Load Balancer outbound rules

Azure Load Balancer provides outbound connectivity from a virtual network in addition to inbound connectivity. Outbound rules make it simple to configure the outbound network address translation (NAT) of a public Standard Load Balancer. You have full declarative control over outbound connectivity, so you can scale and tune it to your specific needs.

Load Balancer outbound rules

With outbound rules, you can use Load Balancer to:

  • define outbound NAT from scratch.
  • scale and tune the behavior of existing outbound NAT.

Outbound rules allow you to control:

  • which virtual machines should be translated to which public IP addresses.
  • how outbound SNAT ports should be allocated.
  • which protocols to provide outbound translation for.
  • what duration to use for the outbound connection idle timeout (4-120 minutes).
  • whether to send a TCP Reset on idle timeout (in Public Preview).

Outbound rules expand scenario 2 described in the outbound connections article; the scenario precedence remains as-is.

Outbound rule

Like all Load Balancer rules, outbound rules follow the same familiar syntax as load balancing and inbound NAT rules:

frontend + parameters + backend pool

An outbound rule configures outbound NAT for all virtual machines identified by the backend pool, translating them to the frontend. The parameters provide additional fine-grained control over the outbound NAT algorithm.

API version "2018-07-01" permits an outbound rule definition structured as follows:

      "outboundRules": [
        {
          "frontendIPConfigurations": [ list_of_frontend_ip_configurations ],
          "allocatedOutboundPorts": number_of_SNAT_ports,
          "idleTimeoutInMinutes": 4 through 66,
          "enableTcpReset": true | false,
          "protocol": "Tcp" | "Udp" | "All",
          "backendAddressPool": backend_pool_reference,
        }
      ]

Note

The effective outbound NAT configuration is a composite of all outbound rules and load balancing rules. Outbound rules are incremental to load balancing rules. Review disabling outbound NAT for a load balancing rule to manage the effective outbound NAT translation when multiple rules apply to a VM. You must disable outbound SNAT on a load balancing rule when defining an outbound rule that uses the same public IP address as that load balancing rule.

Scale outbound NAT with multiple IP addresses

While an outbound rule can be used with just a single public IP address, outbound rules ease the configuration burden of scaling outbound NAT. You can use multiple IP addresses to plan for large-scale scenarios, and you can use outbound rules to mitigate patterns that are prone to SNAT exhaustion.

Each additional IP address provided by a frontend provides 51,200 ephemeral ports for Load Balancer to use as SNAT ports. While load balancing or inbound NAT rules have a single frontend, an outbound rule expands the frontend notion and allows multiple frontends per rule. With multiple frontends per rule, the quantity of available SNAT ports is multiplied by the number of public IP addresses, so large scenarios can be supported.

Additionally, you can use a public IP prefix directly with an outbound rule. Using a public IP prefix provides easier scaling and simplified allow-listing of flows originating from your Azure deployment. You can configure a frontend IP configuration within the Load Balancer resource to reference a public IP address prefix directly. This gives Load Balancer exclusive control over the public IP prefix, and the outbound rule automatically uses all public IP addresses contained within the prefix for outbound connections. Each IP address within the range of the public IP prefix provides 51,200 ephemeral ports for Load Balancer to use as SNAT ports.

You cannot have individual public IP address resources created from the public IP prefix when using this option, because the outbound rule must have complete control of the public IP prefix. If you need more fine-grained control, you can create individual public IP address resources from the public IP prefix and assign multiple public IP addresses individually to the frontend of an outbound rule.

Tune SNAT port allocation

You can use outbound rules to tune the automatic SNAT port allocation based on backend pool size, allocating more or fewer ports than the automatic SNAT port allocation provides.

Use the following parameter to allocate 10,000 SNAT ports per VM (NIC IP configuration):

      "allocatedOutboundPorts": 10000

Each public IP address from all frontends of an outbound rule contributes up to 51,200 ephemeral ports for use as SNAT ports. Load Balancer allocates SNAT ports in multiples of 8. If you provide a value not divisible by 8, the configuration operation is rejected. If you attempt to allocate more SNAT ports than are available based on the number of public IP addresses, the configuration operation is rejected. For example, if you allocate 10,000 ports per VM and 7 VMs in a backend pool would share a single public IP address, the configuration is rejected (7 x 10,000 SNAT ports > 51,200 SNAT ports). You can add more public IP addresses to the frontend of the outbound rule to enable the scenario.

You can revert to automatic SNAT port allocation based on backend pool size by specifying 0 for the number of ports.

Control outbound flow idle timeout

Outbound rules provide a configuration parameter to control the outbound flow idle timeout and match it to the needs of your application. Outbound idle timeouts default to 4 minutes. The parameter accepts a value from 4 to 120 to specify the number of minutes for the idle timeout of flows matching this particular rule.

Use the following parameter to set the outbound idle timeout to 1 hour:

      "idleTimeoutInMinutes": 60

Enable TCP Reset on idle timeout (Preview)

The default behavior of Load Balancer is to drop the flow silently when the outbound idle timeout has been reached. With the enableTcpReset parameter, you can enable more predictable application behavior and control whether a bidirectional TCP Reset (TCP RST) is sent when the outbound idle timeout occurs.

Use the following parameter to enable TCP Reset on an outbound rule:

      "enableTcpReset": true

Review TCP Reset on idle timeout (Preview) for details, including region availability.

Support both TCP and UDP transport protocols with a single rule

You will likely want to use "All" for the transport protocol of the outbound rule, but you can also apply the outbound rule to a specific transport protocol if there is a need to do so.

Use the following parameter to set the protocol to both TCP and UDP:

      "protocol": "All"

Disable outbound NAT for a load balancing rule

As stated previously, load balancing rules provide automatic programming of outbound NAT. However, some scenarios benefit from or require disabling the automatic programming of outbound NAT by the load balancing rule, so that you can control or refine the behavior. Outbound rules have scenarios where it is important to stop the automatic outbound NAT programming.

You can use this parameter in two ways:

  • Optional suppression of using the inbound IP address for outbound NAT. Outbound rules are incremental to load balancing rules, and with this parameter set, the outbound rule is in control.

  • Tune the outbound NAT parameters of an IP address used for inbound and outbound simultaneously. The automatic outbound NAT programming must be disabled to allow an outbound rule to take control. For example, in order to change the SNAT port allocation of an address also used for inbound, this parameter must be set to true. If you attempt to use an outbound rule to redefine the parameters of an IP address also used for inbound, and have not released the outbound NAT programming of the load balancing rule, the operation to configure the outbound rule will fail.

Important

Your virtual machine will not have outbound connectivity if you set this parameter to true and do not have an outbound rule (or an instance-level public IP scenario) to define outbound connectivity. Some operations of your VM or your application may depend on having outbound connectivity available. Make sure you understand the dependencies of your scenario and have considered the impact of making this change.

You can disable outbound SNAT on the load balancing rule with this configuration parameter:

      "loadBalancingRules": [
        {
          "disableOutboundSnat": true
        }
      ]

The disableOutboundSnat parameter defaults to false, which means the load balancing rule does provide automatic outbound NAT as a mirror image of the load balancing rule configuration.

If you set disableOutboundSnat to true on the load balancing rule, the load balancing rule releases control of the otherwise automatic outbound NAT programming. Outbound SNAT resulting from the load balancing rule is disabled.
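The two rules above (an outbound rule may not take over a frontend IP while a load balancing rule still provides automatic outbound NAT on it, and a pool whose only NAT source was a load balancing rule goes dark once disableOutboundSnat is set without a replacement) are easy to get wrong when several rules touch the same Load Balancer. The following is an added example, not Azure's own validation code, that checks both conditions over a simplified resource. It assumes the ARM shapes shown on this page ("loadBalancingRules" with "disableOutboundSnat", "outboundRules" with "frontendIPConfigurations" and "backendAddressPool"), with the "properties" wrapper omitted and every reference reduced to an {"id": ...} object holding a short constructed id; function names and the sample resource are this example's own.

```python
"""Check how load balancing rules and outbound rules compose on one Load Balancer.

Added example; it mirrors the page's rules, not Azure's validator. Shapes
are simplified ARM (no "properties" wrapper, short constructed ids).
"""
import json
from typing import Dict, List


def outbound_snat_conflicts(lb: Dict) -> List[str]:
    """Frontend IP ids used by an outbound rule while a load balancing rule
    on the same frontend still provides automatic outbound NAT.
    This is the configuration the page says is rejected."""
    auto_nat_frontends = {
        rule["frontendIPConfiguration"]["id"]
        for rule in lb.get("loadBalancingRules", [])
        if not rule.get("disableOutboundSnat", False)  # parameter defaults to false
    }
    conflicts: List[str] = []
    for rule in lb.get("outboundRules", []):
        for fe in rule["frontendIPConfigurations"]:
            if fe["id"] in auto_nat_frontends and fe["id"] not in conflicts:
                conflicts.append(fe["id"])
    return conflicts


def pools_without_outbound(lb: Dict) -> List[str]:
    """Backend pools with no outbound NAT source at all: every load balancing
    rule targeting them has disableOutboundSnat=true and no outbound rule
    names them (the "Important" caveat). Instance-level public IPs are not
    modelled here."""
    has_outbound = set()
    targeted_by_lb_rule = set()
    for rule in lb.get("loadBalancingRules", []):
        pool = rule["backendAddressPool"]["id"]
        targeted_by_lb_rule.add(pool)
        if not rule.get("disableOutboundSnat", False):
            has_outbound.add(pool)
    for rule in lb.get("outboundRules", []):
        has_outbound.add(rule["backendAddressPool"]["id"])
    return sorted(targeted_by_lb_rule - has_outbound)


def with_outbound_snat_released(lb: Dict) -> Dict:
    """Apply the page's remedy on a copy: set disableOutboundSnat=true on every
    load balancing rule whose frontend an outbound rule takes over."""
    fixed = json.loads(json.dumps(lb))
    taken = {fe["id"] for r in fixed.get("outboundRules", [])
             for fe in r["frontendIPConfigurations"]}
    for rule in fixed.get("loadBalancingRules", []):
        if rule["frontendIPConfiguration"]["id"] in taken:
            rule["disableOutboundSnat"] = True
    return fixed


# Constructed sample: "fe-shared" is used by the "web" load balancing rule
# (automatic NAT still on) and by the outbound rule; "pool-api" had its
# automatic NAT disabled but no outbound rule covers it.
SAMPLE_LB = json.loads("""
{
  "loadBalancingRules": [
    {"name": "web", "frontendIPConfiguration": {"id": "fe-shared"},
     "backendAddressPool": {"id": "pool-web"}, "disableOutboundSnat": false},
    {"name": "api", "frontendIPConfiguration": {"id": "fe-api"},
     "backendAddressPool": {"id": "pool-api"}, "disableOutboundSnat": true}
  ],
  "outboundRules": [
    {"name": "egress", "frontendIPConfigurations": [{"id": "fe-shared"}],
     "backendAddressPool": {"id": "pool-web"}, "protocol": "All"}
  ]
}
""")

if __name__ == "__main__":
    print("rejected frontends:", outbound_snat_conflicts(SAMPLE_LB))   # ['fe-shared']
    print("pools without outbound:", pools_without_outbound(SAMPLE_LB))  # ['pool-api']
    fixed = with_outbound_snat_released(SAMPLE_LB)
    print("after releasing SNAT:", outbound_snat_conflicts(fixed))      # []
```

Run the checks before submitting a template change: the first list tells you which load balancing rules still need disableOutboundSnat set, and the second tells you which pools would be left with no path out.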

Reuse existing or define new backend pools

Outbound rules do not introduce a new concept for defining the group of VMs to which the rule should apply. Instead, they reuse the concept of a backend pool, which is also used for load balancing rules. You can use this to simplify the configuration by either reusing an existing backend pool definition or creating one specifically for an outbound rule.

Scenarios

Groom outbound connections to a specific set of public IP addresses

You can use an outbound rule to groom outbound connections so that they appear to originate from a specific set of public IP addresses, which eases allow-listing scenarios. This source public IP address can be the same as that used by a load balancing rule, or a different set of public IP addresses from the one used by a load balancing rule.

  1. Create a public IP prefix (or public IP addresses from a public IP prefix)
  2. Create a public Standard Load Balancer
  3. Create frontends referencing the public IP prefix (or public IP addresses) you wish to use
  4. Reuse a backend pool or create a backend pool and place the VMs into a backend pool of the public Load Balancer
  5. Configure an outbound rule on the public Load Balancer to program outbound NAT for these VMs using the frontends

If you do not wish for the load balancing rule to be used for outbound, you need to disable outbound SNAT on the load balancing rule.
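The five steps above, written out as an added Resource Manager example that is not part of the original page: a Standard Load Balancer whose egress frontend references a public IP prefix, a second frontend for inbound traffic, one backend pool, a load balancing rule with outbound SNAT disabled so that the outbound rule alone decides the source addresses, and the outbound rule itself using the parameters described earlier. The resource, frontend, pool and rule names and the prefix and public IP names in the resourceId() calls are placeholders; the resource ids are built with the standard concat(resourceId(...)) pattern.

```json
{
  "type": "Microsoft.Network/loadBalancers",
  "apiVersion": "2018-07-01",
  "name": "lb-egress-example",
  "location": "[resourceGroup().location]",
  "sku": { "name": "Standard" },
  "properties": {
    "frontendIPConfigurations": [
      {
        "name": "fe-egress-prefix",
        "properties": {
          "publicIPPrefix": {
            "id": "[resourceId('Microsoft.Network/publicIPPrefixes', 'EXAMPLE-PREFIX-NAME')]"
          }
        }
      },
      {
        "name": "fe-inbound",
        "properties": {
          "publicIPAddress": {
            "id": "[resourceId('Microsoft.Network/publicIPAddresses', 'EXAMPLE-PIP-NAME')]"
          }
        }
      }
    ],
    "backendAddressPools": [
      { "name": "pool-web" }
    ],
    "loadBalancingRules": [
      {
        "name": "https-in",
        "properties": {
          "frontendIPConfiguration": {
            "id": "[concat(resourceId('Microsoft.Network/loadBalancers', 'lb-egress-example'), '/frontendIPConfigurations/fe-inbound')]"
          },
          "backendAddressPool": {
            "id": "[concat(resourceId('Microsoft.Network/loadBalancers', 'lb-egress-example'), '/backendAddressPools/pool-web')]"
          },
          "protocol": "Tcp",
          "frontendPort": 443,
          "backendPort": 443,
          "disableOutboundSnat": true
        }
      }
    ],
    "outboundRules": [
      {
        "name": "egress-via-prefix",
        "properties": {
          "frontendIPConfigurations": [
            {
              "id": "[concat(resourceId('Microsoft.Network/loadBalancers', 'lb-egress-example'), '/frontendIPConfigurations/fe-egress-prefix')]"
            }
          ],
          "backendAddressPool": {
            "id": "[concat(resourceId('Microsoft.Network/loadBalancers', 'lb-egress-example'), '/backendAddressPools/pool-web')]"
          },
          "protocol": "All",
          "allocatedOutboundPorts": 10000,
          "idleTimeoutInMinutes": 15,
          "enableTcpReset": true
        }
      }
    ]
  }
}
```

With disableOutboundSnat set on the load balancing rule, every outbound flow from pool-web is sourced from an address inside the prefix, so the prefix range is the only thing a downstream party needs to allow-list.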

Modify SNAT port allocation

You can use outbound rules to tune the automatic SNAT port allocation based on backend pool size.

For example, if you have two virtual machines sharing a single public IP address for outbound NAT, you may wish to increase the number of SNAT ports allocated from the default 1024 ports if you are experiencing SNAT exhaustion. Each public IP address can contribute up to 51,200 ephemeral ports. If you configure an outbound rule with a single public IP address frontend, you can distribute a total of 51,200 SNAT ports to VMs in the backend pool. For two VMs, a maximum of 25,600 SNAT ports can be allocated with an outbound rule (2 x 25,600 = 51,200).
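The arithmetic in this scenario and in the earlier "Tune SNAT port allocation" section (51,200 ports per frontend public IP, allocations in multiples of 8, rejection when the pool would need more ports than its frontends provide, 0 to return to automatic allocation) is captured in the following added example. It is not Azure's allocation code; the constants are the page's, and the function names are this example's own.

```python
"""Worked SNAT port budget for an outbound rule.

Added example. Constants are taken from the page: each frontend public IP
contributes 51,200 ephemeral ports, and Load Balancer allocates SNAT
ports in multiples of 8.
"""
from typing import Tuple

PORTS_PER_PUBLIC_IP = 51_200
ALLOCATION_GRANULARITY = 8


def available_snat_ports(public_ip_count: int) -> int:
    """Total SNAT ports an outbound rule can distribute across all its frontends."""
    if public_ip_count < 1:
        raise ValueError("an outbound rule needs at least one frontend public IP address")
    return public_ip_count * PORTS_PER_PUBLIC_IP


def check_allocated_outbound_ports(ports_per_vm: int, vm_count: int,
                                   public_ip_count: int) -> Tuple[bool, str]:
    """Mirror the acceptance rules for "allocatedOutboundPorts".

    Returns (accepted, reason). A value of 0 means 'revert to automatic
    allocation based on backend pool size'.
    """
    if ports_per_vm == 0:
        return True, "0 restores automatic SNAT port allocation based on backend pool size"
    if ports_per_vm < 0:
        return False, "allocatedOutboundPorts must be 0 or a positive number"
    if ports_per_vm % ALLOCATION_GRANULARITY != 0:
        return False, f"{ports_per_vm} is not a multiple of {ALLOCATION_GRANULARITY}"
    needed = ports_per_vm * vm_count
    available = available_snat_ports(public_ip_count)
    if needed > available:
        return False, (f"{vm_count} x {ports_per_vm} = {needed} SNAT ports exceeds the "
                       f"{available} provided by {public_ip_count} public IP address(es)")
    return True, f"{needed} of {available} SNAT ports allocated"


def max_ports_per_vm(vm_count: int, public_ip_count: int) -> int:
    """Largest per-VM allocation the frontends support, rounded down to a multiple of 8."""
    if vm_count < 1:
        raise ValueError("the backend pool must contain at least one VM")
    per_vm = available_snat_ports(public_ip_count) // vm_count
    return per_vm - (per_vm % ALLOCATION_GRANULARITY)


def public_ips_needed(ports_per_vm: int, vm_count: int) -> int:
    """How many frontend public IP addresses a requested allocation needs (ceiling division)."""
    needed = ports_per_vm * vm_count
    return -(-needed // PORTS_PER_PUBLIC_IP)


if __name__ == "__main__":
    # The page's rejected case: 7 VMs x 10,000 ports on a single public IP.
    print(check_allocated_outbound_ports(10_000, 7, 1))
    # Adding a second frontend IP makes the same allocation fit.
    print(public_ips_needed(10_000, 7), check_allocated_outbound_ports(10_000, 7, 2))
    # Two VMs behind one public IP can take at most 25,600 ports each.
    print(max_ports_per_vm(2, 1))
    # Values that are not multiples of 8 are rejected.
    print(check_allocated_outbound_ports(10_001, 1, 1))
```

Use max_ports_per_vm when raising the allocation to fight SNAT exhaustion, and public_ips_needed to size the frontend before the configuration operation is attempted rather than discovering the rejection on deployment.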

Review outbound connections for the details of how SNAT ports are allocated and used.

Enable outbound only

You can use a public Standard Load Balancer to provide outbound NAT for a group of VMs. In this scenario, you can use an outbound rule by itself, without the need for any additional rules.

Outbound NAT for VMs only (no inbound)

Define a public Standard Load Balancer, place the VMs into the backend pool, and configure an outbound rule to program outbound NAT and groom the outbound connections to originate from a specific public IP address. You can also use a public IP prefix to simplify allow-listing the source of outbound connections.

  1. Create a public Standard Load Balancer.
  2. Create a backend pool and place the VMs into a backend pool of the public Load Balancer.
  3. Configure an outbound rule on the public Load Balancer to program outbound NAT for these VMs.

Outbound NAT for internal Standard Load Balancer scenarios

When using an internal Standard Load Balancer, outbound NAT is not available until outbound connectivity has been explicitly declared. You can define outbound connectivity for VMs behind an internal Standard Load Balancer by using an outbound rule, with these steps:

  1. Create a public Standard Load Balancer.
  2. Create a backend pool and place the VMs into a backend pool of the public Load Balancer, in addition to the internal Load Balancer.
  3. Configure an outbound rule on the public Load Balancer to program outbound NAT for these VMs.

Enable both TCP & UDP protocols for outbound NAT with a public Standard Load Balancer

  • When using a public Standard Load Balancer, the automatic outbound NAT programming provided matches the transport protocol of the load balancing rule.

    1. Disable outbound SNAT on the load balancing rule.
    2. Configure an outbound rule on the same Load Balancer.
    3. Reuse the backend pool already used by your VMs.
    4. Specify "protocol": "All" as part of the outbound rule.
  • When only inbound NAT rules are used, no outbound NAT is provided.

    1. Place the VMs in a backend pool.
    2. Define one or more frontend IP configurations with public IP address(es) or a public IP prefix.
    3. Configure an outbound rule on the same Load Balancer.
    4. Specify "protocol": "All" as part of the outbound rule.

Limitations

  • The maximum number of usable ephemeral ports per frontend IP address is 51,200.
  • The range of the configurable outbound idle timeout is 4 to 120 minutes (240 to 7200 seconds).
  • Load Balancer does not support ICMP for outbound NAT.
  • The portal cannot be used to configure or view outbound rules. Use templates, the REST API, Az CLI 2.0, or PowerShell instead.
  • Outbound rules can only be applied to the primary IP configuration of a NIC. Multiple NICs are supported.

Next steps