1

我一直在寻找一种正确的方法来使用内部负载平衡器对我的内部 vm 规模集进行地形改造,该负载平衡器不会通过公共 IP 暴露于互联网。但是,节点应该可以访问 Internet 以下载位于 github 中的一些包。

我在部署负载均衡器和规模集时遇到了这个问题,但是我没有来自规模集节点的 Internet 带外连接......

我读了这篇文章,但它没有告诉 如何继续

根据我的理解,我应该可以从我的节点访问 Internet 以下载包,因为我使用标准负载均衡器,但它不起作用。

我错过了什么?我宁愿避免使用NAT 网关..

下面是我创建 RG、Vnet 子网、LB 规则以及最后是 VMSS 和 jumbpox 的完整 terraform 脚本。

        provider "azurerm" {       
                
        features {}        
        subscription_id = var.azure-subscription-id       
            client_id       = var.azure-client-app-id       
            client_secret   = var.azure-client-secret-password       
            tenant_id       = var.azure-tenant-id   
            }

        resource "azurerm_resource_group" "existing_terraform_rg" {
        name                     = "rg-ict-spoke1-001"
        location                 = "westeurope"
        #depends_on = [var.rg_depends_on]
        }
        # Create storage account for boot diagnostics
        resource "azurerm_storage_account" "mystorageaccount" {
            name                        = "diag${random_id.randomId.hex}"
            resource_group_name         = azurerm_resource_group.existing_terraform_rg.name
            location                    = "westeurope"
            account_tier                = "Standard"
            account_replication_type    = "LRS"
        }
        resource "azurerm_virtual_network" "existing_terraform_vnet" {
            name                = "vnet-spoke1-001"
            location            = "westeurope"
            resource_group_name = azurerm_resource_group.existing_terraform_rg.name
            address_space       = ["10.0.0.0/16"]
            #depends_on = [azurerm_resource_group.existing_terraform_rg]
        }
        // Subnets
        # Create subnet
        resource "azurerm_subnet" "spk1-jbx-subnet" {
            name                 = "spk1-jbx-subnet"
            resource_group_name  = azurerm_resource_group.existing_terraform_rg.name
            virtual_network_name = azurerm_virtual_network.existing_terraform_vnet.name
            address_prefixes       = ["10.0.0.0/24"]
        }

        resource "azurerm_subnet" "new_terraform_subnet_web" {
        name                 = "snet-webtier-${var.environment}-vdc-001"
        resource_group_name  =  azurerm_resource_group.existing_terraform_rg.name
        virtual_network_name =  azurerm_virtual_network.existing_terraform_vnet.name
        address_prefix       = var.webtier_address_prefix
        depends_on = [azurerm_virtual_network.existing_terraform_vnet]
        }

        # Create Network Security Group and rule
        resource "azurerm_network_security_group" "generic-nsg" {
            name                = "generic-nsg"
            location            = "westeurope"
            resource_group_name = azurerm_resource_group.existing_terraform_rg.name
            
            security_rule {
                name                       = "GENERIC-RULE"
                priority                   = 1001
                direction                  = "Inbound"
                access                     = "Allow"
                protocol                   = "Tcp"
                source_port_range          = "*"
                #destination_port_range     = "3389"
                #destination_port_ranges     = "["22","3389","80","8080"]" 
                destination_port_ranges     = ["22","3389","80","8080","443"]
                source_address_prefix      = "*"
                destination_address_prefix = "*"
            }
        }

        # Connect the security group to the network interface
        resource "azurerm_subnet_network_security_group_association" "new_terraform_subnet_web-asso-nsg" {
        subnet_id                 = azurerm_subnet.new_terraform_subnet_web.id
        network_security_group_id = azurerm_network_security_group.generic-nsg.id
        }


        resource "azurerm_subnet_network_security_group_association" "spk1-jbx-subnet-asso-nsg" {
        subnet_id                 = azurerm_subnet.spk1-jbx-subnet.id
        network_security_group_id = azurerm_network_security_group.generic-nsg.id
        }

