Outbound rules for Azure Load Balancer

Outbound rules allow you to explicitly define SNAT (source network address translation) for a public standard load balancer. This configuration allows you to use the public IP(s) of your load balancer to provide outbound internet connectivity for your backend instances.

This configuration enables:

  • IP masquerading.
  • Simpler allow lists.
  • Fewer public IP resources per deployment.

With outbound rules, you have full declarative control over outbound internet connectivity. Outbound rules allow you to scale and tune this ability to your specific needs.

Outbound rules are only followed if the backend VM doesn't have an instance-level public IP address (ILPIP).

Load balancer outbound rules

With outbound rules, you can explicitly define outbound SNAT behavior.

Outbound rules allow you to control:

  • Which virtual machines are translated to which public IP addresses.
    • Two rules, where backend pool A uses IP addresses A and B, and backend pool B uses IP addresses C and D.
  • How outbound SNAT ports are allocated.
    • Backend pool B is the only pool making outbound connections: give all SNAT ports to backend pool B and none to backend pool A.
  • Which protocols to provide outbound translation for.
    • Backend pool B needs UDP ports for outbound. Backend pool A needs TCP. Give TCP ports to A and UDP ports to B.
  • What duration to use for the outbound connection idle timeout (4-120 minutes).
    • If there are long-running connections with keepalives, reserve idle ports for those connections for up to 120 minutes. Alternatively, assume stale connections are abandoned and release ports after 4 minutes for fresh connections.
  • Whether to send a TCP Reset on idle timeout.
    • When timing out idle connections, do we send a TCP RST to the client and server so they know the flow is abandoned?

Outbound rule definition

Outbound rules follow the same familiar syntax as load-balancing and inbound NAT rules: frontend + parameters + backend pool.

An outbound rule configures outbound NAT for all virtual machines identified by the backend pool, translating them to the frontend.

The parameters provide additional fine-grained control over the outbound NAT algorithm.

Scale outbound NAT with multiple IP addresses

Each additional IP address provided by a frontend provides an additional 64,000 ephemeral ports for the load balancer to use as SNAT ports.

Use multiple IP addresses to plan for large-scale scenarios. Use outbound rules to mitigate SNAT exhaustion.

You can also use a public IP prefix directly with an outbound rule.

A public IP prefix increases the scaling of your deployment. The prefix can be added to the allow list of flows originating from your Azure resources. You can configure a frontend IP configuration within the load balancer to reference a public IP prefix.

The load balancer has control over the public IP prefix. The outbound rule will automatically use all public IP addresses contained within the public IP prefix for outbound connections.

Each of the IP addresses within the public IP prefix provides an additional 64,000 ephemeral ports for the load balancer to use as SNAT ports.

Outbound flow idle timeout and TCP reset

Outbound rules provide a configuration parameter to control the outbound flow idle timeout and match it to the needs of your application. Outbound idle timeouts default to 4 minutes. For more information, see Configure idle timeouts.

The default behavior of the load balancer is to drop the flow silently when the outbound idle timeout has been reached. The enableTCPReset parameter enables predictable application behavior and control. The parameter dictates whether to send a bidirectional TCP Reset (TCP RST) when the outbound idle timeout expires.

Review TCP Reset on idle timeout for details, including region availability.

Securing and controlling outbound connectivity explicitly

Load-balancing rules provide automatic programming of outbound NAT. Some scenarios benefit from, or require, disabling the automatic programming of outbound NAT by the load-balancing rule. Disabling it via the rule allows you to control or refine the behavior.

You can use this parameter in two ways:

  1. Prevent the inbound IP address from being used for outbound SNAT. Disable outbound SNAT in the load-balancing rule.

  2. Tune the outbound SNAT parameters of an IP address used for inbound and outbound simultaneously. The automatic outbound NAT must be disabled to allow an outbound rule to take control. To change the SNAT port allocation of an address also used for inbound, the disableOutboundSnat parameter must be set to true.

The operation to configure an outbound rule will fail if you attempt to redefine an IP address that is used for inbound. Disable the outbound NAT of the load-balancing rule first.

Important

Your virtual machine will not have outbound connectivity if you set this parameter to true and do not have an outbound rule to define outbound connectivity. Some operations of your VM or your application may depend on having outbound connectivity available. Make sure you understand the dependencies of your scenario and have considered the impact of making this change.

Sometimes it's undesirable for a VM to create an outbound flow. There might be a requirement to manage which destinations receive outbound flows, or which destinations begin inbound flows. Use network security groups (NSGs) to manage the destinations that the VM reaches. Use NSGs to manage which public destinations start inbound flows.

When you apply an NSG to a load-balanced VM, pay attention to the service tags and default security rules.

Ensure that the VM can receive health probe requests from Azure Load Balancer.

If an NSG blocks health probe requests from the AZURE_LOADBALANCER default tag, your VM health probe fails and the VM is marked unavailable. The load balancer stops sending new flows to that VM.

Scenarios with outbound rules

The following scenarios use outbound rules:

  • Configure outbound connections to a specific set of public IPs or a prefix.
  • Modify SNAT port allocation.
  • Enable outbound only.
  • Outbound NAT for VMs only (no inbound).
  • Outbound NAT for an internal standard load balancer.
  • Enable both TCP and UDP protocols for outbound NAT with a public standard load balancer.

Scenario 1: Configure outbound connections to a specific set of public IPs or a prefix

Details

Use this scenario to tailor outbound connections so that they originate from a set of public IP addresses. Add the public IPs or prefixes to an allow or deny list based on origination.

This public IP or prefix can be the same as the one used by a load-balancing rule.

To use a different public IP or prefix than the one used by a load-balancing rule:

  1. Create a public IP prefix or public IP address.
  2. Create a public standard load balancer.
  3. Create a frontend referencing the public IP prefix or public IP address you wish to use.
  4. Reuse a backend pool or create a backend pool, and place the VMs into a backend pool of the public load balancer.
  5. Configure an outbound rule on the public load balancer to enable outbound NAT for the VMs using the frontend. Using a load-balancing rule for outbound is not recommended; disable outbound SNAT on the load-balancing rule.

Scenario 2: Modify SNAT port allocation

Details

You can use outbound rules to tune the automatic SNAT port allocation based on backend pool size.

If you experience SNAT exhaustion, increase the number of SNAT ports given from the default of 1024.

Each public IP address contributes up to 64,000 ephemeral ports. The number of VMs in the backend pool determines the number of ports distributed to each VM. One VM in the backend pool has access to the maximum of 64,000 ports. For two VMs, a maximum of 32,000 SNAT ports each can be given with an outbound rule (2 x 32,000 = 64,000).

You can use outbound rules to tune the SNAT ports given by default. You can give more or less than the default SNAT port allocation provides. Each public IP address from the frontend of an outbound rule contributes up to 64,000 ephemeral ports for use as SNAT ports.

The load balancer gives SNAT ports in multiples of 8. If you provide a value not divisible by 8, the configuration operation is rejected. Each load-balancing rule and inbound NAT rule consumes a range of 8 ports. If a load-balancing or inbound NAT rule shares the same range of 8 as another, no additional ports are consumed.

If you attempt to give more SNAT ports than are available based on the number of public IP addresses, the configuration operation is rejected. For example, if you give 10,000 ports per VM and seven VMs in a backend pool share a single public IP, the configuration is rejected: seven multiplied by 10,000 exceeds the 64,000 port limit. Add more public IP addresses to the frontend of the outbound rule to enable the scenario.

Revert to the default port allocation by specifying 0 for the number of ports. The first 50 VM instances get 1024 ports each, 51-100 VM instances get 512 each, and so on up to the maximum number of instances. For more information on default SNAT port allocation, see the SNAT port allocation table.

Scenario 3: Enable outbound only

Details

Use a public standard load balancer to provide outbound NAT for a group of VMs. In this scenario, use an outbound rule by itself, without any additional rules configured.

Note

Azure Virtual Network NAT can provide outbound connectivity for virtual machines without the need for a load balancer. See What is Azure Virtual Network NAT? for more information.

Scenario 4: Outbound NAT for VMs only (no inbound)

Note

Azure Virtual Network NAT can provide outbound connectivity for virtual machines without the need for a load balancer. See What is Azure Virtual Network NAT? for more information.

Details

For this scenario, Azure Load Balancer outbound rules and Virtual Network NAT are both options for egress from a virtual network. To use outbound rules:

  1. Create a public IP or prefix.
  2. Create a public standard load balancer.
  3. Create a frontend associated with the public IP or prefix dedicated to outbound.
  4. Create a backend pool for the VMs.
  5. Place the VMs into the backend pool.
  6. Configure an outbound rule to enable outbound NAT.

Use a prefix or public IP to scale SNAT ports. Add the source of outbound connections to an allow or deny list.

Scenario 5: Outbound NAT for an internal standard load balancer

Note

Azure Virtual Network NAT can provide outbound connectivity for virtual machines that use an internal standard load balancer. See What is Azure Virtual Network NAT? for more information.

Details

Outbound connectivity isn't available for an internal standard load balancer until it has been explicitly declared through instance-level public IPs or Virtual Network NAT, or by associating the backend pool members with an outbound-only load balancer configuration.

For more information, see Outbound-only load balancer configuration.

Scenario 6: Enable both TCP and UDP protocols for outbound NAT with a public standard load balancer

Details

When using a public standard load balancer, the automatic outbound NAT provided matches the transport protocol of the load-balancing rule.

  1. Disable outbound SNAT on the load-balancing rule.
  2. Configure an outbound rule on the same load balancer.
  3. Reuse the backend pool already used by your VMs.
  4. Specify "protocol": "All" as part of the outbound rule.

When only inbound NAT rules are used, no outbound NAT is provided.

  1. Place VMs in a backend pool.
  2. Define one or more frontend IP configurations with public IP address(es) or a public IP prefix.
  3. Configure an outbound rule on the same load balancer.
  4. Specify "protocol": "All" as part of the outbound rule.
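Two of the failure modes described on this page are silent until deployment or, worse, until traffic stops: an outbound rule that reuses a frontend whose load-balancing rule still has automatic SNAT enabled is rejected (see "Securing and controlling outbound connectivity explicitly"), and a load-balancing rule with disableOutboundSnat set to true but no outbound rule covering its pool leaves the VMs with no outbound connectivity (the Important note above). The following added example, not part of this article or of Azure's tooling, lints a simplified load balancer definition for both, plus the protocol, idle-timeout and multiple-of-8 constraints. The dictionary shape and the property names disableOutboundSnat, enableTcpReset, idleTimeoutInMinutes and allocatedOutboundPorts are assumed from the ARM Microsoft.Network/loadBalancers schema; frontends and pools are referenced by name for brevity, and both sample definitions are constructed.

```python
"""Lint a load balancer definition for the outbound SNAT pitfalls described above.

Added example, not Azure's own code. The input is a simplified dictionary in the
shape of an ARM Microsoft.Network/loadBalancers resource; the property names
(disableOutboundSnat, enableTcpReset, idleTimeoutInMinutes, allocatedOutboundPorts)
are assumed from that schema, and frontends/pools are referenced by name.
"""

IDLE_TIMEOUT_MIN, IDLE_TIMEOUT_MAX = 4, 120      # minutes, per the Limitations section
VALID_PROTOCOLS = {"All", "Tcp", "Udp"}


def lint_load_balancer(lb: dict) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    lb_rules = lb.get("loadBalancingRules", [])
    out_rules = lb.get("outboundRules", [])

    # Frontends whose automatic outbound NAT is still on (disableOutboundSnat is false).
    auto_snat_frontends = {
        r["frontendIPConfiguration"] for r in lb_rules if not r.get("disableOutboundSnat", False)
    }
    # Backend pools that some outbound rule explicitly covers.
    pools_with_outbound = {r["backendAddressPool"] for r in out_rules}

    for r in out_rules:
        name = r["name"]
        # Redefining a frontend that is still used for automatic SNAT is rejected by Azure.
        for fe in r["frontendIPConfigurations"]:
            if fe in auto_snat_frontends:
                findings.append(
                    f"{name}: frontend '{fe}' is also used by a load-balancing rule with "
                    "disableOutboundSnat=false; set it to true first"
                )
        proto = r.get("protocol", "All")
        if proto not in VALID_PROTOCOLS:
            findings.append(f"{name}: protocol '{proto}' is not one of {sorted(VALID_PROTOCOLS)}")
        timeout = r.get("idleTimeoutInMinutes", 4)
        if not IDLE_TIMEOUT_MIN <= timeout <= IDLE_TIMEOUT_MAX:
            findings.append(
                f"{name}: idleTimeoutInMinutes {timeout} is outside {IDLE_TIMEOUT_MIN}-{IDLE_TIMEOUT_MAX}"
            )
        if r.get("allocatedOutboundPorts", 0) % 8:
            findings.append(f"{name}: allocatedOutboundPorts must be a multiple of 8")

    # Automatic SNAT switched off with nothing replacing it: the pool's VMs lose outbound.
    for r in lb_rules:
        pool = r["backendAddressPool"]
        if r.get("disableOutboundSnat", False) and pool not in pools_with_outbound:
            findings.append(
                f"{r['name']}: disableOutboundSnat=true but no outbound rule covers pool "
                f"'{pool}'; its VMs will have no outbound connectivity"
            )
    return findings


# Constructed sample: scenario 6 done correctly (frontend shared with the
# load-balancing rule, automatic SNAT disabled there, protocol All on the outbound rule).
GOOD_LB = {
    "loadBalancingRules": [
        {"name": "web-443", "frontendIPConfiguration": "fe-public",
         "backendAddressPool": "pool-web", "disableOutboundSnat": True},
    ],
    "outboundRules": [
        {"name": "out-all", "frontendIPConfigurations": ["fe-public"],
         "backendAddressPool": "pool-web", "protocol": "All",
         "allocatedOutboundPorts": 0, "idleTimeoutInMinutes": 15, "enableTcpReset": True},
    ],
}

# Constructed sample carrying the mistakes the article warns about.
BAD_LB = {
    "loadBalancingRules": [
        {"name": "web-443", "frontendIPConfiguration": "fe-public",
         "backendAddressPool": "pool-web", "disableOutboundSnat": False},
        {"name": "api-8443", "frontendIPConfiguration": "fe-api",
         "backendAddressPool": "pool-api", "disableOutboundSnat": True},
    ],
    "outboundRules": [
        {"name": "out-all", "frontendIPConfigurations": ["fe-public"],
         "backendAddressPool": "pool-web", "protocol": "All",
         "allocatedOutboundPorts": 1020, "idleTimeoutInMinutes": 180},
    ],
}

if __name__ == "__main__":
    for label, lb in (("good", GOOD_LB), ("bad", BAD_LB)):
        print(label, lint_load_balancer(lb) or ["ok"])
```

The "good" definition produces no findings; the "bad" one is flagged four times: the shared frontend still has automatic SNAT enabled, the idle timeout is out of range, the port count is not a multiple of 8, and pool-api has had its automatic SNAT disabled with nothing to replace it. Running a check like this in a pipeline before `az deployment` catches the first three as Azure would, and catches the fourth, which Azure will happily deploy.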

Limitations

  • The maximum number of usable ephemeral ports per frontend IP address is 64,000.
  • The range of the configurable outbound idle timeout is 4 to 120 minutes (240 to 7200 seconds).
  • Load balancer doesn't support ICMP for outbound NAT.
  • Outbound rules can only be applied to the primary IP configuration of a NIC. You can't create an outbound rule for the secondary IP of a VM or NVA. Multiple NICs are supported.
  • All virtual machines within an availability set must be added to the backend pool for outbound connectivity.
  • All virtual machines within a virtual machine scale set must be added to the backend pool for outbound connectivity.

Next steps