Outbound rules - Azure Load Balancer

Outbound rules allow you to explicitly define SNAT (source network address translation) for a public standard load balancer. This configuration allows you to use the public IP(s) of your load balancer to provide outbound internet connectivity for your backend instances.

This configuration enables:

  • IP masquerading
  • Simplifying your allow lists.
  • Reducing the number of public IP resources needed for a deployment.

With outbound rules, you have full declarative control over outbound internet connectivity. Outbound rules allow you to scale and tune this ability to your specific needs.

Outbound rules are only followed if the backend VM doesn't have an instance-level public IP address (ILPIP).

Load Balancer outbound rules

With outbound rules, you can explicitly define outbound SNAT behavior.

Outbound rules allow you to control:

  • Which virtual machines are translated to which public IP addresses.
    • Two rules where backend pool 1 uses the blue IP addresses 1 and 2, and backend pool 2 uses the yellow IP prefix.
  • How outbound SNAT ports are allocated.
    • If backend pool 2 is the only pool making outbound connections, give all SNAT ports to backend pool 2 and none to backend pool 1.
  • Which protocols to provide outbound translation for.
    • If backend pool 2 needs UDP ports for outbound, and backend pool 1 needs TCP, give TCP ports to pool 1 and UDP ports to pool 2.
  • What duration to use for the outbound connection idle timeout (4-120 minutes).
    • If there are long-running connections with keepalives, reserve idle ports for long-running connections for up to 120 minutes. Otherwise, assume stale connections are abandoned and release ports after 4 minutes for fresh connections.
  • Whether to send a TCP Reset on idle timeout.
    • When timing out idle connections, do we send a TCP RST to the client and server so they know the flow is abandoned?

Outbound rule definition

Outbound rules follow the same familiar syntax as load balancing and inbound NAT rules: frontend + parameters + backend pool.

An outbound rule configures outbound NAT for all virtual machines identified by the backend pool to be translated to the frontend.

The parameters provide additional fine-grained control over the outbound NAT algorithm.

Scale outbound NAT with multiple IP addresses

Each additional IP address provided by a frontend provides an additional 64,000 ephemeral ports for the load balancer to use as SNAT ports.

Use multiple IP addresses to plan for large-scale scenarios. Use outbound rules to mitigate SNAT exhaustion.

You can also use a public IP prefix directly with an outbound rule.

A public IP prefix increases the scaling of your deployment. The prefix can be added to the allow list of flows originating from your Azure resources. You can configure a frontend IP configuration within the load balancer to reference a public IP address prefix.

The load balancer has control over the public IP prefix. The outbound rule automatically uses all public IP addresses contained within the public IP prefix for outbound connections.

Each of the IP addresses within the public IP prefix provides an additional 64,000 ephemeral ports for the load balancer to use as SNAT ports.

Outbound flow idle timeout and TCP reset

Outbound rules provide a configuration parameter to control the outbound flow idle timeout and match it to the needs of your application. Outbound idle timeouts default to 4 minutes. For more information, see configure idle timeouts.

The default behavior of the load balancer is to drop the flow silently when the outbound idle timeout has been reached. The enableTCPReset parameter enables predictable application behavior and control. The parameter dictates whether to send a bidirectional TCP Reset (TCP RST) when the outbound idle timeout expires.

Review TCP Reset on idle timeout for details, including region availability.

Securing and controlling outbound connectivity explicitly

Load-balancing rules provide automatic programming of outbound NAT. Some scenarios benefit from, or require you to, disable the automatic programming of outbound NAT by the load-balancing rule. Disabling it via the rule allows you to control or refine the behavior.

You can use this parameter in two ways:

  1. Prevent the inbound IP address from being used for outbound SNAT. Disable outbound SNAT in the load-balancing rule.

  2. Tune the outbound SNAT parameters of an IP address used for inbound and outbound simultaneously. The automatic outbound NAT must be disabled to allow an outbound rule to take control. To change the SNAT port allocation of an address also used for inbound, the disableOutboundSnat parameter must be set to true.

The operation to configure an outbound rule fails if you attempt to redefine an IP address that is used for inbound. Disable the outbound NAT of the load-balancing rule first.

Important

Your virtual machine will not have outbound connectivity if you set this parameter to true and do not have an outbound rule to define outbound connectivity. Some operations of your VM or your application may depend on having outbound connectivity available. Make sure you understand the dependencies of your scenario and have considered the impact of making this change.

Sometimes it's undesirable for a VM to create an outbound flow. There might be a requirement to manage which destinations receive outbound flows, or which destinations begin inbound flows. Use network security groups (NSGs) to manage the destinations that the VM reaches. Use NSGs to manage which public destinations start inbound flows.

When you apply an NSG to a load-balanced VM, pay attention to the service tags and default security rules.

Ensure that the VM can receive health probe requests from Azure Load Balancer.

If an NSG blocks health probe requests from the AZURE_LOADBALANCER default tag, your VM health probe fails and the VM is marked unavailable. The load balancer stops sending new flows to that VM.

Scenarios with outbound rules

Outbound rules scenarios

  • Configure outbound connections to a specific set of public IPs or a prefix.
  • Modify SNAT port allocation.
  • Enable outbound only.
  • Outbound NAT for VMs only (no inbound).
  • Outbound NAT for an internal standard load balancer.
  • Enable both TCP and UDP protocols for outbound NAT with a public standard load balancer.

Scenario 1: Configure outbound connections to a specific set of public IPs or a prefix

Details

Use this scenario to tailor outbound connections to originate from a set of public IP addresses. Add public IPs or prefixes to an allow or deny list based on origination.

This public IP or prefix can be the same as the one used by a load-balancing rule.

To use a different public IP or prefix than the one used by a load-balancing rule:

  1. Create a public IP prefix or public IP address.
  2. Create a public standard load balancer.
  3. Create a frontend referencing the public IP prefix or public IP address you wish to use.
  4. Reuse a backend pool, or create a backend pool and place the VMs into a backend pool of the public load balancer.
  5. Configure an outbound rule on the public load balancer to enable outbound NAT for the VMs using the frontend. Using a load-balancing rule for outbound isn't recommended; disable outbound SNAT on the load-balancing rule.

Scenario 2: Modify SNAT port allocation

Details

You can use outbound rules to tune the automatic SNAT port allocation based on backend pool size.

If you experience SNAT exhaustion, increase the number of SNAT ports given from the default of 1024.

Each public IP address contributes up to 64,000 ephemeral ports. The number of VMs in the backend pool determines the number of ports distributed to each VM. One VM in the backend pool has access to the maximum of 64,000 ports. For two VMs, a maximum of 32,000 SNAT ports each can be given with an outbound rule (2 x 32,000 = 64,000).

You can use outbound rules to tune the SNAT ports given by default. You can give more or less than the default SNAT port allocation provides. Each public IP address from a frontend of an outbound rule contributes up to 64,000 ephemeral ports for use as SNAT ports.

The load balancer gives SNAT ports in multiples of 8. If you provide a value not divisible by 8, the configuration operation is rejected. Each load balancing rule and inbound NAT rule consumes a range of 8 ports. If a load balancing or inbound NAT rule shares the same range of 8 as another, no additional ports are consumed.

If you attempt to give more SNAT ports than are available based on the number of public IP addresses, the configuration operation is rejected. For example, if you give 10,000 ports per VM and seven VMs in a backend pool share a single public IP, the configuration is rejected. Seven multiplied by 10,000 exceeds the 64,000 port limit. Add more public IP addresses to the frontend of the outbound rule to enable the scenario.

Revert to the default port allocation by specifying 0 for the number of ports. The first 50 VM instances get 1024 ports, instances 51-100 get 512, and so on up to the maximum number of instances. For more information on default SNAT port allocation, see the SNAT ports allocation table.
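The arithmetic above (64,000 ports per frontend IP, allocations in multiples of 8, 0 meaning the default allocation) and the disableOutboundSnat precondition from the earlier section on controlling outbound connectivity can be checked before a deployment is submitted. The following Python is an added example, not Azure's code and not an Azure SDK API: the dataclass field names, the function names and the sample IP addresses are this example's own, and the default-allocation helper only reproduces the two pool-size tiers stated on this page.

```python
"""Pre-flight checks for Azure Load Balancer outbound-rule SNAT planning.

Added worked example (not from the Azure documentation or SDK). It models
the constraints stated on the page: 64,000 ephemeral ports per frontend IP,
allocations in multiples of 8, 0 meaning the default allocation, a 4-120
minute idle-timeout range, TCP/UDP/All protocols (no ICMP), and the rule
that a load-balancing rule sharing a frontend IP with an outbound rule must
have disableOutboundSnat set. Field and function names are this example's
own, not ARM property names.
"""
from dataclasses import dataclass
from typing import List

PORTS_PER_FRONTEND_IP = 64_000
PORT_GRANULARITY = 8
IDLE_TIMEOUT_RANGE = (4, 120)
SUPPORTED_PROTOCOLS = {"Tcp", "Udp", "All"}


@dataclass
class LoadBalancingRule:
    name: str
    frontend_ips: List[str]        # public IPs this inbound rule listens on
    disable_outbound_snat: bool = False


@dataclass
class OutboundRule:
    name: str
    frontend_ips: List[str]        # public IPs (or the IPs of a prefix) used for SNAT
    backend_vm_count: int
    ports_per_vm: int = 0          # 0 = default allocation
    protocol: str = "All"
    idle_timeout_minutes: int = 4
    enable_tcp_reset: bool = False


def default_ports_per_vm(vm_count: int) -> int:
    """Default allocation as stated on the page: 1024 ports for pools of up
    to 50 VMs, 512 for 51-100. Larger pools follow Azure's allocation table,
    which this example deliberately does not reproduce."""
    if vm_count < 1:
        raise ValueError("backend pool must contain at least one VM")
    if vm_count <= 50:
        return 1024
    if vm_count <= 100:
        return 512
    raise ValueError("pool larger than 100 VMs: consult the SNAT port allocation table")


def effective_ports_per_vm(rule: OutboundRule) -> int:
    """Ports each VM actually receives: the explicit value, or the default."""
    return rule.ports_per_vm or default_ports_per_vm(rule.backend_vm_count)


def frontend_ips_needed(vm_count: int, ports_per_vm: int) -> int:
    """Smallest number of frontend IPs (64,000 ports each) that can cover the
    requested allocation; ceiling division without floats."""
    return -(-vm_count * ports_per_vm // PORTS_PER_FRONTEND_IP)


def validate_outbound_rule(rule: OutboundRule, lb_rules: List[LoadBalancingRule]) -> List[str]:
    """Return configuration errors; an empty list means the rule passes the
    checks modelled here (the platform may still apply others)."""
    errors: List[str] = []
    if rule.protocol not in SUPPORTED_PROTOCOLS:
        errors.append(f"{rule.name}: protocol {rule.protocol!r} unsupported (ICMP is not NATed)")
    lo, hi = IDLE_TIMEOUT_RANGE
    if not lo <= rule.idle_timeout_minutes <= hi:
        errors.append(f"{rule.name}: idle timeout must be {lo}-{hi} minutes")
    if not rule.frontend_ips:
        errors.append(f"{rule.name}: at least one frontend IP is required")
    ports = rule.ports_per_vm
    if ports % PORT_GRANULARITY:
        errors.append(f"{rule.name}: {ports} ports per VM is not a multiple of {PORT_GRANULARITY}")
    budget = PORTS_PER_FRONTEND_IP * len(rule.frontend_ips)
    if ports and ports * rule.backend_vm_count > budget:
        errors.append(
            f"{rule.name}: {rule.backend_vm_count} VMs x {ports} ports = "
            f"{rule.backend_vm_count * ports} exceeds {budget}; "
            f"need {frontend_ips_needed(rule.backend_vm_count, ports)} frontend IPs")
    # A load-balancing rule on the same IP programs outbound NAT automatically;
    # the outbound rule can only take control once that has been disabled.
    for lb in lb_rules:
        shared = sorted(set(lb.frontend_ips) & set(rule.frontend_ips))
        if shared and not lb.disable_outbound_snat:
            errors.append(
                f"{rule.name}: frontend {shared} is also used by load-balancing "
                f"rule {lb.name}; set disableOutboundSnat=true on it first")
    return errors


if __name__ == "__main__":
    # Constructed sample: the page's seven-VM, 10,000-port case on one IP.
    rule = OutboundRule("outbound-web", ["203.0.113.10"], backend_vm_count=7, ports_per_vm=10_000)
    inbound = LoadBalancingRule("lb-https", ["203.0.113.10"])
    for problem in validate_outbound_rule(rule, [inbound]):
        print(problem)
```

Run stand-alone, the sample reports two problems: the 70,000-port demand needs two frontend IPs, and the inbound rule on the same IP still has outbound SNAT enabled.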

Scenario 3: Enable outbound only

Details

Use a public standard load balancer to provide outbound NAT for a group of VMs. In this scenario, use an outbound rule by itself, without any additional rules configured.

Note

Azure Virtual Network NAT can provide outbound connectivity for virtual machines without the need for a load balancer. See What is Azure Virtual Network NAT? for more information.

Scenario 4: Outbound NAT for VMs only (no inbound)

Note

Azure Virtual Network NAT can provide outbound connectivity for virtual machines without the need for a load balancer. See What is Azure Virtual Network NAT? for more information.

Details

For this scenario, Azure Load Balancer outbound rules and Virtual Network NAT are the options available for egress from a virtual network.

  1. Create a public IP or prefix.
  2. Create a public standard load balancer.
  3. Create a frontend associated with the public IP or prefix dedicated to outbound.
  4. Create a backend pool for the VMs.
  5. Place the VMs into the backend pool.
  6. Configure an outbound rule to enable outbound NAT.

Use a prefix or public IP to scale SNAT ports. Add the source of outbound connections to an allow or deny list.

Scenario 5: Outbound NAT for an internal standard load balancer

Note

Azure Virtual Network NAT can provide outbound connectivity for virtual machines using an internal standard load balancer. See What is Azure Virtual Network NAT? for more information.

Details

Outbound connectivity isn't available for an internal standard load balancer until it has been explicitly declared through instance-level public IPs or Virtual Network NAT, or by associating the backend pool members with an outbound-only load balancer configuration.

For more information, see Outbound-only load balancer configuration.

Scenario 6: Enable both TCP and UDP protocols for outbound NAT with a public standard load balancer

Details

When using a public standard load balancer, the automatic outbound NAT provided matches the transport protocol of the load-balancing rule.

  1. Disable outbound SNAT on the load-balancing rule.
  2. Configure an outbound rule on the same load balancer.
  3. Reuse the backend pool already used by your VMs.
  4. Specify "protocol": "All" as part of the outbound rule.

When only inbound NAT rules are used, no outbound NAT is provided.

  1. Place VMs in a backend pool.
  2. Define one or more frontend IP configurations with public IP address(es) or a public IP prefix.
  3. Configure an outbound rule on the same load balancer.
  4. Specify "protocol": "All" as part of the outbound rule.

Limitations

  • The maximum number of usable ephemeral ports per frontend IP address is 64,000.
  • The range of the configurable outbound idle timeout is 4 to 120 minutes (240 to 7200 seconds).
  • The load balancer doesn't support ICMP for outbound NAT.
  • Outbound rules can only be applied to the primary IP configuration of a NIC. You can't create an outbound rule for the secondary IP of a VM or NVA. Multiple NICs are supported.
  • All virtual machines within an availability set must be added to the backend pool for outbound connectivity.
  • All virtual machines within a virtual machine scale set must be added to the backend pool for outbound connectivity.

Next steps