        # Generate random text for a unique storage account name
        resource "random_id" "randomId" {
            keepers = {
                # Generate a new ID only when a new resource group is defined
                resource_group = azurerm_resource_group.existing_terraform_rg.name
            }
            byte_length = 8
        }









        resource "azurerm_lb" "new_terraform_lb_web" {
        name                = "lb-${var.web_lb_name}-${var.environment}-vdc-001"
        location            =  azurerm_resource_group.existing_terraform_rg.location
        resource_group_name =  azurerm_resource_group.existing_terraform_rg.name
        sku = var.lb_Sku
        frontend_ip_configuration {
            name                 = "PrivateIPAddress-${var.web_lb_name}"
            subnet_id            = azurerm_subnet.new_terraform_subnet_web.id
            private_ip_address   = var.web_lb_private_IP
            private_ip_address_allocation = "Static"
        }
        }
        resource "azurerm_lb_backend_address_pool" "new_terraform_bpepool_web" {
        resource_group_name =  azurerm_resource_group.existing_terraform_rg.name
        loadbalancer_id     = azurerm_lb.new_terraform_lb_web.id
        name                = "${var.web_lb_name}-BackEndAddressPool"
        }
        resource "azurerm_lb_probe" "new_terraform_lb_probe_web" {
        resource_group_name =  azurerm_resource_group.existing_terraform_rg.name
        loadbalancer_id     = azurerm_lb.new_terraform_lb_web.id
        name                = "${var.web_lb_name}-probe-${var.web_lb_probe_protocol}"
        protocol            = var.web_lb_probe_protocol
        request_path        = var.web_lb_probe_request_path
        port                = var.web_lb_probe_port
        }

        resource "azurerm_lb_rule" "new_terraform_bpepool_web_rule_http" {
        resource_group_name            = azurerm_resource_group.existing_terraform_rg.name
        loadbalancer_id                = azurerm_lb.new_terraform_lb_web.id
        backend_address_pool_id        = azurerm_lb_backend_address_pool.new_terraform_bpepool_web.id
        probe_id                       = azurerm_lb_probe.new_terraform_lb_probe_web.id
        disable_outbound_snat          = true 
        name                           = "new_terraform_bpepool_web_rule_http"
        protocol                       = "Tcp"
        frontend_port                  = 80
        backend_port                   = 80
        frontend_ip_configuration_name = "PrivateIPAddress-${var.web_lb_name}"
        }

        resource "azurerm_lb_rule" "new_terraform_bpepool_web_rule_https" {
        resource_group_name            = azurerm_resource_group.existing_terraform_rg.name
        loadbalancer_id                = azurerm_lb.new_terraform_lb_web.id
        backend_address_pool_id        = azurerm_lb_backend_address_pool.new_terraform_bpepool_web.id
        probe_id                       = azurerm_lb_probe.new_terraform_lb_probe_web.id
        disable_outbound_snat          = true 
        name                           = "new_terraform_bpepool_web_rule_https"
        protocol                       = "Tcp"
        frontend_port                  = 443
        backend_port                   = 443
        frontend_ip_configuration_name = "PrivateIPAddress-${var.web_lb_name}"
        }

        resource "azurerm_windows_virtual_machine_scale_set" "new_terraform_vmss_web" {
        depends_on = [azurerm_lb_rule.new_terraform_bpepool_web_rule_http,azurerm_lb_rule.new_terraform_bpepool_web_rule_https]
        name                = "vmss-001"
        resource_group_name =  azurerm_resource_group.existing_terraform_rg.name
        location            =  azurerm_resource_group.existing_terraform_rg.location
        sku                 = var.webtier_vmss_sku
        instances           = var.webtier_vmss_instance_count
        admin_password      = var.webtier_vmss_admin_password
        admin_username      = var.webtier_vmss_admin_uname
        zone_balance = true
        zones = [1,2,3]
        upgrade_mode = "Manual"
            #automatic_os_upgrade_policy {
            #    disable_automatic_rollback  = false
            #    enable_automatic_os_upgrade = true
            #}
            #rolling_upgrade_policy {
            #  max_batch_instance_percent              = 20
            #  max_unhealthy_instance_percent          = 20
            #  max_unhealthy_upgraded_instance_percent = 5
            #  pause_time_between_batches              = "PT0S"
            #}    
        #health_probe_id = azurerm_lb_probe.new_terraform_lb_probe_web.id

