带有内部负载平衡器的 azurerm terraform 秤

Question

我一直在寻找一种正确的方法来使用内部负载均衡器来改造我的内部虚拟机规模集，该负载均衡器不会通过公共(public) IP 暴露在互联网上。但是，节点应该能够访问互联网来下载 github 中的一些包。

我遇到了这个问题，其中部署了负载均衡器以及规模集，但是我没有来自规模集节点的互联网带外连接...

我读了这篇文章，但它没有告诉我how to proceed

根据我的理解，我应该可以从我的节点访问互联网来下载软件包，因为我使用标准负载均衡器，但它不起作用。

我错过了什么？我宁愿避免使用 NAT Gateway ..

下面是我的完整 terraform 脚本，用于创建 RG、Vnet SUbnet、LB 规则，最后是 VMSS 和 jumbpox。

        provider "azurerm" {       
                
        features {}        
        subscription_id = var.azure-subscription-id       
            client_id       = var.azure-client-app-id       
            client_secret   = var.azure-client-secret-password       
            tenant_id       = var.azure-tenant-id   
            }

        resource "azurerm_resource_group" "existing_terraform_rg" {
        name                     = "rg-ict-spoke1-001"
        location                 = "westeurope"
        #depends_on = [var.rg_depends_on]
        }
        # Create storage account for boot diagnostics
        resource "azurerm_storage_account" "mystorageaccount" {
            name                        = "diag${random_id.randomId.hex}"
            resource_group_name         = azurerm_resource_group.existing_terraform_rg.name
            location                    = "westeurope"
            account_tier                = "Standard"
            account_replication_type    = "LRS"
        }
        resource "azurerm_virtual_network" "existing_terraform_vnet" {
            name                = "vnet-spoke1-001"
            location            = "westeurope"
            resource_group_name = azurerm_resource_group.existing_terraform_rg.name
            address_space       = ["10.0.0.0/16"]
            #depends_on = [azurerm_resource_group.existing_terraform_rg]
        }
        // Subnets
        # Create subnet
        resource "azurerm_subnet" "spk1-jbx-subnet" {
            name                 = "spk1-jbx-subnet"
            resource_group_name  = azurerm_resource_group.existing_terraform_rg.name
            virtual_network_name = azurerm_virtual_network.existing_terraform_vnet.name
            address_prefixes       = ["10.0.0.0/24"]
        }

        resource "azurerm_subnet" "new_terraform_subnet_web" {
        name                 = "snet-webtier-${var.environment}-vdc-001"
        resource_group_name  =  azurerm_resource_group.existing_terraform_rg.name
        virtual_network_name =  azurerm_virtual_network.existing_terraform_vnet.name
        address_prefix       = var.webtier_address_prefix
        depends_on = [azurerm_virtual_network.existing_terraform_vnet]
        }

        # Create Network Security Group and rule
        resource "azurerm_network_security_group" "generic-nsg" {
            name                = "generic-nsg"
            location            = "westeurope"
            resource_group_name = azurerm_resource_group.existing_terraform_rg.name
            
            security_rule {
                name                       = "GENERIC-RULE"
                priority                   = 1001
                direction                  = "Inbound"
                access                     = "Allow"
                protocol                   = "Tcp"
                source_port_range          = "*"
                #destination_port_range     = "3389"
                #destination_port_ranges     = "["22","3389","80","8080"]" 
                destination_port_ranges     = ["22","3389","80","8080","443"]
                source_address_prefix      = "*"
                destination_address_prefix = "*"
            }
        }

        # Connect the security group to the network interface
        resource "azurerm_subnet_network_security_group_association" "new_terraform_subnet_web-asso-nsg" {
        subnet_id                 = azurerm_subnet.new_terraform_subnet_web.id
        network_security_group_id = azurerm_network_security_group.generic-nsg.id
        }


        resource "azurerm_subnet_network_security_group_association" "spk1-jbx-subnet-asso-nsg" {
        subnet_id                 = azurerm_subnet.spk1-jbx-subnet.id
        network_security_group_id = azurerm_network_security_group.generic-nsg.id
        }

