Azure里面有三个负载均衡的resource,分别是Load Balancer, Traffic Manager还有Application Gateway,
这次先介绍Azure Load Balancer(LB):
LB分为两种,一种对公网的(internel load balancer),另一种是对Azure内网的(internal load balancer)。
公网的LB需要关联公网IP, 内网的只需要一个内网IP即可。在Azure中不管是公网还是内网LB,要是配置多台虚拟机,这些虚拟机需要加入同一个Availability set 。
对于Availability Set, 在ASM模式下虚拟机是可以修改或者添加的,但是在ARM模式下,是没法修改和添加的,所以在创建虚拟机的时候就需要配置好。
Azure LB 工作示意图下:
这是一个将80端口的流量分配给后面几个虚机,在Azure里面除了轮询还有其他方式的负载均衡,这个下次再说, 下面介绍下LB的几个需要的配置项:
1.Backend pools 这个配置是添加后端虚拟机的,在这个pool里面的虚拟机会被LB探测和发送数据包。
2.Health Probes 这个是LB的健康监测,查询后端的虚拟机状的(这个是针对服务端口的探测,不会检查性能)
3.Load Balancer rules 这个是负载均衡的规则,按照配置将network traffic发送到后端的虚拟机上。
4.Inbound NAT rules这个是LB的NAT规则,比如说创建的虚拟机都不带公网IP,关联一个公网LB给这些虚拟机,我们可以通过不同的端口来SSH或者RDP后面的虚拟机。
5.Front IP configuration 这个是配置前端IP地址的,主要是为了防止端口(TCP 65535)被占用满了,不能提供更多的服务,在前端地址池里面添加IP,就可以提高上限。
Backend pools的配置截图如下:
Health probes的配置截图如下:
Load balancer rules的配置截图如下:
实验如下:
配置了两台Azure VM(centos 7.3)和一个LB(internal):
client1:10.0.0.4
client2:10.0.0.5 (httpd)
internal LB: 10.0.0.6
由于Azure虚拟机会被Azure平台探测存活状态,探测的端口是80,所以我将httpd的服务端口配置成443,这样抓包更容易看到结果。
我用client1(10.0.0.4)去访问LB(10.0.0.6), 在client1 和client2上分别抓包,抓包结果如下:
从client1上抓包:
[root@client1 ~]# tcpdump -i eth0 dst 10.0.0.6 and port 443
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
07:21:55.799369 IP client1.35046 > 10.0.0.6.https: Flags [S], seq 1441485309, win 29200, options [mss 1460,sackOK,TS val 5049399 ecr 0,nop,wscale 7], length 0
07:21:55.800724 IP client1.35046 > 10.0.0.6.https: Flags [.], ack 579316472, win 229, options [nop,nop,TS val 5049401 ecr 4638028], length 0
07:21:55.800769 IP client1.35046 > 10.0.0.6.https: Flags [P.], seq 0:76, ack 1, win 229, options [nop,nop,TS val 5049401 ecr 4638028], length 76
07:21:55.802488 IP client1.35046 > 10.0.0.6.https: Flags [.], ack 331, win 237, options [nop,nop,TS val 5049402 ecr 4638030], length 0
07:21:55.802556 IP client1.35046 > 10.0.0.6.https: Flags [F.], seq 76, ack 331, win 237, options [nop,nop,TS val 5049402 ecr 4638030], length 0
07:21:55.803639 IP client1.35046 > 10.0.0.6.https: Flags [.], ack 332, win 237, options [nop,nop,TS val 5049404 ecr 4638031], length 0
07:22:26.062352 IP client1.35086 > 10.0.0.6.https: Flags [S], seq 684931516, win 29200, options [mss 1460,sackOK,TS val 5079662 ecr 0,nop,wscale 7], length 0
07:22:26.063752 IP client1.35086 > 10.0.0.6.https: Flags [.], ack 796501626, win 229, options [nop,nop,TS val 5079664 ecr 4668291], length 0
07:22:26.063836 IP client1.35086 > 10.0.0.6.https: Flags [P.], seq 0:76, ack 1, win 229, options [nop,nop,TS val 5079664 ecr 4668291], length 76
07:22:26.066056 IP client1.35086 > 10.0.0.6.https: Flags [.], ack 331, win 237, options [nop,nop,TS val 5079666 ecr 4668293], length 0
07:22:26.066171 IP client1.35086 > 10.0.0.6.https: Flags [F.], seq 76, ack 331, win 237, options [nop,nop,TS val 5079666 ecr 4668293], length 0
07:22:26.069555 IP client1.35086 > 10.0.0.6.https: Flags [.], ack 332, win 237, options [nop,nop,TS val 5079669 ecr 4668295], length 0
[root@client2 html]# tcpdump -i eth0 dst 10.0.0.4 and port 443
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
07:22:26.065738 IP client2.https > 10.0.0.4.35086: Flags [S.], seq 796501625, ack 684931517, win 28960, options [mss 1460,sackOK,TS val 4668291 ecr 5079662,nop,wscale 7], length 0
07:22:26.067679 IP client2.https > 10.0.0.4.35086: Flags [.], ack 77, win 227, options [nop,nop,TS val 4668293 ecr 5079664], length 0
07:22:26.067853 IP client2.https > 10.0.0.4.35086: Flags [P.], seq 1:331, ack 77, win 227, options [nop,nop,TS val 4668293 ecr 5079664], length 330
07:22:26.070761 IP client2.https > 10.0.0.4.35086: Flags [F.], seq 331, ack 78, win 227, options [nop,nop,TS val 4668295 ecr 5079666], length 0
07:34:04.756133 IP client2.https > 10.0.0.4.35934: Flags [S.], seq 2629948836, ack 605258536, win 28960, options [mss 1460,sackOK,TS val 5366982 ecr 5778353,nop,wscale 7], length 0
07:34:04.760315 IP client2.https > 10.0.0.4.35934: Flags [.], ack 77, win 227, options [nop,nop,TS val 5366986 ecr 5778356], length 0
07:34:04.760519 IP client2.https > 10.0.0.4.35934: Flags [P.], seq 1:331, ack 77, win 227, options [nop,nop,TS val 5366986 ecr 5778356], length 330
07:34:04.761525 IP client2.https > 10.0.0.4.35934: Flags [F.], seq 331, ack 78, win 227, options [nop,nop,TS val 5366987 ecr 5778359], length 0
从抓包结果我们可以看出:
Azure LB 不会将后端的地址暴露出来,后端的虚拟机会收到请求的IP。