快速入门:创建内部负载均衡器,使用 Terraform 对 VM 的内部流量进行负载均衡

本快速入门演示如何使用 Terraform 部署标准内部负载均衡器和两个虚拟机。 其他资源包括 Azure Bastion、NAT 网关、虚拟网络和所需的子网。

使用 Terraform 可以定义、预览和部署云基础结构。 使用 Terraform 时,请使用 HCL 语法来创建配置文件。 利用 HCL 语法,可指定 Azure 这样的云提供程序和构成云基础结构的元素。 创建配置文件后,请创建一个执行计划,利用该计划,可在部署基础结构更改之前先预览这些更改。 验证了更改后,请应用该执行计划以部署基础结构。

先决条件

实现 Terraform 代码

  1. 创建用于测试和运行示例 Terraform 代码的目录,并将其设为当前目录。

  2. 创建名为 providers.tf 的文件并插入下列代码:

    terraform {
      required_version = ">=0.12"
    
      required_providers {
        azapi = {
          source = "azure/azapi"
          version = "~>1.5"
        }
        azurerm = {
          source = "hashicorp/azurerm"
          version = "~>2.0"
        }
        random = {
          source = "hashicorp/random"
          version = "~>3.0"
        }
      }
    }
    
    provider "azurerm" {
      features {}
    }
    
  3. 创建名为 main.tf 的文件并插入下列代码:

    resource "random_string" "my_resource_group" {
      length  = 8
      upper   = false
     special = false
    }
    
    # Create Resource Group
    resource "azurerm_resource_group" "my_resource_group" {
     name     = "${var.public_ip_name}-${random_string.my_resource_group.result}"
     location = var.resource_group_location
    }
    
    # Create Virtual Network
    resource "azurerm_virtual_network" "my_virtual_network" {
      name = var.virtual_network_name
      address_space = ["10.0.0.0/16"]
      location = azurerm_resource_group.my_resource_group.location
      resource_group_name = azurerm_resource_group.my_resource_group.name
    }
    
    # Create a subnet in the Virtual Network
    resource "azurerm_subnet" "my_subnet" {
      name = var.subnet_name
      resource_group_name = azurerm_resource_group.my_resource_group.name
      virtual_network_name = azurerm_virtual_network.my_virtual_network.name
      address_prefixes = ["10.0.1.0/24"]
    }
    
    # Create a subnet named as "AzureBastionSubnet" in the Virtual Network for creating Azure Bastion
    resource "azurerm_subnet" "my_bastion_subnet" {
      name = "AzureBastionSubnet"
      resource_group_name = azurerm_resource_group.my_resource_group.name
      virtual_network_name = azurerm_virtual_network.my_virtual_network.name
      address_prefixes = ["10.0.2.0/24"]
    }
    
    # Create Network Security Group and rules
    resource "azurerm_network_security_group" "my_nsg" {
      name = var.network_security_group_name
      location = azurerm_resource_group.my_resource_group.location
      resource_group_name = azurerm_resource_group.my_resource_group.name
    
      security_rule {
        name = "ssh"
        priority = 1022
        direction = "Inbound"
        access = "Allow"
        protocol = "Tcp"
        source_port_range = "*"
        destination_port_range = "22"
        source_address_prefix = "*"
        destination_address_prefix = "10.0.1.0/24"
      }
    
      security_rule {
        name = "web"
        priority = 1080
        direction = "Inbound"
        access = "Allow"
        protocol = "Tcp"
        source_port_range = "*"
        destination_port_range = "80"
        source_address_prefix = "*"
        destination_address_prefix = "10.0.1.0/24"
      }
    }
    
    # Associate the Network Security Group to the subnet
    resource "azurerm_subnet_network_security_group_association" "my_nsg_association" {
      subnet_id = azurerm_subnet.my_subnet.id
      network_security_group_id = azurerm_network_security_group.my_nsg.id
    }
    
    # Create Public IPs
    resource "azurerm_public_ip" "my_public_ip" {
      count = 2
      name = "${var.public_ip_name}-${count.index}"
      location = azurerm_resource_group.my_resource_group.location
      resource_group_name = azurerm_resource_group.my_resource_group.name
      allocation_method = "Static"
      sku = "Standard"
    }
    
    # Create a NAT Gateway for outbound internet access of the Virtual Machines in the Backend Pool of the Load Balancer
    resource "azurerm_nat_gateway" "my_nat_gateway" {
      name = var.nat_gateway
      location = azurerm_resource_group.my_resource_group.location
      resource_group_name = azurerm_resource_group.my_resource_group.name
      sku_name = "Standard"
    }
    
    # Associate one of the Public IPs to the NAT Gateway
    resource "azurerm_nat_gateway_public_ip_association" "my_nat_gateway_ip_association" {
      nat_gateway_id = azurerm_nat_gateway.my_nat_gateway.id
      public_ip_address_id = azurerm_public_ip.my_public_ip[0].id
    }
    
