使用 Azure CLI 创建具有加速网络的 Linux 虚拟机Create a Linux virtual machine with Accelerated Networking using Azure CLI

01/18/2021

本教程介绍如何创建具有加速网络的 Linux 虚拟机 (VM)。In this tutorial, you learn how to create a Linux virtual machine (VM) with Accelerated Networking. 若要创建具有加速网络的 Windows VM，请参阅创建具有加速网络的 Windows VM。To create a Windows VM with Accelerated Networking, see Create a Windows VM with Accelerated Networking. 使用加速网络可以实现对 VM 的单根 I/O 虚拟化 (SR-IOV)，大幅提升其网络性能。Accelerated networking enables single root I/O virtualization (SR-IOV) to a VM, greatly improving its networking performance. 这种高性能路径会绕过数据路径中的主机，降低延迟、抖动，以及受支持 VM 类型上的最苛刻网络工作负荷的 CPU 利用率。This high-performance path bypasses the host from the datapath, reducing latency, jitter, and CPU utilization, for use with the most demanding network workloads on supported VM types. 下图显示了具有和没有加速网络的两个 VM 之间的通信：The following picture shows communication between two VMs with and without accelerated networking:

在不使用加速网络的情况下，传入和传出 VM 的所有网络流量必须遍历主机和虚拟交换机。Without accelerated networking, all networking traffic in and out of the VM must traverse the host and the virtual switch. 虚拟交换机针对网络流量实施所有策略，例如网络安全组、访问控制列表、隔离和其他网络虚拟化服务。The virtual switch provides all policy enforcement, such as network security groups, access control lists, isolation, and other network virtualized services to network traffic. 若要详细了解虚拟交换机，请阅读 Hyper-V 网络虚拟化和虚拟交换机一文。To learn more about virtual switches, read the Hyper-V network virtualization and virtual switch article.

在使用加速网络的情况下，流量将抵达虚拟机的网络接口 (NIC)，然后转发到 VM。With accelerated networking, network traffic arrives at the virtual machine's network interface (NIC), and is then forwarded to the VM. 由虚拟交换机应用的所有网络策略现在都会卸载，并在硬件中应用。All network policies that the virtual switch applies are now offloaded and applied in hardware. 由于在硬件中应用策略，NIC 可以绕过主机和虚拟交换机将网络流量直接转发到 VM，同时保留它在主机中应用的所有策略。Applying policy in hardware enables the NIC to forward network traffic directly to the VM, bypassing the host and the virtual switch, while maintaining all the policy it applied in the host.

加速网络的优势仅适用于已启用该功能的 VM。The benefits of accelerated networking only apply to the VM that it is enabled on. 为获得最佳效果，最好是在连接到同一个 Azure 虚拟网络 (VNet) 的最少两个 VM 上启用此功能。For the best results, it is ideal to enable this feature on at least two VMs connected to the same Azure virtual network (VNet). 跨 VNet 通信或者在本地连接时，此功能对总体延迟的影响极小。When communicating across VNets or connecting on-premises, this feature has minimal impact to overall latency.

优点Benefits

更低的延迟/更高的每秒数据包数 (pps)： 从数据路径中去除虚拟交换机可以消除数据包在主机中进行策略处理所花费的时间，同时增大了 VM 中可处理的数据包数。Lower Latency / Higher packets per second (pps): Removing the virtual switch from the datapath removes the time packets spend in the host for policy processing and increases the number of packets that can be processed inside the VM.
减少抖动： 虚拟交换机处理取决于需要应用的策略数量，以及正在执行处理的 CPU 工作负荷。Reduced jitter: Virtual switch processing depends on the amount of policy that needs to be applied and the workload of the CPU that is doing the processing. 将策略实施卸载到硬件消除了这种可变性，因为可以将数据包直接传送到 VM，省去了主机与 VM 之间的通信，以及所有的软件中断和上下文切换。Offloading the policy enforcement to the hardware removes that variability by delivering packets directly to the VM, removing the host to VM communication and all software interrupts and context switches.
降低了 CPU 利用率： 绕过主机中的虚拟交换机可以减少用于处理流量的 CPU 资源。Decreased CPU utilization: Bypassing the virtual switch in the host leads to less CPU utilization for processing network traffic.

