Tutorial: Create a NAT gateway using Azure CLI

This tutorial shows you how to use the Azure Virtual Network NAT service. You'll create a NAT gateway to provide outbound connectivity for a virtual machine in Azure.

Note

Before you can use Azure CLI 2.0 in Azure China, run az cloud set -n AzureChinaCloud first to change the cloud environment. To switch back to global Azure, run az cloud set -n AzureCloud again.

You can open an Azure CLI console on your local PC and complete this tutorial by running the respective commands. The az commands themselves don't need local administrator privileges; run them as an ordinary user.

If you choose to run these commands locally, you need to install the CLI. This tutorial requires Azure CLI version 2.0.71 or later. To find the version, run az --version. If you need to install or upgrade, see Install Azure CLI.

Create a resource group

Create a resource group with az group create. An Azure resource group is a logical container into which Azure resources are deployed and managed.

The following example creates a resource group named myResourceGroupNAT in the chinaeast2 location:

  az group create \
    --name myResourceGroupNAT \
    --location chinaeast2

Create the NAT gateway

Create a public IP address

To reach the public Internet, the NAT gateway needs one or more public IP addresses. Use az network public-ip create to create a public IP address resource named myPublicIP in myResourceGroupNAT. The NAT gateway only accepts Standard SKU public IPs, hence --sku standard.

  az network public-ip create \
    --resource-group myResourceGroupNAT \
    --name myPublicIP \
    --sku standard

Create a public IP prefix

You can use one or more public IP address resources, public IP prefixes, or both with a NAT gateway. We'll add a public IP prefix resource to this scenario to demonstrate. Use az network public-ip prefix create to create a public IP prefix resource named myPublicIPprefix in myResourceGroupNAT. A prefix of length 31 reserves two contiguous public addresses.

  az network public-ip prefix create \
    --resource-group myResourceGroupNAT \
    --name myPublicIPprefix \
    --length 31

Create a NAT gateway resource

This section details how to create and configure the following components of the NAT service using the NAT gateway resource:

  • A public IP pool and public IP prefix to use for outbound flows translated by the NAT gateway resource.
  • Change the idle timeout from the default of 4 minutes to 10 minutes.

Create a NAT gateway named myNATgateway with az network nat gateway create. The command uses both the public IP address myPublicIP and the public IP prefix myPublicIPprefix, and it changes the idle timeout to 10 minutes.

  az network nat gateway create \
    --resource-group myResourceGroupNAT \
    --name myNATgateway \
    --public-ip-addresses myPublicIP \
    --public-ip-prefixes myPublicIPprefix \
    --idle-timeout 10

At this point, the NAT gateway is functional; all that is missing is to configure which subnets of a virtual network should use it.

Configure the virtual network

Before you deploy a VM and use your NAT gateway, you need to create the virtual network.

Create a virtual network named myVnet with a subnet named mySubnet in myResourceGroupNAT using az network vnet create. The IP address space for the virtual network is 192.168.0.0/16. The subnet within the virtual network is 192.168.0.0/24.

  az network vnet create \
    --resource-group myResourceGroupNAT \
    --location chinaeast2 \
    --name myVnet \
    --address-prefix 192.168.0.0/16 \
    --subnet-name mySubnet \
    --subnet-prefix 192.168.0.0/24

Configure the NAT service for the source subnet

Configure the source subnet mySubnet in virtual network myVnet to use the NAT gateway resource myNATgateway with az network vnet subnet update. This command activates the NAT service on the specified subnet.

  az network vnet subnet update \
    --resource-group myResourceGroupNAT \
    --vnet-name myVnet \
    --name mySubnet \
    --nat-gateway myNATgateway

All outbound traffic from the subnet to Internet destinations now uses the NAT gateway; it's not necessary to configure a UDR. The NAT gateway takes precedence over other outbound methods on the subnet, so external services now see myPublicIP or an address from myPublicIPprefix as the source; update any allowlists on the receiving side accordingly.

Create a VM to use the NAT service

We'll now create a VM to use the NAT service. The VM gets an instance-level public IP of its own so that you can reach it. The NAT service is flow-direction aware: inbound connections still arrive on the VM's instance-level public IP, while the NAT gateway replaces the subnet's default Internet path for outbound flows. The VM's public IP address won't be used as the source of outbound connections.

Create a public IP for the source VM

We create a public IP to use for access to the VM. Use az network public-ip create to create a public IP address resource named myPublicIPVM in myResourceGroupNAT.

  az network public-ip create \
    --resource-group myResourceGroupNAT \
    --name myPublicIPVM \
    --sku standard

Create an NSG for the VM

Standard public IP addresses are secure by default: no inbound traffic reaches them until a network security group explicitly allows it, so we need to create an NSG that allows inbound SSH. Use az network nsg create to create an NSG resource named myNSG in myResourceGroupNAT.

  az network nsg create \
    --resource-group myResourceGroupNAT \
    --name myNSG

Expose the SSH endpoint on the source VM

We create a rule in the NSG for SSH access to the source VM. Use az network nsg rule create to create an NSG rule named ssh in the NSG named myNSG in myResourceGroupNAT. As written, the rule doesn't pass --source-address-prefixes, so the source defaults to * and TCP port 22 is reachable from any address on the Internet; outside a throwaway tutorial environment, add --source-address-prefixes with the address range you'll connect from.

  az network nsg rule create \
    --resource-group myResourceGroupNAT \
    --nsg-name myNSG \
    --priority 100 \
    --name ssh \
    --description "SSH access" \
    --access allow \
    --protocol tcp \
    --direction inbound \
    --destination-port-ranges 22
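Because the rule above defaults its source to *, a quick way to catch that pattern across an NSG is to audit the rule list for inbound Allow rules that reach a management port from any source. The following is an added example, not part of the original tutorial or of the Azure CLI; the rule list is constructed to resemble the JSON that az network nsg rule list returns (trimmed to the fields used), the 198.51.100.0/24 admin range is a made-up documentation address, and narrowing_command is a hypothetical helper that only builds the corresponding az network nsg rule update command as a string.

```python
"""Audit NSG rules for management ports open to any source (added example, constructed data)."""

MANAGEMENT_PORTS = {22, 3389, 5985, 5986}  # SSH, RDP, WinRM
# Sources Azure evaluates as "anywhere": the wildcard, the Internet service tag, and the default route.
ANY_SOURCE = {"*", "internet", "0.0.0.0/0", "::/0"}

# Constructed to resemble `az network nsg rule list -g myResourceGroupNAT --nsg-name myNSG -o json`,
# trimmed to the fields used here. The first entry is what the tutorial's rule produces:
# `--destination-port-ranges 22` with no source flag yields sourceAddressPrefix "*".
RULES = [
    {"name": "ssh", "priority": 100, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
     "sourceAddressPrefix": "*", "sourceAddressPrefixes": [],
     "destinationPortRange": "22", "destinationPortRanges": []},
    {"name": "ssh-from-admin", "priority": 110, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
     "sourceAddressPrefix": None, "sourceAddressPrefixes": ["198.51.100.0/24"],  # made-up admin range
     "destinationPortRange": None, "destinationPortRanges": ["22"]},
    {"name": "https", "priority": 200, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
     "sourceAddressPrefix": "Internet", "sourceAddressPrefixes": [],
     "destinationPortRange": "443", "destinationPortRanges": []},
    {"name": "deny-rdp", "priority": 300, "direction": "Inbound", "access": "Deny", "protocol": "*",
     "sourceAddressPrefix": "*", "sourceAddressPrefixes": [],
     "destinationPortRange": "3389", "destinationPortRanges": []},
]


def _list_or_scalar(rule, plural, singular):
    """az emits either the plural list (several values given) or the singular field."""
    values = rule.get(plural) or []
    if not values and rule.get(singular):
        values = [rule[singular]]
    return values


def destination_ports(rule):
    """Expand destination port ranges to a set of ints; None means every port ('*')."""
    ports = set()
    for item in _list_or_scalar(rule, "destinationPortRanges", "destinationPortRange"):
        if item == "*":
            return None
        low, _, high = item.partition("-")
        ports.update(range(int(low), int(high or low) + 1))
    return ports


def open_to_any_source(rule):
    sources = _list_or_scalar(rule, "sourceAddressPrefixes", "sourceAddressPrefix")
    return any(s.lower() in ANY_SOURCE for s in sources)


def exposed_management_rules(rules):
    """Names of inbound Allow rules that reach a management port from any source, lowest priority first."""
    hits = []
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule.get("direction", "").lower() != "inbound" or rule.get("access", "").lower() != "allow":
            continue
        if not open_to_any_source(rule):
            continue
        ports = destination_ports(rule)
        if ports is None or ports & MANAGEMENT_PORTS:
            hits.append(rule["name"])
    return hits


def narrowing_command(rule_name, admin_cidr, resource_group="myResourceGroupNAT", nsg="myNSG"):
    """Hypothetical helper: the az command that restricts an existing rule's source to admin_cidr."""
    return (f"az network nsg rule update --resource-group {resource_group} --nsg-name {nsg} "
            f"--name {rule_name} --source-address-prefixes {admin_cidr}")


if __name__ == "__main__":
    for name in exposed_management_rules(RULES):
        print(f"{name}: management port open to any source")
        print("  fix:", narrowing_command(name, "198.51.100.0/24"))
```

Against real output, feed the audit the JSON from az network nsg rule list; the check only looks at explicit rules, so a Deny rule at a lower priority number than an offending Allow still needs to be read by hand.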

Create a NIC for the VM

Create a network interface with az network nic create and associate it with the public IP address and the network security group.

  az network nic create \
    --resource-group myResourceGroupNAT \
    --name myNic \
    --vnet-name myVnet \
    --subnet mySubnet \
    --public-ip-address myPublicIPVM \
    --network-security-group myNSG

Create the VM

Create the virtual machine with az vm create. The --generate-ssh-keys flag creates an SSH key pair under ~/.ssh if none exists there yet (an existing key pair is reused) and installs the public key on the VM; the private key is what you'll sign in with later. If your CLI version no longer accepts the UbuntuLTS image alias, substitute a current Ubuntu alias or URN from az vm image list.

  az vm create \
    --resource-group myResourceGroupNAT \
    --name myVM \
    --nics myNic \
    --image UbuntuLTS \
    --generate-ssh-keys

Wait for the VM to deploy, then continue with the rest of the steps.

Discover the IP address of the VM

First, discover the IP address of the VM you've created. To retrieve the public IP address of the VM, use az network public-ip show. The query expression is quoted so the shell doesn't treat the brackets as a glob pattern.

  az network public-ip show \
    --resource-group myResourceGroupNAT \
    --name myPublicIPVM \
    --query '[ipAddress]' \
    --output tsv

Important

Copy the public IP address and paste it into a notepad so you can use it to access the VM.

Sign in to the VM

The SSH private key from the previous operation is in ~/.ssh on your local computer. Use the IP address retrieved in the previous step to SSH to the virtual machine. Because az vm create ran without --admin-username, the VM's admin user name is your local user name, so no user needs to be given when you connect from the same local account.

ssh <ip-address-destination>

You're now ready to use the NAT service: outbound connections from the VM to the Internet leave with a source address drawn from myPublicIP or myPublicIPprefix, not from myPublicIPVM.

Clean up resources

When no longer needed, use the az group delete command to remove the resource group and all resources contained within it.

  az group delete \
    --name myResourceGroupNAT

Next steps

In this tutorial, you created a NAT gateway and a VM to use it.

Review metrics in Azure Monitor to see your NAT service operating and to diagnose issues such as exhaustion of available SNAT ports. SNAT port exhaustion is addressed by adding public IP address resources, public IP prefix resources, or both to the NAT gateway.
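To make two claims on this page concrete, that the gateway is "functional" once it has a Standard SKU, an idle timeout in range and at least one public IP or prefix, and that SNAT capacity grows with the number of addresses behind it, here is an added example that validates a gateway offline. It is not part of the original tutorial or of any Azure tooling. The JSON is constructed to resemble the fields returned by az network nat gateway show and az network vnet subnet show for the resources created above; the subscription ID is a placeholder, and 203.0.113.5 and 203.0.113.10/31 are made-up addresses from a documentation range standing in for myPublicIP and the --length 31 prefix. The 64,512 SNAT ports per address, the 16-address cap and the 4 to 120 minute idle-timeout range are Azure's published NAT gateway limits.

```python
"""Offline sanity checks for an Azure NAT gateway, modelled on az CLI JSON output.

Added example; the resource JSON below is constructed, not captured from Azure.
"""
import ipaddress

SNAT_PORTS_PER_IP = 64_512       # Azure NAT gateway: SNAT ports contributed by each public IP address
MAX_ADDRESSES_PER_GATEWAY = 16   # combined cap across public IP addresses and prefix addresses
IDLE_TIMEOUT_MINUTES = (4, 120)  # allowed range for --idle-timeout

# Constructed to look like `az network nat gateway show -g myResourceGroupNAT -n myNATgateway -o json`
# (only the fields used here). The subscription ID is a placeholder.
SUB = ("/subscriptions/00000000-0000-0000-0000-000000000000"
       "/resourceGroups/myResourceGroupNAT/providers/Microsoft.Network")
NAT_GATEWAY = {
    "id": f"{SUB}/natGateways/myNATgateway",
    "sku": {"name": "Standard"},
    "idleTimeoutInMinutes": 10,
    "publicIpAddresses": [{"id": f"{SUB}/publicIPAddresses/myPublicIP"}],
    "publicIpPrefixes": [{"id": f"{SUB}/publicIPPrefixes/myPublicIPprefix"}],
}
# Constructed to look like `az network vnet subnet show -g myResourceGroupNAT --vnet-name myVnet -n mySubnet`.
SUBNET = {
    "id": f"{SUB}/virtualNetworks/myVnet/subnets/mySubnet",
    "natGateway": {"id": f"{SUB}/natGateways/myNATgateway"},
}
# What `az network public-ip show` / `az network public-ip prefix show` would report for those IDs
# (made-up addresses from the 203.0.113.0/24 documentation range; the /31 matches --length 31).
PUBLIC_IPS = {"myPublicIP": "203.0.113.5"}
PREFIXES = {"myPublicIPprefix": "203.0.113.10/31"}


def _name(resource_id):
    return resource_id.rsplit("/", 1)[-1]


def egress_networks(gw, public_ips=PUBLIC_IPS, prefixes=PREFIXES):
    """Every network the gateway can SNAT from: single IPs become /32, prefixes stay as CIDR."""
    nets = [ipaddress.ip_network(public_ips[_name(p["id"])]) for p in gw.get("publicIpAddresses") or []]
    nets += [ipaddress.ip_network(prefixes[_name(p["id"])]) for p in gw.get("publicIpPrefixes") or []]
    return nets


def address_count(gw, public_ips=PUBLIC_IPS, prefixes=PREFIXES):
    return sum(n.num_addresses for n in egress_networks(gw, public_ips, prefixes))


def snat_port_capacity(gw, public_ips=PUBLIC_IPS, prefixes=PREFIXES):
    """Total SNAT ports available to the subnet: 64,512 per address, so a /31 prefix adds 129,024."""
    return address_count(gw, public_ips, prefixes) * SNAT_PORTS_PER_IP


def is_gateway_address(ip, gw, public_ips=PUBLIC_IPS, prefixes=PREFIXES):
    """True if an observed outbound source address belongs to the gateway's pool."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in egress_networks(gw, public_ips, prefixes))


def validate_gateway(gw, subnet, public_ips=PUBLIC_IPS, prefixes=PREFIXES):
    """Return a list of findings; an empty list means the gateway matches this tutorial's intent."""
    findings = []
    if (gw.get("sku") or {}).get("name") != "Standard":
        findings.append("sku: NAT gateway must use the Standard SKU")
    timeout = gw.get("idleTimeoutInMinutes")
    low, high = IDLE_TIMEOUT_MINUTES
    if timeout is None or not low <= timeout <= high:
        findings.append(f"idleTimeoutInMinutes={timeout}: must be between {low} and {high}")
    count = address_count(gw, public_ips, prefixes)
    if count == 0:
        findings.append("no public IP address or prefix: outbound flows cannot be translated")
    elif count > MAX_ADDRESSES_PER_GATEWAY:
        findings.append(f"{count} addresses exceeds the {MAX_ADDRESSES_PER_GATEWAY}-address limit")
    associated = ((subnet.get("natGateway") or {}).get("id") or "").lower()
    if associated != gw["id"].lower():
        findings.append(f"subnet {_name(subnet['id'])} is not associated with {_name(gw['id'])}")
    return findings


if __name__ == "__main__":
    for finding in validate_gateway(NAT_GATEWAY, SUBNET) or ["ok"]:
        print(finding)
    print("addresses:", address_count(NAT_GATEWAY), "SNAT ports:", snat_port_capacity(NAT_GATEWAY))
```

With real resources, pipe the three az show commands' JSON into these functions; is_gateway_address is the check to run on whatever source address an external service reports for the VM's traffic, which should be in the pool and never equal to myPublicIPVM.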