Designing virtual networks with NAT gateway resources

NAT gateway resources are part of Virtual Network NAT and provide outbound Internet connectivity for one or more subnets of a virtual network. The subnet of the virtual network states which NAT gateway will be used. NAT provides source network address translation (SNAT) for a subnet. NAT gateway resources specify which static IP addresses virtual machines use when creating outbound flows. Static IP addresses come from public IP address resources (PIP), public IP prefix resources, or both. If a public IP prefix resource is used, all IP addresses of the entire public IP prefix resource are consumed by the NAT gateway resource. A NAT gateway resource can use a total of up to 16 static IP addresses from either kind of resource.

Figure depicts a NAT gateway resource that consumes all IP addresses for a public IP prefix and directs that traffic to and from two subnets of virtual machines and a virtual machine scale set.

Figure: Virtual Network NAT for outbound to Internet

How to deploy NAT

Configuring and using a NAT gateway is intentionally made simple:

NAT gateway resource:

  • Create a regional or zonal (zone-isolated) NAT gateway resource,
  • Assign IP addresses,
  • If necessary, modify the TCP idle timeout (optional). Review the timers before you change the default.

Virtual network:

  • Configure the virtual network subnet to use a NAT gateway.

User-defined routes aren't necessary.

Resource

The resource is designed to be simple, as you can see from the following Azure Resource Manager example in a template-like format. This template-like format is shown here to illustrate the concepts and structure. Modify the example for your needs. This document isn't intended as a tutorial.

The following diagram shows the writeable references between the different Azure Resource Manager resources. The arrow indicates the direction of the reference, originating from where it's writeable.

Figure depicts a NAT receiving traffic from internal subnets and directing it to a public IP and an IP prefix.

Figure: Virtual Network NAT object model

NAT is recommended for most workloads unless you have a specific dependency on pool-based Load Balancer outbound connectivity.

You can migrate from standard load balancer scenarios, including outbound rules, to NAT gateway. To migrate, move the public IP and public IP prefix resources from the load balancer frontends to the NAT gateway. New IP addresses for the NAT gateway aren't required. Standard public IP address resources and public IP prefix resources can be reused as long as the total doesn't exceed 16 IP addresses. Plan for migration with service interruption in mind during the transition. You can minimize the interruption by automating the process. Test the migration in a staging environment first. During the transition, inbound originated flows aren't affected.

The following example is a snippet from an Azure Resource Manager template. This template deploys several resources, including a NAT gateway. In this example, the template has the following parameters:

  • natgatewayname - Name of the NAT gateway.
  • location - Azure region where the resource is located.
  • publicipname - Name of the outbound public IP associated with the NAT gateway.
  • vnetname - Name of the virtual network.
  • subnetname - Name of the subnet associated with the NAT gateway.

The total number of IP addresses provided by all IP address and prefix resources can't exceed 16. Any number of IP addresses between 1 and 16 is allowed.

{
  "type": "Microsoft.Network/natGateways",
  "apiVersion": "2019-11-01",
  "name": "[parameters('natgatewayname')]",
  "location": "[parameters('location')]",
  "dependsOn": [
    "[resourceId('Microsoft.Network/publicIPAddresses', variables('publicipname'))]"
  ],
  "sku": {
    "name": "Standard"
  },
  "properties": {
    "idleTimeoutInMinutes": 4,
    "publicIpAddresses": "[if(not(empty(parameters('publicipdns'))), variables('publicIpAddresses'), json('null'))]"
  }
},

When the NAT gateway resource has been created, it can be used on one or more subnets of a virtual network. Specify which subnets use this NAT gateway resource. A NAT gateway isn't able to span more than one virtual network. It isn't required to assign the same NAT gateway to all subnets of a virtual network. Individual subnets can be configured with different NAT gateway resources.

Scenarios that don't use availability zones will be regional (no zone specified).

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "vnetname": {
      "defaultValue": "myVnet",
      "type": "String",
      "metadata": {
        "description": "Name of the virtual network"
      }
    },
    "subnetname": {
      "defaultValue": "mySubnet",
      "type": "String",
      "metadata": {
        "description": "Name of the subnet for virtual network"
      }
    },
    "vnetaddressspace": {
      "defaultValue": "192.168.0.0/16",
      "type": "String",
      "metadata": {
        "description": "Address space for virtual network"
      }
    },
    "vnetsubnetprefix": {
      "defaultValue": "192.168.0.0/24",
      "type": "String",
      "metadata": {
        "description": "Subnet prefix for virtual network"
      }
    },
    "natgatewayname": {
      "defaultValue": "myNATgateway",
      "type": "String",
      "metadata": {
        "description": "Name of the NAT gateway resource"
      }
    },
    "publicipdns": {
      "defaultValue": "[concat('gw-', uniqueString(resourceGroup().id))]",
      "type": "String",
      "metadata": {
        "description": "dns of the public ip address, leave blank for no dns"
      }
    },
    "location": {
      "defaultValue": "[resourceGroup().location]",
      "type": "String",
      "metadata": {
        "description": "Location of resources"
      }
    }
  },
  "variables": {
    "publicIpName": "[concat(parameters('natgatewayname'), 'ip')]",
    "publicIpAddresses": [
      {
        "id": "[resourceId('Microsoft.Network/publicIPAddresses', variables('publicipname'))]"
      }
    ]
  },
  "resources": [
    {
      "type": "Microsoft.Network/publicIPAddresses",
      "apiVersion": "2019-11-01",
      "name": "[variables('publicIpName')]",
      "location": "[parameters('location')]",
      "sku": {
        "name": "Standard"
      },
      "properties": {
        "publicIPAddressVersion": "IPv4",
        "publicIPAllocationMethod": "Static",
        "idleTimeoutInMinutes": 4,
        "dnsSettings": {
          "domainNameLabel": "[parameters('publicipdns')]"
        }
      }
    },
    {
      "type": "Microsoft.Network/natGateways",
      "apiVersion": "2019-11-01",
      "name": "[parameters('natgatewayname')]",
      "location": "[parameters('location')]",
      "dependsOn": [
        "[resourceId('Microsoft.Network/publicIPAddresses', variables('publicipname'))]"
      ],
      "sku": {
        "name": "Standard"
      },
      "properties": {
        "idleTimeoutInMinutes": 4,
        "publicIpAddresses": "[if(not(empty(parameters('publicipdns'))), variables('publicIpAddresses'), json('null'))]"
      }
    },
    {
      "type": "Microsoft.Network/virtualNetworks",
      "apiVersion": "2019-11-01",
      "name": "[parameters('vnetname')]",
      "location": "[parameters('location')]",
      "dependsOn": [
        "[resourceId('Microsoft.Network/natGateways', parameters('natgatewayname'))]"
      ],
      "properties": {
        "addressSpace": {
          "addressPrefixes": [
            "[parameters('vnetaddressspace')]"
          ]
        },
        "subnets": [
          {
            "name": "[parameters('subnetname')]",
            "properties": {
              "addressPrefix": "[parameters('vnetsubnetprefix')]",
              "natGateway": {
                "id": "[resourceId('Microsoft.Network/natGateways', parameters('natgatewayname'))]"
              },
              "privateEndpointNetworkPolicies": "Enabled",
              "privateLinkServiceNetworkPolicies": "Enabled"
            }
          }
        ],
        "enableDdosProtection": false,
        "enableVmProtection": false
      }
    },
    {
      "type": "Microsoft.Network/virtualNetworks/subnets",
      "apiVersion": "2019-11-01",
      "name": "[concat(parameters('vnetname'), '/', parameters('subnetname'))]",
      "dependsOn": [
        "[resourceId('Microsoft.Network/virtualNetworks', parameters('vnetname'))]",
        "[resourceId('Microsoft.Network/natGateways', parameters('natgatewayname'))]"
      ],
      "properties": {
        "addressPrefix": "[parameters('vnetsubnetprefix')]",
        "natGateway": {
          "id": "[resourceId('Microsoft.Network/natGateways', parameters('natgatewayname'))]"
        },
        "privateEndpointNetworkPolicies": "Enabled",
        "privateLinkServiceNetworkPolicies": "Enabled"
      }
    }
  ]
}

NAT gateways are defined with a property on a subnet within a virtual network. Flows created by virtual machines on subnet subnetname of virtual network vnetname will use the NAT gateway. All outbound connectivity will use the IP addresses associated with natgatewayname as the source IP address.
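The template above is only useful if its pieces line up: Standard SKUs everywhere, a static public IP or prefix actually attached, at most 16 addresses in total, an idle timeout inside the 4 to 120 minute range, and every subnet's natGateway reference pointing at a gateway that exists. The following script is an added example, not part of the page or of any Azure tooling; it runs those checks over a rendered template (ARM expressions already resolved, as the portal's "export template" view shows them). The SAMPLE_TEMPLATE dict, the placeholder subscription and resource group in the resource ids, and the variant helper are all constructed for the example.

```python
"""Static checks on a rendered (expression-free) ARM template that deploys a NAT gateway."""
import copy

MAX_NAT_IPS = 16            # a NAT gateway may use at most 16 public IP addresses (page)
IDLE_MIN_MINUTES = 4        # default and minimum TCP idle timeout (page)
IDLE_MAX_MINUTES = 120      # maximum TCP idle timeout (page)

# Constructed sample with expressions already resolved; resource ids use a placeholder
# subscription/resource group. Two subnets: one attached to the gateway, one not.
_ID = "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Network/"
SAMPLE_TEMPLATE = {
    "resources": [
        {"type": "Microsoft.Network/publicIPAddresses", "name": "gw-ip",
         "sku": {"name": "Standard"},
         "properties": {"publicIPAllocationMethod": "Static"}},
        {"type": "Microsoft.Network/publicIPPrefixes", "name": "gw-prefix",
         "sku": {"name": "Standard"}, "properties": {"prefixLength": 30}},
        {"type": "Microsoft.Network/natGateways", "name": "myNATgateway",
         "sku": {"name": "Standard"},
         "properties": {"idleTimeoutInMinutes": 4,
                        "publicIpAddresses": [{"id": _ID + "publicIPAddresses/gw-ip"}],
                        "publicIpPrefixes": [{"id": _ID + "publicIPPrefixes/gw-prefix"}]}},
        {"type": "Microsoft.Network/virtualNetworks", "name": "myVnet",
         "properties": {"subnets": [
             {"name": "mySubnet",
              "properties": {"addressPrefix": "192.168.0.0/24",
                             "natGateway": {"id": _ID + "natGateways/myNATgateway"}}},
             {"name": "basicSubnet",
              "properties": {"addressPrefix": "192.168.1.0/24"}}]}},
    ]
}


def _by_type(template, rtype):
    return {r["name"]: r for r in template.get("resources", [])
            if r["type"].lower() == rtype.lower()}


def _leaf(resource_id):
    """Last path segment of an ARM resource id, i.e. the resource name."""
    return resource_id.rstrip("/").rsplit("/", 1)[-1]


def nat_ip_counts(template):
    """Public IP addresses each NAT gateway will consume (a prefix is consumed in full)."""
    pips = _by_type(template, "Microsoft.Network/publicIPAddresses")
    prefixes = _by_type(template, "Microsoft.Network/publicIPPrefixes")
    counts = {}
    for name, nat in _by_type(template, "Microsoft.Network/natGateways").items():
        props = nat.get("properties", {})
        total = sum(1 for r in props.get("publicIpAddresses") or [] if _leaf(r["id"]) in pips)
        for r in props.get("publicIpPrefixes") or []:
            pfx = prefixes.get(_leaf(r["id"]))
            if pfx:
                total += 2 ** (32 - pfx["properties"]["prefixLength"])
        counts[name] = total
    return counts


def check_nat_template(template):
    """Return a list of findings; an empty list means the template passes."""
    findings = []
    pips = _by_type(template, "Microsoft.Network/publicIPAddresses")
    prefixes = _by_type(template, "Microsoft.Network/publicIPPrefixes")
    nats = _by_type(template, "Microsoft.Network/natGateways")
    counts = nat_ip_counts(template)
    for name, nat in nats.items():
        props = nat.get("properties", {})
        if nat.get("sku", {}).get("name") != "Standard":
            findings.append(f"{name}: NAT gateway SKU must be Standard")
        idle = props.get("idleTimeoutInMinutes", IDLE_MIN_MINUTES)
        if not IDLE_MIN_MINUTES <= idle <= IDLE_MAX_MINUTES:
            findings.append(f"{name}: idleTimeoutInMinutes {idle} is outside "
                            f"{IDLE_MIN_MINUTES}..{IDLE_MAX_MINUTES}")
        elif idle > IDLE_MIN_MINUTES:
            findings.append(f"{name}: idle timeout raised to {idle} min; "
                            "longer timers hold SNAT ports longer")
        for ref in props.get("publicIpAddresses") or []:
            pip = pips.get(_leaf(ref["id"]))
            if pip is None:
                findings.append(f"{name}: references unknown public IP {ref['id']}")
            elif (pip.get("sku", {}).get("name") != "Standard"
                  or pip.get("properties", {}).get("publicIPAllocationMethod") != "Static"):
                findings.append(f"{name}: public IP {pip['name']} must be Standard SKU and Static")
        for ref in props.get("publicIpPrefixes") or []:
            if _leaf(ref["id"]) not in prefixes:
                findings.append(f"{name}: references unknown public IP prefix {ref['id']}")
        if counts[name] == 0:
            findings.append(f"{name}: no public IP address or prefix attached")
        elif counts[name] > MAX_NAT_IPS:
            findings.append(f"{name}: {counts[name]} addresses exceeds the limit of {MAX_NAT_IPS}")
    for vnet in _by_type(template, "Microsoft.Network/virtualNetworks").values():
        for subnet in vnet.get("properties", {}).get("subnets", []):
            ref = subnet.get("properties", {}).get("natGateway")
            if ref and _leaf(ref["id"]) not in nats:
                findings.append(f"subnet {subnet['name']}: natGateway {ref['id']} "
                                "is not defined in this template")
    return findings


def variant(template, resource_name, changes):
    """Deep-copy the template and apply {'dotted.path': value} edits to one resource."""
    t = copy.deepcopy(template)
    target = next(r for r in t["resources"] if r["name"] == resource_name)
    for path, value in changes.items():
        node = target
        *parents, last = path.split(".")
        for key in parents:
            node = node.setdefault(key, {})
        node[last] = value
    return t
```

The sample passes cleanly and counts 5 addresses (one public IP plus a /30 prefix). Widening the prefix to a /27 pushes the count to 33 and trips the 16-address limit, which is the mistake to catch before deployment, since a prefix cannot be partially attached.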

For more information on the Azure Resource Manager template used in this example, see:

Design Guidance

Review this section to familiarize yourself with considerations for designing virtual networks with NAT.

  1. Cost optimization
  2. Coexistence of inbound and outbound
  3. Managing Basic resources

Cost optimization

Service endpoints are an option to consider for optimizing cost. NAT isn't needed for these services. Traffic directed to service endpoints or Private Link is not processed by the virtual network's NAT.

Service endpoints tie Azure service resources to your virtual network and control access to your Azure service resources. For example, when you access Azure Storage, use a service endpoint for storage to avoid NAT data processing charges. Service endpoints are free.

Coexistence of inbound and outbound

NAT gateway is compatible with:

  • Standard load balancer
  • Standard public IP
  • Standard public IP prefix

When developing a new deployment, start with Standard SKUs.

Figure depicts a NAT gateway that supports outbound traffic to the internet from a virtual network.

Figure: Virtual Network NAT for outbound to Internet

The Internet outbound only scenario provided by NAT gateway can be expanded with inbound from Internet functionality. Each resource is aware of the direction in which a flow is originated. On a subnet with a NAT gateway, all outbound to Internet scenarios are superseded by the NAT gateway. Inbound from Internet scenarios are provided by the respective resource.

NAT and VM with instance-level Public IP

Figure depicts a NAT gateway that supports outbound traffic to the internet from a virtual network and inbound traffic with an instance-level public IP.

Figure: Virtual Network NAT and VM with instance-level Public IP

Direction   Resource
Inbound     VM with instance-level Public IP
Outbound    NAT gateway

The VM will use the NAT gateway for outbound. Inbound originated flows aren't affected.

NAT and VM with public Load Balancer

Figure depicts a NAT gateway that supports outbound traffic to the internet from a virtual network and inbound traffic with a public load balancer.

Figure: Virtual Network NAT and VM with public Load Balancer

Direction   Resource
Inbound     Public Load Balancer
Outbound    NAT gateway

Any outbound configuration from a load-balancing rule or outbound rules is superseded by the NAT gateway. Inbound originated flows aren't affected.

NAT and VM with instance-level public IP and public Load Balancer

Figure depicts a NAT gateway that supports outbound traffic to the internet from a virtual network and inbound traffic with an instance-level public IP and a public load balancer.

Figure: Virtual Network NAT and VM with instance-level public IP and public Load Balancer

Direction   Resource
Inbound     VM with instance-level public IP and public Load Balancer
Outbound    NAT gateway

Any outbound configuration from a load-balancing rule or outbound rules is superseded by the NAT gateway. The VM will also use the NAT gateway for outbound. Inbound originated flows aren't affected.

Managing Basic resources

Standard load balancer, public IP, and public IP prefix are compatible with NAT gateway. NAT gateways operate in the scope of a subnet. The Basic SKU of these services must be deployed on a subnet without a NAT gateway. This separation allows both SKU variants to coexist in the same virtual network.

NAT gateways take precedence over the outbound scenarios of a subnet. A Basic load balancer or public IP (and any managed service built with them) can't be adjusted with the correct translations. The NAT gateway takes control over outbound to Internet traffic on the subnet, so inbound traffic to a Basic load balancer or to a Basic public IP configured on a VM won't be available.

Performance

Each NAT gateway resource can provide up to 50 Gbps of throughput. You can split your deployments into multiple subnets and assign each subnet or group of subnets a NAT gateway to scale out.

Each NAT gateway can support 64,000 flows for TCP and UDP respectively per assigned outbound IP address. Review the following section on Source Network Address Translation (SNAT) for details, as well as the troubleshooting article for specific problem resolution guidance.

Source Network Address Translation

Source network address translation (SNAT) rewrites the source of a flow to originate from a different IP address. NAT gateway resources use a variant of SNAT commonly referred to as port address translation (PAT). PAT rewrites both the source address and the source port. With SNAT, there's no fixed relationship between the number of private addresses and their translated public addresses.

Fundamentals

Let's look at an example of four flows to explain the basic concept. The NAT gateway is using public IP address resource 65.52.1.1 and the VM is making connections to 65.52.0.1.

Flow   Source tuple         Destination tuple
1      192.168.0.16:4283    65.52.0.1:80
2      192.168.0.16:4284    65.52.0.1:80
3      192.168.0.17:5768    65.52.0.1:80

These flows might look like this after PAT has taken place:

Flow   Source tuple         SNAT'ed source tuple   Destination tuple
1      192.168.0.16:4283    65.52.1.1:1234         65.52.0.1:80
2      192.168.0.16:4284    65.52.1.1:1235         65.52.0.1:80
3      192.168.0.17:5768    65.52.1.1:1236         65.52.0.1:80

The destination will see the source of the flow as 65.52.1.1 (the SNAT'ed source tuple) with the assigned port shown. PAT as shown in the preceding table is also called port masquerading SNAT. Multiple private sources are masqueraded behind one IP and port.

Source (SNAT) port reuse

NAT gateways opportunistically reuse source (SNAT) ports. The following illustrates this concept as an additional flow to the preceding set of flows. The VM in the example opens a flow to 65.52.0.2.

Flow   Source tuple         Destination tuple
4      192.168.0.16:4285    65.52.0.2:80

A NAT gateway will likely translate flow 4 to a port that may be used for other destinations as well. See Scaling for additional discussion on correctly sizing your IP address provisioning.

Flow   Source tuple         SNAT'ed source tuple   Destination tuple
4      192.168.0.16:4285    65.52.1.1:1234         65.52.0.2:80

Don't take a dependency on the specific way source ports are assigned in the above example. The preceding is an illustration of the fundamental concept only.
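The two tables above (PAT in the Fundamentals section and port reuse in this one) can be replayed with a small translation table. The following is an added example, not code from the page or from Azure: it keys each allocation on the full 5-tuple, so a public port is free for a new flow whenever no active flow already uses that public (IP, port) towards the same destination, which is exactly why flow 4 can land on port 1234 again. The starting port 1234 and the port range are constructed so the output matches the page's tables; the real gateway's port selection is not documented here. The inbound lookup also shows the security property a practitioner cares about: a packet that does not match an existing outbound flow maps to nothing.

```python
"""Toy port-address-translation (PAT) table replaying the page's flow examples."""
from itertools import product


class SnatExhausted(RuntimeError):
    """No free (public IP, port) for this destination: SNAT port exhaustion."""


class SnatTable:
    # ports=range(1234, 65536) is a constructed range chosen so the example reproduces
    # the page's tables; how the real gateway picks ports is not specified on the page.
    def __init__(self, public_ips, ports=range(1234, 65536)):
        self.public_ips = list(public_ips)
        self.ports = list(ports)
        # Outbound state: (src_ip, src_port, dst_ip, dst_port, proto) -> (pub_ip, pub_port)
        self.outbound = {}
        # Return-path state: (pub_ip, pub_port, dst_ip, dst_port, proto) -> (src_ip, src_port)
        self.inbound_map = {}

    def translate(self, src_ip, src_port, dst_ip, dst_port, proto="tcp"):
        """Allocate (or look up) the public tuple for a private flow.

        A public (ip, port) is reused opportunistically: it is free for this flow as
        long as no active flow already uses it towards the same destination.
        """
        flow = (src_ip, src_port, dst_ip, dst_port, proto)
        if flow in self.outbound:
            return self.outbound[flow]
        for pub_ip, pub_port in product(self.public_ips, self.ports):
            public_key = (pub_ip, pub_port, dst_ip, dst_port, proto)
            if public_key not in self.inbound_map:
                self.inbound_map[public_key] = (src_ip, src_port)
                self.outbound[flow] = (pub_ip, pub_port)
                return pub_ip, pub_port
        raise SnatExhausted(f"no SNAT port left for {dst_ip}:{dst_port}/{proto}")

    def inbound(self, pub_ip, pub_port, remote_ip, remote_port, proto="tcp"):
        """Map a packet arriving at a public tuple back to the private endpoint.

        Returns None for unsolicited traffic: the gateway only carries return traffic
        of flows that originated outbound; it provides no inbound path on its own.
        """
        return self.inbound_map.get((pub_ip, pub_port, remote_ip, remote_port, proto))

    def release(self, src_ip, src_port, dst_ip, dst_port, proto="tcp"):
        """Free the port once the flow closes (FIN/RST) or idle-times out."""
        pub_ip, pub_port = self.outbound.pop((src_ip, src_port, dst_ip, dst_port, proto))
        del self.inbound_map[(pub_ip, pub_port, dst_ip, dst_port, proto)]


def page_example():
    """Replay the four flows from the page's tables; returns [(flow, snat tuple), ...]."""
    nat = SnatTable(["65.52.1.1"])
    flows = [
        ("192.168.0.16", 4283, "65.52.0.1", 80),
        ("192.168.0.16", 4284, "65.52.0.1", 80),
        ("192.168.0.17", 5768, "65.52.0.1", 80),
        ("192.168.0.16", 4285, "65.52.0.2", 80),   # different destination: port reused
    ]
    return [(f, nat.translate(*f)) for f in flows]


if __name__ == "__main__":
    for n, (flow, snat) in enumerate(page_example(), start=1):
        print(f"flow {n}: {flow[0]}:{flow[1]} -> {snat[0]}:{snat[1]} -> {flow[2]}:{flow[3]}")
```

Shrinking the port range to two ports shows the failure mode the Scaling section warns about: a third flow to the same destination raises SnatExhausted while a flow to a different destination still succeeds, because exhaustion is per destination tuple, not per gateway.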

SNAT provided by NAT is different from Load Balancer in several aspects.

On-demand

NAT provides on-demand SNAT ports for new outbound traffic flows. All available SNAT ports in the inventory can be used by any virtual machine on subnets configured with NAT.

Figure depicts inventory of all available SNAT ports used by any virtual machine on subnets configured with NAT.

Figure: Virtual Network NAT on-demand outbound SNAT

Any IP configuration of a virtual machine can create outbound flows on demand as needed. Pre-allocation and per-instance planning, including per-instance worst-case overprovisioning, aren't required.

Figure depicts inventory of all available SNAT ports used by any virtual machine on subnets configured with NAT, with an exhaustion threshold.

Figure: Differences in exhaustion scenarios

Once a SNAT port is released, it's available for use by any virtual machine on subnets configured with NAT. On-demand allocation allows dynamic and divergent workloads on the subnet(s) to use SNAT ports as they need. As long as there's SNAT port inventory available, SNAT flows will succeed. SNAT port hot spots benefit from the larger inventory instead. SNAT ports aren't left unused by virtual machines that don't actively need them.

Scaling

Scaling NAT is primarily a function of managing the shared, available SNAT port inventory. NAT needs sufficient SNAT port inventory for the expected peak outbound flows of all subnets attached to a NAT gateway resource. You can use public IP address resources, public IP prefix resources, or both to create SNAT port inventory.

Note

If you assign a public IP prefix resource, the entire public IP prefix will be used. You can't assign a public IP prefix resource and then break out individual IP addresses to assign to other resources. If you want to assign individual IP addresses from a public IP prefix to multiple resources, create individual public IP addresses from the public IP prefix resource and assign them as needed, instead of assigning the public IP prefix resource itself.

SNAT maps private addresses to one or more public IP addresses, rewriting the source address and source port in the process. A NAT gateway resource will use 64,000 ports (SNAT ports) per configured public IP address for this translation. NAT gateway resources can scale up to 16 IP addresses and 1M SNAT ports. If a public IP prefix resource is provided, each IP address within the prefix provides SNAT port inventory, and adding more public IP addresses increases the available SNAT port inventory. TCP and UDP are separate SNAT port inventories and unrelated.

NAT gateway resources opportunistically reuse source (SNAT) ports. As design guidance for scaling purposes, you should assume each flow requires a new SNAT port and scale the total number of available IP addresses for outbound traffic accordingly. Carefully consider the scale you are designing for and provision IP address quantities to match.

SNAT ports to different destinations are the most likely to be reused when possible. As SNAT port exhaustion approaches, flows may not succeed.

See SNAT fundamentals for an example.

Protocols

NAT gateway resources interact with the IP and IP transport headers of UDP and TCP flows and are agnostic to application layer payloads. Other IP protocols aren't supported.

Timers

Important

A long idle timer can unnecessarily increase the likelihood of SNAT exhaustion. The longer the timer you specify, the longer NAT will hold on to SNAT ports until they eventually idle time out. If your flows are idle timed out, they will fail eventually anyway and unnecessarily consume SNAT port inventory. Flows that fail at 2 hours would have failed at the default 4 minutes as well. Increasing the idle timeout is a last resort option that should be used sparingly. If a flow never goes idle, it will not be impacted by the idle timer.

The TCP idle timeout can be adjusted from 4 minutes (default) to 120 minutes (2 hours) for all flows. Additionally, you can reset the idle timer with traffic on the flow. A recommended pattern for refreshing long idle connections and endpoint liveness detection is TCP keepalives. TCP keepalives appear as duplicate ACKs to the endpoints, are low overhead, and are invisible to the application layer.

The following timers are used for SNAT port release:

Timer            Value
TCP FIN          60 seconds
TCP RST          10 seconds
TCP half open    30 seconds

A SNAT port is available for reuse to the same destination IP address and destination port after 5 seconds.
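The Scaling section's sizing rule (assume every flow takes a fresh port, 64,000 ports per public IP per protocol, at most 16 IPs) and the timer discussion above combine into one back-of-the-envelope calculation: the number of ports held at steady state is the new-flow rate multiplied by how long each port is held, and the hold time is the flow's active life plus whichever release timer ends it. The following planner is an added example, not the page's or Azure's code; it uses only the figures quoted on this page (the release timers, the 4 to 120 minute idle range, the per-IP and per-gateway limits) and treats the "flows per second" and "active seconds" inputs as numbers you would measure or estimate for your own workload.

```python
"""Sizing a NAT gateway's SNAT port inventory against flow rates and release timers."""
import math

PORTS_PER_IP = 64_000        # SNAT ports per public IP address, per protocol (page)
MAX_IPS_PER_NAT = 16         # public IP addresses one NAT gateway resource can use (page)
DEFAULT_IDLE_MINUTES = 4     # TCP idle timeout default and minimum (page)
MAX_IDLE_MINUTES = 120       # TCP idle timeout maximum (page)

# Port-release timers from the page's table, in seconds; the page notes they may change.
RELEASE_TIMERS = {"fin": 60, "rst": 10, "half_open": 30}


def hold_time_seconds(close_reason, active_seconds=0, idle_timeout_minutes=DEFAULT_IDLE_MINUTES):
    """Seconds one flow occupies a SNAT port: its active life plus the release timer.

    close_reason is 'fin', 'rst', 'half_open', or 'idle' (the flow goes quiet and the
    port stays allocated until the idle timeout expires).
    """
    if not DEFAULT_IDLE_MINUTES <= idle_timeout_minutes <= MAX_IDLE_MINUTES:
        raise ValueError(f"idle timeout must be {DEFAULT_IDLE_MINUTES}..{MAX_IDLE_MINUTES} minutes")
    if close_reason == "idle":
        return active_seconds + idle_timeout_minutes * 60
    return active_seconds + RELEASE_TIMERS[close_reason]


def ports_in_use(new_flows_per_sec, hold_seconds):
    """Steady-state SNAT ports occupied (Little's law, L = lambda * W).

    Follows the page's sizing guidance: assume every flow needs a fresh port and give
    opportunistic port reuse no credit.
    """
    return math.ceil(new_flows_per_sec * hold_seconds)


def public_ips_needed(tcp_ports, udp_ports):
    """TCP and UDP draw from separate per-IP inventories, so size for the larger one."""
    return max(1, math.ceil(max(tcp_ports, udp_ports) / PORTS_PER_IP))


def plan_nat_capacity(tcp_flows_per_sec, udp_flows_per_sec=0, close_reason="idle",
                      active_seconds=0, idle_timeout_minutes=DEFAULT_IDLE_MINUTES):
    """Size the public IP inventory for a NAT gateway and flag when one gateway can't cope."""
    hold = hold_time_seconds(close_reason, active_seconds, idle_timeout_minutes)
    tcp = ports_in_use(tcp_flows_per_sec, hold)
    udp = ports_in_use(udp_flows_per_sec, hold)
    ips = public_ips_needed(tcp, udp)
    return {
        "hold_seconds": hold,
        "tcp_ports": tcp,
        "udp_ports": udp,
        "public_ips": ips,
        "fits_one_gateway": ips <= MAX_IPS_PER_NAT,
        # When it doesn't fit, the page's advice is to split subnets across more gateways.
        "gateways_needed": math.ceil(ips / MAX_IPS_PER_NAT),
    }


if __name__ == "__main__":
    scenarios = [
        ("200 TCP flows/s, flows go idle, 4 min timeout", dict(tcp_flows_per_sec=200)),
        ("200 TCP flows/s, flows go idle, 120 min timeout",
         dict(tcp_flows_per_sec=200, idle_timeout_minutes=120)),
        ("200 TCP flows/s, clean FIN after 10 s",
         dict(tcp_flows_per_sec=200, close_reason="fin", active_seconds=10)),
    ]
    for label, kwargs in scenarios:
        print(label, plan_nat_capacity(**kwargs))
```

The three scenarios make the page's warning concrete: 200 new TCP flows per second that go idle need 48,000 ports at the default timeout (one public IP), 1,440,000 ports at the 120-minute maximum (more than the 16-IP, 1M-port ceiling of a single gateway), and only 14,000 ports when the application closes cleanly and the 60-second FIN timer applies.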

Note

These timer settings are subject to change. The values are provided to help with troubleshooting, and you shouldn't take a dependency on specific timers at this time.

Limitations

  • NAT is compatible with Standard SKU public IP, public IP prefix, and load balancer resources. Basic resources (for example, a Basic load balancer) and any products derived from them aren't compatible with NAT. Basic resources must be placed on a subnet not configured with NAT.
  • The IPv4 address family is supported. NAT doesn't interact with the IPv6 address family. NAT can't be deployed on a subnet with an IPv6 prefix.
  • NAT can't span multiple virtual networks.

Suggestions

We want to know how we can improve the service. Are you missing a capability? Make your case for what we should build next at UserVoice for NAT.

Next steps