支持的操作系统Supported operating systems

从 Azure 库即可支持以下分发：The following distributions are supported out of the box from the Azure Gallery:

具有 linux-azure 内核的 Ubuntu 14.04Ubuntu 14.04 with the linux-azure kernel
Ubuntu 16.04 或更高版本Ubuntu 16.04 or later
SLES12 SP3 或更高版本SLES12 SP3 or later
CentOS 7.4 或更高版本CentOS 7.4 or later
CoreOS LinuxCoreOS Linux
Debian“Stretch”（backport 内核）、Debian“Buster”或更高版本Debian "Stretch" with backports kernel, Debian "Buster" or later
FreeBSD 10.4, 11.1 & 12.0 或更高版本FreeBSD 10.4, 11.1 & 12.0 or later

限制和约束Limitations and Constraints

支持的 VM 实例Supported VM instances

大多数常规用途实例以及具有 2 个或更多 vCPU 的计算优化实例都支持加速网络。Accelerated Networking is supported on most general purpose and compute-optimized instance sizes with 2 or more vCPUs. 这些受支持的系列包括：D/DSv2 和 F/FsThese supported series are: D/DSv2 and F/Fs

在支持超线程的实例上，具有 4 个或更多 vCPU 的 VM 实例支持加速网络。On instances that support hyperthreading, Accelerated Networking is supported on VM instances with 4 or more vCPUs. 受支持的系列包括：D/Dsv3、D/Dsv4、Dd/Ddv4、E/Esv3、E/Esv4、Edsv4、Fsv2 和 Ms/Mms。Supported series are: D/Dsv3, D/Dsv4, Dd/Ddv4, E/Esv3, E/Esv4, Edsv4, Fsv2, and Ms/Mms.

有关 VM 实例的详细信息，请参阅Linux VM 大小。For more information on VM instances, see Linux VM sizes.

自定义映像Custom Images

如果你使用的是自定义映像，并且映像支持加速网络，请确保在 Azure 上使用 Mellanox ConnectX-3 和 ConnectX-4 Lx NICs 所需的驱动程序。If you are using a custom image, and your image supports Accelerated Networking, please make sure to have the required drivers to work with Mellanox ConnectX-3 and ConnectX-4 Lx NICs on Azure.

区域Regions

在所有公共 Azure 区域和 Azure 中国云中均可用。Available in all public Azure regions as well as Azure China Cloud Clouds.

在正在运行的 VM 上启用加速网络Enabling Accelerated Networking on a running VM

未启用加速网络的受支持 VM 大小只有在停止和解除分配时才能启用该功能。A supported VM size without accelerated networking enabled can only have the feature enabled when it is stopped and deallocated.

通过 Azure 资源管理器部署Deployment through Azure Resource Manager

虚拟机（经典）无法部署加速网络。Virtual machines (classic) cannot be deployed with Accelerated Networking.

创建具有 Azure 加速网络的 Linux VMCreate a Linux VM with Azure Accelerated Networking

在门户中创建Portal creation

尽管本文提供了使用 Azure CLI 创建具有加速网络的虚拟机的步骤，但也可以使用 Azure 门户创建具有加速网络的虚拟机。Though this article provides steps to create a virtual machine with accelerated networking using the Azure CLI, you can also create a virtual machine with accelerated networking using the Azure portal. 在门户中创建虚拟机时，在“创建虚拟机”边栏选项卡中，选择“网络”选项卡。在此选项卡中，有“加速网络”的选项。When creating a virtual machine in the portal, in the Create a virtual machine blade, choose the Networking tab. In this tab, there is an option for Accelerated networking. 如果已选择支持的操作系统和 VM 大小，此选项将自动填充为“打开”。If you have chosen a supported operating system and VM size, this option will automatically populate to "On." 如果没有选择，它将填充加速网络的“关闭”选项，并为用户提供未启用它的原因。If not, it will populate the "Off" option for Accelerated Networking and give the user a reason why it is not be enabled.

注意： 只有受支持的操作系统才能通过门户启用。Note: Only supported operating systems can be enabled through the portal. 如果你使用的是自定义映像，并且该映像支持加速网络，请使用 CLI 或 PowerShell 创建 VM。If you are using a custom image, and your image supports Accelerated Networking, please create your VM using CLI or PowerShell.

创建虚拟机后，可以按照确认已启用加速网络中的说明确认已启用加速网络。After the virtual machine is created, you can confirm Accelerated Networking is enabled by following the instructions in the Confirm that accelerated networking is enabled.

CLI 创建CLI creation

创建虚拟网络Create a virtual network

安装最新的 Azure CLI 并使用 az login 登录到 Azure 帐户。Install the latest Azure CLI and log in to an Azure account using az login. 在以下示例中，请将示例参数名称替换成自己的值。In the following examples, replace example parameter names with your own values. 参数名称示例包括 myResourceGroup、myNic 和 myVm。 Example parameter names included myResourceGroup, myNic, and myVm.

