Azure Standard Load Balancer overview

Azure Load Balancer lets you scale your applications and create high availability for your services. Load Balancer can be used for inbound as well as outbound scenarios, provides low latency and high throughput, and scales up to millions of flows for all TCP and UDP applications.

This article focuses on Standard Load Balancer. For a more general overview of Azure Load Balancer, also review Load Balancer Overview.

What is Standard Load Balancer?

Standard Load Balancer is a new Load Balancer product for all TCP and UDP applications with an expanded and more granular feature set than Basic Load Balancer. While there are many similarities, it is important to familiarize yourself with the differences outlined in this article.

You can use Standard Load Balancer as a public or an internal Load Balancer. A virtual machine can be connected to one public and one internal Load Balancer resource.

The functions of a Load Balancer resource are always expressed as a frontend, a rule, a health probe, and a backend pool definition. A resource can contain multiple rules. You place virtual machines into the backend pool by referencing the backend pool from the virtual machine's NIC resource. This parameter is passed through the network profile and is expanded when using virtual machine scale sets.

One key aspect is the scope of the virtual network for the resource. While Basic Load Balancer exists within the scope of an availability set, Standard Load Balancer is fully integrated with the scope of a virtual network, and all virtual network concepts apply.

Load Balancer resources are objects within which you express how Azure should program its multi-tenant infrastructure to achieve the scenario you want to create. There is no direct relationship between Load Balancer resources and the actual infrastructure: creating a Load Balancer doesn't create an instance, capacity is always available, and there are no start-up or scaling delays to consider.

Backend pool

Standard Load Balancer backend pools can include any virtual machine resource in a virtual network and can contain up to 1000 backend instances. A backend instance is an IP configuration, which is a property of a NIC resource.

The backend pool can contain standalone virtual machines, availability sets, or virtual machine scale sets, and you can blend these resource types in the same backend pool. You can combine up to 150 resources in the backend pool per Load Balancer resource.

When designing your backend pool, use the smallest number of individual backend pool resources you can; this shortens the duration of management operations. There is no difference in data plane performance or scale.

Health probes

Standard Load Balancer adds support for HTTPS health probes (an HTTP probe wrapped in Transport Layer Security (TLS)) to accurately monitor your HTTPS applications.

In addition, when the entire backend pool probes down, Standard Load Balancer allows all established TCP connections to continue. (Basic Load Balancer terminates all TCP connections to all instances.)

Review Load Balancer health probes for details.


Diagnostics

Standard Load Balancer provides multi-dimensional metrics through Azure Monitor. These metrics can be filtered, grouped, and broken out by a given dimension, and they provide current and historic insight into the performance and health of your service. The following is a brief overview of the supported diagnostics:

VIP availability: Standard Load Balancer continuously exercises the data path from within a region to the Load Balancer frontend and all the way to the SDN stack that supports your VM. As long as healthy instances remain, the measurement follows the same path as your application's load-balanced traffic, so the data path used by your customers is also validated. The measurement is invisible to your application and does not interfere with other operations.

DIP availability: Standard Load Balancer uses a distributed health probing service that monitors your application endpoint's health according to your configuration. This metric provides an aggregate view, or a per-endpoint filtered view, of each individual instance endpoint in the Load Balancer pool, so you can see how Load Balancer views the health of your application as indicated by your health probe configuration.

SYN packets: Standard Load Balancer does not terminate TCP connections or interact with TCP or UDP packet flows. Flows and their handshakes are always between the source and the VM instance. To troubleshoot TCP scenarios, use the SYN packet counter to see how many TCP connection attempts were made; the metric reports the number of TCP SYN packets received.

SNAT connections: Standard Load Balancer reports the number of outbound flows that are masqueraded to the public IP address frontend. SNAT ports are an exhaustible resource, so this metric indicates how heavily your application relies on SNAT for outbound-originated flows. Counters for successful and failed outbound SNAT flows are reported and can be used to troubleshoot and understand the health of your outbound flows.

Byte counters: Standard Load Balancer reports the data processed per frontend.

Packet counters: Standard Load Balancer reports the packets processed per frontend.

Review the detailed discussion of Standard Load Balancer diagnostics.

HA Ports

Standard Load Balancer supports a new type of rule.

You can configure load-balancing rules to make your application scale and become highly reliable. When you use an HA Ports load-balancing rule, Standard Load Balancer provides per-flow load balancing on every ephemeral port of an internal Standard Load Balancer's frontend IP address. The feature is also useful for other scenarios where it is impractical or undesirable to specify individual ports.

An HA Ports load-balancing rule lets you create active-passive or active-active n+1 scenarios for network virtual appliances (NVAs) and for any application that requires large ranges of inbound ports. A health probe can be used to determine which backends should receive new flows. You can use a network security group to emulate a port-range scenario.
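The following script is an added example and is not code from the Azure documentation; it shows the Azure CLI shape of the HA Ports scenario just described: an internal Standard Load Balancer whose single rule uses protocol All with frontend and backend port 0, two NVA NICs in the pool, and an NSG that narrows the "all ports" rule to the port ranges the appliances should actually receive while keeping the probe path open. The resource group, VNet, subnet, NIC and pool names, the probe path /healthz, the port ranges, and the ipconfig name ipconfig1 are assumptions. The script prints the commands unless DRY_RUN=0 is set and an Azure CLI session is logged in.

```shell
#!/bin/sh
# Added example (not from the Azure docs page). Internal Standard LB with an
# HA Ports rule in front of two NVAs plus an NSG that limits the reachable
# ports. Names, paths and port ranges below are assumptions.
# Commands are printed instead of executed unless DRY_RUN=0.

RG=${RG:-rg-nva}
VNET=${VNET:-vnet-hub}
SUBNET=${SUBNET:-snet-nva}
LB=${LB:-lb-nva-internal}
NSG=${NSG:-nsg-nva}
DRY_RUN=${DRY_RUN:-1}

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Internal Standard LB: the frontend takes a private IP from the NVA subnet.
create_internal_lb() {
  run az network lb create --resource-group "$RG" --name "$LB" --sku Standard \
    --vnet-name "$VNET" --subnet "$SUBNET" \
    --frontend-ip-name fe-nva --backend-pool-name bp-nva
}

# Probe the appliance's own health endpoint so only live NVAs get new flows.
create_probe() {
  run az network lb probe create --resource-group "$RG" --lb-name "$LB" \
    --name probe-nva --protocol Https --port 443 --path /healthz \
    --interval 5 --threshold 2
}

# HA Ports rule: protocol All with frontend and backend port 0 means every
# port on the frontend IP is load balanced per flow to the pool.
create_ha_ports_rule() {
  run az network lb rule create --resource-group "$RG" --lb-name "$LB" \
    --name rule-haports --protocol All --frontend-port 0 --backend-port 0 \
    --frontend-ip-name fe-nva --backend-pool-name bp-nva --probe-name probe-nva
}

# Put one NVA NIC (its primary ipconfig, assumed to be ipconfig1) in the pool.
add_nva_to_pool() {
  run az network nic ip-config address-pool add --resource-group "$RG" \
    --nic-name "$1" --ip-config-name ipconfig1 --lb-name "$LB" --address-pool bp-nva
}

# The rule forwards every port, so the NSG on the NVA subnet is what limits
# the reachable range. Probes arrive from the AzureLoadBalancer service tag
# and must be allowed ahead of the catch-all deny, or every NVA probes down.
restrict_ports() {
  run az network nsg create --resource-group "$RG" --name "$NSG"
  run az network nsg rule create --resource-group "$RG" --nsg-name "$NSG" \
    --name allow-lb-probe --priority 100 --direction Inbound --access Allow \
    --protocol Tcp --source-address-prefixes AzureLoadBalancer \
    --destination-port-ranges 443
  run az network nsg rule create --resource-group "$RG" --nsg-name "$NSG" \
    --name allow-nva-ranges --priority 110 --direction Inbound --access Allow \
    --protocol '*' --source-address-prefixes VirtualNetwork \
    --destination-port-ranges 500 4500 8000-8999
  run az network nsg rule create --resource-group "$RG" --nsg-name "$NSG" \
    --name deny-other-vnet --priority 4000 --direction Inbound --access Deny \
    --protocol '*' --source-address-prefixes VirtualNetwork \
    --destination-port-ranges '*'
  run az network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" \
    --name "$SUBNET" --network-security-group "$NSG"
}

plan_ha_ports() {
  create_internal_lb
  create_probe
  create_ha_ports_rule
  add_nva_to_pool nva-0-nic
  add_nva_to_pool nva-1-nic
  restrict_ports
}

plan_ha_ports
```

The deny rule at priority 4000 is what turns the all-ports rule into a port-range rule; without the explicit allow from the AzureLoadBalancer tag in front of it, the deny would also drop the health probes and the whole pool would be marked down.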


If you plan to use a network virtual appliance, check with your vendor whether their product has been tested with HA Ports and follow their specific guidance for implementation.

Review the detailed discussion of HA Ports.

Secure by default

Standard Load Balancer is fully onboarded to the virtual network. The virtual network is a private, closed network. Because Standard Load Balancers and Standard public IP addresses are designed to allow this virtual network to be reached from outside, these resources now default to closed unless you open them. This means network security groups (NSGs) are now used to explicitly permit and allow-list traffic. You can create your entire virtual data center and decide through NSGs what should be reachable and when. If there is no NSG on the subnet or NIC of your virtual machine resource, traffic is not allowed to reach that resource.

To learn more about NSGs and how to apply them to your scenario, see Network Security Groups.

Outbound connections

Load Balancer supports inbound and outbound scenarios. Standard Load Balancer differs significantly from Basic Load Balancer with respect to outbound connections.

Source Network Address Translation (SNAT) is used to map internal, private IP addresses on your virtual network to the public IP addresses of Load Balancer frontends.

Standard Load Balancer introduces a new SNAT algorithm that is more robust, scalable, and predictable. It enables new abilities, removes ambiguity, and requires explicit configuration rather than relying on side effects. These changes are necessary to allow new features to emerge.

These are the key tenets to remember when working with Standard Load Balancer:

  • The completion of a rule drives the Load Balancer resource; all programming of Azure derives from its configuration.
  • When multiple frontends are available, all frontends are used, and each frontend multiplies the number of available SNAT ports.
  • You can choose and control whether a particular frontend is used for outbound connections.
  • Outbound scenarios are explicit, and outbound connectivity does not exist until it has been specified.
  • Load-balancing rules determine how SNAT is programmed. Load-balancing rules are protocol specific, SNAT is protocol specific, and the configuration should reflect this rather than create a side effect.

Multiple frontends

If you want more SNAT ports because you expect, or are already experiencing, high demand for outbound connections, you can add incremental SNAT port inventory by configuring additional frontends, rules, and backend pools for the same virtual machine resources.

Control which frontend is used for outbound

If you want to constrain outbound connections to originate only from a specific frontend IP address, you can disable outbound SNAT on the rule that expresses the outbound mapping for each frontend that should not be used.
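The following script is an added example and is not code from the Azure documentation; it puts the two preceding sections into Azure CLI form for a public Standard Load Balancer: two frontends, each with its own rule to the same backend pool, so that both contribute SNAT port inventory, and a third management frontend whose rule carries --disable-outbound-snat true so that it is never used as the source of outbound flows. The resource group, load balancer, public IP, pool and probe names, and the ports 443 and 22 are assumptions. Commands are printed unless DRY_RUN=0 is set and an Azure CLI session is logged in.

```shell
#!/bin/sh
# Added example (not from the Azure docs page). Public Standard LB with two
# outbound-capable frontends and one inbound-only management frontend.
# All resource names and ports are assumptions.
# Commands are printed instead of executed unless DRY_RUN=0.

RG=${RG:-rg-web}
LB=${LB:-lb-web-public}
DRY_RUN=${DRY_RUN:-1}

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Public IPs must be Standard SKU to match the Standard LB.
create_pip() {
  run az network public-ip create --resource-group "$RG" --name "$1" \
    --sku Standard --allocation-method Static
}

# One rule per frontend to the same pool: every frontend that a rule
# associates with the pool adds its own SNAT port inventory for outbound.
create_outbound_capable_rule() {
  run az network lb rule create --resource-group "$RG" --lb-name "$LB" \
    --name "rule-$1" --protocol Tcp --frontend-port 443 --backend-port 443 \
    --frontend-ip-name "$1" --backend-pool-name bp-web --probe-name probe-web
}

# Same rule shape, but this frontend must never be the source of outbound
# flows, so outbound SNAT is disabled on the rule that maps it.
create_inbound_only_rule() {
  run az network lb rule create --resource-group "$RG" --lb-name "$LB" \
    --name "rule-$1" --protocol Tcp --frontend-port 22 --backend-port 22 \
    --frontend-ip-name "$1" --backend-pool-name bp-web --probe-name probe-web \
    --disable-outbound-snat true
}

plan_outbound() {
  create_pip pip-fe-0
  create_pip pip-fe-1
  create_pip pip-mgmt
  # First frontend is created with the LB; the other two are added to it.
  run az network lb create --resource-group "$RG" --name "$LB" --sku Standard \
    --public-ip-address pip-fe-0 --frontend-ip-name fe-0 --backend-pool-name bp-web
  run az network lb frontend-ip create --resource-group "$RG" --lb-name "$LB" \
    --name fe-1 --public-ip-address pip-fe-1
  run az network lb frontend-ip create --resource-group "$RG" --lb-name "$LB" \
    --name fe-mgmt --public-ip-address pip-mgmt
  run az network lb probe create --resource-group "$RG" --lb-name "$LB" \
    --name probe-web --protocol Https --port 443 --path /healthz
  create_outbound_capable_rule fe-0
  create_outbound_capable_rule fe-1
  create_inbound_only_rule fe-mgmt
}

plan_outbound
```

After this, outbound flows from the pool VMs are masqueraded behind pip-fe-0 and pip-fe-1 only; the SNAT connections metric described earlier is the place to confirm that the management IP never appears as an outbound source.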

Control outbound connectivity

Standard Load Balancer exists within the context of the virtual network. A virtual network is an isolated, private network: unless an association with a public IP address exists, public connectivity is not allowed. You can reach VNet service endpoints because they are inside of, and local to, your virtual network. If you want to establish outbound connectivity to a destination outside of your virtual network, you have two options:

  • assign a Standard SKU public IP address as an instance-level public IP address to the virtual machine resource, or
  • place the virtual machine resource in the backend pool of a public Standard Load Balancer.

Both allow outbound connectivity from the virtual network to destinations outside of it.

If you only have an internal Standard Load Balancer associated with the backend pool in which your virtual machine resource is located, your virtual machine can only reach virtual network resources and VNet service endpoints. Follow the steps described in the preceding paragraph to create outbound connectivity.

Outbound connectivity of a virtual machine resource that is not associated with any Standard SKU resource remains as before.

Review the detailed discussion of outbound connections.

Multiple frontends

Load Balancer supports multiple rules with multiple frontends. Standard Load Balancer expands this to outbound scenarios. Outbound scenarios are essentially the inverse of an inbound load-balancing rule: the inbound load-balancing rule also creates an association for outbound connections. Standard Load Balancer uses all frontends that are associated with a virtual machine resource through a load-balancing rule. Additionally, a parameter on the load-balancing rule lets you suppress that rule for the purposes of outbound connectivity, which allows the selection of specific frontends, including none.

For comparison, Basic Load Balancer selects a single frontend at random, and there is no way to control which one is selected.

Review the detailed discussion of outbound connections.

Management operations

Standard Load Balancer resources exist on an entirely new infrastructure platform. This enables faster management operations for Standard SKUs; completion times are typically less than 30 seconds per Standard SKU resource. As backend pools increase in size, the duration required for backend pool changes also increases.

You can modify Standard Load Balancer resources, and move a Standard public IP address from one virtual machine to another, much faster.

Migration between SKUs

SKUs are not mutable. Follow the steps in this section to move from one resource SKU to another.


Review this document in its entirety to understand the differences between SKUs, and examine your scenario carefully. You may need to make additional changes to align your scenario.

Migrate from Basic to Standard SKU

  1. Create the new Standard resources (Load Balancer and public IPs, as needed). Recreate your rules and probe definitions. If you previously used a TCP probe to 443/tcp, consider changing the probe protocol to HTTPS and adding a path.

  2. Create new NSGs, or update existing ones, on the NIC or subnet to allow-list the load-balanced traffic, the probes, and any other traffic you wish to permit.

  3. Remove the Basic SKU resources (Load Balancer and public IPs, as applicable) from all VM instances. Be sure to also remove all VM instances of an availability set.

  4. Attach all VM instances to the new Standard SKU resources.
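The following script is an added example and is not code from the Azure documentation; it carries out the four steps above with the Azure CLI for two VMs that sit behind a Basic public Load Balancer probed on 443/tcp, and it also shows the explicit NSG allow-listing that the Secure by default section requires (probe traffic from the AzureLoadBalancer service tag plus the application port). The resource group, VNet, subnet, NIC and pool names, the ipconfig name ipconfig1, the probe path /healthz, and attaching the NSG at the subnet rather than the NIC are assumptions. Commands are printed unless DRY_RUN=0 is set and an Azure CLI session is logged in.

```shell
#!/bin/sh
# Added example (not from the Azure docs page). Basic-to-Standard migration
# for two VMs behind a Basic public LB. All names below are assumptions.
# Commands are printed instead of executed unless DRY_RUN=0.

RG=${RG:-rg-web}
VNET=${VNET:-vnet-web}
SUBNET=${SUBNET:-snet-web}
OLD_LB=${OLD_LB:-lb-web-basic}
NEW_LB=${NEW_LB:-lb-web-standard}
NICS=${NICS:-"web-0-nic web-1-nic"}
DRY_RUN=${DRY_RUN:-1}

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: Standard PIP and LB with rules and probe recreated. The old 443/tcp
# probe becomes an HTTPS probe with a path, so it checks application health
# rather than just a listening socket.
create_standard_resources() {
  run az network public-ip create --resource-group "$RG" --name pip-web-standard \
    --sku Standard --allocation-method Static
  run az network lb create --resource-group "$RG" --name "$NEW_LB" --sku Standard \
    --public-ip-address pip-web-standard --frontend-ip-name fe-web --backend-pool-name bp-web
  run az network lb probe create --resource-group "$RG" --lb-name "$NEW_LB" \
    --name probe-web --protocol Https --port 443 --path /healthz --interval 5 --threshold 2
  run az network lb rule create --resource-group "$RG" --lb-name "$NEW_LB" \
    --name rule-https --protocol Tcp --frontend-port 443 --backend-port 443 \
    --frontend-ip-name fe-web --backend-pool-name bp-web --probe-name probe-web
}

# Step 2: Standard resources are closed by default, so the NSG must allow both
# the load-balanced traffic and the probes (AzureLoadBalancer service tag).
allow_list_traffic() {
  run az network nsg create --resource-group "$RG" --name nsg-web
  run az network nsg rule create --resource-group "$RG" --nsg-name nsg-web \
    --name allow-lb-probe --priority 100 --direction Inbound --access Allow \
    --protocol Tcp --source-address-prefixes AzureLoadBalancer --destination-port-ranges 443
  run az network nsg rule create --resource-group "$RG" --nsg-name nsg-web \
    --name allow-https --priority 110 --direction Inbound --access Allow \
    --protocol Tcp --source-address-prefixes Internet --destination-port-ranges 443
  run az network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" \
    --name "$SUBNET" --network-security-group nsg-web
}

# Step 3: leave the Basic pool on every NIC. A NIC cannot reference both SKUs,
# so this must finish for all instances before any of them join the new pool.
detach_from_basic() {
  for nic in $NICS; do
    run az network nic ip-config address-pool remove --resource-group "$RG" \
      --nic-name "$nic" --ip-config-name ipconfig1 --lb-name "$OLD_LB" --address-pool bp-web
  done
}

# Step 4: attach every NIC to the Standard pool.
attach_to_standard() {
  for nic in $NICS; do
    run az network nic ip-config address-pool add --resource-group "$RG" \
      --nic-name "$nic" --ip-config-name ipconfig1 --lb-name "$NEW_LB" --address-pool bp-web
  done
}

migrate() {
  create_standard_resources
  allow_list_traffic
  detach_from_basic
  attach_to_standard
}

migrate
```

Because the NICs are detached from the Basic pool before any of them joins the Standard pool, there is a window in which no instance is load balanced; run step 3 and step 4 back to back, and check the DIP availability metric on the new load balancer afterwards to confirm that the HTTPS probe is passing before you delete the Basic resources.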


Matching SKUs must be used for Load Balancer and public IP resources. You can't mix Basic SKU resources and Standard SKU resources, and you can't attach standalone virtual machines, virtual machines in an availability set resource, or a virtual machine scale set resource to both SKUs simultaneously.

Region availability

Standard Load Balancer is currently available in all Azure regions.

SLA

Standard Load Balancers are available with a 99.99% SLA. Review the Standard Load Balancer SLA for details.


Pricing

Standard Load Balancer usage is charged based on:

  • the number of configured load-balancing and outbound rules (inbound NAT rules do not count against the total number of rules), and
  • the amount of data processed inbound and outbound, irrespective of rule.

For Standard Load Balancer pricing information, go to the Load Balancer pricing page.


Limitations

  • SKUs are not mutable. You cannot change the SKU of an existing resource.
  • A standalone virtual machine resource, availability set resource, or virtual machine scale set resource can reference one SKU, never both.
  • A Load Balancer rule cannot span two virtual networks. Frontends and their related backend instances must be located in the same virtual network.
  • Move-subscription operations are not supported for Standard SKU Load Balancer and public IP resources.
  • Web Worker Roles without a VNet and other Azure platform services may be reachable from instances behind only an internal Standard Load Balancer, as a side effect of how pre-VNet services and other platform services function. You must not rely on this, because the respective service itself or the underlying platform can change without notice. When using only an internal Standard Load Balancer, always assume that you need to create outbound connectivity explicitly if you need it.
  • Load Balancer is a TCP or UDP product for load balancing and port forwarding of these specific IP protocols. Load-balancing rules and inbound NAT rules are supported for TCP and UDP and are not supported for other IP protocols, including ICMP. Load Balancer does not terminate, respond to, or otherwise interact with the payload of a UDP or TCP flow; it is not a proxy. Successful validation of connectivity to a frontend must take place in-band with the same protocol used in a load-balancing or inbound NAT rule (TCP or UDP), and at least one of your virtual machines must generate a response for a client to see a response from the frontend. Not receiving an in-band response from the Load Balancer frontend indicates that no virtual machine was able to respond; it is not possible to interact with a Load Balancer frontend without a virtual machine able to respond. This also applies to outbound connections, where port-masquerading SNAT is supported only for TCP and UDP; any other IP protocol, including ICMP, will also fail. Assign an instance-level public IP address to mitigate this.
  • Unlike public Load Balancers, which provide outbound connections when transitioning from private IP addresses inside the virtual network to public IP addresses, internal Load Balancers do not translate outbound-originated connections to the frontend of the internal Load Balancer, because both are in private IP address space. This avoids the potential for SNAT exhaustion inside unique internal IP address space where translation is not required. The side effect is that if an outbound flow from a VM in the backend pool targets the frontend of the internal Load Balancer whose pool that VM resides in, and the flow is mapped back to the same VM, the two legs of the flow don't match and the flow fails. If the flow is not mapped back to the VM that created it, the flow succeeds. When the flow maps back to itself, the outbound flow appears to originate from the VM to the frontend, and the corresponding inbound flow appears to originate from the VM to itself. From the guest OS's point of view, the inbound and outbound parts of the same flow don't match inside the virtual machine; the TCP stack does not recognize the two halves as one flow because the source and destination don't match. When the flow maps to any other VM in the backend pool, the halves match and that VM can respond. The symptom of this scenario is intermittent connection timeouts.
    There are several common workarounds for reliably achieving this scenario (originating flows from a backend pool to that backend pool's own internal Load Balancer frontend), including inserting a third-party proxy behind the internal Load Balancer or using DSR-style rules. While you could use a public Load Balancer to mitigate this, the resulting scenario is prone to SNAT exhaustion and should be avoided unless carefully managed.

Next steps