Tutorial: Create a NAT gateway using Azure CLI and test the NAT service

In this tutorial, you'll create a NAT gateway to provide outbound connectivity for virtual machines in Azure. To test the NAT gateway, you deploy a source and a destination virtual machine. You'll test the NAT gateway by making outbound connections to a public IP address. These connections will come from the source to the destination virtual machine. For simplicity only, this tutorial deploys the source and destination in two different virtual networks in the same resource group.

Note

Before you can use Azure CLI 2.0 in Azure China, run az cloud set -n AzureChinaCloud first to change the cloud environment. If you want to switch back to global Azure, run az cloud set -n AzureCloud again.

You can complete this tutorial using the Azure CLI, running the respective commands locally with administrator privileges.

If you choose to run these commands locally, you need to install the CLI. This tutorial requires Azure CLI version 2.0.71 or later. To find the version, run az --version. If you need to install or upgrade, see Install Azure CLI.

Create a resource group

Create a resource group with az group create. An Azure resource group is a logical container into which Azure resources are deployed and managed.

The following example creates a resource group named myResourceGroupNAT in the chinaeast2 location:

  az group create \
    --name myResourceGroupNAT \
    --location chinaeast2

Create the NAT gateway

Create a public IP address

To access the public Internet, you need one or more public IP addresses for the NAT gateway. Use az network public-ip create to create a public IP address resource named myPublicIPsource in myResourceGroupNAT.

  az network public-ip create \
    --resource-group myResourceGroupNAT \
    --name myPublicIPsource \
    --sku standard

Create a public IP prefix

You can use one or more public IP address resources, public IP prefixes, or both with a NAT gateway. We'll add a public IP prefix resource to this scenario to demonstrate. Use az network public-ip prefix create to create a public IP prefix resource named myPublicIPprefixsource in myResourceGroupNAT.

  az network public-ip prefix create \
    --resource-group myResourceGroupNAT \
    --name myPublicIPprefixsource \
    --length 31

Create a NAT gateway resource

This section details how you can create and configure the following components of the NAT service using the NAT gateway resource:

  • A public IP pool and public IP prefix to use for outbound flows translated by the NAT gateway resource.
  • Change the idle timeout from the default of 4 minutes to 10 minutes.

Create a global Azure NAT gateway named myNATgateway with az network nat gateway create. The command uses both the public IP address myPublicIPsource and the public IP prefix myPublicIPprefixsource. The command also changes the idle timeout to 10 minutes.

  az network nat gateway create \
    --resource-group myResourceGroupNAT \
    --name myNATgateway \
    --public-ip-addresses myPublicIPsource \
    --public-ip-prefixes myPublicIPprefixsource \
    --idle-timeout 10

At this point, the NAT gateway is functional; all that is missing is to configure which subnets of a virtual network should use it.

Prepare the source for outbound traffic

We'll guide you through setup of a full test environment. You'll set up a test using open-source tools to verify the NAT gateway. We'll start with the source, which will use the NAT gateway we created previously.

Configure virtual network for source

Before you can deploy a VM and test your NAT gateway, you need to create the virtual network.

Create a virtual network named myVnetsource with a subnet named mySubnetsource in myResourceGroupNAT using az network vnet create. The IP address space for the virtual network is 192.168.0.0/16. The subnet within the virtual network is 192.168.0.0/24.

  az network vnet create \
    --resource-group myResourceGroupNAT \
    --name myVnetsource \
    --address-prefix 192.168.0.0/16 \
    --subnet-name mySubnetsource \
    --subnet-prefix 192.168.0.0/24

Configure NAT service for source subnet

Configure the source subnet mySubnetsource in virtual network myVnetsource to use the NAT gateway resource myNATgateway with az network vnet subnet update. This command activates the NAT service on the specified subnet.

  az network vnet subnet update \
    --resource-group myResourceGroupNAT \
    --vnet-name myVnetsource \
    --name mySubnetsource \
    --nat-gateway myNATgateway

All outbound traffic to Internet destinations now uses the NAT service. It's not necessary to configure a UDR.

Before we can test the NAT gateway, we need to create a source VM. We'll assign a public IP address resource as an instance-level public IP to access this VM from the outside. This address is only used to access the VM for the test. We'll demonstrate how the NAT service takes precedence over other outbound options.

As an exercise, you could also create this VM without a public IP and create another VM to use as a jumpbox.

Create public IP for source VM

我们将创建一个用于访问源 VM 的公共 IP。We create a public IP to be used to access the source VM. 使用 az network public-ip createmyResourceGroupNAT 中创建名为 myPublicIPsourceVM 的公共 IP 地址资源。Use az network public-ip create to create a public IP address resource named myPublicIPsourceVM in myResourceGroupNAT.

  az network public-ip create \
    --resource-group myResourceGroupNAT \
    --name myPublicIPsourceVM \
    --sku standard

Create an NSG for source VM

Because Standard public IP addresses are 'secure by default', we need to create an NSG to allow inbound SSH access. The Azure NAT service is flow direction aware: this NSG won't be used for outbound traffic once the NAT gateway is configured on the same subnet. Use az network nsg create to create an NSG resource named myNSGsource in myResourceGroupNAT.

  az network nsg create \
    --resource-group myResourceGroupNAT \
    --name myNSGsource

Expose SSH endpoint on source VM

We create a rule in the NSG for SSH access to the source VM. Use az network nsg rule create to create an NSG rule named ssh. This rule will be created in the NSG named myNSGsource in the resource group myResourceGroupNAT.

  az network nsg rule create \
    --resource-group myResourceGroupNAT \
    --nsg-name myNSGsource \
    --priority 100 \
    --name ssh \
    --description "SSH access" \
    --access allow \
    --protocol tcp \
    --direction inbound \
    --destination-port-ranges 22

Create NIC for source VM

Create a network interface with az network nic create and associate it with the public IP address myPublicIPsourceVM and the network security group myNSGsource.

  az network nic create \
    --resource-group myResourceGroupNAT \
    --name myNicsource \
    --vnet-name myVnetsource \
    --subnet mySubnetsource \
    --public-ip-address myPublicIPsourceVM \
    --network-security-group myNSGsource

Create a source VM

Create the virtual machine with az vm create. We generate SSH keys for this VM and store the private key to use later.

  az vm create \
    --resource-group myResourceGroupNAT \
    --name myVMsource \
    --nics myNicsource \
    --image UbuntuLTS \
    --generate-ssh-keys \
    --no-wait

While the command returns immediately, it may take a few minutes for the VM to be deployed.

Prepare destination for outbound traffic

We'll now create a destination for the outbound traffic translated by the NAT service, so that you can test it.

Configure virtual network for destination

We need to create a virtual network where the destination virtual machine will be. These commands are the same steps as for the source VM, with small changes to expose the destination endpoint.

Create a virtual network named myVnetdestination with a subnet named mySubnetdestination in myResourceGroupNAT using az network vnet create. The IP address space for the virtual network is 192.168.0.0/16. The subnet within the virtual network is 192.168.0.0/24.

  az network vnet create \
    --resource-group myResourceGroupNAT \
    --name myVnetdestination \
    --address-prefix 192.168.0.0/16 \
    --subnet-name mySubnetdestination \
    --subnet-prefix 192.168.0.0/24

Create public IP for destination VM

我们将创建一个用于访问源 VM 的公共 IP。We create a public IP to be used to access the source VM. 使用 az network public-ip createmyResourceGroupNAT 中创建名为 myPublicIPdestinationVM 的公共 IP 地址资源。Use az network public-ip create to create a public IP address resource named myPublicIPdestinationVM in myResourceGroupNAT.

  az network public-ip create \
    --resource-group myResourceGroupNAT \
    --name myPublicIPdestinationVM \
    --sku standard

Create an NSG for destination VM

Standard public IP addresses are 'secure by default', so you'll need to create an NSG to allow inbound SSH access. The Azure NAT service is flow direction aware: this NSG won't be used for outbound traffic once a NAT gateway is configured on the same subnet. Use az network nsg create to create an NSG resource named myNSGdestination in myResourceGroupNAT.

  az network nsg create \
    --resource-group myResourceGroupNAT \
    --name myNSGdestination

Expose SSH endpoint on destination VM

We create a rule in the NSG for SSH access to the destination VM. Use az network nsg rule create to create an NSG rule named ssh. This rule will be created in the NSG named myNSGdestination in the resource group myResourceGroupNAT.

  az network nsg rule create \
    --resource-group myResourceGroupNAT \
    --nsg-name myNSGdestination \
    --priority 100 \
    --name ssh \
    --description "SSH access" \
    --access allow \
    --protocol tcp \
    --direction inbound \
    --destination-port-ranges 22

Expose HTTP endpoint on destination VM

We create a rule in the NSG for HTTP access to the destination VM. Use az network nsg rule create to create an NSG rule named http in the NSG named myNSGdestination in myResourceGroupNAT.

  az network nsg rule create \
    --resource-group myResourceGroupNAT \
    --nsg-name myNSGdestination \
    --priority 101 \
    --name http \
    --description "HTTP access" \
    --access allow \
    --protocol tcp \
    --direction inbound \
    --destination-port-ranges 80

Create NIC for destination VM

Create a network interface with az network nic create and associate it with the public IP address myPublicIPdestinationVM and the network security group myNSGdestination.

  az network nic create \
    --resource-group myResourceGroupNAT \
    --name myNicdestination \
    --vnet-name myVnetdestination \
    --subnet mySubnetdestination \
    --public-ip-address myPublicIPdestinationVM \
    --network-security-group myNSGdestination

Create a destination VM

Create the virtual machine with az vm create. We generate SSH keys for this VM and store the private key to use later.

  az vm create \
    --resource-group myResourceGroupNAT \
    --name myVMdestination \
    --nics myNicdestination \
    --image UbuntuLTS \
    --generate-ssh-keys \
    --no-wait

While the command returns immediately, it may take a few minutes for the VM to be deployed.

Prepare a web server and test payload on destination VM

First we need to discover the IP address of the destination VM. To get the public IP address of the destination VM, use az network public-ip show.

  az network public-ip show \
    --resource-group myResourceGroupNAT \
    --name myPublicIPdestinationVM \
    --query [ipAddress] \
    --output tsv

Important

Copy the public IP address, and then paste it into a notepad so you can use it in subsequent steps. Note that this is the destination virtual machine.

Sign in to destination VM

The SSH credentials should be stored on your local computer from the previous operation. Use the IP address retrieved in the previous step to SSH to the virtual machine.

ssh <ip-address-destination>

Copy and paste the following commands once you've signed in.

sudo apt -y update && \
sudo apt -y upgrade && \
sudo apt -y install nginx && \
sudo ln -sf /dev/null /var/log/nginx/access.log && \
sudo touch /var/www/html/index.html && \
sudo rm /var/www/html/index.nginx-debian.html && \
sudo dd if=/dev/zero of=/var/www/html/100k bs=1024 count=100

These commands will update your virtual machine, install nginx, and create a 100-KByte file. This file will be retrieved from the source VM using the NAT service.

Close the SSH session with the destination VM.

Prepare test on source VM

First we need to discover the IP address of the source VM. To get the public IP address of the source VM, use az network public-ip show.

  az network public-ip show \
    --resource-group myResourceGroupNAT \
    --name myPublicIPsourceVM \
    --query [ipAddress] \
    --output tsv

Important

Copy the public IP address, and then paste it into a notepad so you can use it in subsequent steps. Note that this is the source virtual machine.

Sign in to source VM

Again, the SSH credentials are stored on your local computer. Use the IP address retrieved in the previous step to SSH to the virtual machine.

ssh <ip-address-source>

Copy and paste the following commands to prepare for testing the NAT service.

sudo apt -y update && \
sudo apt -y upgrade && \
sudo apt install -y nload golang && \
echo 'export GOPATH=${HOME}/go' >> .bashrc && \
echo 'export PATH=${PATH}:${GOPATH}/bin' >> .bashrc && \
. ~/.bashrc && \
go get -u github.com/rakyll/hey

These commands will update your virtual machine, install Go, install hey from GitHub, and update your shell environment.

You're now ready to test the NAT service.

Validate NAT service

While logged into the source VM, you can use curl and hey to generate requests to the destination IP address.

Use curl to retrieve the 100-KByte file. Replace <ip-address-destination> in the example below with the destination IP address you copied previously. The --output parameter indicates that the retrieved file will be discarded.

curl http://<ip-address-destination>/100k --output /dev/null

You can also generate a series of requests using hey. Again, replace <ip-address-destination> with the destination IP address you copied previously.

hey -n 100 -c 10 -t 30 --disable-keepalive http://<ip-address-destination>/100k

This command will generate 100 requests, 10 concurrently, with a timeout of 30 seconds. TCP connections won't be reused. Each request will retrieve 100 KBytes. At the end of the run, hey reports statistics about how well the NAT service did.
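Throughput statistics alone don't prove that the NAT gateway, rather than the source VM's instance-level public IP, handled the flows. The POSIX sh check below is an added example, not part of the original tutorial: it takes the source address the destination VM observed for a request (for example from ss -tn on the destination VM while curl runs) and confirms it is one of the NAT gateway's addresses or lies inside its /31 prefix, and is not the instance-level IP. The function names are hypothetical and the addresses are constructed placeholders; on a real run fill them from the az network public-ip show and az network public-ip prefix show commands named in the comments.

```shell
#!/bin/sh
# Added check (not from the tutorial): was the observed source address translated
# by the NAT gateway pool? Constructed placeholder values; on a real run use:
#   az network public-ip show -g myResourceGroupNAT -n myPublicIPsource --query ipAddress -o tsv
#   az network public-ip prefix show -g myResourceGroupNAT -n myPublicIPprefixsource --query ipPrefix -o tsv
#   az network public-ip show -g myResourceGroupNAT -n myPublicIPsourceVM --query ipAddress -o tsv
NAT_IPS="203.0.113.20"          # NAT gateway public IP address(es), space separated
NAT_PREFIX="203.0.113.8/31"     # NAT gateway public IP prefix (--length 31 gives two addresses)
INSTANCE_IP="203.0.113.99"      # instance-level public IP of myVMsource (must NOT be seen)

# dotted quad -> 32-bit integer, using only POSIX sh arithmetic
ip_to_int() {
  _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDRESS NETWORK/LEN -> exit 0 when ADDRESS lies inside the prefix
in_cidr() {
  _net=${2%/*}; _len=${2#*/}
  _mask=$(( (0xFFFFFFFF << (32 - _len)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$1") & _mask )) -eq $(( $(ip_to_int "$_net") & _mask )) ]
}

# nat_source_check OBSERVED -> exit 0 only if OBSERVED came from the NAT gateway pool
nat_source_check() {
  _seen=$1
  if [ "$_seen" = "$INSTANCE_IP" ]; then
    echo "FAIL: $_seen is the instance-level IP; the NAT gateway is not in effect"
    return 1
  fi
  for _ip in $NAT_IPS; do
    if [ "$_seen" = "$_ip" ]; then
      echo "OK: $_seen is NAT gateway address $_ip"; return 0
    fi
  done
  if in_cidr "$_seen" "$NAT_PREFIX"; then
    echo "OK: $_seen lies inside NAT gateway prefix $NAT_PREFIX"; return 0
  fi
  echo "FAIL: $_seen is neither a NAT gateway address nor inside $NAT_PREFIX"
  return 1
}

# Address observed on the destination VM; defaults to a constructed in-prefix value
# so the script also runs offline (OBSERVED=<seen-address> sh nat_check.sh).
nat_source_check "${OBSERVED:-203.0.113.9}"
```

A FAIL on the instance-level address means the subnet-to-NAT-gateway association from az network vnet subnet update did not take effect for that flow.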

Clean up resources

When no longer needed, you can use the az group delete command to remove the resource group and all resources contained within it.

  az group delete --name myResourceGroupNAT

Next steps

In this tutorial, you created a NAT gateway, created a source and destination VM, and then tested the NAT gateway.

Review metrics in Azure Monitor to see your NAT service operating. Diagnose issues such as exhaustion of available SNAT ports. SNAT port exhaustion is easily addressed by adding more public IP address resources, public IP prefix resources, or both.