiple scenarios are present, an order of precedence applies: scenario 1 takes precedence over scenarios 2 and 3, and scenario 2 overrides scenario 3.

An example is an Azure Resource Manager deployment where the application relies heavily on outbound connections to a limited number of destinations but also receives inbound flows over a Load Balancer frontend. In this case, you can combine scenarios 1 and 2 for relief. For additional patterns, review Managing SNAT exhaustion.

Multiple frontends for outbound flows

Standard Load Balancer

When multiple (public) IP frontends are present, Standard Load Balancer uses all of them as candidates for outbound flows at the same time. Each frontend multiplies the number of available preallocated SNAT ports if a load balancing rule is enabled for outbound connections.

You can choose to suppress a frontend IP address from being used for outbound connections with a load balancing rule option:

      "loadBalancingRules": [
        {
          "disableOutboundSnat": false
        }
      ]

Normally, the disableOutboundSnat option defaults to false and signifies that this rule programs outbound SNAT for the associated VMs in the backend pool of the load balancing rule. disableOutboundSnat can be changed to true to prevent Load Balancer from using the associated frontend IP address for outbound connections from the VMs in the backend pool of this load balancing rule. You can also still designate a specific IP address for outbound flows as described in Multiple, combined scenarios.

Basic Load Balancer

When multiple (public) IP frontends are candidates for outbound flows, Basic Load Balancer chooses a single frontend to be used for outbound flows. This selection is not configurable, and you should consider the selection algorithm to be random. You can designate a specific IP address for outbound flows as described in Multiple, combined scenarios.

Understanding SNAT and PAT

Port masquerading SNAT (PAT)

When a public Load Balancer resource is associated with VM instances that do not have dedicated Public IP addresses, the source of each outbound connection is rewritten. The source is rewritten from the virtual network's private IP address space to the frontend Public IP address of the load balancer. In the public IP address space, the 5-tuple of the flow (source IP address, source port, IP transport protocol, destination IP address, destination port) must be unique. Port masquerading SNAT can be used with either the TCP or the UDP transport protocol.

Ephemeral ports (SNAT ports) are used to achieve this after rewriting the private source IP address, because multiple flows originate from a single public IP address. The port masquerading SNAT algorithm allocates SNAT ports differently for UDP than for TCP.

TCP SNAT ports

One SNAT port is consumed per flow to a single destination IP address and port. For multiple TCP flows to the same destination IP address, port, and protocol, each TCP flow consumes its own SNAT port. This ensures that the flows are unique when they originate from the same public IP address and go to the same destination IP address, port, and protocol.

Multiple flows, each to a different destination IP address, port, or protocol, can share a single SNAT port. The destination IP address, port, and protocol make the flows unique without the need for additional source ports to distinguish the flows in the public IP address space.

UDP SNAT ports

UDP SNAT ports are managed by a different algorithm than TCP SNAT ports. Load Balancer uses an algorithm known as "port-restricted cone NAT" for UDP. One SNAT port is consumed for each flow, irrespective of the destination IP address and port.

SNAT port reuse

Once a port has been released, it is available for reuse as needed. You can think of the SNAT ports as a sequence from lowest to highest available for a given scenario; the first available SNAT port is used for new connections.

Exhaustion

When SNAT port resources are exhausted, outbound flows fail until existing flows release SNAT ports. Load Balancer reclaims SNAT ports when a flow closes and uses a 4-minute idle timeout to reclaim SNAT ports from idle flows.

UDP SNAT ports generally exhaust much faster than TCP SNAT ports because of the difference in the algorithm used. You must design and scale-test with this difference in mind.

For patterns to mitigate conditions that commonly lead to SNAT port exhaustion, review the Managing SNAT section.

Ephemeral port preallocation for port masquerading SNAT (PAT)

When using port masquerading SNAT (PAT), Azure uses an algorithm to determine the number of preallocated SNAT ports available based on the size of the backend pool. SNAT ports are ephemeral ports available for a particular public IP source address. For each Public IP address associated with a load balancer, there are 64,000 ports available as SNAT ports for each IP transport protocol.

The same number of SNAT ports is preallocated for UDP and for TCP, and they are consumed independently per IP transport protocol. However, SNAT port usage differs depending on whether the flow is UDP or TCP.

Important

Standard SKU SNAT programming is per IP transport protocol and is derived from the load balancing rule. If only a TCP load balancing rule exists, SNAT is only available for TCP. If you have only a TCP load balancing rule and need outbound SNAT for UDP, create a UDP load balancing rule from the same frontend to the same backend pool. This triggers SNAT programming for UDP. A working rule or health probe is not required. Basic SKU SNAT always programs SNAT for both IP transport protocols, irrespective of the transport protocol specified in the load balancing rule.

Azure preallocates SNAT ports to the IP configuration of the NIC of each VM. When an IP configuration is added to the pool, SNAT ports are preallocated for this IP configuration based on the backend pool size. When outbound flows are created, PAT dynamically consumes these ports (up to the preallocated limit) and releases them when the flow closes or an idle timeout occurs.

The following table shows the SNAT port preallocation for tiers of backend pool sizes:

Pool size (VM instances)    Preallocated SNAT ports per IP configuration
1-50                        1,024
51-100                      512
101-200                     256
201-400                     128
401-800                     64
801-1,000                   32

Note

When using Standard Load Balancer with multiple frontends, each frontend IP address multiplies the number of available SNAT ports in the previous table. For example, a backend pool of 50 VMs with 2 load balancing rules, each with a separate frontend IP address, gets 2,048 (2 x 1,024) SNAT ports per VM IP configuration. See the details for multiple frontends.

Remember that the number of SNAT ports available does not translate directly into a number of flows. A single SNAT port can be reused for multiple unique destinations. Ports are consumed only when it is necessary to make flows unique. For design and mitigation guidance, refer to the section about how to manage this exhaustible resource and the section that describes PAT.

Changing the size of your backend pool might affect some of your established flows. If the backend pool size increases and transitions into the next tier, half of your preallocated SNAT ports are reclaimed during the transition to the next larger backend pool tier. Flows that are associated with a reclaimed SNAT port time out and must be reestablished. If a new flow is attempted, it succeeds immediately as long as preallocated ports are available.

If the backend pool size decreases and transitions into a lower tier, the number of available SNAT ports increases. In this case, existing allocated SNAT ports and their respective flows are not affected.
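As an added example (not code from the Azure documentation), the following Python encodes the preallocation table above, the per-frontend multiplier for Standard Load Balancer, and the effect a backend pool resize has on the ports preallocated to each VM. The tier boundaries and port counts come from the table; the function and constant names are this example's own, and pool sizes above 1,000 instances are rejected because the table does not cover them.

```python
"""Preallocated SNAT port math for port-masquerading SNAT (PAT)."""
PORTS_PER_PUBLIC_IP = 64_000  # per public IP address, per IP transport protocol

# (largest pool size in the tier, preallocated SNAT ports per NIC IP configuration)
PREALLOCATION_TIERS = [
    (50, 1024),
    (100, 512),
    (200, 256),
    (400, 128),
    (800, 64),
    (1000, 32),
]


def preallocated_ports(pool_size, frontend_ips=1):
    """SNAT ports preallocated to one NIC IP configuration.

    pool_size is the number of instances sharing the backend pool (a standalone
    VM without an Availability Set counts as a pool of 1). With Standard Load
    Balancer, each frontend public IP used for outbound flows multiplies the
    per-instance allocation.
    """
    if pool_size < 1:
        raise ValueError("pool must contain at least one instance")
    if frontend_ips < 1:
        raise ValueError("at least one frontend IP address is required")
    for largest_in_tier, ports in PREALLOCATION_TIERS:
        if pool_size <= largest_in_tier:
            return ports * frontend_ips
    raise ValueError("pool sizes above 1,000 instances are not covered by the table")


def ports_committed(pool_size, frontend_ips=1):
    """Ports handed out across the whole pool; always within the per-IP budget."""
    return pool_size * preallocated_ports(pool_size, frontend_ips)


def resize_effect(old_size, new_size, frontend_ips=1):
    """What a backend pool resize does to each instance's preallocated ports.

    Growing into a higher tier halves the per-instance allocation for every
    tier crossed, and flows pinned to the reclaimed ports time out. Shrinking
    into a lower tier only adds ports; established flows are untouched.
    """
    before = preallocated_ports(old_size, frontend_ips)
    after = preallocated_ports(new_size, frontend_ips)
    return {
        "ports_before": before,
        "ports_after": after,
        "ports_reclaimed": max(before - after, 0),
        "flows_disrupted": after < before,
    }
```

Calling resize_effect(50, 51) shows the edge to plan around: adding one VM crosses the tier boundary, so every VM in the pool loses 512 of its 1,024 ports and the flows on those ports are dropped.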

SNAT port allocations are IP transport protocol specific (TCP and UDP are maintained separately) and are released under the following conditions:

TCP SNAT port release

  • If either the server or the client sends a FIN/ACK, the SNAT port is released after 240 seconds.
  • If a RST is seen, the SNAT port is released after 15 seconds.
  • If the idle timeout has been reached, the port is released.

UDP SNAT port release

  • If the idle timeout has been reached, the port is released.
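The following Python simulation is an added example, not Azure's implementation; it models the allocation and release rules described in Understanding SNAT and PAT and in the release lists above: TCP flows to distinct destinations share a SNAT port while flows to the same destination need distinct ports, UDP consumes one port per flow, the lowest available port is used first, and ports come back after the 240-second FIN, 15-second RST, or 4-minute idle hold. The class, the destination tuples, and the budget of 1,024 ports are assumptions of the example.

```python
"""Simulation of SNAT port consumption and release for port-masquerading SNAT (PAT)."""
FIN_RELEASE_SECONDS = 240           # FIN/ACK seen: port released 240 s later
RST_RELEASE_SECONDS = 15            # RST seen: port released 15 s later
DEFAULT_IDLE_TIMEOUT_SECONDS = 240  # 4-minute idle timeout


class SnatPortTable:
    """SNAT ports of one public IP, one transport protocol, one VM's preallocated budget.

    A destination is a (dest_ip, dest_port) tuple. A TCP port may carry many
    flows as long as each has a different destination (the 5-tuple stays
    unique); a UDP port carries exactly one flow.
    """

    def __init__(self, protocol, preallocated_ports,
                 idle_timeout=DEFAULT_IDLE_TIMEOUT_SECONDS, first_port=1024):
        if protocol not in ("tcp", "udp"):
            raise ValueError("protocol must be 'tcp' or 'udp'")
        self.protocol = protocol
        self.idle_timeout = idle_timeout
        self.free = set(range(first_port, first_port + preallocated_ports))
        self.flows = {}   # port -> {destination: {"last_active": t, "release_at": t or None}}
        self.failed = 0   # flows that could not get a SNAT port (exhaustion)

    def _reclaim(self, now):
        """Return ports whose flows have closed (after the hold-down) or idled out."""
        for port, flows in list(self.flows.items()):
            for dest, state in list(flows.items()):
                if state["release_at"] is not None:
                    done = now >= state["release_at"]
                else:
                    done = now - state["last_active"] >= self.idle_timeout
                if done:
                    del flows[dest]
            if not flows:
                del self.flows[port]
                self.free.add(port)

    def open_flow(self, dest, now):
        """Allocate a SNAT port for a new flow to dest; return None on exhaustion."""
        self._reclaim(now)
        port = None
        if self.protocol == "tcp":
            # Reuse the lowest in-use port that has no flow to this destination yet.
            for candidate in sorted(self.flows):
                if dest not in self.flows[candidate]:
                    port = candidate
                    break
        if port is None:
            if not self.free:
                self.failed += 1
                return None
            port = min(self.free)  # lowest available port first
            self.free.remove(port)
        self.flows.setdefault(port, {})[dest] = {"last_active": now, "release_at": None}
        return port

    def close_flow(self, port, dest, now, how="fin"):
        """Mark a TCP flow closed; the port stays held for the FIN or RST hold-down."""
        hold = RST_RELEASE_SECONDS if how == "rst" else FIN_RELEASE_SECONDS
        self.flows[port][dest]["release_at"] = now + hold

    def ports_in_use(self, now):
        self._reclaim(now)
        return len(self.flows)


def ports_consumed(protocol, destinations, preallocated=1024):
    """Open one flow per destination at t=0; return (ports in use, flows that failed)."""
    table = SnatPortTable(protocol, preallocated)
    for dest in destinations:
        table.open_flow(dest, now=0)
    return table.ports_in_use(0), table.failed


# Constructed sample destinations (documentation address range): 1,100 distinct
# destination tuples, and 1,100 flows to one destination.
MANY_DESTINATIONS = [("203.0.113.%d" % (i % 250 + 1), 443 + i // 250) for i in range(1100)]
ONE_DESTINATION = [("203.0.113.10", 443)] * 1100
```

With a 1,024-port budget, ports_consumed("tcp", MANY_DESTINATIONS) uses a single port for all 1,100 flows, while ports_consumed("tcp", ONE_DESTINATION) and ports_consumed("udp", MANY_DESTINATIONS) both exhaust the budget and fail 76 flows; that is the asymmetry the Exhaustion section warns about, and the reason a UDP-heavy workload needs more ports per instance than the TCP arithmetic suggests.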

Discovering the public IP that a VM uses

There are many ways to determine the public source IP address of an outbound connection. OpenDNS provides a service that can show you the public IP address of your VM.

By using the nslookup command, you can send a DNS query for the name myip.opendns.com to the OpenDNS resolver. The service returns the source IP address that was used to send the query. When you run the following query from your VM, the response is the public IP used for that VM:

nslookup myip.opendns.com resolver1.opendns.com

Preventing outbound connectivity

Sometimes it's undesirable for a VM to be allowed to create an outbound flow. Or there might be a requirement to manage which destinations can be reached with outbound flows, or which destinations can begin inbound flows. In this case, you can use network security groups (NSGs) to manage the destinations that the VM can reach. You can also use NSGs to manage which public sources can initiate inbound flows.

When you apply an NSG to a load-balanced VM, pay attention to the service tags and the default security rules. You must ensure that the VM can receive health probe requests from Azure Load Balancer.

If an NSG blocks health probe requests from the AzureLoadBalancer default tag (AZURE_LOADBALANCER in the older notation), the VM's health probe fails and the VM is marked down. Load Balancer stops sending new flows to that VM.
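As an added example, the following Python evaluates NSG rules in priority order the way the platform does (lowest number first, first match wins, the default rules behind any custom rule) and checks two things this section cares about: whether a health probe from the AzureLoadBalancer service tag (modelled here as the probe source 168.63.129.16) still reaches a VM after a lockdown rule set is applied, and whether a deny-to-Internet rule blocks outbound flows while leaving virtual network traffic alone. This is not Azure code; the VNet address space, the rule names, the simplified "Internet" definition (anything outside the VNet), and the sample flows are constructed for the example.

```python
"""Priority-ordered NSG evaluation for load balancer health probes and outbound flows."""
import ipaddress
from dataclasses import dataclass

AZURE_LB_PROBE_SOURCE = "168.63.129.16"     # address behind the AzureLoadBalancer service tag
VNET = ipaddress.ip_network("10.0.0.0/16")  # assumed virtual network address space


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower numbers are evaluated first
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    source: str        # CIDR, "*" or a service tag
    destination: str   # CIDR, "*" or a service tag
    dest_port: str     # "*" or a single port


# Default rules every NSG carries; custom rules must use priorities below 65000.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*"),
]


def _address_matches(spec, ip):
    addr = ipaddress.ip_address(ip)
    if spec == "*":
        return True
    if spec == "AzureLoadBalancer":
        return ip == AZURE_LB_PROBE_SOURCE
    if spec == "VirtualNetwork":
        return addr in VNET
    if spec == "Internet":
        return addr not in VNET  # simplification: everything outside the VNet
    return addr in ipaddress.ip_network(spec, strict=False)


def evaluate(custom_rules, direction, src_ip, dst_ip, dst_port):
    """Return (access, rule name) of the first matching rule in ascending priority order."""
    for rule in sorted(list(custom_rules) + DEFAULT_RULES, key=lambda r: r.priority):
        if rule.direction != direction:
            continue
        if rule.dest_port not in ("*", str(dst_port)):
            continue
        if _address_matches(rule.source, src_ip) and _address_matches(rule.destination, dst_ip):
            return rule.access, rule.name
    return "Deny", "implicit"


def probe_allowed(custom_rules, vm_ip="10.0.1.4", probe_port=80):
    """Does a Load Balancer health probe still reach the VM with these custom rules applied?"""
    return evaluate(custom_rules, "Inbound", AZURE_LB_PROBE_SOURCE, vm_ip, probe_port)[0] == "Allow"


def internet_egress_allowed(custom_rules, vm_ip="10.0.1.4", dst_ip="203.0.113.7", dst_port=443):
    """Can the VM open an outbound flow to a public address with these custom rules applied?"""
    return evaluate(custom_rules, "Outbound", vm_ip, dst_ip, dst_port)[0] == "Allow"


# Constructed rule sets for the example.
LOCKDOWN_BREAKS_PROBES = [
    Rule("DenyAllInboundCustom", 100, "Inbound", "Deny", "*", "*", "*"),
]
LOCKDOWN_KEEPS_PROBES = [
    Rule("AllowLbProbe", 90, "Inbound", "Allow", "AzureLoadBalancer", "*", "80"),
    Rule("DenyAllInboundCustom", 100, "Inbound", "Deny", "*", "*", "*"),
]
NO_OUTBOUND_INTERNET = [
    Rule("DenyInternetOutbound", 100, "Outbound", "Deny", "*", "Internet", "*"),
]
```

The point of LOCKDOWN_BREAKS_PROBES is that a custom deny-all at priority 100 is matched before the default AllowAzureLoadBalancerInBound rule at 65001, so the probe is dropped and the VM is taken out of rotation; LOCKDOWN_KEEPS_PROBES fixes that by allowing the AzureLoadBalancer tag at a lower priority number, and only on the probe port it actually uses.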

Connections to Azure Storage in the same region

Outbound connectivity via the scenarios above is not necessary to connect to Storage in the same region as the VM. If you do not want this connectivity, use network security groups (NSGs) as explained above. For connectivity to Storage in other regions, outbound connectivity is required. Note that when connecting to Storage from a VM in the same region, the source IP address in the Storage diagnostic logs is an internal provider address, not the public IP address of your VM. If you wish to restrict access to your Storage account to VMs in one or more Virtual Network subnets in the same region, use Virtual Network service endpoints, not your public IP address, when configuring your storage account firewall. Once service endpoints are configured, you see your Virtual Network private IP address in your Storage diagnostic logs instead of the internal provider address.

Azure Load Balancer outbound rules

Azure Load Balancer provides outbound connectivity from a virtual network in addition to inbound. Outbound rules make it simple to configure a public Standard Load Balancer's outbound network address translation. You have full declarative control over outbound connectivity to scale and tune this ability to your specific needs.

[Figure: Load Balancer outbound rules]

With outbound rules, you can use Load Balancer to:

  • define outbound NAT from scratch.
  • scale and tune the behavior of existing outbound NAT.

Outbound rules allow you to control:

  • which virtual machines should be translated to which public IP addresses.
  • how outbound SNAT ports should be allocated.
  • which protocols to provide outbound translation for.
  • what duration to use for the outbound connection idle timeout (4-120 minutes).
  • whether to send a TCP Reset on idle timeout.

Outbound rules expand scenario 2 as described in the outbound connections sections above, and the scenario precedence remains as-is.

Outbound rule

Like all Load Balancer rules, outbound rules follow the same familiar syntax as load balancing and inbound NAT rules:

frontend + parameters + backend pool

An outbound rule configures outbound NAT for all virtual machines identified by the backend pool to be translated to the frontend. The parameters provide additional fine-grained control over the outbound NAT algorithm.

API version "2018-07-01" permits an outbound rule definition structured as follows:

      "outboundRules": [
        {
          "frontendIPConfigurations": [ list_of_frontend_ip_configurations ],
          "allocatedOutboundPorts": number_of_SNAT_ports,
          "idleTimeoutInMinutes": 4 through 120,
          "enableTcpReset": true | false,
          "protocol": "Tcp" | "Udp" | "All",
          "backendAddressPool": backend_pool_reference
        }
      ]

Note

The effective outbound NAT configuration is a composite of all outbound rules and load balancing rules. Outbound rules are incremental to load balancing rules. Review disabling outbound NAT for a load balancing rule to manage the effective outbound NAT translation when multiple rules apply to a VM. You must disable outbound SNAT on a load balancing rule when defining an outbound rule that uses the same public IP address as that load balancing rule.

Scale outbound NAT with multiple IP addresses

While an outbound rule can be used with just a single public IP address, outbound rules ease the configuration burden for scaling outbound NAT. You can use multiple IP addresses to plan for large-scale scenarios, and you can use outbound rules to mitigate patterns that are prone to SNAT exhaustion.

Each additional IP address provided by a frontend provides 64,000 ephemeral ports for Load Balancer to use as SNAT ports. While load balancing or inbound NAT rules have a single frontend, the outbound rule expands the frontend notion and allows multiple frontends per rule. With multiple frontends per rule, the quantity of available SNAT ports is multiplied with each public IP address, and large scenarios can be supported.

Additionally, you can use a public IP prefix directly with an outbound rule. Using a public IP prefix provides easier scaling and simplified whitelisting of flows originating from your Azure deployment. You can configure a frontend IP configuration within the Load Balancer resource to reference a public IP address prefix directly. This gives Load Balancer exclusive control over the public IP prefix, and the outbound rule automatically uses all public IP addresses contained within the public IP prefix for outbound connections. Each of the IP addresses within the range of the public IP prefix provides 64,000 ephemeral ports for Load Balancer to use as SNAT ports.

You cannot have individual public IP address resources created from the public IP prefix when using this option, because the outbound rule must have complete control of the public IP prefix. If you need more fine-grained control, you can create individual public IP address resources from the public IP prefix and assign multiple public IP addresses individually to the frontend of an outbound rule.

Tune SNAT port allocation

You can use outbound rules to tune the automatic SNAT port allocation based on backend pool size and allocate more or fewer ports than the automatic SNAT port allocation provides.

Use the following parameter to allocate 10,000 SNAT ports per VM (NIC IP configuration):

      "allocatedOutboundPorts": 10000

Each public IP address from all frontends of an outbound rule contributes up to 64,000 ephemeral ports for use as SNAT ports. Load Balancer allocates SNAT ports in multiples of 8. If you provide a value not divisible by 8, the configuration operation is rejected. If you attempt to allocate more SNAT ports than are available based on the number of public IP addresses, the configuration operation is rejected. For example, if you allocate 10,000 ports per VM and 7 VMs in a backend pool would share a single public IP address, the configuration is rejected (7 x 10,000 SNAT ports > 64,000 SNAT ports). You can add more public IP addresses to the frontend of the outbound rule to enable the scenario.

You can revert to automatic SNAT port allocation based on backend pool size by specifying 0 for the number of ports. In that case, the first 50 VM instances get 1024 ports, 51-100 VM instances get 512, and so on according to the table.

Control outbound flow idle timeout

Outbound rules provide a configuration parameter to control the outbound flow idle timeout and match it to the needs of your application. Outbound idle timeouts default to 4 minutes. The parameter accepts a value from 4 to 120 to specify the number of minutes for the idle timeout for flows matching this particular rule.

Use the following parameter to set the outbound idle timeout to 1 hour:

      "idleTimeoutInMinutes": 60

Enable TCP Reset on idle timeout

The default behavior of Load Balancer is to drop the flow silently when the outbound idle timeout has been reached. With the enableTcpReset parameter, you can enable a more predictable application behavior and control whether to send a bidirectional TCP Reset (TCP RST) when the outbound idle timeout is reached.

Use the following parameter to enable TCP Reset on an outbound rule:

      "enableTcpReset": true

Review TCP Reset on idle timeout for details, including region availability.

Support both TCP and UDP transport protocols with a single rule

You will likely want to use "All" for the transport protocol of the outbound rule, but you can also apply the outbound rule to a specific transport protocol if there is a need to do so.

Use the following parameter to set the protocol to TCP and UDP:

      "protocol": "All"

Disable outbound NAT for a load balancing rule

As stated previously, load balancing rules provide automatic programming of outbound NAT. However, some scenarios benefit from or require you to disable the automatic programming of outbound NAT by the load balancing rule, so that you can control or refine the behavior. Outbound rules have scenarios where it is important to stop the automatic outbound NAT programming.

You can use this parameter in two ways:

  • Optional suppression of using the inbound IP address for outbound NAT. Outbound rules are incremental to load balancing rules, and with this parameter set, the outbound rule is in control.

  • Tune the outbound NAT parameters of an IP address used for inbound and outbound simultaneously. The automatic outbound NAT programming must be disabled to allow an outbound rule to take control. For example, in order to change the SNAT port allocation of an address also used for inbound, this parameter must be set to true. If you attempt to use an outbound rule to redefine the parameters of an IP address also used for inbound and have not released the outbound NAT programming of the load balancing rule, the operation to configure the outbound rule will fail.

Important

Your virtual machine will not have outbound connectivity if you set this parameter to true and do not have an outbound rule (or an instance-level public IP scenario) to define outbound connectivity. Some operations of your VM or your application may depend on having outbound connectivity available. Make sure you understand the dependencies of your scenario and have considered the impact of making this change.

You can disable outbound SNAT on the load balancing rule with this configuration parameter:

      "loadBalancingRules": [
        {
          "disableOutboundSnat": true
        }
      ]

The disableOutboundSnat parameter defaults to false, which means the load balancing rule does provide automatic outbound NAT as a mirror image of the load balancing rule configuration.

If you set disableOutboundSnat to true on the load balancing rule, the load balancing rule releases control of the otherwise automatic outbound NAT programming. Outbound SNAT as a result of the load balancing rule is disabled.
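The composition rules above (outbound rules are incremental, a frontend shared with a load balancing rule must have disableOutboundSnat set, idle timeout must be 4 to 120 minutes, protocol is Tcp, Udp or All) can be checked before a deployment is submitted. The following Python is an added example and not Azure's own code or tooling: it reads a dict shaped like the properties block of a Microsoft.Network/loadBalancers resource and returns, per backend pool, which frontend supplies SNAT and which rule programs it, flagging the conflicts the page says the configuration operation rejects. The sample configuration it builds is constructed for illustration; the names fe-inbound, fe-prefix, bepool, lb-https and outbound-all and the placeholder resource IDs are assumptions.

```python
"""Compose the effective outbound NAT of a Standard Load Balancer from its rules.

Added example, not Azure's code. Input is a dict shaped like the ``properties``
block of a Microsoft.Network/loadBalancers ARM resource. All names and resource
IDs in the sample are constructed placeholders.
"""
from dataclasses import dataclass, field

MIN_IDLE_MINUTES, MAX_IDLE_MINUTES = 4, 120
VALID_PROTOCOLS = {"Tcp", "Udp", "All"}


@dataclass
class EffectiveNat:
    # backend pool name -> {frontend name: name of the rule that programs SNAT on it}
    sources: dict = field(default_factory=dict)
    errors: list = field(default_factory=list)


def _ref_name(ref: dict) -> str:
    """ARM sub-resource references are resource IDs; the last path segment is the name."""
    return ref["id"].rsplit("/", 1)[-1]


def effective_outbound_nat(lb_props: dict) -> EffectiveNat:
    result = EffectiveNat()
    # Frontends still programmed for automatic outbound NAT by a load balancing rule
    # (disableOutboundSnat defaults to false, so the rule mirrors itself as SNAT).
    auto_snat = {}
    for rule in lb_props.get("loadBalancingRules", []):
        props = rule["properties"]
        if props.get("disableOutboundSnat", False):
            continue
        frontend = _ref_name(props["frontendIPConfiguration"])
        pool = _ref_name(props["backendAddressPool"])
        auto_snat[frontend] = rule["name"]
        result.sources.setdefault(pool, {})[frontend] = rule["name"]

    # Outbound rules are incremental: they add frontends, but cannot take over a
    # frontend that a load balancing rule has not released.
    for rule in lb_props.get("outboundRules", []):
        props, name = rule["properties"], rule["name"]
        idle = props.get("idleTimeoutInMinutes", 4)
        if not MIN_IDLE_MINUTES <= idle <= MAX_IDLE_MINUTES:
            result.errors.append(f"{name}: idleTimeoutInMinutes={idle} is outside 4-120")
        protocol = props.get("protocol", "All")
        if protocol not in VALID_PROTOCOLS:
            result.errors.append(f"{name}: protocol={protocol!r} is not Tcp, Udp or All")
        pool = _ref_name(props["backendAddressPool"])
        for fe_ref in props["frontendIPConfigurations"]:
            frontend = _ref_name(fe_ref)
            if frontend in auto_snat:
                result.errors.append(
                    f"{name}: frontend {frontend!r} is still used for automatic outbound "
                    f"NAT by load balancing rule {auto_snat[frontend]!r}; "
                    "set disableOutboundSnat to true on that rule"
                )
                continue
            result.sources.setdefault(pool, {})[frontend] = name
    return result


def sample_lb(disable_outbound_snat: bool = True, idle_minutes: int = 60) -> dict:
    """Constructed sample: one HTTPS load balancing rule plus one outbound rule for
    TCP and UDP that reuses the same backend pool and frontend and adds a second
    frontend backed by a public IP prefix. Resource IDs are placeholders."""
    base = "/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Network/loadBalancers/lb"

    def frontend(name: str) -> dict:
        return {"id": f"{base}/frontendIPConfigurations/{name}"}

    pool = {"id": f"{base}/backendAddressPools/bepool"}
    return {
        "loadBalancingRules": [{
            "name": "lb-https",
            "properties": {
                "protocol": "Tcp", "frontendPort": 443, "backendPort": 443,
                "frontendIPConfiguration": frontend("fe-inbound"),
                "backendAddressPool": pool,
                "disableOutboundSnat": disable_outbound_snat,
            },
        }],
        "outboundRules": [{
            "name": "outbound-all",
            "properties": {
                "protocol": "All",
                "enableTcpReset": True,
                "idleTimeoutInMinutes": idle_minutes,
                "allocatedOutboundPorts": 10000,
                "backendAddressPool": pool,
                "frontendIPConfigurations": [frontend("fe-inbound"), frontend("fe-prefix")],
            },
        }],
    }


if __name__ == "__main__":
    for flag in (True, False):
        nat = effective_outbound_nat(sample_lb(disable_outbound_snat=flag))
        print(f"disableOutboundSnat={flag}: sources={nat.sources} errors={nat.errors}")
```

With disableOutboundSnat left at its default, the outbound rule is reported as unable to use fe-inbound and the pool keeps the load balancing rule's automatic SNAT on that frontend; once the load balancing rule releases it, both frontends are programmed by the outbound rule.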

Reuse existing or define new backend pools

Outbound rules do not introduce a new concept for defining the group of VMs to which the rule should apply. Instead, they reuse the concept of a backend pool, which is also used for load balancing rules. You can use this to simplify the configuration by either reusing an existing backend pool definition or creating one specifically for an outbound rule.

Scenarios

Groom outbound connections to a specific set of public IP addresses

You can use an outbound rule to groom outbound connections so that they appear to originate from a specific set of public IP addresses, to ease whitelisting scenarios. This source public IP address can be the same as the one used by a load balancing rule, or a different set of public IP addresses than the load balancing rule uses.

  1. Create a public IP prefix (or public IP addresses from a public IP prefix)
  2. Create a public Standard Load Balancer
  3. Create frontends referencing the public IP prefix (or public IP addresses) you wish to use
  4. Reuse a backend pool or create a backend pool and place the VMs into a backend pool of the public Load Balancer
  5. Configure an outbound rule on the public Load Balancer to program outbound NAT for these VMs using the frontends

If you do not wish for the load balancing rule to be used for outbound, you need to disable outbound SNAT on the load balancing rule.

Modify SNAT port allocation

You can use outbound rules to tune the automatic SNAT port allocation based on backend pool size.

For example, if you have two virtual machines sharing a single public IP address for outbound NAT, you may wish to increase the number of SNAT ports allocated from the default 1024 ports if you are experiencing SNAT exhaustion. Each public IP address can contribute up to 64,000 ephemeral ports. If you configure an outbound rule with a single public IP address frontend, you can distribute a total of 64,000 SNAT ports to VMs in the backend pool. For two VMs, a maximum of 32,000 SNAT ports can be allocated with an outbound rule (2 x 32,000 = 64,000).

Review outbound connections and the details on how SNAT ports are allocated and used.
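The port arithmetic in the "Tune SNAT port allocation" section and in the two-VM example just above follows a few fixed rules: 64,000 ports per frontend public IP, allocations in multiples of 8, the total cannot exceed what the frontends supply, and 0 restores automatic allocation by pool size. The following Python is an added example, not Azure's code; it encodes those rules so you can size allocatedOutboundPorts and the number of frontend IPs (or the prefix length) before hitting a rejected configuration. The first two rows of the automatic allocation table (1024 for up to 50 instances, 512 for 51-100) are stated on this page; the remaining rows are taken from Azure's published default SNAT allocation table and are an assumption you should confirm against current documentation.

```python
"""SNAT port budget arithmetic for Load Balancer outbound rules.

Added example, not Azure's code. Encodes the allocation rules stated on the page:
64,000 ephemeral ports per frontend public IP, allocation in multiples of 8,
total allocation bounded by the frontends, and 0 = automatic allocation.
"""
import math

PORTS_PER_PUBLIC_IP = 64_000
ALLOCATION_GRANULARITY = 8

# Automatic allocation by backend pool size. The page states the first two rows;
# the remaining rows follow Azure's published default table (assumption).
DEFAULT_ALLOCATION = [(50, 1024), (100, 512), (200, 256), (400, 128), (800, 64), (1000, 32)]


def default_ports_per_vm(pool_size: int) -> int:
    """Ports each VM receives when allocatedOutboundPorts is 0."""
    for max_pool_size, ports in DEFAULT_ALLOCATION:
        if pool_size <= max_pool_size:
            return ports
    raise ValueError(f"pool size {pool_size} exceeds the allocation table (max 1000)")


def prefix_ip_count(prefix_length: int) -> int:
    """IPv4 addresses in a public IP prefix; a /28 prefix holds 16 addresses."""
    return 2 ** (32 - prefix_length)


def max_ports_per_vm(vm_count: int, public_ip_count: int) -> int:
    """Largest allocatedOutboundPorts the frontends can satisfy, rounded down to a multiple of 8."""
    budget = public_ip_count * PORTS_PER_PUBLIC_IP
    return (budget // vm_count) // ALLOCATION_GRANULARITY * ALLOCATION_GRANULARITY


def min_public_ips(allocated: int, vm_count: int) -> int:
    """Fewest frontend public IPs needed to grant `allocated` ports to every VM."""
    return math.ceil(allocated * vm_count / PORTS_PER_PUBLIC_IP)


def validate_allocation(allocated: int, vm_count: int, public_ip_count: int):
    """Mirror the checks the configuration operation applies.

    Returns (accepted, ports_per_vm, reason).
    """
    if allocated == 0:
        return True, default_ports_per_vm(vm_count), "automatic allocation by pool size"
    if allocated % ALLOCATION_GRANULARITY:
        return False, 0, f"{allocated} is not divisible by {ALLOCATION_GRANULARITY}"
    budget = public_ip_count * PORTS_PER_PUBLIC_IP
    if allocated * vm_count > budget:
        missing = min_public_ips(allocated, vm_count) - public_ip_count
        return False, 0, (f"{vm_count} x {allocated:,} = {allocated * vm_count:,} SNAT ports "
                          f"> {budget:,} available; add {missing} public IP address(es)")
    return True, allocated, "accepted"


if __name__ == "__main__":
    # The page's rejected example: 7 VMs, 10,000 ports each, one public IP.
    print(validate_allocation(10000, 7, 1))
    # Two VMs behind one public IP can get at most 32,000 ports each.
    print(max_ports_per_vm(2, 1))
    # A /28 prefix as the frontend: 16 addresses, 1,024,000 ports to distribute.
    print(max_ports_per_vm(100, prefix_ip_count(28)))
```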

Enable outbound only

You can use a public Standard Load Balancer to provide outbound NAT for a group of VMs. In this scenario, you can use an outbound rule by itself, without the need for any additional rules.

Outbound NAT for VMs only (no inbound)

Define a public Standard Load Balancer, place the VMs into the backend pool, and configure an outbound rule to program outbound NAT and groom the outbound connections to originate from a specific public IP address. You can also use a public IP prefix to simplify whitelisting the source of outbound connections.

  1. Create a public Standard Load Balancer.
  2. Create a backend pool and place the VMs into a backend pool of the public Load Balancer.
  3. Configure an outbound rule on the public Load Balancer to program outbound NAT for these VMs.

Outbound NAT for internal Standard Load Balancer scenarios

When using an internal Standard Load Balancer, outbound NAT is not available until outbound connectivity has been explicitly declared. You can define outbound connectivity using an outbound rule to create outbound connectivity for VMs behind an internal Standard Load Balancer with these steps:

  1. Create a public Standard Load Balancer.
  2. Create a backend pool and place the VMs into a backend pool of the public Load Balancer in addition to the internal Load Balancer.
  3. Configure an outbound rule on the public Load Balancer to program outbound NAT for these VMs.

Enable both TCP & UDP protocols for outbound NAT with a public Standard Load Balancer

  • When using a public Standard Load Balancer, the automatic outbound NAT programming provided matches the transport protocol of the load balancing rule.

    1. Disable outbound SNAT on the load balancing rule.
    2. Configure an outbound rule on the same Load Balancer.
    3. Reuse the backend pool already used by your VMs.
    4. Specify "protocol": "All" as part of the outbound rule.

  • When only inbound NAT rules are used, no outbound NAT is provided.

    1. Place VMs in a backend pool.
    2. Define one or more frontend IP configurations with public IP address(es) or a public IP prefix.
    3. Configure an outbound rule on the same Load Balancer.
    4. Specify "protocol": "All" as part of the outbound rule.

Limitations

  • The maximum number of usable ephemeral ports per frontend IP address is 64,000.
  • The range of the configurable outbound idle timeout is 4 to 120 minutes (240 to 7200 seconds).
  • Load Balancer does not support ICMP for outbound NAT.
  • Outbound rules can only be applied to the primary IP configuration of a NIC. Multiple NICs are supported.
  • Web Worker Roles without a VNet and other Azure platform services can be accessible when only an internal Standard Load Balancer is used, due to a side effect of how pre-VNet services and other platform services function. Do not rely on this side effect, as the respective service itself or the underlying platform may change without notice. You must always assume you need to create outbound connectivity explicitly, if desired, when using an internal Standard Load Balancer only. The default SNAT scenario 3 described in this article is not available.

Next steps