Azure 负载均衡器介绍

您现在访问的是微软AZURE全球版技术文档网站，若需要访问由世纪互联运营的MICROSOFT AZURE中国区技术文档网站，请访问 https://docs.azure.cn.

Azure 负载均衡器概述Azure Load Balancer overview

本文内容

1. 负载均衡器的功能
2. 负载均衡器之间的差异
3. 限制
4. 后续步骤

Azure 负载均衡器可提高应用程序的可用性和网络性能。Azure Load Balancer delivers high availability and network performance to your applications. 它是第 4 层（TCP、UDP）类型的负载均衡器，可在负载均衡集中定义的运行状况良好的服务实例之间分配传入流量。It is a Layer 4 (TCP, UDP) load balancer that distributes incoming traffic among healthy instances of services defined in a load-balanced set.

重要

Azure 负载均衡器支持两种不同的类型：“基本”和“标准”。Azure Load Balancer supports two different types: Basic and Standard. 本文介绍基本负载均衡器。This article discusses Basic Load Balancer. 虽然基本负载均衡器已推出正式版，但标准负载均衡器目前仍以公共预览版提供。Although Basic Load Balancer is generally available, Standard Load Balancer is currently in public preview. 有关标准负载均衡器的详细信息，请参阅标准负载均衡器概述。For more information about Standard Load Balancer, see Standard Load Balancer overview.

可以将 Azure 负载均衡器配置为：Azure Load Balancer can be configured to:

• 对传入到虚拟机的 Internet 流量进行负载均衡。Load balance incoming Internet traffic to virtual machines. 此配置称为面向 Internet 的负载均衡。This configuration is known as Internet-facing load balancing.
• 对虚拟网络中虚拟机之间的流量、云服务中虚拟机之间的流量或本地计算机和跨界虚拟网络中虚拟机之间的流量进行负载均衡。Load balance traffic between virtual machines in a virtual network, between virtual machines in cloud services, or between on-premises computers and virtual machines in a cross-premises virtual network. 此配置称为内部负载均衡。This configuration is known as internal load balancing.
• 将外部流量转发到特定的虚拟机。Forward external traffic to a specific virtual machine.

云中的所有资源都需要通过公共 IP 地址从 Internet 进行访问。All resources in the cloud need a public IP address to be reachable from the Internet. Azure 中的云基础结构对其资源使用不可路由的 IP 地址。The cloud infrastructure in Azure uses non-routable IP addresses for its resources. 为了与 Internet 通信，Azure 对公共 IP 地址使用网络地址转换 (NAT)。Azure uses network address translation (NAT) with public IP addresses to communicate to the Internet.

负载均衡器的功能Load Balancer features

• 基于哈希的分发Hash-based distribution

  Azure 负载均衡器使用基于哈希的分发算法。Azure Load Balancer uses a hash-based distribution algorithm. 默认情况下，它使用 5 元组哈希（包括源 IP、源端口、目标 IP、目标端口和协议类型）将流量映射到可用服务器。By default, it uses a 5-tuple hash composed of source IP, source port, destination IP, destination port, and protocol type to map traffic to available servers. 它仅在传输会话内部提供粘性。It provides stickiness only within a transport session. 同一 TCP 或 UDP 会话中的数据包会定向到负载均衡的终结点后面的同一实例。Packets in the same TCP or UDP session will be directed to the same instance behind the load-balanced endpoint. 当客户端关闭连接后再重新将其打开，或者从同一源 IP 启动新的会话时，源端口会变化。When the client closes and reopens the connection or starts a new session from the same source IP, the source port changes. 这可能会导致流量转到其他数据中心的其他终结点。This may cause the traffic to go to a different endpoint in a different datacenter.

  有关详细信息，请参阅负载均衡器分发模式。For more details, see Load balancer distribution mode. 下图显示了基于哈希的分发：The following graphic shows the hash-based distribution:

  

  图 - 基于哈希的分发Figure - Hash based distribution

• 端口转发Port forwarding

  可以使用 Azure 负载均衡器对入站通信的管理方式进行控制。Azure Load Balancer gives you control over how inbound communication is managed. 该通信包括从 Internet 主机、其他云服务或虚拟网络中的虚拟机发出的流量。This communication includes traffic initiated from Internet hosts, virtual machines in other cloud services, or virtual networks. 终结点（也称输入终结点）代表的就是这种控制。This control is represented by an endpoint (also called an input endpoint).