    # Associate the NAT Gateway to subnet
    resource "azurerm_subnet_nat_gateway_association" "my_nat_gateway_subnet_association" {
      subnet_id = azurerm_subnet.my_subnet.id
      nat_gateway_id = azurerm_nat_gateway.my_nat_gateway.id
    }
    
    # Create Network Interfaces
    resource "azurerm_network_interface" "my_nic" {
      count = 3
      name = "${var.network_interface_name}-${count.index}"
      location = azurerm_resource_group.my_resource_group.location
      resource_group_name = azurerm_resource_group.my_resource_group.name
    
      ip_configuration {
        name = "ipconfig-${count.index}"
        subnet_id = azurerm_subnet.my_subnet.id
        private_ip_address_allocation = "Dynamic"
        primary = true
      }
    }
    
    # Create Azure Bastion for accessing the Virtual Machines
    resource "azurerm_bastion_host" "my_bastion" {
      name = var.bastion_name
      location = azurerm_resource_group.my_resource_group.location
      resource_group_name = azurerm_resource_group.my_resource_group.name
      sku = "Standard"
    
      ip_configuration {
        name = "ipconfig"
        subnet_id = azurerm_subnet.my_bastion_subnet.id
        public_ip_address_id = azurerm_public_ip.my_public_ip[1].id
      }
    }
    
    # Associate Network Interface to the Backend Pool of the Load Balancer
    resource "azurerm_network_interface_backend_address_pool_association" "my_nic_lb_pool" {
      count = 2
      network_interface_id = azurerm_network_interface.my_nic[count.index].id
      ip_configuration_name = "ipconfig-${count.index}"
      backend_address_pool_id = azurerm_lb_backend_address_pool.my_lb_pool.id
    }
    
    # Create Virtual Machine
    resource "azurerm_linux_virtual_machine" "my_vm" {
      count = 3
      name = "${var.virtual_machine_name}-${count.index}"
      location = azurerm_resource_group.my_resource_group.location
      resource_group_name = azurerm_resource_group.my_resource_group.name
      network_interface_ids = [azurerm_network_interface.my_nic[count.index].id]
      size = var.virtual_machine_size
    
      os_disk {
        name = "${var.disk_name}-${count.index}"
        caching = "ReadWrite"
        storage_account_type = var.redundancy_type
      }
    
      source_image_reference {
        publisher = "Canonical"
        offer = "0001-com-ubuntu-server-jammy"
        sku = "22_04-lts-gen2"
        version = "latest"
      }
    
      admin_username = var.username
      admin_password = var.password
      disable_password_authentication = false
    
    }
    
    # Enable virtual machine extension and install Nginx
    resource "azurerm_virtual_machine_extension" "my_vm_extension" {
      count = 2
      name = "Nginx"
      virtual_machine_id = azurerm_linux_virtual_machine.my_vm[count.index].id
      publisher = "Microsoft.Azure.Extensions"
      type = "CustomScript"
      type_handler_version = "2.0"
    
      settings = <<SETTINGS
     {
      "commandToExecute": "sudo apt-get update && sudo apt-get install nginx -y && echo \"Hello World from $(hostname)\" > /var/www/html/index.html && sudo systemctl restart nginx"
     }
    SETTINGS
    
    }
    
    # Create an Internal Load Balancer
    resource "azurerm_lb" "my_lb" {
      name = var.load_balancer_name
      location = azurerm_resource_group.my_resource_group.location
      resource_group_name = azurerm_resource_group.my_resource_group.name
      sku = "Standard"
    
      frontend_ip_configuration {
        name = "frontend-ip"
        subnet_id = azurerm_subnet.my_subnet.id
        private_ip_address_allocation = "Dynamic"
      }
    }
    
    resource "azurerm_lb_backend_address_pool" "my_lb_pool" {
      loadbalancer_id = azurerm_lb.my_lb.id
      name = "test-pool"
    }
    
    resource "azurerm_lb_probe" "my_lb_probe" {
      resource_group_name = azurerm_resource_group.my_resource_group.name
      loadbalancer_id = azurerm_lb.my_lb.id
      name = "test-probe"
      port = 80
    }
    
    resource "azurerm_lb_rule" "my_lb_rule" {
      resource_group_name = azurerm_resource_group.my_resource_group.name
      loadbalancer_id = azurerm_lb.my_lb.id
      name = "test-rule"
      protocol = "Tcp"
      frontend_port = 80
      backend_port = 80
      disable_outbound_snat = true
      frontend_ip_configuration_name = "frontend-ip"
      probe_id = azurerm_lb_probe.my_lb_probe.id
      backend_address_pool_ids = [azurerm_lb_backend_address_pool.my_lb_pool.id]
    }
    