        source_image_reference {
            publisher = "MicrosoftWindowsServer"
            offer     = "WindowsServer"
            sku       = var.webtier_vmss_image_sku
            version   = "latest"
        }

        os_disk {
            storage_account_type = "Standard_LRS"
            caching              = "ReadWrite"
        }

        network_interface {
            name    = "vmss-001-nic-1"
            primary = true
            ip_configuration {
            name      = "vmss-001-nic-1-Configuration"
            primary   = true
            subnet_id = azurerm_subnet.new_terraform_subnet_web.id
            load_balancer_backend_address_pool_ids = [azurerm_lb_backend_address_pool.new_terraform_bpepool_web.id]
            #load_balancer_inbound_nat_rules_ids    = [azurerm_lb_nat_pool.lbnatpool-1.id]
            }
        }
        }

        resource "azurerm_virtual_machine_scale_set_extension" "new_terraform_vmss_web_ext_1" {
        name                         = "new_terraform_vmss_web_ext_1"
        virtual_machine_scale_set_id = azurerm_windows_virtual_machine_scale_set.new_terraform_vmss_web.id
            publisher = "Microsoft.Compute"
            type = "CustomScriptExtension"
            type_handler_version = "1.9"
            settings = <<SETTINGS
                {
                    "fileUris": ["https://raw.githubusercontent.com/Azure-Samples/compute-automation-configurations/master/automate-iis-v2.ps1"]
                }
                    SETTINGS
            protected_settings = <<PROTECTED_SETTINGS
                { 
                    "commandToExecute": "powershell -ExecutionPolicy Unrestricted -File automate-iis-v2.ps1"
                }
                    PROTECTED_SETTINGS
        }




    # Create public IPs
    resource "azurerm_public_ip" "spk1-jbx-puip" {
        name                         = "spk1-jbx-puip"
        location                     = "westeurope"
        resource_group_name          = azurerm_resource_group.existing_terraform_rg.name
        allocation_method            = "Dynamic"
    }



    # Create network interface
    resource "azurerm_network_interface" "spk1-jbx-nic" {
        name                      = "spk1-jbx-nic"
        location                  = "westeurope"
        resource_group_name       = azurerm_resource_group.existing_terraform_rg.name
        ip_configuration {
            name                          = "spk1-jbx-nic-conf"
            subnet_id                     = azurerm_subnet.spk1-jbx-subnet.id
            private_ip_address_allocation = "Dynamic"
            public_ip_address_id          = azurerm_public_ip.spk1-jbx-puip.id
        }
    }

    resource "azurerm_virtual_machine" "spk1-jbx-vm" {
    name                  = "spk1-jbx-vm"
    location              = "westeurope" 
    resource_group_name   = azurerm_resource_group.existing_terraform_rg.name
    network_interface_ids = ["${azurerm_network_interface.spk1-jbx-nic.id}"]
    vm_size               = "Standard_D2s_v3"
    storage_image_reference {
        publisher = "MicrosoftWindowsServer"
        offer     = "WindowsServer"
        sku       =  "2016-Datacenter"
        version   = "latest"
    }

    storage_os_disk {
        name              = "spk1-jbx-vm-mtwin-disk-os"
        caching           = "ReadWrite"
        create_option     = "FromImage"
        managed_disk_type = "Standard_LRS"
    }
    os_profile {
        computer_name  = "spk1-jbx-vm"
        admin_username = "demouser"
        admin_password = "M0nP@ssw0rd!" 
    }
    os_profile_windows_config {
        provision_vm_agent = true
    }

    }
4

1 回答 1

3

您需要一个公共负载均衡器用于端口伪装 SNAT (PAT) 出站流量。您可以按照您引用的文档 Azure 中的说明配置内部和公共 LB。

内部标准负载均衡器方案的出站 NAT使用内部标准负载均衡器时,出站 NAT 在明确声明出站连接之前不可用。您可以使用出站规则定义出站连接,通过以下步骤为内部标准负载均衡器后面的虚拟机创建出站连接: 1. 创建公共标准负载均衡器。2. 创建一个后端池,并将虚拟机放入公共负载均衡器的后端池中,除了内部负载均衡器。3. 在公共负载均衡器上配置出站规则,为这些虚拟机编程出站 NAT。

于 2020-08-12T16:46:22.523 回答