  输入终结点侦听公共端口，并将流量转发到内部端口。An input endpoint listens on a public port and forwards traffic to an internal port. 可以对内部或外部终结点映射相同端口，也可以对其使用其他端口。You can map the same ports for an internal or external endpoint or use a different port for them. 例如，可以将 Web 服务器配置为侦听端口 81，而公共终结点映射则为端口 80。For example, you can have a web server configured to listen to port 81 while the public endpoint mapping is port 80. 创建公共终结点这一操作会触发负载均衡器实例的创建。The creation of a public endpoint triggers the creation of a load balancer instance.

  使用 Azure 门户进行创建时，该门户会针对远程桌面协议 (RDP) 和远程 Windows PowerShell 会话流量自动创建虚拟机的终结点。When created using the Azure portal, the portal automatically creates endpoints to the virtual machine for the Remote Desktop Protocol (RDP) and remote Windows PowerShell session traffic. 可以使用这些终结点通过 Internet 远程管理虚拟机。You can use these endpoints to remotely administer the virtual machine over the Internet.

• 自动重新配置Automatic reconfiguration

  增加或减少实例时，Azure 负载均衡器会立即自行重新配置。Azure Load Balancer instantly reconfigures itself when you scale instances up or down. 例如，增加云服务中 Web 角色/辅助角色的实例计数时，或者向同一负载均衡集中添加更多虚拟机时，会发生这样的重新配置。For example, this reconfiguration happens when you increase the instance count for web/worker roles in a cloud service or when you add additional virtual machines into the same load-balanced set.

• 服务监视Service monitoring

  Azure 负载均衡器可以探测各种服务器实例的运行状况。Azure Load Balancer can probe the health of the various server instances. 当探测无法响应时，负载均衡器会停止向状况不良的实例发送新连接。When a probe fails to respond, the load balancer stops sending new connections to the unhealthy instances. 现有连接不受影响。Existing connections are not impacted.

  支持三种类型的探测：Three types of probes are supported:

  • 来宾代理探测（仅用于平台即服务虚拟机）：负载均衡器利用虚拟机中的来宾代理。Guest agent probe (on Platform as a Service Virtual Machines only): The load balancer utilizes the guest agent inside the virtual machine. 该来宾代理仅在实例处于“就绪”状态（即实例不处于“忙”、“正在回收”或“正在停止”这样的状态）时侦听并使用“HTTP 200 正常”响应消息进行响应。The guest agent listens and responds with an HTTP 200 OK response only when the instance is in the ready state (i.e. the instance is not in a state like busy, recycling, or stopping). 如果代理没有使用“HTTP 200 正常”进行响应，则负载均衡器会将实例标记为无响应，并停止向该实例发送流量。If the agent fails to respond with an HTTP 200 OK, the load balancer marks the instance as unresponsive and stops sending traffic to that instance. 负载均衡器将继续 ping 实例。The load balancer continues to ping the instance. 如果来宾代理使用 HTTP 200 进行了响应，则负载均衡器将再次向该实例发送流量。If the guest agent responds with an HTTP 200, the load balancer will send traffic to that instance again. 使用 Web 角色时，网站代码通常在不受 Azure 结构或来宾代理监视的 w3wp.exe 中运行。When you're using a web role, your website code typically runs in w3wp.exe, which is not monitored by the Azure fabric or guest agent. 这意味着，系统不会向来宾代理报告 w3wp.exe 中的失败（例如，HTTP 500 响应），并且负载均衡器不会知道将该实例退出轮转。This means that failures in w3wp.exe (e.g. HTTP 500 responses) will not be reported to the guest agent, and the load balancer will not know to take that instance out of rotation.
  • HTTP 自定义探测：此探测将替代默认（来宾代理）探测。HTTP custom probe: This probe overrides the default (guest agent) probe. 可以使用此探测来创建自己的自定义逻辑，以便确定角色实例的运行状况。You can use it to create your own custom logic to determine the health of the role instance. 负载均衡器将定期探测终结点（默认情况下，每隔 15 秒探测 1 次）。The load balancer will regularly probe your endpoint (every 15 seconds, by default). 如果实例在超时期限内（默认为 31 秒）使用 TCP ACK 或 HTTP 200 进行了响应，则认为该实例处于轮换状态。The instance is considered to be in rotation if it responds with a TCP ACK or HTTP 200 within the timeout period (default of 31 seconds). 若要实现自己的逻辑以便从负载均衡器轮换中删除实例，这非常有用。This is useful for implementing your own logic to remove instances from the load balancer's rotation. 例如，可以将实例配置为在实例的 CPU 使用率超出 90% 时返回非 200 状态。For example, you can configure the instance to return a non-200 status if the instance is above 90% CPU. 如果 Web 角色使用 w3wp.exe，则也可以自动监视网站，因为网站代码出错会导致探测时返回非 200 状态。For web roles that use w3wp.exe, you also get automatic monitoring of your website, since failures in your website code return a non-200 status to the probe.

  • TCP 自定义探测：此探测依赖于在定义的探测端口上成功建立 TCP 会话。TCP custom probe: This probe relies on successful TCP session establishment to a defined probe port.

    有关详细信息，请参阅 LoadBalancerProbe 架构。For more information, see the LoadBalancerProbe schema.

• 源 NATSource NAT

  所有源自服务且流向 Internet 的出站流量都使用与传入流量相同的 VIP 地址进行源 NAT (SNAT) 操作。All outbound traffic to the Internet that originates from your service undergoes source NAT (SNAT) by using the same VIP address as the incoming traffic. SNAT 的重要优势在于：SNAT provides important benefits:

  • 可以轻松地对服务进行升级和灾难恢复操作，因为 VIP 可以动态映射到服务的其他实例。It enables easy upgrade and disaster recovery of services, since the VIP can be dynamically mapped to another instance of the service.

  • 简化了访问控制列表 (ACL) 管理。It makes access control list (ACL) management easier. 以 VIP 表示的 ACL 不会随着服务的增加、减少或重新部署而更改。ACLs expressed in terms of VIPs do not change as services scale up, down, or get redeployed.

    负载均衡器配置支持适用于 UDP 的完整圆锥型 NAT。The load balancer configuration supports full cone NAT for UDP. 完整圆锥型 NAT 是一种类型的 NAT，其中的端口允许入站连接来自任何外部主机（响应出站请求）。Full cone NAT is a type of NAT where the port allows inbound connections from any external host (in response to an outbound request).

    对于虚拟机启动的每个新的出站连接，还会由负载均衡器分配出站端口。For each new outbound connection that a virtual machine initiates, an outbound port is also allocated by the load balancer. 外部主机会看到分配了虚拟 IP (VIP) 的端口的流量。The external host sees traffic with a virtual IP (VIP)-allocated port. 对于需要大量出站连接的方案，建议使用实例层级公共 IP 地址，这样 VM 就有一个专用于 SNAT 的出站 IP 地址。For scenarios that require a large number of outbound connections, it is recommended to use instance-level public IP addresses so that the VMs have a dedicated outbound IP address for SNAT. 这可降低端口耗尽的风险。This reduces the risk of port exhaustion.

    有关此主题的更多详细信息，请参阅出站连接一文。Please see outbound connections article for more details on this topic.

支持为虚拟机提供多个负载均衡的 IP 地址Support for multiple load-balanced IP addresses for virtual machines

可将多个负载均衡的公共 IP 地址分配给一组虚拟机。You can assign more than one load-balanced public IP address to a set of virtual machines. 可以通过此功能在同一组虚拟机上托管多个 SSL 网站和/或多个 SQL Server AlwaysOn 可用性组侦听器。With this ability, you can host multiple SSL websites and/or multiple SQL Server AlwaysOn Availability Group listeners on the same set of virtual machines. 有关详细信息，请参阅每个云服务多个 VIP。For more information, see Multiple VIPs per cloud service.

负载均衡器之间的差异Load Balancer differences

使用 Microsoft Azure 分配网络流量有不同的选项。There are different options to distribute network traffic using Microsoft Azure. 这些选项的工作方式彼此不同，具有不同的功能集，并支持不同的方案。These options work differently from each other, having a different feature set and support different scenarios. 这些选项每个都能单独使用，也可以组合使用。They can each be used in isolation, or combining them.

• Azure 负载均衡器 在传输层（OSI 网络参考堆栈中的第 4 层）工作。Azure Load Balancer works at the transport layer (Layer 4 in the OSI network reference stack). 它可对同一 Azure 数据中心中运行的应用程序实例间的流量进行网络级分配。It provides network-level distribution of traffic across instances of an application running in the same Azure data center.
• 应用程序网关在应用程序层（OSI 网络参考堆栈中的第 7 层）工作。Application Gateway works at the application layer (Layer 7 in the OSI network reference stack). 它充当反向代理服务，终止客户端连接，并将请求转发到后端终结点。It acts as a reverse-proxy service, terminating the client connection and forwarding requests to back-end endpoints.
• 流量管理器在 DNS 级别工作。Traffic Manager works at the DNS level. 它使用 DNS 响应将最终用户流量定向到全球分布的终结点。It uses DNS responses to direct end-user traffic to globally distributed endpoints. 客户端然后直接连接到这些终结点。Clients then connect to those endpoints directly.

