Using Source Network Address Translation (SNAT) for outbound connections

The frontend IPs of an Azure public load balancer can be used to provide outbound connectivity to the internet for backend instances. This configuration uses source network address translation (SNAT). SNAT rewrites the IP address of the backend to the public IP address of your load balancer.

SNAT enables IP masquerading of the backend instance. This masquerading prevents outside sources from having a direct address to the backend instances. An IP address shared between backend instances reduces the cost of static public IPs. A known IP address supports scenarios such as simplifying IP allowlisting with traffic from known public IPs.

Note

For applications that require large numbers of outbound connections, or enterprise customers who require a single set of IPs to be used from a given virtual network, Virtual Network NAT is the recommended solution. Its dynamic allocation allows for simple configuration and the most efficient use of SNAT ports from each IP address. It allows all resources in the virtual network to share a set of IP addresses without a need for them to share a load balancer.

Important

Even without outbound SNAT configured, Azure storage accounts within the same region will still be accessible, and backend resources will still have access to Microsoft services such as Windows Update.

Note

This article covers Azure Resource Manager deployments only. Review Outbound connections (Classic) for all Classic deployment scenarios in Azure.

Sharing frontend IP address across backend resources

If the backend resources of a load balancer don't have instance-level public IP (ILPIP) addresses, they establish outbound connectivity via the frontend IP of the public load balancer. Ports are used to generate the unique identifiers that keep distinct flows apart. The internet uses a five-tuple to provide this distinction.

The five-tuple consists of:

  • Destination IP
  • Destination port
  • Source IP
  • Source port
  • Protocol

If a port is used for inbound connections, it has a listener for inbound connection requests on that port, and that port can't be used for outbound connections. To establish an outbound connection, an ephemeral port is used to provide the destination with a port on which to communicate and maintain a distinct traffic flow. When these ephemeral ports are used for SNAT, they're called SNAT ports.

By definition, every IP address has 65,535 ports. Each port can be used for either inbound or outbound connections for TCP (Transmission Control Protocol) and UDP (User Datagram Protocol).

When a public IP address is added as a frontend IP to a load balancer, Azure gives 64,000 ports that are eligible for SNAT.

Note

Each port used for a load-balancing or inbound NAT rule consumes a range of eight ports from these 64,000 ports, reducing the number of ports eligible for SNAT. If a load-balancing or inbound NAT rule falls in the same range of eight as another rule, it consumes no additional ports.

Through outbound rules and load-balancing rules, these SNAT ports can be distributed to backend instances to enable them to share the public IPs of the load balancer for outbound connections.

When scenario 2 below is configured, the host for each backend instance SNATs packets that are part of an outbound connection.

When doing SNAT on an outbound connection from a backend instance, the host rewrites the source IP to one of the frontend IPs.

To maintain unique flows, the host rewrites the source port of each outbound packet to a SNAT port allocated to the backend instance.

Outbound connection behavior for different scenarios

  • Virtual machine with public IP.
  • Virtual machine without public IP.
  • Virtual machine without public IP and without standard load balancer.

Scenario 1: Virtual machine with public IP, either with or without a load balancer.

| Associations | Method | IP protocols |
| --- | --- | --- |
| Public load balancer or stand-alone | SNAT (Source Network Address Translation) is not used. | TCP (Transmission Control Protocol), UDP (User Datagram Protocol), ICMP (Internet Control Message Protocol), ESP (Encapsulating Security Payload) |

Description

All traffic returns to the requesting client from the virtual machine's public IP address (instance-level IP).

Azure uses the public IP assigned to the IP configuration of the instance's NIC for all outbound flows. The instance has all ephemeral ports available. It doesn't matter whether the VM is load balanced or not. This scenario takes precedence over the others.

A public IP assigned to a VM is a 1:1 relationship (rather than 1:many) and is implemented as a stateless 1:1 NAT.

Scenario 2: Virtual machine without public IP and behind a Standard public load balancer

| Associations | Method | IP protocols |
| --- | --- | --- |
| Standard public load balancer | Use of load balancer frontend IPs for SNAT. | TCP, UDP |

Description

The load balancer resource is configured with an outbound rule or a load-balancing rule that enables SNAT. This rule is used to create a link between the public IP frontend and the backend pool.

If you don't complete this rule configuration, the behavior is as described in scenario 3.

A rule with a listener isn't required for the health probe to succeed.

When a VM creates an outbound flow, Azure translates the source IP address to the public IP address of the public load balancer frontend. This translation is done via SNAT.

Ephemeral ports of the load balancer frontend public IP address are used to distinguish individual flows originated by the VM. SNAT dynamically uses preallocated ephemeral ports when outbound flows are created.

In this context, the ephemeral ports used for SNAT are called SNAT ports. It's highly recommended that an outbound rule is explicitly configured. If using default SNAT through a load-balancing rule, SNAT ports are preallocated as described in the Default SNAT ports allocation table.

Note

Azure Virtual Network NAT can provide outbound connectivity for virtual machines without the need for a load balancer. See What is Azure Virtual Network NAT? for more information.

Scenario 3: Virtual machine without public IP and behind a Standard internal load balancer

| Associations | Method | IP protocols |
| --- | --- | --- |
| Standard internal load balancer | No internet connectivity. | None |

Description

When using a Standard internal load balancer, ephemeral IP addresses aren't used for SNAT. This feature supports security by default. It ensures that all IP addresses used by resources are configurable and can be reserved.

To achieve outbound connectivity to the internet when using a Standard internal load balancer, configure an instance-level public IP address to follow the behavior in scenario 1.

Another option is to add the backend instances to a Standard public load balancer with an outbound rule configured. The backend instances are also added to an internal load balancer for internal load balancing. This deployment follows the behavior in scenario 2.

Note

Azure Virtual Network NAT can provide outbound connectivity for virtual machines without the need for a load balancer. See What is Azure Virtual Network NAT? for more information.

Scenario 4: Virtual machine without public IP and behind a Basic load balancer

| Associations | Method | IP protocols |
| --- | --- | --- |
| None or Basic load balancer | SNAT with instance-level dynamic IP address | TCP, UDP |

Description

When the VM creates an outbound flow, Azure translates the source IP address to a dynamically given public source IP address. This public IP address isn't configurable and can't be reserved. This address doesn't count against the subscription's public IP resource limit.

The public IP address is released and a new public IP requested if you redeploy the:

  • Virtual machine
  • Availability set
  • Virtual machine scale set

Don't use this scenario for adding IPs to an allowlist. Use scenario 1 or 2, where you explicitly declare outbound behavior. SNAT ports are preallocated as described in the Default SNAT ports allocation table.

Exhausting ports

Every connection to the same destination IP and destination port uses a SNAT port. This connection maintains a distinct traffic flow from the backend instance or client to a server. This process gives the server a distinct port on which to address traffic. Without this process, the client machine is unaware of which flow a packet is part of.

Imagine having multiple browsers going to https://www.microsoft.com, which is:

  • Destination IP = 23.53.254.142
  • Destination port = 443
  • Protocol = TCP

Without different destination ports for the return traffic (the SNAT port used to establish the connection), the client has no way to separate one query result from another.

Outbound connections can burst. A backend instance can be allocated insufficient ports. Without connection reuse enabled, the risk of SNAT port exhaustion is increased.

New outbound connections to a destination IP fail when port exhaustion occurs. Connections succeed again when a port becomes available. This exhaustion occurs when the 64,000 ports from an IP address are spread thin across many backend instances. For guidance on mitigating SNAT port exhaustion, see the troubleshooting guide.

For TCP connections, the load balancer uses a single SNAT port for every destination IP and port. This multiuse enables multiple connections to the same destination IP with the same SNAT port, but only while those connections go to different destination ports.

For UDP connections, the load balancer uses a port-restricted cone NAT algorithm, which consumes one SNAT port per destination IP whatever the destination port.

A port is reused for an unlimited number of connections, but only if the destination IP or port is different.

Default port allocation

Each public IP assigned as a frontend IP of your load balancer is given 64,000 SNAT ports for its backend pool members. Ports can't be shared between backend pool members: a range of SNAT ports can only be used by a single backend instance, to ensure return packets are routed correctly.

It's recommended that you use an explicit outbound rule to configure SNAT port allocation. This rule maximizes the number of SNAT ports each backend instance has available for outbound connections.

Should you use the automatic allocation of outbound SNAT through a load-balancing rule, the allocation table defines your port allocation.

The following table shows the SNAT port preallocations for tiers of backend pool sizes:

| Pool size (VM instances) | Preallocated SNAT ports per IP configuration |
| --- | --- |
| 1-50 | 1,024 |
| 51-100 | 512 |
| 101-200 | 256 |
| 201-400 | 128 |
| 401-800 | 64 |
| 801-1,000 | 32 |

Note

If you have a backend pool with a maximum size of 10, each instance can have 64,000/10 = 6,400 ports if you define an explicit outbound rule. According to the table above, each instance only has 1,024 ports if you choose automatic allocation.
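As an added illustration (not Azure's own code or API), the two allocation models described above can be computed side by side: automatic preallocation from the default table, versus an explicit outbound rule that divides a frontend IP's 64,000 SNAT ports across the declared maximum pool size. The helper also subtracts the eight-port reservation that each inbound NAT or load-balancing rule port takes; treating those eight-port ranges as aligned to multiples of eight is an assumption.

```python
# Added example: compare automatic (load-balancing rule) SNAT preallocation
# with an explicit outbound rule. Not Azure's code; it only models the numbers
# stated on this page.
SNAT_PORTS_PER_FRONTEND_IP = 64_000

# Default preallocation table: (maximum pool size, SNAT ports per instance
# per frontend IP configuration).
DEFAULT_PREALLOCATION = [
    (50, 1024), (100, 512), (200, 256), (400, 128), (800, 64), (1000, 32),
]


def automatic_ports_per_instance(pool_size, frontend_ips=1):
    """Ports each instance gets when SNAT comes from a load-balancing rule."""
    if pool_size < 1:
        raise ValueError("pool size must be at least 1")
    for max_size, ports in DEFAULT_PREALLOCATION:
        if pool_size <= max_size:
            return ports * frontend_ips
    raise ValueError("pool sizes above 1,000 are outside the default table")


def eligible_snat_ports(inbound_rule_ports=()):
    """64,000 minus eight ports for each distinct eight-port range touched by
    an inbound NAT or load-balancing rule (range alignment is an assumption)."""
    reserved_ranges = {port // 8 for port in inbound_rule_ports}
    return SNAT_PORTS_PER_FRONTEND_IP - 8 * len(reserved_ranges)


def explicit_ports_per_instance(max_pool_size, frontend_ips=1,
                                inbound_rule_ports=()):
    """Ports each instance gets when an explicit outbound rule spreads the
    eligible ports of every frontend IP evenly over the maximum pool size."""
    if max_pool_size < 1:
        raise ValueError("max pool size must be at least 1")
    total = frontend_ips * eligible_snat_ports(inbound_rule_ports)
    return total // max_pool_size


def compare(max_pool_size, frontend_ips=1, inbound_rule_ports=()):
    """Return both figures so the gap between the two models is visible."""
    return {
        "automatic": automatic_ports_per_instance(max_pool_size, frontend_ips),
        "explicit": explicit_ports_per_instance(max_pool_size, frontend_ips,
                                                inbound_rule_ports),
    }
```

For the pool of 10 from the note, `compare(10)` returns 1,024 automatic versus 6,400 explicit ports per instance; adding a second frontend IP doubles both figures.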

Outbound rules and Virtual Network NAT

Azure Load Balancer outbound rules and Virtual Network NAT are options available for egress from a virtual network.

For more information about outbound rules, see Outbound rules.

For more information about Azure Virtual Network NAT, see What is Azure Virtual Network NAT.

Constraints

  • When a connection is idle with no new packets being sent, the ports will be released after 4 - 120 minutes.
  • This threshold can be configured via outbound rules.
  • Each IP address provides 64,000 ports that can be used for SNAT.
  • Each port can be used for both TCP and UDP connections to a destination IP address.
  • A UDP SNAT port is needed whether the destination port is unique or not. For every UDP connection to a destination IP, one UDP SNAT port is used.
  • A TCP SNAT port can be used for multiple connections to the same destination IP provided the destination ports are different.
  • SNAT exhaustion occurs when a backend instance runs out of its allocated SNAT ports. A load balancer can still have unused SNAT ports. If a backend instance's used SNAT ports exceed its allocated SNAT ports, it will be unable to establish new outbound connections.
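The TCP and UDP reuse rules stated in the Exhausting ports section and in the constraints above can be modelled directly. The following added example (not Azure's implementation) keeps one SNAT port table per protocol for a single backend instance: a TCP port is reused across distinct (destination IP, destination port) targets, a UDP port is reused only across distinct destination IPs, and a new flow fails with an exhaustion error when no port within the instance's budget is free for its target. The port budget and destinations passed to it are constructed inputs.

```python
# Added example: a model of SNAT port consumption for one backend instance,
# following the reuse rules this page states. Not Azure's implementation.
from collections import defaultdict


class SnatExhausted(Exception):
    """No SNAT port is free for the requested flow."""


class SnatPortTable:
    """Tracks which flow targets currently occupy each SNAT port.

    A port number can serve TCP and UDP independently, so each protocol has
    its own table of port -> set of targets using that port.
    """

    def __init__(self, allocated_ports):
        self.allocated_ports = allocated_ports
        self._tables = {"tcp": defaultdict(set), "udp": defaultdict(set)}

    @staticmethod
    def _target(proto, dst_ip, dst_port):
        # TCP: a port is reusable whenever (dst IP, dst port) differs.
        # UDP: one port per flow to a destination IP, whatever the port.
        return (dst_ip, dst_port) if proto == "tcp" else (dst_ip,)

    def free_port_for(self, proto, dst_ip, dst_port):
        """Lowest allocated port not already serving this target, else None."""
        table = self._tables[proto]
        target = self._target(proto, dst_ip, dst_port)
        for port in range(self.allocated_ports):
            if target not in table[port]:
                return port
        return None

    def open_flow(self, proto, dst_ip, dst_port):
        """Claim a SNAT port for a new flow; raise when the budget is exhausted."""
        port = self.free_port_for(proto, dst_ip, dst_port)
        if port is None:
            raise SnatExhausted(f"{proto} {dst_ip}:{dst_port} "
                                f"({self.allocated_ports} ports in use)")
        self._tables[proto][port].add(self._target(proto, dst_ip, dst_port))
        return port

    def close_flow(self, proto, port, dst_ip, dst_port):
        """Release a flow, e.g. after the idle timeout listed above."""
        self._tables[proto][port].discard(self._target(proto, dst_ip, dst_port))

    def ports_in_use(self, proto):
        return sum(1 for users in self._tables[proto].values() if users)
```

With a budget of 1,024 ports (the automatic tier for pools of 1-50), the 1,025th concurrent TCP flow to 23.53.254.142:443 is refused, while a flow to port 80 on the same IP still fits on port 0; for UDP, a second flow to the same IP costs a second port even when its destination port differs.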

Next steps