No external outbound traffic from nodes in an Azure VM Scale Set behind a load balancer

Time: 2018-05-04 13:23:52

Tags: azure rhel azure-resource-manager nat outbound

I am having trouble reaching external resources from the nodes (RHEL) provisioned in a VM Scale Set.

To sketch the environment I am trying to describe with an Azure Resource Manager template, I am looking to create:

  • 1 common virtualNetwork
  • 1 frontend VM (running RHEL, working as expected)
  • 1 cluster (vmss) running 2 nodes (RHEL)
    • the nodes are spawned in the same private subnet as the frontend VM
    • 1 loadbalancer that should act as a NAT gateway (but does not work that way)
      • the loadbalancer has an external IP, an inboundNatPool (works) and a backendAddressPool (the nodes register successfully)
    • a network security group managing access to ports (set to allow all outbound connections)

As a footnote, I am comfortable writing AWS CloudFormation files in YAML, so I handle Azure Resource Manager templates in a similar way, for easier reading and the added ability to put comments in the template.

Example of my vmss configuration (short snippet):

... #(yaml-template is first converted to json and then deployed using the azure cli)
#   Cluster
#   -------
#     Scale Set
#     ---------
#       | VM Scale Set can not connect to external sources
#       |
- type: Microsoft.Compute/virtualMachineScaleSets
  name: '[variables(''vmssName'')]'
  location: '[resourceGroup().location]'
  apiVersion: '2017-12-01'
  dependsOn:
  - '[variables(''vnetName'')]'
  - '[variables(''loadBalancerName'')]'
  - '[variables(''networkSecurityGroupName'')]'
  sku:
    capacity: '[variables(''instanceCount'')]' # Amount of nodes to be spawned
    name: Standard_A2_v2
    tier: Standard
  # zones: # If zone is specified, no sku can be chosen
  # - '1'
  properties:
    overprovision: 'true'
    upgradePolicy:
      mode: Manual
    virtualMachineProfile:
      networkProfile:
        networkInterfaceConfigurations:
        - name: '[variables(''vmssNicName'')]'
          properties:
            ipConfigurations:
            - name: '[variables(''ipConfigName'')]'
              properties:
                loadBalancerBackendAddressPools:
                - id: '[variables(''lbBackendAddressPoolsId'')]'
                loadBalancerInboundNatPools:
                - id: '[variables(''lbInboundNatPoolsId'')]'
                subnet:
                  id: '[variables(''subnetId'')]'
            primary: true
            networkSecurityGroup:
              id: '[variables(''networkSecurityGroupId'')]'
      osProfile:
        computerNamePrefix: '[variables(''vmssName'')]'
        adminUsername: '[parameters(''sshUserName'')]'
        # adminPassword: '[parameters(''adminPassword'')]'
        linuxConfiguration:
          disablePasswordAuthentication: True
          ssh:
            publicKeys:
            - keyData: '[parameters(''sshPublicKey'')]'
              path: '[concat(''/home/'',parameters(''sshUserName''),''/.ssh/authorized_keys'')]'
      storageProfile:
        imageReference: '[variables(''clusterImageReference'')]'
        osDisk:
          caching: ReadWrite
          createOption: FromImage
...

The network security group referenced by the template above is:

#     NetworkSecurityGroup
#     --------------------
- type: Microsoft.Network/networkSecurityGroups
  name: '[variables(''networkSecurityGroupName'')]'
  apiVersion: '2017-10-01'
  location: '[resourceGroup().location]'
  properties:
    securityRules:
    - name: remoteConnection
      properties:
        priority: 101
        access: Allow
        direction: Inbound
        protocol: Tcp
        description: Allow SSH traffic
        sourceAddressPrefix: '*'
        sourcePortRange: '*'
        destinationAddressPrefix: '*'
        destinationPortRange: '22'
    - name: allow_outbound_connections
      properties:
        description: This rule allows outbound connections
        priority: 200
        access: Allow
        direction: Outbound
        protocol: '*'
        sourceAddressPrefix: 'VirtualNetwork'
        sourcePortRange: '*'
        destinationAddressPrefix: '*'
        destinationPortRange: '*'

The load balancer, which I believe is the faulty part, is:

#   Loadbalancer as NatGateway
#   --------------------------
- type: Microsoft.Network/loadBalancers
  name: '[variables(''loadBalancerName'')]'
  apiVersion: '2017-10-01'
  location: '[resourceGroup().location]'
  sku:
    name: Standard
  dependsOn:
  - '[variables(''natIPAddressName'')]'
  properties:
    backendAddressPools:
    - name: '[variables(''lbBackendPoolName'')]'
    frontendIPConfigurations:
    - name: LoadBalancerFrontEnd
      properties:
        publicIPAddress:
          id: '[variables(''natIPAddressId'')]'
    inboundNatPools:
    - name: '[variables(''lbNatPoolName'')]'
      properties:
        backendPort: '22'
        frontendIPConfiguration:
          id: '[variables(''frontEndIPConfigID'')]'
        frontendPortRangeStart: '50000'
        frontendPortRangeEnd: '50099'
        protocol: tcp

I have been reading about configuring SNAT with port masquerading, but I am missing a relevant example of such a setup.

Any help is greatly appreciated.

1 answer:

Answer 0: (score: 0)

It took a lot of searching, but the article from Azure about Azure Load Balancer outbound connections (Scenario #2) states that a load balancing rule (and a complementary health probe) is required for SNAT to work.

The new code for the load balancer becomes:

...
- type: Microsoft.Network/loadBalancers
  name: '[variables(''loadBalancerName'')]'
  apiVersion: '2017-10-01'
  location: '[resourceGroup().location]'
  sku:
    name: Standard
  dependsOn:
  - '[variables(''natIPAddressName'')]'
  properties:
    backendAddressPools:
    - name: '[variables(''lbBackendPoolName'')]'
    frontendIPConfigurations:
    - name: LoadBalancerFrontEnd
      properties:
        publicIPAddress:
          id: '[variables(''natIPAddressId'')]'
    probes:  # Needed for loadBalancingRule to work
    - name: '[variables(''lbProbeName'')]'
      properties:
        protocol: Tcp
        port: 22
        intervalInSeconds: 5
        numberOfProbes: 2
    loadBalancingRules:  # Needed for SNAT to work
    - name: '[concat(variables(''loadBalancerName''),''NatRule'')]'
      properties:
        disableOutboundSnat: false
        frontendIPConfiguration:
          id: '[variables(''frontEndIPConfigID'')]'
        backendAddressPool:
          id: '[variables(''lbBackendAddressPoolsId'')]'
        probe:
          id: '[variables(''lbProbeId'')]'
        protocol: tcp
        frontendPort: 80
        backendPort: 80
...
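The pitfall in this thread (a Standard load balancer with a backend pool but no load balancing rule, so the pool members get no outbound SNAT) is easy to catch before deployment. The following check over a rendered (JSON) ARM template is an added example, not code from the question or the answer; the resource names, the probe and pool ids in the constructed sample are made up.

```python
# Added example (not from the question or answer): lint a rendered ARM
# template for the SNAT pitfall discussed above. A load balancer whose
# backend pool has no load-balancing rule (with outbound SNAT enabled and
# a health probe) leaves the pool members without outbound connectivity.
import json

def lb_snat_issues(template: dict) -> dict:
    """Return {lbName: [issue, ...]} for every load balancer resource."""
    report = {}
    for res in template.get("resources", []):
        if res.get("type") != "Microsoft.Network/loadBalancers":
            continue
        props = res.get("properties", {})
        rules = props.get("loadBalancingRules", [])
        probes = {p["name"] for p in props.get("probes", [])}
        issues = []
        if props.get("backendAddressPools") and not rules:
            issues.append("backend pool without loadBalancingRules: members get no SNAT")
        for rule in rules:
            rp = rule.get("properties", {})
            name = rule.get("name", "?")
            # ARM templates may carry booleans as strings; accept both forms
            if str(rp.get("disableOutboundSnat", False)).lower() == "true":
                issues.append(f"{name}: disableOutboundSnat is true")
            if "probe" not in rp or not probes:
                issues.append(f"{name}: no health probe, rule cannot become healthy")
            if "backendAddressPool" not in rp:
                issues.append(f"{name}: no backendAddressPool referenced")
        report[res.get("name")] = issues
    return report

# Constructed sample: one LB shaped like the question's, one like the answer's.
SAMPLE_TEMPLATE = json.loads("""{"resources": [
 {"type": "Microsoft.Network/loadBalancers", "name": "lb-before",
  "sku": {"name": "Standard"},
  "properties": {"backendAddressPools": [{"name": "pool"}],
                 "inboundNatPools": [{"name": "ssh", "properties": {"backendPort": 22}}]}},
 {"type": "Microsoft.Network/loadBalancers", "name": "lb-after",
  "sku": {"name": "Standard"},
  "properties": {"backendAddressPools": [{"name": "pool"}],
                 "probes": [{"name": "probe22", "properties": {"protocol": "Tcp", "port": 22}}],
                 "loadBalancingRules": [{"name": "NatRule", "properties": {
                   "disableOutboundSnat": false, "probe": {"id": "probe22"},
                   "backendAddressPool": {"id": "pool"}, "frontendPort": 80, "backendPort": 80}}]}}
]}""")

if __name__ == "__main__":
    for lb, issues in lb_snat_issues(SAMPLE_TEMPLATE).items():
        print(lb, "OK" if not issues else "; ".join(issues))
```

Run it against the JSON produced from the YAML template before `az group deployment create`; the first sample load balancer is flagged, the second (with probe and rule) passes.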