具有VNet网关和P2S VPN的Azure内部负载平衡网络
[英]Azure internal load-balanced network with VNet Gateway with P2S VPN
问题描述
So as the title suggests, I need to make a load-balanced internal gateway with a VPN. 
因此,正如标题所示,我需要使用VPN创建负载平衡的内部网关。 I'm a developer, so networking is not my forte. 我是开发人员,所以网络并不是我的强项。
I have two identical VMs (VM1 in Availability Zone 1 and VM2 in Availability Zone 2) and I need to share VPN traffic between them. 我有两个相同的VM(可用区1中的VM1和可用区2中的VM2),我需要在它们之间共享VPN流量。 My client has provided a range of 5 addresses that will be configured on their firewall, so I will pick one for them to use and they then need to be oblivious to the internal routing. 我的客户提供了将在其防火墙上配置的5个地址范围,因此我将选择一个供他们使用,然后他们需要忽略内部路由。
My ultimate goal is to allow the client to connect through a VPN to one IP address (in the range they have allocated) and let Azure direct the traffic to VM1 primarily, but failover to VM2 if Availability Zone 1 goes down. 我的最终目标是允许客户端通过VPN连接到一个IP地址(在其分配的范围内),并让Azure主要将流量定向到VM1,但是如果可用区1出现故障,则将故障转移到VM2。 The client must be oblivious to which VM they ultimately connect to. 客户端必须忽略最终连接到哪个VM。
My problem is that I cannot create a configuration where the Load Balancer's static IP is in the address range of the Gateway's VPN P2S address pool. 我的问题是我无法创建一个配置,其中负载均衡器的静态IP在网关的VPN P2S地址池的地址范围内。 Azure requires the P2S address pool to be outside of the VNet's address space and the Load Balancer needs to use the VNet's Subnet (which obviously is INSIDE the VNet's address space, so I'm stuck. Azure要求P2S地址池在VNet的地址空间之外,并且Load Balancer需要使用VNet的子网(显然是在VNet的地址空间之内,所以我被困住了。
I can create the GW -> Vnet -> subnet -> VM1/VM2 set up no problem using the client's specified IP range for the P2S VPN, but without a Load Balancer, how do I then direct the traffic between the VMs? 我可以使用客户端为P2S VPN指定的IP范围来创建GW-> Vnet->子网-> VM1 / VM2进行设置,但是没有负载均衡器,那么如何在VM之间定向流量呢?
eg (IPs are hypothetical) 例如(IP是假设的)
- The Vnet address range is 172.10.0.0/16 Vnet地址范围是172.10.0.0/16
- The Gateway subnet is 172.10.10.0/24 网关子网是172.10.10.0/24
- The Gateway's P2S address pool is 172.5.5.5/29 网关的P2S地址池是172.5.5.5/29
- VM1's IP is 172.10.10.4 VM1的IP为172.10.10.4
- VM2's IP is 172.10.10.5 VM2的IP为172.10.10.5
I can create a Load Balancer to use the Vnet (and the VMs in a Backend Pool), but then it's static IP has to fall in the VNet's subnet and thus outside the P2S address pool. 我可以创建一个负载平衡器来使用Vnet(以及后端池中的VM),但是它的静态IP必须落在VNet的子网中,因此必须位于P2S地址池之外。 So how do I achieve this? 那么我该如何实现呢?
I thought of creating a second VNet and corresponding Gateway and linking the Gateways, but I seemed to end up in the same boat 我曾想创建第二个VNet和相应的网关并链接网关,但是我似乎最终却陷入了困境
UPDATE : here is an image of my VNet diagram. 更新 :这是我的VNet图的图像。 I have only added one of the VMs (NSPHiAvail1) for now, but VM2 will be in the same LB backend pool 我现在仅添加了其中一个VM(NSPHiAvail1),但是VM2将位于同一LB后端池中
NSP_Address_Range is the range is a subnet of the VNet and is the range dictated by the client. NSP_Address_Range是范围,是VNet的子网,是客户端指定的范围。 The load balancer has a frontend IP in this range 负载平衡器的前端IP在此范围内
2 个解决方案
解决方案1
0 2019-01-31 02:58:39
Firstly, the Azure load balancer does round-robin load balancing for new incoming TCP connections, you could not use it for failover. 首先,Azure负载平衡器对新传入的TCP连接进行循环负载平衡,您不能将其用于故障转移。
My problem is that I cannot create a configuration where the Load Balancer's static IP is in the address range of the Gateway's VPN P2S address pool.
You do not need to add the Load balancer frontend IP in the P2S address pool, the address pool is used for clients connecting to your Azure VNet. 您无需在P2S地址池中添加负载均衡器前端IP,该地址池用于连接到Azure VNet的客户端。
Generally, you could configure P2S VPN gateway, create Gateway subnet and vmsubnet and create an internal standard SKU load balancer in the vmsubnet , then you could add the VMs in the vmsubnet into the backend pool as the backend target of the load balancer and configure the healthpro and load balancer rule for load balancing traffic. 通常,您可以配置P2S VPN网关,创建网关子网和vmsubnet并在 vmsubnet中创建内部标准SKU负载均衡器 ,然后可以将vmsubnet中的VM添加到后端池中作为负载均衡器的后端目标,并配置healthpro和负载均衡器规则,用于对流量进行负载均衡。 If so, you could access the backend VMs from clients via the load balancer frontend private IP. 如果是这样,您可以通过负载平衡器前端专用IP从客户端访问后端VM。
Moreover, you could know some limitations about internal load balancer. 此外,您可能知道有关内部负载均衡器的一些限制 。
解决方案2
0 已采纳 2019-01-31 16:34:48
My problem was the Load Balancer Rules - or lack thereof. 我的问题是负载均衡器规则-或缺少规则。 Once I had added a rule for port 1433 (SQL Server), I was able to query the DB from my local instance of SSMS 添加端口1433(SQL Server)的规则后,就可以从本地SSMS实例查询数据库
There is another solution that is a LOT simpler than the solution I was trying to implement, BUT it does not work allow for an internal load balancer 还有另一种解决方案比我尝试实现的解决方案要简单得多,但是它无法正常运行,因此需要一个内部负载均衡器
Azure Virtual Machine Scale Sets implement as many VMs as I specify and will automatically switch to another zone if one goes down. Azure虚拟机规模集实现了我指定的尽可能多的VM,并且如果一个VM出现故障,它将自动切换到另一个区域。 I have no need for the scalability aspect, so I disabled this and I'm only using the Load balancing aspect. 我不需要可伸缩性方面,因此我禁用了此功能,而仅使用负载平衡方面。
NB This setup only exposes a PUBLIC IP and you cannot assign an internal load balancer in conjunction with the default public load balancer 注意:此设置仅公开PUBLIC IP,并且您不能将内部负载均衡器与默认的公共负载均衡器一起分配
Here's some info: 这是一些信息:
Quickstart: Create a virtual machine scale set in the Azure portal 快速入门:在Azure门户中创建虚拟机规模集
Create a virtual machine scale set that uses Availability Zones 创建使用可用区的虚拟机规模集
Networking for Azure virtual machine scale sets Azure虚拟机规模集的联网
Virtual Machine Scale Sets 虚拟机规模集
The cost is exactly what you'd pay for individual VMs, but the loadbalancing is included. 费用恰好是您为单个VM支付的费用,但其中包括负载平衡。 So it's cheaper than the solution I described in my question. 因此,它比我在问题中描述的解决方案便宜。 Bonus! 奖金!
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.