        # Generate random text for a unique storage account name
        resource "random_id" "randomId" {
            keepers = {
                # Generate a new ID only when a new resource group is defined
                resource_group = azurerm_resource_group.existing_terraform_rg.name
            }
            byte_length = 8
        }









        resource "azurerm_lb" "new_terraform_lb_web" {
        name                = "lb-${var.web_lb_name}-${var.environment}-vdc-001"
        location            =  azurerm_resource_group.existing_terraform_rg.location
        resource_group_name =  azurerm_resource_group.existing_terraform_rg.name
        sku = var.lb_Sku
        frontend_ip_configuration {
            name                 = "PrivateIPAddress-${var.web_lb_name}"
            subnet_id            = azurerm_subnet.new_terraform_subnet_web.id
            private_ip_address   = var.web_lb_private_IP
            private_ip_address_allocation = "Static"
        }
        }
        resource "azurerm_lb_backend_address_pool" "new_terraform_bpepool_web" {
        resource_group_name =  azurerm_resource_group.existing_terraform_rg.name
        loadbalancer_id     = azurerm_lb.new_terraform_lb_web.id
        name                = "${var.web_lb_name}-BackEndAddressPool"
        }
        resource "azurerm_lb_probe" "new_terraform_lb_probe_web" {
        resource_group_name =  azurerm_resource_group.existing_terraform_rg.name
        loadbalancer_id     = azurerm_lb.new_terraform_lb_web.id
        name                = "${var.web_lb_name}-probe-${var.web_lb_probe_protocol}"
        protocol            = var.web_lb_probe_protocol
        request_path        = var.web_lb_probe_request_path
        port                = var.web_lb_probe_port
        }

        resource "azurerm_lb_rule" "new_terraform_bpepool_web_rule_http" {
        resource_group_name            = azurerm_resource_group.existing_terraform_rg.name
        loadbalancer_id                = azurerm_lb.new_terraform_lb_web.id
        backend_address_pool_id        = azurerm_lb_backend_address_pool.new_terraform_bpepool_web.id
        probe_id                       = azurerm_lb_probe.new_terraform_lb_probe_web.id
        disable_outbound_snat          = true 
        name                           = "new_terraform_bpepool_web_rule_http"
        protocol                       = "Tcp"
        frontend_port                  = 80
        backend_port                   = 80
        frontend_ip_configuration_name = "PrivateIPAddress-${var.web_lb_name}"
        }

        resource "azurerm_lb_rule" "new_terraform_bpepool_web_rule_https" {
        resource_group_name            = azurerm_resource_group.existing_terraform_rg.name
        loadbalancer_id                = azurerm_lb.new_terraform_lb_web.id
        backend_address_pool_id        = azurerm_lb_backend_address_pool.new_terraform_bpepool_web.id
        probe_id                       = azurerm_lb_probe.new_terraform_lb_probe_web.id
        disable_outbound_snat          = true 
        name                           = "new_terraform_bpepool_web_rule_https"
        protocol                       = "Tcp"
        frontend_port                  = 443
        backend_port                   = 443
        frontend_ip_configuration_name = "PrivateIPAddress-${var.web_lb_name}"
        }

        resource "azurerm_windows_virtual_machine_scale_set" "new_terraform_vmss_web" {
        depends_on = [azurerm_lb_rule.new_terraform_bpepool_web_rule_http,azurerm_lb_rule.new_terraform_bpepool_web_rule_https]
        name                = "vmss-001"
        resource_group_name =  azurerm_resource_group.existing_terraform_rg.name
        location            =  azurerm_resource_group.existing_terraform_rg.location
        sku                 = var.webtier_vmss_sku
        instances           = var.webtier_vmss_instance_count
        admin_password      = var.webtier_vmss_admin_password
        admin_username      = var.webtier_vmss_admin_uname
        zone_balance = true
        zones = [1,2,3]
        upgrade_mode = "Manual"
            #automatic_os_upgrade_policy {
            #    disable_automatic_rollback  = false
            #    enable_automatic_os_upgrade = true
            #}
            #rolling_upgrade_policy {
            #  max_batch_instance_percent              = 20
            #  max_unhealthy_instance_percent          = 20
            #  max_unhealthy_upgraded_instance_percent = 5
            #  pause_time_between_batches              = "PT0S"
            #}    
        #health_probe_id = azurerm_lb_probe.new_terraform_lb_probe_web.id