使用 az group create 创建资源组。Create a resource group with az group create. 以下示例在“chinaeast”位置创建名为“myResourceGroup”的资源组：The following example creates a resource group named myResourceGroup in the chinaeast location:

az group create --name myResourceGroup --location chinaeast

使用 az network vnet create 创建虚拟网络。Create a virtual network with az network vnet create. 以下示例创建名为 myVnet 且具有一个子网的虚拟网络：The following example creates a virtual network named myVnet with one subnet:

az network vnet create \
    --resource-group myResourceGroup \
    --name myVnet \
    --address-prefix 192.168.0.0/16 \
    --subnet-name mySubnet \
    --subnet-prefix 192.168.1.0/24

创建网络安全组Create a network security group

使用 az network nsg create 创建网络安全组。Create a network security group with az network nsg create. 以下示例创建名为“myNetworkSecurityGroup”的网络安全组：The following example creates a network security group named myNetworkSecurityGroup:

az network nsg create \
    --resource-group myResourceGroup \
    --name myNetworkSecurityGroup

网络安全组包含多个默认规则，其中一个规则禁用了来自 Internet 的所有入站访问。The network security group contains several default rules, one of which disables all inbound access from the Internet. 打开端口，以允许使用 az network nsg rule create 对虚拟机进行 SSH 访问：Open a port to allow SSH access to the virtual machine with az network nsg rule create:

az network nsg rule create \
  --resource-group myResourceGroup \
  --nsg-name myNetworkSecurityGroup \
  --name Allow-SSH-Internet \
  --access Allow \
  --protocol Tcp \
  --direction Inbound \
  --priority 100 \
  --source-address-prefix Internet \
  --source-port-range "*" \
  --destination-address-prefix "*" \
  --destination-port-range 22

创建具有加速网络的网络接口Create a network interface with accelerated networking

使用 az network public-ip create 创建公共 IP 地址。Create a public IP address with az network public-ip create. 如果不打算从 Internet 访问虚拟机，则不需要公共 IP 地址，但必须完成本文中的步骤。A public IP address isn't required if you don't plan to access the virtual machine from the Internet, but to complete the steps in this article, it is required.

az network public-ip create \
    --name myPublicIp \
    --resource-group myResourceGroup

使用 az network nic create 创建启用加速网络的网络接口。Create a network interface with az network nic create with accelerated networking enabled. 以下示例在 myVnet 虚拟网络的 mySubnet 子网中创建名为 myNic 的网络接口，并将 myNetworkSecurityGroup 网络安全组关联到该网络接口： The following example creates a network interface named myNic in the mySubnet subnet of the myVnet virtual network and associates the myNetworkSecurityGroup network security group to the network interface:

az network nic create \
    --resource-group myResourceGroup \
    --name myNic \
    --vnet-name myVnet \
    --subnet mySubnet \
    --accelerated-networking true \
    --public-ip-address myPublicIp \
    --network-security-group myNetworkSecurityGroup

创建 VM 并附加 NICCreate a VM and attach the NIC

创建 VM 时，指定使用 --nics 创建的 NIC。When you create the VM, specify the NIC you created with --nics. 选择 Linux 加速网络中列出的大小和分发版本。Select a size and distribution listed in Linux accelerated networking.

使用 az vm create 创建 VM。Create a VM with az vm create. 以下示例创建名为 myVM 的 VM，其具有 UbuntuLTS 映像，并且大小支持加速网络 (Standard_DS4_v2) ：The following example creates a VM named myVM with the UbuntuLTS image and a size that supports Accelerated Networking (Standard_DS4_v2):

az vm create \
    --resource-group myResourceGroup \
    --name myVM \
    --image UbuntuLTS \
    --size Standard_DS4_v2 \
    --admin-username azureuser \
    --generate-ssh-keys \
    --nics myNic

若要获取所有 VM 大小和特性列表，请参阅 Linux VM 大小。For a list of all VM sizes and characteristics, see Linux VM sizes.

创建 VM 后，将返回以下类似输出。Once the VM is created, output similar to the following example output is returned. 记下 publicIpAddress。Take note of the publicIpAddress. 在后续步骤中，将使用此地址访问 VM。This address is used to access the VM in subsequent steps.

{
  "fqdns": "",
  "id": "/subscriptions/<ID>/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM",
  "location": "chinaeast",
  "macAddress": "00-0D-3A-23-9A-49",
  "powerState": "VM running",
  "privateIpAddress": "192.168.0.4",
  "publicIpAddress": "40.68.254.142",
  "resourceGroup": "myResourceGroup"
}

确认已启用加速网络Confirm that accelerated networking is enabled

使用以下命令来与 VM 建立 SSH 会话。Use the following command to create an SSH session with the VM. 将 <your-public-ip-address> 替换为分配给所创建虚拟机的公共 IP 地址，并替换 azureuser（如果在创建 VM 时使用了 --admin-username 以外的值）。Replace <your-public-ip-address> with the public IP address assigned to the virtual machine you created, and replace azureuser if you used a different value for --admin-username when you created the VM.

ssh azureuser@<your-public-ip-address>

从 Bash shell 中，输入 uname -r 并确认内核版本为以下版本之一或更高版本：From the Bash shell, enter uname -r and confirm that the kernel version is one of the following versions, or greater:

Ubuntu 16.04：4.11.0-1013Ubuntu 16.04: 4.11.0-1013
SLES SP3：4.4.92-6.18SLES SP3: 4.4.92-6.18
CentOS:7.4.20171206CentOS: 7.4.20171206

使用 lspci 命令确认向 VM 公开了 Mellanox VF 设备。Confirm the Mellanox VF device is exposed to the VM with the lspci command. 返回的输出与以下输出类似：The returned output is similar to the following output:

0000:00:00.0 Host bridge: Intel Corporation 440BX/ZX/DX - 82443BX/ZX/DX Host bridge (AGP disabled) (rev 03)
0000:00:07.0 ISA bridge: Intel Corporation 82371AB/EB/MB PIIX4 ISA (rev 01)
0000:00:07.1 IDE interface: Intel Corporation 82371AB/EB/MB PIIX4 IDE (rev 01)
0000:00:07.3 Bridge: Intel Corporation 82371AB/EB/MB PIIX4 ACPI (rev 02)
0000:00:08.0 VGA compatible controller: Microsoft Corporation Hyper-V virtual VGA
0001:00:02.0 Ethernet controller: Mellanox Technologies MT27500/MT27520 Family [ConnectX-3/ConnectX-3 Pro Virtual Function]

使用 ethtool -S eth0 | grep vf_ 命令检查 VF（虚拟函数）的活动。Check for activity on the VF (virtual function) with the ethtool -S eth0 | grep vf_ command. 如果获得的输出类似以下示例，则表示加速网络已启用并正常工作。If you receive output similar to the following sample output, accelerated networking is enabled and working.

vf_rx_packets: 992956
vf_rx_bytes: 2749784180
vf_tx_packets: 2656684
vf_tx_bytes: 1099443970
vf_tx_dropped: 0

现在已为 VM 启用加速网络。Accelerated Networking is now enabled for your VM.

处理虚拟函数的动态绑定和吊销Handle dynamic binding and revocation of virtual function

应用程序必须通过 VM 中公开的合成 NIC 运行。Applications must run over the synthetic NIC that is exposed in VM. 如果应用程序直接通过 VF NIC 运行，它不会收到发往 VM 的所有包，因为一些包通过合成接口显示。If the application runs directly over the VF NIC, it doesn't receive all packets that are destined to the VM, since some packets show up over the synthetic interface. 如果通过合成 NIC 运行应用程序，它保证应用程序收到发往它的所有数据包。If you run an application over the synthetic NIC, it guarantees that the application receives all packets that are destined to it. 它还可以确保应用程序保持运行，即使在为主机提供服务时 VF 已吊销也是如此。It also makes sure that the application keeps running, even if the VF is revoked when the host is being serviced. 对于利用 加速网络 的所有应用程序，绑定到合成 NIC 的应用程序是 强制性 要求。Applications binding to the synthetic NIC is a mandatory requirement for all applications taking advantage of Accelerated Networking.

在现有 VM 上启用加速网络Enable Accelerated Networking on existing VMs

如果创建的 VM 没有加速网络，则可在现有 VM 上启用此功能。If you have created a VM without Accelerated Networking, it is possible to enable this feature on an existing VM. VM 必须支持加速网络，前提是满足以下先决条件（上文亦有列出）：The VM must support Accelerated Networking by meeting the following prerequisites that are also outlined above:

VM 必须是加速网络支持的大小The VM must be a supported size for Accelerated Networking
VM 必须是受支持的 Azure 库映像（以及适用于 Linux 的内核版本）The VM must be a supported Azure Gallery image (and kernel version for Linux)
在任何 NIC 上启用加速网络前，必须停止/解除分配可用性集或 VMSS 中的所有 VMAll VMs in an availability set or VMSS must be stopped/deallocated before enabling Accelerated Networking on any NIC

单个 VM 与可用性集中的 VMIndividual VMs & VMs in an availability set

首先停止/解除分配 VM，或集合中的所有 VM（如果是可用性集）：First stop/deallocate the VM or, if an Availability Set, all the VMs in the Set:

az vm deallocate \
    --resource-group myResourceGroup \
    --name myVM

请务必注意，如果 VM 是单独创建的并且没有可用性集，则只需停止/解除分配单个 VM 即可启用加速网络。Important, please note, if your VM was created individually, without an availability set, you only need to stop/deallocate the individual VM to enable Accelerated Networking. 如果 VM 是随可用性集创建的，则在任何 NIC 上启用加速网络前，必须停止/解除分配可用性集中包含的所有 VM。If your VM was created with an availability set, all VMs contained in the availability set will need to be stopped/deallocated before enabling Accelerated Networking on any of the NICs.

一旦停止，即可在 VM 的 NIC 上启用加速网络：Once stopped, enable Accelerated Networking on the NIC of your VM:

az network nic update \
    --name myNic \
    --resource-group myResourceGroup \
    --accelerated-networking true

重启 VM，或集合中的所有 VM（如果在可用性集中），并确认已启用加速网络：Restart your VM or, if in an Availability Set, all the VMs in the Set and confirm that Accelerated Networking is enabled:

az vm start --resource-group myResourceGroup \
    --name myVM

VMSSVMSS

VMSS 略有不同，但遵循相同的工作流。VMSS is slightly different but follows the same workflow. 首先，停止 VM：First, stop the VMs:

az vmss deallocate \
    --name myvmss \
    --resource-group myrg

VM 停止后，更新网络接口下的加速网络属性：Once the VMs are stopped, update the Accelerated Networking property under the network interface:

az vmss update --name myvmss \
    --resource-group myrg \
    --set virtualMachineProfile.networkProfile.networkInterfaceConfigurations[0].enableAcceleratedNetworking=true

请注意，VMSS 的 VM 升级功能可使用三种不同的设置（自动、滚动和手动）应用更新。Please note, a VMSS has VM upgrades that apply updates using three different settings, automatic, rolling and manual. 在这些说明中，策略设置为自动，以便 VMSS 在可重启后立即收到更改。In these instructions the policy is set to automatic so that the VMSS will pick up the changes immediately after restarting. 若要将其设置为自动以便立即收到更改，请执行以下操作：To set it to automatic so that the changes are immediately picked up:

az vmss update \
    --name myvmss \
    --resource-group myrg \
    --set upgradePolicy.mode="automatic"

最后，重启 VMSS：Finally, restart the VMSS:

az vmss start \
    --name myvmss \
    --resource-group myrg

请在重启后等待升级完成，但一旦完成，VF 将在 VM 内部出现。Once you restart, wait for the upgrades to finish but once completed, the VF will appear inside the VM. （请确保使用的是支持的操作系统和 VM 大小。）(Please make sure you are using a supported OS and VM size.)

调整具有加速网络的现有 VM 的大小Resizing existing VMs with Accelerated Networking

启用加速网络的 VM 只能调整为支持加速网络的 VM 的大小。VMs with Accelerated Networking enabled can only be resized to VMs that support Accelerated Networking.

启用加速网络的 VM 不能使用调整大小操作调整为不支持加速网络的 VM 实例的大小。A VM with Accelerated Networking enabled cannot be resized to a VM instance that does not support Accelerated Networking using the resize operation. 相反，若要调整其中一个 VM 的大小，请执行以下操作：Instead, to resize one of these VMs:

停止/解除分配 VM，或如果在可用性集/VMSS 中，则停止/解除分配集合/VMSS 中的所有 VM。Stop/Deallocate the VM or if in an availability set/VMSS, stop/deallocate all the VMs in the set/VMSS.
必须在 VM 的 NIC 上禁用加速网络，或者如果在可用性集/VMSS 中，则必须在集合/VMSS 中的所有 VM 上禁用。Accelerated Networking must be disabled on the NIC of the VM or if in an availability set/VMSS, all VMs in the set/VMSS.
一旦加速网络被禁用，VM/可用性集/VMSS 即可移至不支持加速网络的新大小并重启。Once Accelerated Networking is disabled, the VM/availability set/VMSS can be moved to a new size that does not support Accelerated Networking and restarted.