What is Azure Load Balancer?

With Azure Load Balancer you can scale your applications and create high availability for your services. Load Balancer supports inbound and outbound scenarios, provides low latency and high throughput, and scales up to millions of flows for all TCP and UDP applications.

Load Balancer distributes new inbound flows that arrive on the Load Balancer's frontend to backend pool instances, according to rules and health probes.

Additionally, a public Load Balancer can provide outbound connections for virtual machines (VMs) inside your virtual network by translating their private IP addresses to public IP addresses.

Azure Load Balancer is available in two SKUs: Basic and Standard. There are differences in scale, features, and pricing. Any scenario that's possible with Basic Load Balancer can also be created with Standard Load Balancer, although the approaches might differ slightly. As you learn about Load Balancer, it is important to familiarize yourself with the fundamentals and the SKU-specific differences.

Why use Load Balancer?

You can use Azure Load Balancer to:

  • Load-balance incoming internet traffic to your VMs. This configuration is known as a Public Load Balancer.
  • Load-balance traffic across VMs inside a virtual network. You can also reach a Load Balancer frontend from an on-premises network in a hybrid scenario. Both scenarios use a configuration that is known as an Internal Load Balancer.
  • Port-forward traffic to a specific port on specific VMs with inbound network address translation (NAT) rules.
  • Provide outbound connectivity for VMs inside your virtual network by using a public Load Balancer.

Note

Azure provides a suite of fully managed load-balancing solutions for your scenarios. If you are looking for Transport Layer Security (TLS) protocol termination ("SSL offload") or per-request (HTTP/HTTPS) application-layer processing, review Application Gateway. If you are looking for global DNS load balancing, review Traffic Manager. Your end-to-end scenarios might benefit from combining these solutions as needed.

What are Load Balancer resources?

A Load Balancer resource can exist as either a public Load Balancer or an internal Load Balancer. The Load Balancer resource's functions are expressed as a frontend, a rule, a health probe, and a backend pool definition. You place VMs into the backend pool by specifying the backend pool from the VM.

Load Balancer resources are objects within which you express how Azure should program its multi-tenant infrastructure to achieve the scenario that you want to create. There is no direct relationship between Load Balancer resources and actual infrastructure. Creating a Load Balancer doesn't create an instance, and capacity is always available.

Fundamental Load Balancer features

Load Balancer provides the following fundamental capabilities for TCP and UDP applications:

  • Load balancing

    With Azure Load Balancer, you can create a load-balancing rule to distribute traffic that arrives at the frontend to backend pool instances. Load Balancer uses a hash-based algorithm to distribute inbound flows and rewrites the headers of flows to backend pool instances accordingly. A server is available to receive new flows when a health probe indicates a healthy backend endpoint.

    By default, Load Balancer uses a 5-tuple hash composed of source IP address, source port, destination IP address, destination port, and IP protocol number to map flows to available servers. You can choose to create affinity to a specific source IP address by opting into a 2-tuple or 3-tuple hash for a given rule. All packets of the same packet flow arrive on the same instance behind the load-balanced frontend. When the client initiates a new flow from the same source IP, the source port changes. As a result, the 5-tuple might cause the traffic to go to a different backend endpoint.

    For more information, see Load Balancer distribution mode. The following image displays the hash-based distribution:

    Figure: Hash-based distribution

  • Port forwarding

    With Load Balancer, you can create an inbound NAT rule to port-forward traffic from a specific port of a specific frontend IP address to a specific port of a specific backend instance inside the virtual network. This is accomplished by the same hash-based distribution as load balancing. Common scenarios for this capability are Remote Desktop Protocol (RDP) or Secure Shell (SSH) sessions to individual VM instances inside the Azure virtual network. You can map multiple internal endpoints to different ports on the same frontend IP address, and use them to remotely administer your VMs over the internet without an additional jump box.

  • Application agnostic and transparent

    Load Balancer does not directly interact with TCP or UDP or the application layer, so any TCP or UDP application scenario can be supported. Load Balancer does not terminate or originate flows, does not interact with the payload of the flow, provides no application-layer gateway function, and protocol handshakes always occur directly between the client and the backend pool instance. A response to an inbound flow is always a response from a virtual machine. When the flow arrives on the virtual machine, the original source IP address is also preserved. A couple of examples further illustrate this transparency:

    • Every endpoint is only answered by a VM. For example, a TCP handshake always occurs between the client and the selected backend VM. A response to a request to a frontend is a response generated by a backend VM. When you successfully validate connectivity to a frontend, you are validating end-to-end connectivity to at least one backend virtual machine.
    • Application payloads are transparent to Load Balancer, and any UDP or TCP application can be supported. For workloads that require per-HTTP-request processing or manipulation of application-layer payloads (for example, parsing of HTTP URLs), you should use a layer 7 load balancer such as Application Gateway.
    • Because Load Balancer is agnostic to the TCP payload and does not provide TLS ("SSL") offload, you can build end-to-end encrypted scenarios using Load Balancer and gain large scale-out for TLS applications by terminating the TLS connection on the VM itself. For example, your TLS session keying capacity is limited only by the type and number of VMs you add to the backend pool. If you require "SSL offloading", application-layer treatment, or wish to delegate certificate management to Azure, you should use Azure's layer 7 load balancer, Application Gateway, instead.

  • Automatic reconfiguration

    Load Balancer instantly reconfigures itself when you scale instances up or down. Adding or removing VMs from the backend pool reconfigures the Load Balancer without additional operations on the Load Balancer resource.

  • Health probes

    To determine the health of instances in the backend pool, Load Balancer uses health probes that you define. When a probe fails to respond, the Load Balancer stops sending new connections to the unhealthy instance. Existing connections are not affected; they continue until the application terminates the flow, an idle timeout occurs, or the VM is shut down.

    Load Balancer provides different health probe types for TCP, HTTP, and HTTPS endpoints.

    Additionally, when using Classic cloud services, an additional type is allowed: Guest agent. This should be considered a health probe of last resort and is not recommended when other options are viable.

  • Outbound connections (SNAT)

    All outbound flows from private IP addresses inside your virtual network to public IP addresses on the internet can be translated to a frontend IP address of the Load Balancer. When a public frontend is tied to a backend VM by way of a load-balancing rule, Azure programs outbound connections to be automatically translated to the public frontend IP address.

    • Enables easy upgrade and disaster recovery of services, because the frontend can be dynamically mapped to another instance of the service.
    • Easier access control list (ACL) management. ACLs expressed in terms of frontend IPs do not change as services scale up or down or get redeployed. Translating outbound connections to a smaller number of IP addresses than machines reduces the burden of allow-listing.

      For more information, see outbound connections.
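The distribution and health-probe behaviour described in the bullets above, as an added example that is not Azure's code: a small Python model in which SHA-256 over the chosen tuple stands in for Azure's internal (undocumented) hash, and the backend names, client addresses and ports are constructed. It shows why 2-tuple and 3-tuple modes pin one client to one backend while the default 5-tuple spreads a client's flows as its source port changes, and why a failed probe stops new flows to an instance without disturbing flows already established to it (the Standard SKU behaviour from the comparison table).

```python
"""Toy model of Load Balancer's hash-based distribution and probe gating.
Added example, not Azure's implementation: Azure's real hash is internal,
so SHA-256 over the tuple fields stands in for it here."""
import hashlib

# Constructed backend pool (hypothetical VM names).
BACKENDS = ["vm-a", "vm-b", "vm-c"]


# A flow is (src_ip, src_port, dst_ip, dst_port, ip_proto); 6 = TCP, 17 = UDP.
def distribution_key(flow, mode="5tuple"):
    """Select the fields that feed the hash for the chosen distribution mode.
    5tuple is the default (no affinity); 3tuple/2tuple opt into source-IP affinity."""
    src_ip, src_port, dst_ip, dst_port, proto = flow
    keys = {
        "5tuple": (src_ip, src_port, dst_ip, dst_port, proto),
        "3tuple": (src_ip, dst_ip, proto),
        "2tuple": (src_ip, dst_ip),
    }
    return keys[mode]


def pick_backend(flow, mode, healthy):
    """A new flow goes only to a backend whose probe currently reports healthy."""
    candidates = [b for b in BACKENDS if healthy[b]]
    if not candidates:
        return None  # all probes down: no instance can accept a new flow
    digest = hashlib.sha256(repr(distribution_key(flow, mode)).encode()).digest()
    return candidates[int.from_bytes(digest[:8], "big") % len(candidates)]


class FlowTable:
    """Tracks established flows so that a probe going down does not touch them:
    only *new* flows are steered away from an unhealthy instance."""

    def __init__(self, mode="5tuple"):
        self.mode = mode
        self.healthy = {b: True for b in BACKENDS}
        self.established = {}  # flow -> backend it was mapped to

    def set_probe(self, backend, is_healthy):
        self.healthy[backend] = is_healthy

    def route(self, flow):
        # Existing flow: keep delivering to the instance it was mapped to,
        # even if that instance's probe has since failed.
        if flow in self.established:
            return self.established[flow]
        backend = pick_backend(flow, self.mode, self.healthy)
        if backend is not None:
            self.established[flow] = backend
        return backend


def backends_seen(mode, client_ip="203.0.113.10", ports=range(40000, 40060)):
    """Which backends one client reaches when it opens flows from many source ports.
    Constructed frontend 192.0.2.5:80/TCP."""
    table = FlowTable(mode)
    return {table.route((client_ip, p, "192.0.2.5", 80, 6)) for p in ports}


if __name__ == "__main__":
    for mode in ("5tuple", "3tuple", "2tuple"):
        print(mode, "->", sorted(backends_seen(mode)))
    t = FlowTable()
    flow = ("198.51.100.7", 5555, "192.0.2.5", 80, 6)
    first = t.route(flow)
    t.set_probe(first, False)
    print("established flow still routed to", t.route(flow), "after probe down")
```

The modulo over the healthy-candidate list is deliberately naive: when one probe fails, other clients' *new* flows may also be remapped, which is why a practitioner checks the distribution mode rather than assuming a client stays on one VM across pool changes.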

Standard Load Balancer has additional SKU-specific capabilities beyond these fundamentals. Review the remainder of this article for details.

Load Balancer SKU comparison

Load Balancer supports both Basic and Standard SKUs, which differ in scenario scale, features, and pricing. Any scenario that's possible with Basic Load Balancer can be created with Standard Load Balancer as well. In fact, the APIs for both SKUs are similar and are invoked by specifying a SKU. The API that supports SKUs for Load Balancer and the public IP is available starting with the 2017-08-01 API. Both SKUs have the same general API and structure.

However, depending on which SKU you choose, the complete scenario configuration might differ slightly. Load Balancer documentation calls out when an article applies only to a specific SKU. To compare and understand the differences, see the following table. For more information, see Standard Load Balancer overview.

Note

New designs should adopt Standard Load Balancer.

Standalone VMs, availability sets, and virtual machine scale sets can be connected to only one SKU, never both. When you use them with public IP addresses, the Load Balancer SKU and the public IP address SKU must match. Load Balancer and public IP SKUs are not mutable.

It is a best practice to specify the SKUs explicitly, even though it is not yet mandatory. At this time, required changes are being kept to a minimum. If a SKU is not specified, it is interpreted as an intention to use the 2017-08-01 API version of the Basic SKU.

Important

Standard Load Balancer is a new Load Balancer product and largely a superset of Basic Load Balancer. There are important and deliberate differences between the two products. Any end-to-end scenario that's possible with Basic Load Balancer can also be created with Standard Load Balancer. If you're already used to Basic Load Balancer, you should familiarize yourself with Standard Load Balancer to understand the latest changes in behavior between Standard and Basic and their impact. Review this section carefully.

| | Standard SKU | Basic SKU |
|---|---|---|
| Backend pool size | Supports up to 1000 instances | Supports up to 100 instances |
| Backend pool endpoints | Any virtual machine in a single virtual network, including a blend of virtual machines, availability sets, and virtual machine scale sets | Virtual machines in a single availability set or virtual machine scale set |
| Health probes | TCP, HTTP, HTTPS | TCP, HTTP |
| Health probe down behavior | TCP connections stay alive on instance probe down and on all probes down | TCP connections stay alive on instance probe down. All TCP connections terminate on all probes down |
| Availability Zones | Zone-redundant and zonal frontends for inbound and outbound; outbound flow mappings survive zone failure; cross-zone load balancing | n/a |
| Diagnostics | Azure Monitor, multi-dimensional metrics including byte and packet counters, health probe status, connection attempts (TCP SYN), outbound connection health (SNAT successful and failed flows), active data plane measurements | Azure Log Analytics for public Load Balancer only, SNAT exhaustion alert, backend pool health count |
| HA Ports | Internal Load Balancer | n/a |
| Secure by default | Closed by default for public IP and Load Balancer endpoints; a network security group must be used to explicitly allow traffic to flow | Open by default; network security group optional |
| Outbound connections | Multiple frontends with per-load-balancing-rule opt-out. An outbound scenario must be explicitly created for the virtual machine to be able to use outbound connectivity. Virtual Network Service Endpoints can be reached without outbound connectivity and do not count towards data processed. Any public IP address, including Azure PaaS services not available as VNet Service Endpoints, must be reached via outbound connectivity and counts towards data processed. When only an internal Load Balancer is serving a virtual machine, outbound connections via default SNAT are not available. Outbound SNAT programming is transport-protocol specific, based on the protocol of the inbound load-balancing rule | Single frontend, selected at random when multiple frontends are present. When only an internal Load Balancer is serving a virtual machine, default SNAT is used |
| Multiple frontends | Inbound and outbound | Inbound only |
| Management operations | Most operations < 30 seconds | 60-90+ seconds typical |
| SLA | 99.99% for data path with two healthy virtual machines | Implicit in VM SLA |
| Pricing | Charged based on number of rules and data processed inbound or outbound associated with the resource | No charge |

For more information, see service limits for Load Balancer. For Standard Load Balancer details, see overview, pricing, and SLA.

Concepts

Public Load Balancer

A public Load Balancer maps the public IP address and port number of incoming traffic to the private IP address and port number of the VM, and vice versa for the response traffic from the VM. By applying load-balancing rules, you can distribute specific types of traffic across multiple VMs or services. For example, you can spread the load of web request traffic across multiple web servers.

The following figure shows a load-balanced endpoint for web traffic that is shared among three VMs on public and private TCP port 80. These three VMs are in a load-balanced set.

Figure: Load balancing web traffic by using a public Load Balancer

When internet clients send webpage requests to the public IP address of a web app on TCP port 80, Azure Load Balancer distributes the requests across the three VMs in the load-balanced set. For more information about Load Balancer algorithms, see the Load Balancer features section of this article.

By default, Azure Load Balancer distributes network traffic equally among multiple VM instances. You can also configure session affinity. For more information, see Load Balancer distribution mode.

Internal Load Balancer

An internal Load Balancer directs traffic only to resources that are inside a virtual network or that use a VPN to access Azure infrastructure. In this respect, an internal Load Balancer differs from a public Load Balancer. Azure infrastructure restricts access to the load-balanced frontend IP addresses of a virtual network. Frontend IP addresses and virtual networks are never directly exposed to an internet endpoint. Internal line-of-business applications run in Azure and are accessed from within Azure or from on-premises resources.

An internal Load Balancer enables the following types of load balancing:

  • Within a virtual network: Load balancing from VMs in the virtual network to a set of VMs that reside within the same virtual network.
  • For a cross-premises virtual network: Load balancing from on-premises computers to a set of VMs that reside within the same virtual network.
  • For multi-tier applications: Load balancing for internet-facing multi-tier applications where the backend tiers are not internet-facing. The backend tiers require traffic load balancing from the internet-facing tier (see the next figure).
  • For line-of-business applications: Load balancing for line-of-business applications that are hosted in Azure without additional load balancer hardware or software. This scenario includes on-premises servers that are in the set of computers whose traffic is load-balanced.

Figure: Load balancing multi-tier applications by using both public and internal Load Balancer

Pricing

Standard Load Balancer usage is charged based on the number of configured load-balancing rules and the amount of processed inbound and outbound data. For Standard Load Balancer pricing information, go to the Load Balancer pricing page.

Basic Load Balancer is offered at no charge.

SLA

For information about the Standard Load Balancer SLA, go to the Load Balancer SLA page.

Limitations

  • Load Balancer is a TCP or UDP product for load balancing and port forwarding for these specific IP protocols. Load-balancing rules and inbound NAT rules are supported for TCP and UDP and are not supported for other IP protocols, including ICMP. Load Balancer does not terminate, respond to, or otherwise interact with the payload of a UDP or TCP flow; it is not a proxy. Successful validation of connectivity to a frontend must take place in-band with the same protocol used in a load-balancing or inbound NAT rule (TCP or UDP), and at least one of your virtual machines must generate a response for a client to see a response from a frontend. Not receiving an in-band response from the Load Balancer frontend indicates that no virtual machine was able to respond; it is not possible to interact with a Load Balancer frontend without a virtual machine able to respond. This also applies to outbound connections, where port-masquerade SNAT is only supported for TCP and UDP; any other IP protocol, including ICMP, will also fail. Assign an instance-level public IP address to mitigate.
  • Unlike public Load Balancers, which provide outbound connections when transitioning from private IP addresses inside the virtual network to public IP addresses, internal Load Balancers do not translate outbound-originated connections to the frontend of an internal Load Balancer, as both are in private IP address space. This avoids the potential for SNAT port exhaustion inside unique internal IP address space where translation is not required. The side effect is that if an outbound flow from a VM in the backend pool attempts a flow to the frontend of the internal Load Balancer in whose pool it resides and is mapped back to itself, the two legs of the flow don't match and the flow will fail. If the flow does not map back to the same VM in the backend pool that created the flow to the frontend, the flow will succeed. When the flow maps back to itself, the outbound flow appears to originate from the VM to the frontend and the corresponding inbound flow appears to originate from the VM to itself. From the guest OS's point of view, the inbound and outbound parts of the same flow don't match inside the virtual machine: the TCP stack will not recognize these halves as the same flow because the source and destination don't match. When the flow maps to any other VM in the backend pool, the halves of the flow match and the VM can successfully respond to the flow.

    The symptom for this scenario is intermittent connection timeouts when the flow returns to the same backend that originated it. There are several common workarounds for reliably achieving this scenario (originating flows from a backend pool to that backend pool's own internal Load Balancer frontend), which include either inserting a proxy layer behind the internal Load Balancer or using DSR-style rules. Customers can combine an internal Load Balancer with any third-party proxy, or substitute an internal Application Gateway for proxy scenarios limited to HTTP/HTTPS. While you could use a public Load Balancer to mitigate, the resulting scenario is prone to SNAT exhaustion and should be avoided unless carefully managed.
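The hairpin failure described in the second limitation, as an added Python model that is not Azure's code. The frontend address (10.0.0.100:443), the pool members and the source ports are constructed, and SHA-256 stands in for the real distribution hash. The point it makes visible is that a flow from a pool member to its own internal frontend fails on exactly those source ports whose 5-tuple hashes back to the originating VM (the inbound leg then has the VM as both source and destination), while a client outside the pool never hits this case; that is the intermittent timeout symptom the text describes.

```python
"""Toy model of the internal Load Balancer hairpin limitation.
Added example, not Azure code: addresses are constructed and SHA-256
over the 5-tuple stands in for Azure's internal distribution hash."""
import hashlib

ILB_FRONTEND = ("10.0.0.100", 443)                       # constructed frontend
POOL = {"vm-1": "10.0.0.4", "vm-2": "10.0.0.5", "vm-3": "10.0.0.6"}  # constructed pool


def pick_backend(src_ip, src_port, dst_ip, dst_port, proto=6):
    """Default 5-tuple distribution over the pool (SHA-256 as a stand-in hash)."""
    key = repr((src_ip, src_port, dst_ip, dst_port, proto)).encode()
    idx = int.from_bytes(hashlib.sha256(key).digest()[:8], "big") % len(POOL)
    return sorted(POOL)[idx]


def ilb_forward(src_ip, src_port):
    """What the internal LB does with a packet for its frontend: rewrite only
    the destination to the chosen backend's private IP. There is no SNAT,
    because source and destination are both in private address space."""
    backend = pick_backend(src_ip, src_port, *ILB_FRONTEND)
    delivered = (src_ip, src_port, POOL[backend], ILB_FRONTEND[1])
    return backend, delivered


def connect_via_frontend(origin, src_port):
    """One connection attempt to the ILB frontend from `origin`, which is either
    a pool member name or an IP outside the pool. Returns 'ok' or 'fail'."""
    src_ip = POOL.get(origin, origin)
    _backend, delivered = ilb_forward(src_ip, src_port)
    # Guest OS view: the socket it opened expects its peer to be the frontend.
    # If the packet lands back on the originating VM, that VM sees a new
    # inbound leg whose source and destination are both itself, which matches
    # no flow its TCP stack opened, so the two halves never meet.
    if delivered[2] == src_ip:
        return "fail"
    return "ok"


def hairpin_summary(origin, ports=range(50000, 50100)):
    """Count outcomes across many source ports; a pool member sees a mix,
    which is the intermittent-timeout symptom."""
    outcomes = [connect_via_frontend(origin, p) for p in ports]
    return {"ok": outcomes.count("ok"), "fail": outcomes.count("fail")}


if __name__ == "__main__":
    print("pool member vm-1 ->", hairpin_summary("vm-1"))
    print("client 10.0.1.50 ->", hairpin_summary("10.0.1.50"))
```

Because the failing ports are a fixed function of the hash, a retry from the same ephemeral port fails again while the next port may succeed, which is why the problem surfaces as flakiness rather than a hard outage and why the text points at a proxy layer or DSR-style rules rather than retries.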

Next steps

You now have an overview of Azure Load Balancer. To get started with using a Load Balancer, create one, create VMs with a custom IIS extension installed, and load-balance the web app between the VMs. To learn how, see the Create a Basic Load Balancer quickstart.