        source_image_reference {
            publisher = "MicrosoftWindowsServer"
            offer     = "WindowsServer"
            sku       = var.webtier_vmss_image_sku
            version   = "latest"
        }

        os_disk {
            storage_account_type = "Standard_LRS"
            caching              = "ReadWrite"
        }

        network_interface {
            name    = "vmss-001-nic-1"
            primary = true
            ip_configuration {
            name      = "vmss-001-nic-1-Configuration"
            primary   = true
            subnet_id = azurerm_subnet.new_terraform_subnet_web.id
            load_balancer_backend_address_pool_ids = [azurerm_lb_backend_address_pool.new_terraform_bpepool_web.id]
            #load_balancer_inbound_nat_rules_ids    = [azurerm_lb_nat_pool.lbnatpool-1.id]
            }
        }
        }

        resource "azurerm_virtual_machine_scale_set_extension" "new_terraform_vmss_web_ext_1" {
        name                         = "new_terraform_vmss_web_ext_1"
        virtual_machine_scale_set_id = azurerm_windows_virtual_machine_scale_set.new_terraform_vmss_web.id
            publisher = "Microsoft.Compute"
            type = "CustomScriptExtension"
            type_handler_version = "1.9"
            settings = <<SETTINGS
                {
                    "fileUris": ["https://raw.githubusercontent.com/Azure-Samples/compute-automation-configurations/master/automate-iis-v2.ps1"]
                }
                    SETTINGS
            protected_settings = <<PROTECTED_SETTINGS
                { 
                    "commandToExecute": "powershell -ExecutionPolicy Unrestricted -File automate-iis-v2.ps1"
                }
                    PROTECTED_SETTINGS
        }




    # Create public IPs
    resource "azurerm_public_ip" "spk1-jbx-puip" {
        name                         = "spk1-jbx-puip"
        location                     = "westeurope"
        resource_group_name          = azurerm_resource_group.existing_terraform_rg.name
        allocation_method            = "Dynamic"
    }



    # Create network interface
    resource "azurerm_network_interface" "spk1-jbx-nic" {
        name                      = "spk1-jbx-nic"
        location                  = "westeurope"
        resource_group_name       = azurerm_resource_group.existing_terraform_rg.name
        ip_configuration {
            name                          = "spk1-jbx-nic-conf"
            subnet_id                     = azurerm_subnet.spk1-jbx-subnet.id
            private_ip_address_allocation = "Dynamic"
            public_ip_address_id          = azurerm_public_ip.spk1-jbx-puip.id
        }
    }

    resource "azurerm_virtual_machine" "spk1-jbx-vm" {
    name                  = "spk1-jbx-vm"
    location              = "westeurope" 
    resource_group_name   = azurerm_resource_group.existing_terraform_rg.name
    network_interface_ids = ["${azurerm_network_interface.spk1-jbx-nic.id}"]
    vm_size               = "Standard_D2s_v3"
    storage_image_reference {
        publisher = "MicrosoftWindowsServer"
        offer     = "WindowsServer"
        sku       =  "2016-Datacenter"
        version   = "latest"
    }

    storage_os_disk {
        name              = "spk1-jbx-vm-mtwin-disk-os"
        caching           = "ReadWrite"
        create_option     = "FromImage"
        managed_disk_type = "Standard_LRS"
    }
    os_profile {
        computer_name  = "spk1-jbx-vm"
        admin_username = "demouser"
        admin_password = "M0nP@ssw0rd!" 
    }
    os_profile_windows_config {
        provision_vm_agent = true
    }

    }

Answer 1

您需要一个公共(public)负载均衡器来对出站流量进行端口伪装 SNAT (PAT)。您可以按照您引用的 Azure 文档中的说明配置内部负载均衡器和公共(public)负载均衡器。

Outbound NAT for internal Standard Load Balancer scenarios When usingan internal Standard Load Balancer, outbound NAT is not availableuntil outbound connectivity has been explicitly declared. You candefine outbound connectivity using an outbound rule to create outboundconnectivity for VMs behind an internal Standard Load Balancer withthese steps: 1. Create a public Standard Load Balancer. 2. Create abackend pool and place the VMs into a backend pool of the public LoadBalancer in addition to the internal Load Balancer. 3. Configure anoutbound rule on the public Load Balancer to program outbound NAT forthese VMs.