  4. 创建名为 variables.tf 的文件并插入下列代码:

    variable "resource_group_location" {
      type = string
      default = "chinaeast"
      description = "Location of the resource group."
    }
    
    variable "resource_group_name" {
      type = string
      default = "test-group"
      description = "Name of the resource group."
    }
    
    variable "username" {
      type = string
      default = "microsoft"
      description = "The username for the local account that will be created on the new VM."
    }
    
    variable "password" {
      type = string
      default = "Microsoft@123"
      description = "The password for the local account that will be created on the new VM."
    }
    
    variable "virtual_network_name" {
      type = string
      default = "test-vnet"
      description = "Name of the Virtual Network."
    }
    
    variable "subnet_name" {
      type = string
      default = "test-subnet"
      description = "Name of the subnet."
    }
    
    variable public_ip_name {
      type = string
      default = "test-public-ip"
      description = "Name of the Public IP for the NAT Gateway."
    }
    
    variable "nat_gateway" {
      type = string
      default = "test-nat"
      description = "Name of the NAT gateway."
    }
    
    variable "bastion_name" {
      type = string
      default = "test-bastion"
      description = "Name of the Bastion."
    }
    
    variable network_security_group_name {
      type = string
      default = "test-nsg"
      description = "Name of the Network Security Group."
    }
    
    variable "network_interface_name" {
      type = string
      default = "test-nic"
      description = "Name of the Network Interface."  
    }
    
    variable "virtual_machine_name" {
      type = string
      default = "test-vm"
      description = "Name of the Virtual Machine."
    }
    
    variable "virtual_machine_size" {
      type = string
      default = "Standard_B2s"
      description = "Size or SKU of the Virtual Machine."
    }
    
    variable "disk_name" {
      type = string
      default = "test-disk"
      description = "Name of the OS disk of the Virtual Machine."
    }
    
    variable "redundancy_type" {
      type = string
      default = "Standard_LRS"
      description = "Storage redundancy type of the OS disk."
    }
    
    variable "load_balancer_name" {
      type = string
      default = "test-lb"
      description = "Name of the Load Balancer."
    }
    
  5. 创建名为 outputs.tf 的文件并插入下列代码:

    output "private_ip_address" {
      value = "http://${azurerm_lb.my_lb.private_ip_address}"
    }
    

初始化 Terraform

运行 terraform init,将 Terraform 部署进行初始化。 此命令将下载管理 Azure 资源所需的 Azure 提供程序。

terraform init -upgrade

要点:

  • 参数 -upgrade 可将必要的提供程序插件升级到符合配置版本约束的最新版本。

创建 Terraform 执行计划

运行 terraform plan 以创建执行计划。

terraform plan -out main.tfplan

要点:

  • terraform plan 命令将创建一个执行计划,但不会执行它。 它会确定创建配置文件中指定的配置需要执行哪些操作。 此模式允许你在对实际资源进行任何更改之前验证执行计划是否符合预期。
  • 使用可选 -out 参数可以为计划指定输出文件。 使用 -out 参数可以确保所查看的计划与所应用的计划完全一致。

应用 Terraform 执行计划

运行 terraform apply,将执行计划应用到云基础结构。

terraform apply main.tfplan

要点:

  • 示例 terraform apply 命令假设你先前运行了 terraform plan -out main.tfplan
  • 如果为 -out 参数指定了不同的文件名,请在对 terraform apply 的调用中使用该相同文件名。
  • 如果未使用 -out 参数,请调用不带任何参数的 terraform apply

验证结果

  1. 应用执行计划时,Terraform 会显示前端专用 IP 地址。 如果已清除屏幕,则可以使用以下 Terraform 命令检索该值:

    echo $(terraform output -raw private_ip_address)
    
  2. 使用 Bastion 登录到未与负载均衡器后端池关联的 VM。

  3. 运行 curl 命令,使用负载均衡器的前端专用 IP 地址访问 Nginx Web 服务器的自定义网页。

    curl http://<Frontend IP address>
    

清理资源

不再需要通过 Terraform 创建的资源时,请执行以下步骤:

  1. 运行 terraform plan 并指定 destroy 标志。

    terraform plan -destroy -out main.destroy.tfplan
    

    要点:

    • terraform plan 命令将创建一个执行计划,但不会执行它。 它会确定创建配置文件中指定的配置需要执行哪些操作。 此模式允许你在对实际资源进行任何更改之前验证执行计划是否符合预期。
    • 使用可选 -out 参数可以为计划指定输出文件。 使用 -out 参数可以确保所查看的计划与所应用的计划完全一致。
  2. 运行 terraform apply 以应用执行计划。

    terraform apply main.destroy.tfplan
    

Azure 上的 Terraform 故障排除

排查在 Azure 上使用 Terraform 时遇到的常见问题

后续步骤

在本快速入门中,请执行以下操作:

  • 已创建内部 Azure 负载均衡器

  • 已将 2 个 VM 连接到负载均衡器

  • 已配置负载均衡器流量规则、运行状况探测,然后测试了负载均衡器

若要详细了解 Azure 负载均衡器,请继续学习: