我一直在寻找一种正确的方法来使用内部负载均衡器来改造我的内部虚拟机规模集,该负载均衡器不会通过公共(public) IP 暴露在互联网上。但是,节点应该能够访问互联网来下载 github 中的一些包。
我遇到了这个问题,其中部署了负载均衡器以及规模集,但是我没有来自规模集节点的互联网带外连接...
我读了这篇文章,但它没有告诉我how to proceed
根据我的理解,我应该可以从我的节点访问互联网来下载软件包,因为我使用标准负载均衡器,但它不起作用。
我错过了什么?我宁愿避免使用 NAT Gateway ..
下面是我的完整 terraform 脚本,用于创建 RG、Vnet SUbnet、LB 规则,最后是 VMSS 和 jumbpox。
provider "azurerm" {
features {}
subscription_id = var.azure-subscription-id
client_id = var.azure-client-app-id
client_secret = var.azure-client-secret-password
tenant_id = var.azure-tenant-id
}
resource "azurerm_resource_group" "existing_terraform_rg" {
name = "rg-ict-spoke1-001"
location = "westeurope"
#depends_on = [var.rg_depends_on]
}
# Create storage account for boot diagnostics
resource "azurerm_storage_account" "mystorageaccount" {
name = "diag${random_id.randomId.hex}"
resource_group_name = azurerm_resource_group.existing_terraform_rg.name
location = "westeurope"
account_tier = "Standard"
account_replication_type = "LRS"
}
resource "azurerm_virtual_network" "existing_terraform_vnet" {
name = "vnet-spoke1-001"
location = "westeurope"
resource_group_name = azurerm_resource_group.existing_terraform_rg.name
address_space = ["10.0.0.0/16"]
#depends_on = [azurerm_resource_group.existing_terraform_rg]
}
// Subnets
# Create subnet
resource "azurerm_subnet" "spk1-jbx-subnet" {
name = "spk1-jbx-subnet"
resource_group_name = azurerm_resource_group.existing_terraform_rg.name
virtual_network_name = azurerm_virtual_network.existing_terraform_vnet.name
address_prefixes = ["10.0.0.0/24"]
}
resource "azurerm_subnet" "new_terraform_subnet_web" {
name = "snet-webtier-${var.environment}-vdc-001"
resource_group_name = azurerm_resource_group.existing_terraform_rg.name
virtual_network_name = azurerm_virtual_network.existing_terraform_vnet.name
address_prefix = var.webtier_address_prefix
depends_on = [azurerm_virtual_network.existing_terraform_vnet]
}
# Create Network Security Group and rule
resource "azurerm_network_security_group" "generic-nsg" {
name = "generic-nsg"
location = "westeurope"
resource_group_name = azurerm_resource_group.existing_terraform_rg.name
security_rule {
name = "GENERIC-RULE"
priority = 1001
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
#destination_port_range = "3389"
#destination_port_ranges = "["22","3389","80","8080"]"
destination_port_ranges = ["22","3389","80","8080","443"]
source_address_prefix = "*"
destination_address_prefix = "*"
}
}
# Connect the security group to the network interface
resource "azurerm_subnet_network_security_group_association" "new_terraform_subnet_web-asso-nsg" {
subnet_id = azurerm_subnet.new_terraform_subnet_web.id
network_security_group_id = azurerm_network_security_group.generic-nsg.id
}
resource "azurerm_subnet_network_security_group_association" "spk1-jbx-subnet-asso-nsg" {
subnet_id = azurerm_subnet.spk1-jbx-subnet.id
network_security_group_id = azurerm_network_security_group.generic-nsg.id
}
# Generate random text for a unique storage account name
resource "random_id" "randomId" {
keepers = {
# Generate a new ID only when a new resource group is defined
resource_group = azurerm_resource_group.existing_terraform_rg.name
}
byte_length = 8
}
resource "azurerm_lb" "new_terraform_lb_web" {