下表总结了每个服务提供的功能：The following table summarizes the features offered by each service:

服务Service	Azure 负载均衡器Azure Load Balancer	应用程序网关Application Gateway	流量管理器Traffic Manager
技术Technology	传输层（第 4 层）Transport level (Layer 4)	应用程序层（第 7 层）Application level (Layer 7)	DNS 级别DNS level
支持的应用程序协议Application protocols supported	任意Any	HTTP、HTTPS 和 WebSocketHTTP, HTTPS, and WebSockets	任何（HTTP 终结点是终结点监视所必需的）Any (An HTTP endpoint is required for endpoint monitoring)
终结点Endpoints	Azure VM 和云服务角色实例Azure VMs and Cloud Services role instances	任何 Azure 内部 IP 地址、公共 Internet IP 地址、Azure VM 或 Azure 云服务Any Azure internal IP address, public internet IP address, Azure VM, or Azure Cloud Service	Azure VM、云服务、Azure Web 应用和外部终结点Azure VMs, Cloud Services, Azure Web Apps, and external endpoints
虚拟网络支持Vnet support	可用于面向 Internet 的应用程序和内部 (Vnet) 应用程序Can be used for both Internet facing and internal (Vnet) applications	可用于面向 Internet 的应用程序和内部 (Vnet) 应用程序Can be used for both Internet facing and internal (Vnet) applications	仅支持面向 Internet 的应用程序Only supports Internet-facing applications
终结点监视Endpoint Monitoring	通过探测支持Supported via probes	通过探测支持Supported via probes	通过 HTTP/HTTPS GET 支持Supported via HTTP/HTTPS GET

Azure 负载均衡器和应用程序网关都将网络流量路由到终结点，但它们具有处理流量的不同使用方案。Azure Load Balancer and Application Gateway route network traffic to endpoints but they have different usage scenarios to which traffic to handle. 下表有助于了解这两种负载均衡器之间的区别：The following table helps understanding the difference between the two load balancers:

类型Type	Azure 负载均衡器Azure Load Balancer	应用程序网关Application Gateway
协议Protocols	UDP/TCPUDP/TCP	HTTP、HTTPS 和 WebSocketHTTP, HTTPS, and WebSockets
IP 保留IP reservation	支持Supported	不支持Not supported
负载均衡模式Load balancing mode	5 元组（源 IP、源端口、目标 IP、目标端口、协议类型）5-tuple(source IP, source port, destination IP, destination port, protocol type)	轮循机制Round Robin 基于 URL 的路由Routing based on URL
负载均衡模式（源 IP/粘性会话）Load balancing mode (source IP /sticky sessions)	2 元组（源 IP 和目标 IP）、3 元组（源 IP、目标 IP 和端口）。2-tuple (source IP and destination IP), 3-tuple (source IP, destination IP, and port). 可以根据虚拟机数增加或减少Can scale up or down based on the number of virtual machines	基于 Cookie 的相关性Cookie-based affinity 基于 URL 的路由Routing based on URL
运行状况探测Health probes	默认值：探测间隔 - 15 秒。Default: probe interval - 15 secs. 退出循环：2 次连续失败。Taken out of rotation: 2 Continuous failures. 支持用户定义的探测Supports user-defined probes	空闲探测间隔 30 秒。Idle probe interval 30 secs. 在 5 次连续实时通信失败或空闲模式下单次探测失败后取出。Taken out after 5 consecutive live traffic failures or a single probe failure in idle mode. 支持用户定义的探测Supports user-defined probes
SSL 卸载SSL offloading	不支持Not supported	支持Supported
基于 URL 的路由Url-based routing	不支持Not supported	支持Supported
SSL 策略SSL Policy	不支持Not supported	支持Supported

限制Limitations

负载均衡器后端池可以包含任意 VM SKU，基本层除外。Load Balancer backend pools can contain any VM SKU except Basic tier.

后续步骤Next steps

• 详细了解面向 Internet 的负载均衡器Learn more about Internet-facing load balancer

• 详细了解内部负载均衡器概述Learn more about Internal load balancer overview

• 创建面向 Internet 的负载均衡器Create an Internet-facing load balancer

• 了解 Azure 的部分其他关键网络功能Learn about some of the other key networking capabilities of Azure