Tutorial: Create a NAT gateway using Azure PowerShell

This tutorial shows you how to use the Azure Virtual Network NAT service. You'll create a NAT gateway to provide outbound connectivity for a virtual machine in Azure.

You can complete this tutorial using Azure PowerShell to run the commands locally with administrator privileges.

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Create a resource group

Create a resource group with New-AzResourceGroup. An Azure resource group is a logical container into which Azure resources are deployed and managed.

The following example creates a resource group named myResourceGroupNAT in the chinaeast2 location:

$rsg = 'myResourceGroupNAT'
$loc = 'chinaeast2'

New-AzResourceGroup -Name $rsg -Location $loc

Create the NAT gateway

Public IP options for NAT gateway are:

  • Public IP addresses
  • Public IP prefixes

Both can be used with NAT gateway.

We'll add a public IP address and a public IP prefix to this scenario to demonstrate both.

Create a public IP address

To access the Internet, you need one or more public IP addresses for the NAT gateway. Use New-AzPublicIpAddress to create a public IP address resource named myPublicIP in myResourceGroupNAT. The result of this command is stored in the variable $publicIP for later use.

$rsg = 'myResourceGroupNAT'
$loc = 'chinaeast2'
$sku = 'Standard'
$pbnm = 'myPublicIP'

# NAT gateway requires Standard-SKU, statically allocated public IPs
$publicIP = New-AzPublicIpAddress -Name $pbnm -ResourceGroupName $rsg -AllocationMethod Static -Location $loc -Sku $sku

Create a public IP prefix

Use New-AzPublicIpPrefix to create a public IP prefix resource named myPublicIPprefix in myResourceGroupNAT. The result of this command is stored in the variable $publicIPPrefix for later use.

$rsg = 'myResourceGroupNAT'
$loc = 'chinaeast2'
$pxnm = 'myPublicIPprefix'

# A /31 prefix provides two contiguous public IP addresses
$publicIPPrefix = New-AzPublicIpPrefix -Name $pxnm -ResourceGroupName $rsg -Location $loc -PrefixLength 31

Create a NAT gateway resource

This section details how you can create and configure the following components of the NAT service using the NAT gateway resource:

  • A public IP pool and public IP prefix to use for outbound flows translated by the NAT gateway resource.
  • Change the idle timeout from the default of 4 minutes to 10 minutes.

Create a global Azure NAT gateway with New-AzNatGateway. This command creates a gateway resource named myNATgateway that uses the public IP address myPublicIP and the public IP prefix myPublicIPprefix. The idle timeout is set to 10 minutes. The result of this command is stored in the variable $natGateway for later use.

$rsg = 'myResourceGroupNAT'
$loc = 'chinaeast2'
$sku = 'Standard'
$gnm = 'myNATgateway'

# Uses the $publicIP and $publicIPPrefix objects created in the previous steps
$natGateway = New-AzNatGateway -Name $gnm -ResourceGroupName $rsg -PublicIpAddress $publicIP -PublicIpPrefix $publicIPPrefix -Location $loc -Sku $sku -IdleTimeoutInMinutes 10

At this point, the NAT gateway is functional and all that is missing is to configure which subnets of a virtual network should use it.

Configure virtual network

Create the virtual network and associate the subnet with the gateway.

Create a virtual network named myVnet with a subnet named mySubnet in myResourceGroupNAT, using New-AzVirtualNetworkSubnetConfig for the subnet and New-AzVirtualNetwork for the network. The IP address space for the virtual network is 192.168.0.0/16. The subnet within the virtual network is 192.168.0.0/24. The results of the commands are stored in the variables $subnet and $vnet for later use.

$sbnm = 'mySubnet'
$vnnm = 'myVnet'
$rsg = 'myResourceGroupNAT'
$loc = 'chinaeast2'
$pfxsub = '192.168.0.0/24'
$pfxvn = '192.168.0.0/16'

# The -NatGateway parameter attaches the subnet to the gateway created above
$subnet = New-AzVirtualNetworkSubnetConfig -Name $sbnm -AddressPrefix $pfxsub -NatGateway $natGateway

$vnet = New-AzVirtualNetwork -Name $vnnm -ResourceGroupName $rsg -Location $loc -AddressPrefix $pfxvn -Subnet $subnet

All outbound traffic to Internet destinations from this subnet now uses the NAT service. It isn't necessary to configure a UDR.

Create a VM to use the NAT service

We'll now create a VM to use the NAT service. This VM has a public IP used as an instance-level public IP so that you can reach the VM. The NAT service is flow-direction aware and replaces the default Internet destination in your subnet. The VM's public IP address won't be used for outbound connections.

Create public IP for source VM

We create a public IP to be used to access the VM. Use New-AzPublicIpAddress to create a public IP address resource named myPublicIPVM in myResourceGroupNAT. The result of this command is stored in the variable $publicIpVM for later use.

$rsg = 'myResourceGroupNAT'
$loc = 'chinaeast2'
$ipnm = 'myPublicIPVM'
$sku = 'Standard'

$publicIpVM = New-AzPublicIpAddress -Name $ipnm -ResourceGroupName $rsg -AllocationMethod Static -Location $loc -Sku $sku

Create an NSG and expose the SSH endpoint for the VM

Standard public IP addresses are 'secure by default', so an NSG is needed to allow inbound SSH access. Use New-AzNetworkSecurityGroup to create an NSG resource named myNSG. Use New-AzNetworkSecurityRuleConfig to create an NSG rule for SSH access named ssh in myResourceGroupNAT. The result of this command is stored in the variable $nsg for later use.

# Rule settings for inbound SSH
$rulenm = 'ssh'
$rdesc = 'SSH access'
$acc = 'Allow'
$pro = 'Tcp'
$dir = 'Inbound'
$pri = 100
$prt = '22'

# NSG settings
$rsg = 'myResourceGroupNAT'
$nsgnm = 'myNSG'
$loc = 'chinaeast2'

$sshrule = New-AzNetworkSecurityRuleConfig -Name $rulenm -Description $rdesc -Access $acc -Protocol $pro -Direction $dir -Priority $pri -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange $prt

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rsg -Name $nsgnm -Location $loc -SecurityRules $sshrule
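The rule above admits TCP 22 from any source (-SourceAddressPrefix *). The following is an added example, not part of the original tutorial, that builds the same rule limited to an administrator's address range and runs a small audit over a set of rule objects before the NSG is created. It assumes the Az.Network module is installed (New-AzNetworkSecurityRuleConfig constructs the rule objects locally, so only the final New-AzNetworkSecurityGroup call needs a signed-in session); the range 203.0.113.0/24 is a placeholder, and Find-OpenManagementRule is a function introduced here.

```powershell
# Added example, not from the original tutorial. Requires Az.Network for
# New-AzNetworkSecurityRuleConfig (local object construction, no sign-in needed).

$rsg = 'myResourceGroupNAT'
$loc = 'chinaeast2'
$adminCidr = '203.0.113.0/24'   # placeholder: replace with your own administrative range

# The tutorial's rule as written: TCP 22 allowed from any source.
$openRule = New-AzNetworkSecurityRuleConfig -Name 'ssh' -Description 'SSH access' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix * -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 22

# The same rule limited to the administrative range.
$scopedRule = New-AzNetworkSecurityRuleConfig -Name 'ssh-admin' -Description 'SSH from admin range' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix $adminCidr -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 22

function Find-OpenManagementRule {
    # Returns the inbound Allow rules that admit a management port (default: TCP 22)
    # from any source. Works on the PSSecurityRule objects above, or on any object
    # exposing Direction, Access, Protocol, SourceAddressPrefix and DestinationPortRange.
    # Port ranges written as 'a-b' are not expanded; only exact ports and '*' are matched.
    param(
        [Parameter(Mandatory)] [object[]] $Rules,
        [string[]] $ManagementPorts = @('22')
    )
    $anySource = @('*', '0.0.0.0/0', 'Internet')
    foreach ($r in $Rules) {
        if ($r.Direction -ne 'Inbound' -or $r.Access -ne 'Allow') { continue }
        if ($r.Protocol -notin @('Tcp', '*')) { continue }
        $sources = @($r.SourceAddressPrefix) | Where-Object { $_ -in $anySource }
        if (-not $sources) { continue }
        $ports = @($r.DestinationPortRange)
        if (($ports -contains '*') -or ($ports | Where-Object { $_ -in $ManagementPorts })) {
            $r
        }
    }
}

# Audit both rules, then build the NSG from the scoped one only.
Find-OpenManagementRule -Rules @($openRule, $scopedRule) | Select-Object Name, SourceAddressPrefix

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rsg -Name 'myNSG' -Location $loc -SecurityRules $scopedRule
```

Run against both rules, the audit reports only the tutorial's ssh rule, because the scoped rule's source prefix is not one of the any-source values. The same function can be pointed at the rules of an existing NSG (the SecurityRules property of a Get-AzNetworkSecurityGroup result) to review what is already deployed.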

Create NIC for VM

Create a network interface named myNic with New-AzNetworkInterface. This command associates the public IP address and the network security group with the interface. The result of this command is stored in the variable $nic for later use.

$rsg = 'myResourceGroupNAT'
$nmn = 'myNic'
$loc = 'chinaeast2'

$nic = New-AzNetworkInterface -ResourceGroupName $rsg -Name $nmn -NetworkSecurityGroupID $nsg.Id -PublicIPAddressID $publicIpVM.Id -SubnetID $vnet.Subnets[0].Id -Location $loc

Create VM

Create SSH key pair

You need an SSH key pair to complete this quickstart. If you already have an SSH key pair, you can skip this step.

Use ssh-keygen to create an SSH key pair.

ssh-keygen -t rsa -b 2048

For more detailed information on how to create SSH key pairs, including the use of PuTTy, see How to use SSH keys with Windows.

Create VM configuration

To create a VM in PowerShell, you create a configuration that has settings for the image to use, size, and authentication options. The configuration is used to build the VM.

Define the SSH credentials, OS information, and VM size. In this example, the SSH key is stored in ~/.ssh/id_rsa.pub.

# Define a credential object. Password authentication is disabled below, so the
# password here is only a placeholder required by the cmdlet; sign-in uses the SSH key.
$securePassword = ConvertTo-SecureString ' ' -AsPlainText -Force

$cred = New-Object System.Management.Automation.PSCredential ('azureuser', $securePassword)

# Create a virtual machine configuration
$vnm = 'myVM'
$vsz = 'Standard_D1'
$pub = 'Canonical'
$off = 'UbuntuServer'
$sku = '18.04-LTS'
$ver = 'latest'

$vmConfig = New-AzVMConfig -VMName $vnm -VMSize $vsz

Set-AzVMOperatingSystem -VM $vmConfig -Linux -ComputerName $vnm -Credential $cred -DisablePasswordAuthentication

Set-AzVMSourceImage -VM $vmConfig -PublisherName $pub -Offer $off -Skus $sku -Version $ver

Add-AzVMNetworkInterface -VM $vmConfig -Id $nic.Id

# Configure the SSH key (public key only; the private key stays on your machine)
$sshPublicKey = Get-Content ~/.ssh/id_rsa.pub

Add-AzVMSshPublicKey -VM $vmConfig -KeyData $sshPublicKey -Path "/home/azureuser/.ssh/authorized_keys"

Combine the configuration definitions to create a VM named myVM with New-AzVM in myResourceGroupNAT.

$rsg = 'myResourceGroupNAT'
$loc = 'chinaeast2'

New-AzVM -ResourceGroupName $rsg -Location $loc -VM $vmConfig

Wait for the VM deployment to finish, then continue with the remaining steps.

Discover the IP address of the VM

First, discover the IP address of the VM you've created. To get the public IP address of the VM, use Get-AzPublicIpAddress.

$rsg = 'myResourceGroupNAT'
$nmn = 'myPublicIPVM'

Get-AzPublicIpAddress -ResourceGroupName $rsg -Name $nmn | Select-Object IpAddress

Important

Copy the public IP address, and then paste it into a notepad so you can use it to access the VM.

Sign in to VM

The SSH credentials should be stored on your local computer from the previous operation. Use the IP address retrieved in the previous step to SSH to the virtual machine.

ssh azureuser@<ip-address-destination>

You're now ready to use the NAT service.
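The tutorial states that outbound traffic from the subnet now uses the NAT gateway and that the VM's instance-level public IP is not used for outbound flows. The following is an added example, not part of the original tutorial, that verifies both claims after deployment: it checks that the subnet references the NAT gateway and compares the source address the Internet sees for the VM against the gateway's public IP and prefix. The helper functions (ConvertTo-IPv4Number, Test-IpInCidr, Test-NatEgress) are introduced here and run offline; the final section assumes a signed-in Az session, SSH access to the VM as set up above, and that the VM can reach an egress-IP lookup service (ifconfig.me is an assumption, substitute any equivalent).

```powershell
# Added example, not from the original tutorial. The helper functions are pure
# IPv4 arithmetic and run offline; the checks at the bottom need a signed-in Az
# session and SSH access to the VM. ifconfig.me as the lookup service is an assumption.

function ConvertTo-IPv4Number {
    # Dotted-quad address to an integer (big-endian octet order).
    param([Parameter(Mandatory)] [string] $Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    ([long]$b[0] * 16777216) + ([long]$b[1] * 65536) + ([long]$b[2] * 256) + [long]$b[3]
}

function Test-IpInCidr {
    # True when $Ip falls inside $Cidr, e.g. 198.51.100.5 inside 198.51.100.4/31.
    param([Parameter(Mandatory)] [string] $Ip, [Parameter(Mandatory)] [string] $Cidr)
    $network, $prefixLength = $Cidr.Split('/')
    $blockSize = [math]::Pow(2, 32 - [int]$prefixLength)
    [math]::Floor((ConvertTo-IPv4Number $Ip) / $blockSize) -eq [math]::Floor((ConvertTo-IPv4Number $network) / $blockSize)
}

function Test-NatEgress {
    # True when the address the Internet saw for the VM is one of the NAT gateway's
    # addresses or lies inside one of its prefixes.
    param(
        [Parameter(Mandatory)] [string] $ObservedIp,
        [string[]] $GatewayAddresses = @(),
        [string[]] $GatewayPrefixes = @()
    )
    if ($ObservedIp -in $GatewayAddresses) { return $true }
    foreach ($p in $GatewayPrefixes) {
        if (Test-IpInCidr -Ip $ObservedIp -Cidr $p) { return $true }
    }
    return $false
}

# --- Checks against the deployed tutorial resources (signed-in session required) ---
$rsg = 'myResourceGroupNAT'

# 1. The subnet must reference the NAT gateway; without it the VM's own public IP is used.
$subnet = Get-AzVirtualNetwork -Name 'myVnet' -ResourceGroupName $rsg |
    Get-AzVirtualNetworkSubnetConfig -Name 'mySubnet'
$subnet.NatGateway.Id   # resource ID of myNATgateway when the association is in place

# 2. Ask the VM which source address the Internet sees, then compare with the gateway.
$vmIp     = (Get-AzPublicIpAddress -ResourceGroupName $rsg -Name 'myPublicIPVM').IpAddress
$observed = (ssh "azureuser@$vmIp" 'curl -s https://ifconfig.me').Trim()   # assumption: curl present, service reachable

$natIps      = @((Get-AzPublicIpAddress -ResourceGroupName $rsg -Name 'myPublicIP').IpAddress)
$natPrefixes = @((Get-AzPublicIpPrefix -ResourceGroupName $rsg -Name 'myPublicIPprefix').IPPrefix)

Test-NatEgress -ObservedIp $observed -GatewayAddresses $natIps -GatewayPrefixes $natPrefixes
$observed -eq $vmIp   # compares against the instance-level IP, which the NAT gateway should not be using
```

Test-NatEgress returning $true confirms the flow was translated by the gateway; a result of $false together with $observed matching $vmIp means the subnet is not using the NAT gateway, and the first check points at the missing association.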

Clean up resources

When no longer needed, you can use the Remove-AzResourceGroup command to remove the resource group and all resources contained within it.

Remove-AzResourceGroup -Name myResourceGroupNAT

Next steps

In this tutorial, you created a NAT gateway and a VM to use it.

Review metrics in Azure Monitor to see your NAT service operating. Diagnose issues such as resource exhaustion of available SNAT ports. Resource exhaustion of SNAT ports is addressed by adding additional public IP address resources, public IP prefix resources, or both.
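As an added example, not part of the original tutorial, the following pulls the NAT gateway's metrics from the shell so SNAT port pressure can be watched without the portal. It assumes the Az.Monitor module and a signed-in session. The metric name is discovered from the definitions the resource itself reports rather than hard-coded; the ConnectionState dimension and its Failed value used in the filter are an assumption to confirm against the listed definitions, and Get-SnatConnectionSeries is a function introduced here.

```powershell
# Added example, not from the original tutorial. Requires Az.Monitor and a
# signed-in session. The metric name is taken from what the resource reports;
# the 'ConnectionState' dimension filter is an assumption to confirm.

$rsg = 'myResourceGroupNAT'
$gnm = 'myNATgateway'
$natId = (Get-AzNatGateway -ResourceGroupName $rsg -Name $gnm).Id

# List what the gateway exposes instead of hard-coding metric names.
$defs = Get-AzMetricDefinition -ResourceId $natId
$defs | ForEach-Object { $_.Name.Value }

function Get-SnatConnectionSeries {
    # Returns 5-minute totals of the given metric over the last $Hours, optionally
    # filtered to one connection state (for example failed SNAT attempts, which
    # indicate port exhaustion on the gateway's current IP pool).
    param(
        [Parameter(Mandatory)] [string] $ResourceId,
        [Parameter(Mandatory)] [string] $MetricName,
        [int] $Hours = 1,
        [string] $StateFilter   # assumption: dimension named ConnectionState, e.g. 'Failed'
    )
    $end = Get-Date
    $params = @{
        ResourceId      = $ResourceId
        MetricName      = $MetricName
        StartTime       = $end.AddHours(-$Hours)
        EndTime         = $end
        TimeGrain       = [TimeSpan]::FromMinutes(5)
        AggregationType = 'Total'
    }
    if ($StateFilter) { $params['MetricFilter'] = "ConnectionState eq '$StateFilter'" }
    (Get-AzMetric @params).Data | Select-Object TimeStamp, Total
}

$snatMetric = ($defs | Where-Object { $_.Name.Value -like '*SNAT*' } | Select-Object -First 1).Name.Value
if (-not $snatMetric) { throw 'No SNAT metric reported for this resource' }

Get-SnatConnectionSeries -ResourceId $natId -MetricName $snatMetric
Get-SnatConnectionSeries -ResourceId $natId -MetricName $snatMetric -StateFilter 'Failed'
```

A rising count of failed connection attempts while total attempts stay flat is the pattern that points at SNAT port exhaustion; as the tutorial notes, the remedy is to add public IP addresses or prefixes to the gateway, which grows the port pool.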