name = "lb-${var.web_lb_name}-${var.environment}-vdc-001"
location = azurerm_resource_group.existing_terraform_rg.location
resource_group_name = azurerm_resource_group.existing_terraform_rg.name
sku = var.lb_Sku
frontend_ip_configuration {
name = "PrivateIPAddress-${var.web_lb_name}"
subnet_id = azurerm_subnet.new_terraform_subnet_web.id
private_ip_address = var.web_lb_private_IP
private_ip_address_allocation = "Static"
}
}
resource "azurerm_lb_backend_address_pool" "new_terraform_bpepool_web" {
resource_group_name = azurerm_resource_group.existing_terraform_rg.name
loadbalancer_id = azurerm_lb.new_terraform_lb_web.id
name = "${var.web_lb_name}-BackEndAddressPool"
}
resource "azurerm_lb_probe" "new_terraform_lb_probe_web" {
resource_group_name = azurerm_resource_group.existing_terraform_rg.name
loadbalancer_id = azurerm_lb.new_terraform_lb_web.id
name = "${var.web_lb_name}-probe-${var.web_lb_probe_protocol}"
protocol = var.web_lb_probe_protocol
request_path = var.web_lb_probe_request_path
port = var.web_lb_probe_port
}
resource "azurerm_lb_rule" "new_terraform_bpepool_web_rule_http" {
resource_group_name = azurerm_resource_group.existing_terraform_rg.name
loadbalancer_id = azurerm_lb.new_terraform_lb_web.id
backend_address_pool_id = azurerm_lb_backend_address_pool.new_terraform_bpepool_web.id
probe_id = azurerm_lb_probe.new_terraform_lb_probe_web.id
disable_outbound_snat = true
name = "new_terraform_bpepool_web_rule_http"
protocol = "Tcp"
frontend_port = 80
backend_port = 80
frontend_ip_configuration_name = "PrivateIPAddress-${var.web_lb_name}"
}
resource "azurerm_lb_rule" "new_terraform_bpepool_web_rule_https" {
resource_group_name = azurerm_resource_group.existing_terraform_rg.name
loadbalancer_id = azurerm_lb.new_terraform_lb_web.id
backend_address_pool_id = azurerm_lb_backend_address_pool.new_terraform_bpepool_web.id
probe_id = azurerm_lb_probe.new_terraform_lb_probe_web.id
disable_outbound_snat = true
name = "new_terraform_bpepool_web_rule_https"
protocol = "Tcp"
frontend_port = 443
backend_port = 443
frontend_ip_configuration_name = "PrivateIPAddress-${var.web_lb_name}"
}
resource "azurerm_windows_virtual_machine_scale_set" "new_terraform_vmss_web" {
depends_on = [azurerm_lb_rule.new_terraform_bpepool_web_rule_http,azurerm_lb_rule.new_terraform_bpepool_web_rule_https]
name = "vmss-001"
resource_group_name = azurerm_resource_group.existing_terraform_rg.name
location = azurerm_resource_group.existing_terraform_rg.location
sku = var.webtier_vmss_sku
instances = var.webtier_vmss_instance_count
admin_password = var.webtier_vmss_admin_password
admin_username = var.webtier_vmss_admin_uname
zone_balance = true
zones = [1,2,3]
upgrade_mode = "Manual"
#automatic_os_upgrade_policy {
# disable_automatic_rollback = false
# enable_automatic_os_upgrade = true
#}
#rolling_upgrade_policy {
# max_batch_instance_percent = 20
# max_unhealthy_instance_percent = 20
# max_unhealthy_upgraded_instance_percent = 5
# pause_time_between_batches = "PT0S"
#}
#health_probe_id = azurerm_lb_probe.new_terraform_lb_probe_web.id
source_image_reference {
publisher = "MicrosoftWindowsServer"
offer = "WindowsServer"
sku = var.webtier_vmss_image_sku
version = "latest"
}
os_disk {
storage_account_type = "Standard_LRS"
caching = "ReadWrite"
}
network_interface {
name = "vmss-001-nic-1"
primary = true
ip_configuration {
name = "vmss-001-nic-1-Configuration"
primary = true
subnet_id = azurerm_subnet.new_terraform_subnet_web.id
load_balancer_backend_address_pool_ids = [azurerm_lb_backend_address_pool.new_terraform_bpepool_web.id]
#load_balancer_inbound_nat_rules_ids = [azurerm_lb_nat_pool.lbnatpool-1.id]
}
}
}
resource "azurerm_virtual_machine_scale_set_extension" "new_terraform_vmss_web_ext_1" {
name = "new_terraform_vmss_web_ext_1"
virtual_machine_scale_set_id = azurerm_windows_virtual_machine_scale_set.new_terraform_vmss_web.id
publisher = "Microsoft.Compute"
type = "CustomScriptExtension"
type_handler_version = "1.9"
settings = <<SETTINGS
{
"fileUris": ["https://raw.githubusercontent.com/Azure-Samples/compute-automation-configurations/master/automate-iis-v2.ps1"]
}
SETTINGS
protected_settings = <<PROTECTED_SETTINGS
{
"commandToExecute": "powershell -ExecutionPolicy Unrestricted -File automate-iis-v2.ps1"
}
PROTECTED_SETTINGS
}
# Create public IPs
resource "azurerm_public_ip" "spk1-jbx-puip" {
name = "spk1-jbx-puip"
location = "westeurope"
resource_group_name = azurerm_resource_group.existing_terraform_rg.name
allocation_method = "Dynamic"
}
# Create network interface
resource "azurerm_network_interface" "spk1-jbx-nic" {
name = "spk1-jbx-nic"
location = "westeurope"
resource_group_name = azurerm_resource_group.existing_terraform_rg.name
ip_configuration {
name = "spk1-jbx-nic-conf"
subnet_id = azurerm_subnet.spk1-jbx-subnet.id
private_ip_address_allocation = "Dynamic"
public_ip_address_id = azurerm_public_ip.spk1-jbx-puip.id
}
}
resource "azurerm_virtual_machine" "spk1-jbx-vm" {
name = "spk1-jbx-vm"
location = "westeurope"
resource_group_name = azurerm_resource_group.existing_terraform_rg.name
network_interface_ids = ["${azurerm_network_interface.spk1-jbx-nic.id}"]
vm_size = "Standard_D2s_v3"
storage_image_reference {
publisher = "MicrosoftWindowsServer"
offer = "WindowsServer"
sku = "2016-Datacenter"
version = "latest"
}
storage_os_disk {
name = "spk1-jbx-vm-mtwin-disk-os"
caching = "ReadWrite"
create_option = "FromImage"
managed_disk_type = "Standard_LRS"
}
os_profile {
computer_name = "spk1-jbx-vm"
admin_username = "demouser"
admin_password = "M0nP@ssw0rd!"
}
os_profile_windows_config {
provision_vm_agent = true
}
}
最佳答案
您需要一个公共(public)负载均衡器来对出站流量进行端口伪装 SNAT (PAT)。您可以按照您引用的 Azure 文档中的说明配置内部负载均衡器和公共(public)负载均衡器。
Outbound NAT for internal Standard Load Balancer scenarios When using an internal Standard Load Balancer, outbound NAT is not available until outbound connectivity has been explicitly declared. You can define outbound connectivity using an outbound rule to create outbound connectivity for VMs behind an internal Standard Load Balancer with these steps: 1. Create a public Standard Load Balancer. 2. Create a backend pool and place the VMs into a backend pool of the public Load Balancer in addition to the internal Load Balancer. 3. Configure an outbound rule on the public Load Balancer to program outbound NAT for these VMs.
关于带有内部负载平衡器的 azurerm terraform 秤,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/63380270/