Outbound connections in Azure

Azure Load Balancer provides outbound connectivity through different mechanisms. This article describes the scenarios and how to manage them. If you are experiencing issues with outbound connectivity through an Azure Load Balancer, see the troubleshooting guide for outbound connections.

Note

This article covers Resource Manager deployments. Azure recommends Resource Manager for production workloads.

Terminology

Term: Source network address translation (SNAT)
Applicable protocol(s): TCP, UDP
Details: A deployment in Azure can communicate with endpoints outside Azure in the public IP address space. When an instance initiates an outbound flow to a destination in the public IP address space, Azure dynamically maps the private IP address to a public IP address. After this mapping is created, return traffic for this outbound-originated flow can also reach the private IP address where the flow originated. Azure uses source network address translation (SNAT) to perform this function.

Term: Port masquerading SNAT (PAT)
Applicable protocol(s): TCP, UDP
Details: When multiple private IP addresses are masquerading behind a single public IP address, Azure uses port address translation (PAT) to masquerade/hide the private IP addresses. Ephemeral ports are used for PAT and are preallocated based on pool size. When a public Load Balancer resource is associated with VM instances that do not have dedicated public IP addresses, each outbound connection source is rewritten. The source is rewritten from the virtual network private IP address space to the frontend public IP address of the load balancer. In the public IP address space, the 5-tuple of the flow (source IP address, source port, IP transport protocol, destination IP address, destination port) must be unique. Port masquerading SNAT can be used with either the TCP or the UDP IP protocol. Ephemeral ports (SNAT ports) are used to achieve this uniqueness after the private source IP address is rewritten, because multiple flows originate from a single public IP address. The port masquerading SNAT algorithm allocates SNAT ports differently for UDP than for TCP.

Term: SNAT ports
Applicable protocol(s): TCP
Details: SNAT ports are ephemeral ports available for a particular public IP source address. One SNAT port is consumed per flow to a single destination IP address and port. For multiple TCP flows to the same destination IP address, port, and protocol, each TCP flow consumes a single SNAT port. This ensures that the flows are unique when they originate from the same public IP address and go to the same destination IP address, port, and protocol. Multiple flows, each to a different destination IP address, port, and protocol, share a single SNAT port. The destination IP address, port, and protocol make the flows unique without the need for additional source ports to distinguish them in the public IP address space.

Term: SNAT ports
Applicable protocol(s): UDP
Details: UDP SNAT ports are managed by a different algorithm than TCP SNAT ports. Load Balancer uses an algorithm known as "port-restricted cone NAT" for UDP. One SNAT port is consumed for each flow, irrespective of destination IP address and port.

Term: Exhaustion
Applicable protocol(s): -
Details: When SNAT port resources are exhausted, outbound flows fail until existing flows release SNAT ports. Load Balancer reclaims SNAT ports when the flow closes and uses a 4-minute idle timeout for reclaiming SNAT ports from idle flows. UDP SNAT ports generally exhaust much faster than TCP SNAT ports because of the difference in the algorithm used. You must design and scale-test with this difference in mind.

Term: SNAT port release behavior
Applicable protocol(s): TCP
Details: If either the server or the client sends a FIN/ACK, the SNAT port is released after 240 seconds. If a RST is seen, the SNAT port is released after 15 seconds. If the idle timeout has been reached, the port is released.

Term: SNAT port release behavior
Applicable protocol(s): UDP
Details: If the idle timeout has been reached, the port is released.

Term: SNAT port reuse
Applicable protocol(s): TCP, UDP
Details: Once a port has been released, it is available for reuse as needed. You can think of SNAT ports as a sequence from lowest to highest available for a given scenario; the first available SNAT port is used for new connections.
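The TCP and UDP rules in the table above, and the release timings, are easiest to see by counting ports. The following Python model is an added example, not Azure code and not part of this article: it hands out the lowest free SNAT port according to the table's rules, keeps one pool per transport protocol, and replays three constructed flow patterns. The 203.0.113.0/24 destinations, the flow counts and the event times in the demo functions are constructed; the class and function names are this example's own.

```python
from dataclasses import dataclass
from typing import Optional

# Timings and pool size from the terminology table above.
FIN_RELEASE_S = 240      # FIN/ACK seen: port released after 240 s
RST_RELEASE_S = 15       # RST seen: port released after 15 s
IDLE_TIMEOUT_S = 240     # default 4-minute idle timeout
DEFAULT_PORTS = 1024     # preallocation for a backend pool of 1-50 instances


@dataclass
class Flow:
    dst: tuple                          # (destination IP, destination port)
    snat_port: int
    last_activity: float
    release_at: Optional[float] = None  # set once a FIN/ACK or RST is seen


class SnatPool:
    """SNAT ports of one frontend IP for one transport protocol; TCP and UDP
    are preallocated and consumed independently, so use one instance each."""

    def __init__(self, proto: str, ports: int = DEFAULT_PORTS, base: int = 1024):
        if proto not in ("tcp", "udp"):
            raise ValueError("proto must be 'tcp' or 'udp'")
        self.proto = proto
        self.ports = range(base, base + ports)      # base is an arbitrary constructed value
        self.by_port = {p: [] for p in self.ports}  # port -> active flows on that port
        self._swept_at = None                       # time of the last expiry sweep

    def _usable(self, port: int, dst: tuple) -> bool:
        active = self.by_port[port]
        if self.proto == "udp":
            return not active                       # port-restricted cone NAT: one flow per port
        return all(f.dst != dst for f in active)    # TCP: shareable across distinct destinations

    def open_flow(self, dst: tuple, now: float) -> Optional[Flow]:
        """Take the lowest usable SNAT port; None means SNAT exhaustion."""
        self.expire(now)
        for port in self.ports:
            if self._usable(port, dst):
                flow = Flow(dst, port, now)
                self.by_port[port].append(flow)
                return flow
        return None

    def close_flow(self, flow: Flow, how: str, now: float) -> None:
        """Schedule the release that a FIN/ACK ('fin') or RST ('rst') triggers."""
        flow.release_at = now + {"fin": FIN_RELEASE_S, "rst": RST_RELEASE_S}[how]

    def expire(self, now: float) -> None:
        """Reclaim ports of flows that closed long enough ago or went idle."""
        if now == self._swept_at:                   # nothing can have changed since the last sweep
            return
        self._swept_at = now
        for port, flows in self.by_port.items():
            if flows:
                self.by_port[port] = [f for f in flows
                                      if (f.release_at is None or now < f.release_at)
                                      and now - f.last_activity < IDLE_TIMEOUT_S]

    def ports_in_use(self) -> int:
        return sum(1 for flows in self.by_port.values() if flows)


def distinct_destinations(flows: int = 2000) -> dict:
    """One flow to each of `flows` distinct destinations, first over TCP, then over UDP."""
    out = {}
    for proto in ("tcp", "udp"):
        pool, opened = SnatPool(proto), 0
        for i in range(flows):
            dst = (f"203.0.113.{i % 200}", 10000 + i // 200)   # constructed TEST-NET targets
            if pool.open_flow(dst, now=0) is not None:
                opened += 1
        out[proto] = {"opened": opened, "failed": flows - opened, "ports_used": pool.ports_in_use()}
    return out

def same_destination(flows: int = 1500) -> dict:
    """Many TCP flows to one destination (say, one API endpoint): each needs its own port."""
    pool = SnatPool("tcp")
    opened = sum(1 for _ in range(flows) if pool.open_flow(("203.0.113.10", 443), now=0) is not None)
    return {"opened": opened, "failed": flows - opened, "ports_used": pool.ports_in_use()}

def release_timeline() -> dict:
    """Exhausted TCP pool: 100 flows reset, 100 closed with FIN/ACK, the rest stay busy."""
    pool = SnatPool("tcp")
    flows = [pool.open_flow(("203.0.113.10", 443), now=0) for _ in range(DEFAULT_PORTS)]
    for f in flows[:100]:
        pool.close_flow(f, "rst", now=0)
    for f in flows[100:200]:
        pool.close_flow(f, "fin", now=0)
    snapshot = {}
    for t in (0, 15, 200, 239, 240, 440):
        if t == 200:                                # traffic on the remaining flows restarts their idle timer
            for f in flows[200:]:
                f.last_activity = t
        pool.expire(t)
        snapshot[t] = pool.ports_in_use()
    return snapshot

if __name__ == "__main__":
    print(distinct_destinations(), same_destination(), release_timeline(), sep="\n")
```

Running it shows the asymmetry the Exhaustion row warns about: 2,000 TCP flows to 2,000 distinct destinations share one SNAT port, while the same pattern over UDP exhausts all 1,024 ports after 1,024 flows; 1,500 TCP flows to a single destination exhaust the pool too. In the timeline, ports whose flows saw a RST come back 15 seconds later, ports whose flows saw a FIN/ACK come back after 240 seconds, and busy flows keep their ports until they have been idle for 240 seconds.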

Port allocation algorithm

Azure uses an algorithm to determine the number of preallocated SNAT ports available based on the size of the backend pool when PAT is used. For each public IP address associated with a load balancer, 64,000 ports are available as SNAT ports for each IP transport protocol. The same number of SNAT ports is preallocated for UDP and for TCP, and they are consumed independently per IP transport protocol. However, SNAT port usage differs depending on whether the flow is UDP or TCP. When outbound flows are created, these ports are consumed dynamically (up to the preallocated limit) and released when the flow closes or the idle timeout expires. Ports are consumed only if it is necessary to make flows unique.

Dynamic SNAT ports allocated

The following table shows the SNAT port preallocations for tiers of backend pool sizes:

  Pool size (VM instances)   Preallocated SNAT ports per IP configuration
  1-50                       1,024
  51-100                     512
  101-200                    256
  201-400                    128
  401-800                    64
  801-1,000                  32

Changing the size of your backend pool might affect some of your established flows:

  • If the backend pool size increases and transitions into the next tier, half of your preallocated SNAT ports are reclaimed during the transition to the next larger backend pool tier. Flows that are associated with a reclaimed SNAT port time out and must be re-established. If a new flow is attempted, it succeeds immediately as long as preallocated ports are available.
  • If the backend pool size decreases and transitions into a lower tier, the number of available SNAT ports increases. In this case, existing allocated SNAT ports and their respective flows are not affected.

Outbound connections scenario overview

Scenario 1: VM with a public IP address (with or without Azure Load Balancer)
Method: SNAT, port masquerading not used
IP protocols: TCP, UDP, ICMP, ESP
Description: Azure uses the public IP assigned to the IP configuration of the instance's NIC for all outbound flows. The instance has all ephemeral ports available. It does not matter whether the VM is load balanced or not. This scenario takes precedence over the others. A public IP assigned to a VM is a 1:1 relationship (rather than 1:many) and is implemented as a stateless 1:1 NAT.

Scenario 2: Public Load Balancer associated with a VM (no public IP address on the VM/instance)
Method: SNAT with port masquerading (PAT) using the Load Balancer frontends
IP protocols: TCP, UDP
Description: In this scenario, the Load Balancer resource must be configured with a load balancing rule to create a link between the public IP frontend and the backend pool. If you do not complete this rule configuration, the behavior is as described in scenario 3. It is not necessary for the rule to have a working listener in the backend pool for the health probe to succeed. When the VM creates an outbound flow, Azure translates the private source IP address of the outbound flow to the public IP address of the public Load Balancer frontend via SNAT. Ephemeral ports of the load balancer's frontend public IP address are used to distinguish individual flows originated by the VM. SNAT dynamically uses preallocated ephemeral ports when outbound flows are created. In this context, the ephemeral ports used for SNAT are called SNAT ports. SNAT ports are preallocated as described in the Default SNAT ports allocated table.

Scenario 3: VM (no Load Balancer, no public IP address) or VM associated with a Basic Internal Load Balancer
Method: SNAT with port masquerading (PAT)
IP protocols: TCP, UDP
Description: When the VM creates an outbound flow, Azure translates the private source IP address of the outbound flow to a public source IP address. This public IP address is not configurable, cannot be reserved, and does not count against the subscription's public IP resource limit. If you redeploy the VM, availability set, or virtual machine scale set, this public IP address is released and a new public IP address is requested. Do not use this scenario for allow-listing IP addresses. Instead, use scenario 1 or 2, where you explicitly declare outbound behavior. SNAT ports are preallocated as described in the Default SNAT ports allocated table.

Outbound rules

Outbound rules make it simple to configure the outbound network address translation of a public Standard Load Balancer. You have full declarative control over outbound connectivity to scale and tune this ability to your specific needs. This section expands on scenario 2 (B) described above.

Load Balancer outbound rules

With outbound rules, you can use Load Balancer to define outbound NAT from scratch. You can also scale and tune the behavior of existing outbound NAT.

Outbound rules allow you to control:

  • which virtual machines should be translated to which public IP addresses.
  • how outbound SNAT ports should be allocated.
  • which protocols to provide outbound translation for.
  • what duration to use for the outbound connection idle timeout (4-120 minutes).
  • whether to send a TCP Reset on idle timeout.
  • both TCP and UDP transport protocols with a single rule.

Outbound rule definition

Like all Load Balancer rules, outbound rules follow the same familiar syntax as load balancing and inbound NAT rules: frontend + parameters + backend pool. An outbound rule configures outbound NAT for all virtual machines identified by the backend pool to be translated to the frontend. The parameters provide additional fine-grained control over the outbound NAT algorithm.

Scale outbound NAT with multiple IP addresses

Each additional IP address provided by a frontend provides an additional 64,000 ephemeral ports for Load Balancer to use as SNAT ports. You can use multiple IP addresses to plan for large-scale scenarios, and you can use outbound rules to mitigate patterns that are prone to SNAT exhaustion.

You can also use a public IP prefix directly with an outbound rule. Using a public IP prefix provides easier scaling and simplified allow-listing of flows originating from your Azure deployment. You can configure a frontend IP configuration within the Load Balancer resource to reference a public IP address prefix directly. This gives Load Balancer exclusive control over the public IP prefix, and the outbound rule automatically uses all public IP addresses contained within the public IP prefix for outbound connections. Each of the IP addresses within the public IP prefix provides an additional 64,000 ephemeral ports for Load Balancer to use as SNAT ports.

Outbound flow idle timeout and TCP reset

Outbound rules provide a configuration parameter to control the outbound flow idle timeout and match it to the needs of your application. The outbound idle timeout defaults to 4 minutes. You can learn how to configure idle timeouts. The default behavior of Load Balancer is to drop the flow silently when the outbound idle timeout has been reached. With the enableTCPReset parameter, you can enable more predictable application behavior and control whether to send a bidirectional TCP Reset (TCP RST) when the outbound idle timeout expires. Review TCP Reset on idle timeout for details, including region availability.

Preventing outbound connectivity

Load balancing rules provide automatic programming of outbound NAT. However, some scenarios benefit from, or require, disabling the automatic programming of outbound NAT by the load balancing rule so that you can control or refine the behavior.
You can use the disableOutboundSnat parameter in two ways:

  1. Optionally suppress the use of the inbound IP address for outbound SNAT by disabling outbound SNAT for a load balancing rule.

  2. Tune the outbound SNAT parameters of an IP address used for inbound and outbound simultaneously. The automatic outbound NAT programming must be disabled to allow an outbound rule to take control. For example, in order to change the SNAT port allocation of an address also used for inbound, the disableOutboundSnat parameter must be set to true. If you attempt to use an outbound rule to redefine the parameters of an IP address also used for inbound and have not released the outbound NAT programming of the load balancing rule, the operation to configure the outbound rule will fail.

Important

Your virtual machine will not have outbound connectivity if you set this parameter to true and do not have an outbound rule to define outbound connectivity. Some operations of your VM or your application may depend on having outbound connectivity available. Make sure you understand the dependencies of your scenario and have considered the impact of making this change.

Sometimes it is undesirable for a VM to be allowed to create an outbound flow. Or there might be a requirement to manage which destinations can be reached with outbound flows, or which destinations can begin inbound flows. In this case, you can use network security groups (NSGs) to manage the destinations that the VM can reach. You can also use NSGs to manage which public destinations can initiate inbound flows.

When you apply an NSG to a load-balanced VM, pay attention to the service tags and default security rules. You must ensure that the VM can receive health probe requests from Azure Load Balancer.

If an NSG blocks health probe requests from the AZURE_LOADBALANCER default tag, your VM health probe fails and the VM is marked down. Load Balancer stops sending new flows to that VM.

Scenarios with outbound rules

Scenario I: Groom outbound connections to a specific set of public IP addresses
Details: You can use an outbound rule to groom outbound connections so that they appear to originate from a specific set of public IP addresses, to ease allow-listing scenarios. This source public IP address can be the same as the one used by a load balancing rule, or a different set of public IP addresses than the load balancing rule uses.
  1. Create a public IP prefix (or public IP addresses from a public IP prefix).
  2. Create a public Standard Load Balancer.
  3. Create frontends referencing the public IP prefix (or public IP addresses) you wish to use.
  4. Reuse a backend pool or create a backend pool, and place the VMs into a backend pool of the public Load Balancer.
  5. Configure an outbound rule on the public Load Balancer to program outbound NAT for these VMs using the frontends. If you do not wish the load balancing rule to be used for outbound, you need to disable outbound SNAT on the load balancing rule.

Scenario II: Modify SNAT port allocation
Details: You can use outbound rules to tune the automatic SNAT port allocation that is based on backend pool size. For example, if you have two virtual machines sharing a single public IP address for outbound NAT, you may wish to increase the number of SNAT ports allocated from the default 1,024 if you are experiencing SNAT exhaustion. Each public IP address can contribute up to 64,000 ephemeral ports. If you configure an outbound rule with a single public IP address frontend, you can distribute a total of 64,000 SNAT ports to the VMs in the backend pool. For two VMs, a maximum of 32,000 SNAT ports each can be allocated with an outbound rule (2 x 32,000 = 64,000). You can allocate more or fewer ports than the default SNAT port allocation provides. Each public IP address from all frontends of an outbound rule contributes up to 64,000 ephemeral ports for use as SNAT ports. Load Balancer allocates SNAT ports in multiples of 8. If you provide a value not divisible by 8, the configuration operation is rejected. If you attempt to allocate more SNAT ports than are available based on the number of public IP addresses, the configuration operation is rejected. For example, if you allocate 10,000 ports per VM and 7 VMs in a backend pool would share a single public IP address, the configuration is rejected (7 x 10,000 SNAT ports > 64,000 SNAT ports). You can add more public IP addresses to the frontend of the outbound rule to enable the scenario. You can revert to the default SNAT port allocation based on backend pool size by specifying 0 for the number of ports. In that case, the first 50 VM instances get 1,024 ports, 51-100 VM instances get 512, and so on, according to the table.

Scenario III: Enable outbound only
Details: You can use a public Standard Load Balancer to provide outbound NAT for a group of VMs. In this scenario, you can use an outbound rule by itself, without the need for any additional rules.

Scenario IV: Outbound NAT for VMs only (no inbound)
Details: Define a public Standard Load Balancer, place the VMs into the backend pool, and configure an outbound rule to program outbound NAT and groom the outbound connections to originate from a specific public IP address. You can also use a public IP prefix to simplify allow-listing the source of outbound connections.
  1. Create a public Standard Load Balancer.
  2. Create a backend pool and place the VMs into a backend pool of the public Load Balancer.
  3. Configure an outbound rule on the public Load Balancer to program outbound NAT for these VMs.

Scenario V: Outbound NAT for internal Standard Load Balancer scenarios
Details: When using an internal Standard Load Balancer, outbound NAT is not available until outbound connectivity has been explicitly declared. You can define outbound connectivity using an outbound rule to create outbound connectivity for VMs behind an internal Standard Load Balancer with these steps:
  1. Create a public Standard Load Balancer.
  2. Create a backend pool and place the VMs into a backend pool of the public Load Balancer, in addition to the internal Load Balancer.
  3. Configure an outbound rule on the public Load Balancer to program outbound NAT for these VMs.
For more details on this scenario, refer to this example.

Scenario VI: Enable both TCP and UDP protocols for outbound NAT with a public Standard Load Balancer
Details: When using a public Standard Load Balancer, the automatic outbound NAT programming provided matches the transport protocol of the load balancing rule. To cover both protocols:
  1. Disable outbound SNAT on the load balancing rule.
  2. Configure an outbound rule on the same Load Balancer.
  3. Reuse the backend pool already used by your VMs.
  4. Specify "protocol": "All" as part of the outbound rule.
When only inbound NAT rules are used, no outbound NAT is provided. In that case:
  1. Place the VMs in a backend pool.
  2. Define one or more frontend IP configurations with public IP address(es) or a public IP prefix.
  3. Configure an outbound rule on the same Load Balancer.
  4. Specify "protocol": "All" as part of the outbound rule.

Limitations

  • The maximum number of usable ephemeral ports per frontend IP address is 64,000.
  • The range of the configurable outbound idle timeout is 4 to 120 minutes (240 to 7,200 seconds).
  • Load Balancer does not support ICMP for outbound NAT.
  • Outbound rules can only be applied to the primary IP configuration of a NIC. You cannot create an outbound rule for the secondary IP of a VM or NVA. Multiple NICs are supported.
  • Web Worker Roles without a VNet and other Azure platform services can be accessible when only an internal Standard Load Balancer is used, due to a side effect of how pre-VNet services and other platform services function. Do not rely on this side effect, as the respective service itself or the underlying platform may change without notice. You must always assume that you need to create outbound connectivity explicitly, if desired, when using an internal Standard Load Balancer only. Scenario 3 described in this article is not available.
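The arithmetic behind the port allocation algorithm section, scenario II above, and the limits in this section can be checked offline before a rule is submitted. The following Python helper is an added example, not Azure code and not part of this article: it encodes the default tier table, the per-instance ports lost when a pool grows into a larger tier, and the conditions under which the page says an outbound rule is rejected (allocation not a multiple of 8, total ports above 64,000 per frontend IP, idle timeout outside 4-120 minutes, a protocol other than TCP, UDP or both). Function and parameter names are this example's own, not Azure resource property names, and the protocol spellings Tcp and Udp are assumed; the page itself only shows "All".

```python
import math

# Constants taken from the page.
PORTS_PER_IP = 64_000             # ephemeral ports per frontend IP, per transport protocol
ALLOCATION_GRANULARITY = 8        # Load Balancer allocates SNAT ports in multiples of 8
IDLE_TIMEOUT_MINUTES = (4, 120)   # configurable outbound idle timeout range
PROTOCOLS = ("Tcp", "Udp", "All") # "All" is the page's value; Tcp/Udp are assumed spellings

# Default preallocation tiers: (largest pool size in the tier, ports per IP configuration)
DEFAULT_TIERS = [(50, 1024), (100, 512), (200, 256), (400, 128), (800, 64), (1000, 32)]


def default_ports_per_vm(pool_size: int) -> int:
    """Ports each instance gets when the rule leaves the allocation at 0 (the default)."""
    for largest, ports in DEFAULT_TIERS:
        if pool_size <= largest:
            return ports
    raise ValueError("pool size beyond the 1,000-instance table")


def ports_lost_on_growth(old_size: int, new_size: int) -> int:
    """Ports per instance reclaimed when growth crosses into a larger tier (0 otherwise).
    Flows that were using reclaimed ports time out and must be re-established."""
    old, new = default_ports_per_vm(old_size), default_ports_per_vm(new_size)
    return max(old - new, 0)


def frontend_ips_needed(ports_per_vm: int, vm_count: int) -> int:
    """Smallest number of frontend IPs whose combined 64,000-port budget covers the pool."""
    return max(1, math.ceil(ports_per_vm * vm_count / PORTS_PER_IP))


def check_outbound_rule(ports_per_vm: int, vm_count: int, frontend_ip_count: int,
                        protocol: str = "All", idle_timeout_minutes: int = 4) -> dict:
    """Apply the validations the page describes and return the verdict with reasons."""
    problems = []
    if protocol not in PROTOCOLS:
        problems.append(f"protocol {protocol!r} is not supported for outbound NAT")
    lo, hi = IDLE_TIMEOUT_MINUTES
    if not lo <= idle_timeout_minutes <= hi:
        problems.append(f"idle timeout {idle_timeout_minutes} min is outside {lo}-{hi}")
    if ports_per_vm < 0 or ports_per_vm % ALLOCATION_GRANULARITY:
        problems.append(f"{ports_per_vm} ports per VM is not a multiple of {ALLOCATION_GRANULARITY}")
    # 0 means "use the tier table"; any other value is an explicit per-VM allocation.
    effective = default_ports_per_vm(vm_count) if ports_per_vm == 0 else ports_per_vm
    budget = PORTS_PER_IP * frontend_ip_count
    if effective * vm_count > budget:
        problems.append(f"{vm_count} x {effective} = {effective * vm_count} SNAT ports "
                        f"exceeds the {budget} available from {frontend_ip_count} frontend IP(s)")
    return {"accepted": not problems, "ports_per_vm": effective,
            "total_ports": effective * vm_count, "budget": budget, "problems": problems}


if __name__ == "__main__":
    print(check_outbound_rule(10_000, 7, 1))                               # the page's rejected case
    print(check_outbound_rule(10_000, 7, frontend_ips_needed(10_000, 7)))  # fixed by adding an IP
```

The page's worked case falls out directly: 7 VMs at 10,000 ports each need 70,000 ports, which one frontend IP cannot supply, and `frontend_ips_needed` reports that a second IP (or a prefix) makes the same rule acceptable. Passing 0 reproduces the default table, so a pool of 75 instances is reported at 512 ports per VM.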

Next steps