azurerm terraform scaleset,带内部负载平衡器
我一直在寻找一种合适的方法,用 Terraform 部署带内部负载均衡器的内部 VM 规模集,这个内部负载均衡器不通过公共 IP 暴露到 internet。但是,节点应该可以访问 internet,以便下载位于 GitHub 上的一些包。我遇到的问题是:负载均衡器和规模集都部署成功了,但是规模集的节点没有到 internet 的出站连接。我读过这篇文章,但它没有说明原因。根据我的理解,因为我使用的是标准负载均衡器,节点应该能从 internet 下载包,但实际上不行。我错过了什么?我宁愿避免使用 下面是我完整的 Terraform 脚本,它创建 RG、VNet 子网、LB 规则,最后是 VMSS 和一个虚拟机azurerm terraform scaleset,带内部负载平衡器,azure,terraform,azure-virtual-machine,terraform-provider-azure,azure-rm,Azure,Terraform,Azure Virtual Machine,Terraform Provider Azure,Azure Rm,我一直在寻找一种合适的方法,用 Terraform 部署带内部负载均衡器的内部 VM 规模集,这个内部负载均衡器不通过公共 IP 暴露到 internet。但是,节点应该可以访问 internet,以便下载位于 GitHub 上的一些包。我遇到的问题是:负载均衡器和规模集都部署成功了,但是规模集的节点没有到 internet 的出站连接。我读过这篇文章,但它没有说明原因。根据我的理解,因为我使用的是标准负载均衡器,节点应该能从 internet 下载包,但实际上不行。我错过了什么?我宁愿避免使用 下面是我完整的ter
provider "azurerm" {
  # Service-principal credentials come from variables so that no secret is
  # written into this file; supply them through TF_VAR_* environment variables
  # or a *.tfvars file that stays out of version control.
  tenant_id       = var.azure-tenant-id
  subscription_id = var.azure-subscription-id
  client_id       = var.azure-client-app-id
  client_secret   = var.azure-client-secret-password

  features {}
}
# Spoke resource group; every resource below is created inside it.
resource "azurerm_resource_group" "existing_terraform_rg" {
  location = "westeurope"
  name     = "rg-ict-spoke1-001"
}
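# Storage account for boot diagnostics. Storage account names are global, so a
# random suffix from random_id.randomId keeps it unique.
resource "azurerm_storage_account" "mystorageaccount" {
  name                = "diag${random_id.randomId.hex}"
  resource_group_name = azurerm_resource_group.existing_terraform_rg.name
  # Same region as the resource group ("westeurope"); referenced instead of
  # repeated so the value cannot drift from the other resources.
  location                 = azurerm_resource_group.existing_terraform_rg.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  # Refuse TLS 1.0/1.1 clients on the storage endpoints.
  min_tls_version = "TLS1_2"
}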
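# Spoke virtual network holding the jump-box subnet and the web-tier subnet.
resource "azurerm_virtual_network" "existing_terraform_vnet" {
  name                = "vnet-spoke1-001"
  resource_group_name = azurerm_resource_group.existing_terraform_rg.name
  # Region taken from the resource group ("westeurope") for consistency with
  # the load balancer and scale set, which already reference it.
  location      = azurerm_resource_group.existing_terraform_rg.location
  address_space = ["10.0.0.0/16"]
}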
# Subnet for the jump box ("jbx"); the first /24 of the VNet.
resource "azurerm_subnet" "spk1-jbx-subnet" {
  name                 = "spk1-jbx-subnet"
  address_prefixes     = ["10.0.0.0/24"]
  virtual_network_name = azurerm_virtual_network.existing_terraform_vnet.name
  resource_group_name  = azurerm_resource_group.existing_terraform_rg.name
}
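# Web-tier subnet; hosts the internal LB frontend and the scale set NICs.
resource "azurerm_subnet" "new_terraform_subnet_web" {
  name                 = "snet-webtier-${var.environment}-vdc-001"
  resource_group_name  = azurerm_resource_group.existing_terraform_rg.name
  virtual_network_name = azurerm_virtual_network.existing_terraform_vnet.name
  # address_prefixes (list) replaces the deprecated singular address_prefix
  # and matches the jump-box subnet above. The reference to the VNet name
  # already orders creation after the VNet, so no explicit depends_on is
  # needed.
  address_prefixes = [var.webtier_address_prefix]
}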
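# Network Security Group shared by the web-tier subnet and the jump-box subnet
# (see the two subnet associations below).
resource "azurerm_network_security_group" "generic-nsg" {
  name                = "generic-nsg"
  location            = azurerm_resource_group.existing_terraform_rg.location
  resource_group_name = azurerm_resource_group.existing_terraform_rg.name

  # Web traffic. The scale-set NICs below carry no public IP, so these ports
  # are only reachable from private sources such as the internal LB and the
  # jump box.
  security_rule {
    name                       = "GENERIC-RULE"
    priority                   = 1001
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_ranges    = ["80", "8080", "443"]
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }

  # Remote management (SSH/RDP), kept in a separate rule so its source can be
  # tightened without touching the web rule. Because this NSG is also attached
  # to the jump-box subnet and the jump box has a public IP, "*" here exposes
  # RDP/SSH to any internet source; narrow source_address_prefix to the
  # administrators' address range (placeholder: <ADMIN_CIDR>) before use.
  security_rule {
    name                       = "MGMT-RULE"
    priority                   = 1002
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_ranges    = ["22", "3389"]
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }
}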
# Attach the shared NSG to the web-tier subnet.
resource "azurerm_subnet_network_security_group_association" "new_terraform_subnet_web-asso-nsg" {
  network_security_group_id = azurerm_network_security_group.generic-nsg.id
  subnet_id                 = azurerm_subnet.new_terraform_subnet_web.id
}
# Attach the same NSG to the jump-box subnet, so both subnets share one rule
# set.
resource "azurerm_subnet_network_security_group_association" "spk1-jbx-subnet-asso-nsg" {
  network_security_group_id = azurerm_network_security_group.generic-nsg.id
  subnet_id                 = azurerm_subnet.spk1-jbx-subnet.id
}
# Random suffix that makes the diagnostics storage account name unique.
resource "random_id" "randomId" {
  byte_length = 8

  # A fresh ID is generated only when the resource group name changes.
  keepers = {
    resource_group = azurerm_resource_group.existing_terraform_rg.name
  }
}
# Internal load balancer for the web tier: the only frontend is a static
# private address in the web subnet (no public_ip_address_id), so nothing is
# exposed to the internet.
#
# NOTE(review): with sku = "Standard", instances that sit behind an
# internal-only LB and have no public IP get no default outbound internet
# access from Azure. Their outbound path (needed by the script download in the
# scale-set extension) has to be added explicitly: a NAT Gateway on the web
# subnet (azurerm_nat_gateway + azurerm_subnet_nat_gateway_association), an
# outbound rule on a public Standard LB, or instance-level public IPs. The NAT
# Gateway keeps the tier unreachable from the internet — confirm against the
# value actually passed in var.lb_Sku.
resource "azurerm_lb" "new_terraform_lb_web" {
  name                = "lb-${var.web_lb_name}-${var.environment}-vdc-001"
  sku                 = var.lb_Sku
  resource_group_name = azurerm_resource_group.existing_terraform_rg.name
  location            = azurerm_resource_group.existing_terraform_rg.location

  # The LB rules below reference this configuration by its name.
  frontend_ip_configuration {
    name                          = "PrivateIPAddress-${var.web_lb_name}"
    private_ip_address_allocation = "Static"
    private_ip_address            = var.web_lb_private_IP
    subnet_id                     = azurerm_subnet.new_terraform_subnet_web.id
  }
}
# Backend pool that the scale-set NICs register into.
# NOTE(review): resource_group_name is deprecated on this resource in newer
# azurerm releases — check the pinned provider version before removing it.
resource "azurerm_lb_backend_address_pool" "new_terraform_bpepool_web" {
  name                = "${var.web_lb_name}-BackEndAddressPool"
  loadbalancer_id     = azurerm_lb.new_terraform_lb_web.id
  resource_group_name = azurerm_resource_group.existing_terraform_rg.name
}
# Health probe shared by both LB rules; protocol, path and port are supplied
# through variables.
resource "azurerm_lb_probe" "new_terraform_lb_probe_web" {
  name                = "${var.web_lb_name}-probe-${var.web_lb_probe_protocol}"
  loadbalancer_id     = azurerm_lb.new_terraform_lb_web.id
  resource_group_name = azurerm_resource_group.existing_terraform_rg.name

  protocol     = var.web_lb_probe_protocol
  port         = var.web_lb_probe_port
  request_path = var.web_lb_probe_request_path
}
# HTTP: frontend port 80 on the private frontend -> backend port 80 of the
# pool, gated by the shared probe. frontend_ip_configuration_name must match
# the name declared in azurerm_lb.new_terraform_lb_web.
resource "azurerm_lb_rule" "new_terraform_bpepool_web_rule_http" {
  name                           = "new_terraform_bpepool_web_rule_http"
  resource_group_name            = azurerm_resource_group.existing_terraform_rg.name
  loadbalancer_id                = azurerm_lb.new_terraform_lb_web.id
  frontend_ip_configuration_name = "PrivateIPAddress-${var.web_lb_name}"
  protocol                       = "Tcp"
  frontend_port                  = 80
  backend_port                   = 80
  backend_address_pool_id        = azurerm_lb_backend_address_pool.new_terraform_bpepool_web.id
  probe_id                       = azurerm_lb_probe.new_terraform_lb_probe_web.id
  # NOTE(review): this flag only affects SNAT through the rule's own frontend.
  # That frontend is private, so it neither grants nor removes outbound
  # internet access for the backend instances.
  disable_outbound_snat = true
}
# HTTPS: frontend port 443 on the private frontend -> backend port 443 of the
# pool, same probe and frontend as the HTTP rule above.
resource "azurerm_lb_rule" "new_terraform_bpepool_web_rule_https" {
  name                           = "new_terraform_bpepool_web_rule_https"
  resource_group_name            = azurerm_resource_group.existing_terraform_rg.name
  loadbalancer_id                = azurerm_lb.new_terraform_lb_web.id
  frontend_ip_configuration_name = "PrivateIPAddress-${var.web_lb_name}"
  protocol                       = "Tcp"
  frontend_port                  = 443
  backend_port                   = 443
  backend_address_pool_id        = azurerm_lb_backend_address_pool.new_terraform_bpepool_web.id
  probe_id                       = azurerm_lb_probe.new_terraform_lb_probe_web.id
  # NOTE(review): as on the HTTP rule, this only concerns SNAT via the private
  # frontend and does not provide outbound connectivity for the instances.
  disable_outbound_snat = true
}
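# Web-tier scale set: Windows instances spread over three zones in the private
# web subnet and registered in the internal LB backend pool.
#
# NOTE(review): the instances have no public IP and their only LB is internal.
# With a Standard SKU LB, Azure gives such instances no default outbound
# internet access, so the script download performed by the extension below
# cannot succeed until an explicit outbound path exists (NAT Gateway on the
# subnet via azurerm_nat_gateway + azurerm_subnet_nat_gateway_association, an
# outbound rule on a public Standard LB, or instance-level public IPs). A NAT
# Gateway adds outbound only and keeps the tier unreachable from the internet
# — confirm against the SKU actually passed in var.lb_Sku.
resource "azurerm_windows_virtual_machine_scale_set" "new_terraform_vmss_web" {
  # Explicit ordering kept from the original configuration: presumably so the
  # LB rules exist before instances join the backend pool, which the pool
  # reference alone does not express.
  depends_on = [
    azurerm_lb_rule.new_terraform_bpepool_web_rule_http,
    azurerm_lb_rule.new_terraform_bpepool_web_rule_https,
  ]

  name                = "vmss-001"
  resource_group_name = azurerm_resource_group.existing_terraform_rg.name
  location            = azurerm_resource_group.existing_terraform_rg.location
  sku                 = var.webtier_vmss_sku
  instances           = var.webtier_vmss_instance_count
  admin_username      = var.webtier_vmss_admin_uname
  admin_password      = var.webtier_vmss_admin_password

  # Spread instances evenly across all three zones of the region.
  zones        = ["1", "2", "3"]
  zone_balance = true

  # Manual upgrades. A rolling_upgrade_policy (with the health_probe_id it
  # requires, e.g. azurerm_lb_probe.new_terraform_lb_probe_web.id) can be added
  # once automatic OS upgrades are wanted.
  upgrade_mode = "Manual"

  source_image_reference {
    publisher = "MicrosoftWindowsServer"
    offer     = "WindowsServer"
    sku       = var.webtier_vmss_image_sku
    version   = "latest"
  }

  os_disk {
    storage_account_type = "Standard_LRS"
    caching              = "ReadWrite"
  }

  # Wires up the diagnostics storage account declared above, which was created
  # for this purpose but previously not referenced by any resource.
  boot_diagnostics {
    storage_account_uri = azurerm_storage_account.mystorageaccount.primary_blob_endpoint
  }

  # Single NIC per instance in the web subnet; no public IP is attached.
  network_interface {
    name    = "vmss-001-nic-1"
    primary = true

    ip_configuration {
      name                                   = "vmss-001-nic-1-Configuration"
      primary                                = true
      subnet_id                              = azurerm_subnet.new_terraform_subnet_web.id
      load_balancer_backend_address_pool_ids = [azurerm_lb_backend_address_pool.new_terraform_bpepool_web.id]
    }
  }
}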
# Custom Script Extension applied to every instance of the web-tier scale set:
# downloads an IIS setup script from GitHub and runs it with PowerShell.
resource "azurerm_virtual_machine_scale_set_extension" "new_terraform_vmss_web_ext_1" {
name = "new_terraform_vmss_web_ext_1"
virtual_machine_scale_set_id = azurerm_windows_virtual_machine_scale_set.new_terraform_vmss_web.id
publisher = "Microsoft.Compute"
type = "CustomScriptExtension"
type_handler_version = "1.9"
# NOTE(review): the download runs inside the instances, so it depends on the
# outbound internet path this scale set currently lacks (no public IP,
# internal-only LB). The script is also fetched from the moving `master`
# branch of a third-party repository, so its content can change between
# deployments without any change here; pin an immutable revision
# (raw.githubusercontent.com/.../<COMMIT_SHA>/automate-iis-v2.ps1, placeholder)
# or host a reviewed copy in the diagnostics storage account and reference
# that instead.
settings = <<SETTINGS
{
"fileUris": ["https://raw.githubusercontent.com/Azure-Samples/compute-automation-configurations/master/automate-iis-v2.ps1"]
}
SETTINGS
# Unlike settings, protected_settings is stored encrypted by the platform and
# is not returned on the resource, which is why commandToExecute lives here.
# -ExecutionPolicy Unrestricted lifts the script execution policy for this
# PowerShell invocation only.
protected_settings = <<PROTECTED_SETTINGS
{
"commandToExecute": "powershell -ExecutionPolicy Unrestricted -File automate-iis-v2.ps1"
}
PROTECTED_SETTINGS
}
# Public IP for the jump box — the only internet-facing address in this
# configuration. Dynamic allocation means the address can change across
# deallocate/start cycles.
resource "azurerm_public_ip" "spk1-jbx-puip" {
  name                = "spk1-jbx-puip"
  allocation_method   = "Dynamic"
  resource_group_name = azurerm_resource_group.existing_terraform_rg.name
  location            = "westeurope"
}
# NIC for the jump box: dynamic private address in the jump-box subnet plus
# the public IP declared above.
resource "azurerm_network_interface" "spk1-jbx-nic" {
  name                = "spk1-jbx-nic"
  resource_group_name = azurerm_resource_group.existing_terraform_rg.name
  location            = "westeurope"

  ip_configuration {
    name                          = "spk1-jbx-nic-conf"
    public_ip_address_id          = azurerm_public_ip.spk1-jbx-puip.id
    private_ip_address_allocation = "Dynamic"
    subnet_id                     = azurerm_subnet.spk1-jbx-subnet.id
  }
}
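# Local administrator password for the jump box. Deliberately has no default:
# it must be supplied out of band (TF_VAR_jbx_admin_password or a *.tfvars
# file kept out of version control) rather than committed in clear text here.
variable "jbx_admin_password" {
  type        = string
  description = "Local administrator password for spk1-jbx-vm."
}

# Jump box ("jbx") VM — the only machine in this configuration with a public
# IP; presumably the entry point for reaching the private web tier.
resource "azurerm_virtual_machine" "spk1-jbx-vm" {
  name                = "spk1-jbx-vm"
  resource_group_name = azurerm_resource_group.existing_terraform_rg.name
  location            = azurerm_resource_group.existing_terraform_rg.location
  vm_size             = "Standard_D2s_v3"
  # Plain reference; the legacy "${...}" interpolation wrapper is not needed
  # with the 0.12+ syntax used elsewhere in this file.
  network_interface_ids = [azurerm_network_interface.spk1-jbx-nic.id]

  storage_image_reference {
    publisher = "MicrosoftWindowsServer"
    offer     = "WindowsServer"
    sku       = "2016-Datacenter"
    version   = "latest"
  }

  # Managed OS disk. NOTE(review): azurerm_virtual_machine keeps the OS disk on
  # destroy unless delete_os_disk_on_termination is set — decide explicitly.
  storage_os_disk {
    name              = "spk1-jbx-vm-mtwin-disk-os"
    caching           = "ReadWrite"
    create_option     = "FromImage"
    managed_disk_type = "Standard_LRS"
  }

  os_profile {
    computer_name  = "spk1-jbx-vm"
    admin_username = "demouser"
    # Previously a literal password in source; now injected via variable.
    admin_password = var.jbx_admin_password
  }

  os_profile_windows_config {
    provision_vm_agent = true
  }
}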
提供程序“azurerm”{
特征{}
订阅\u id=var.azure-subscription-id
client_id=var.azure-client-app-id
client_secret=var.azure-client-secret-password
租户id=var.azure-tenant-id
}
资源“azurerm\u资源组”“现有地形\u rg”{
name=“rg-ict-spoke1-001”
地点=“西欧”
#依赖=[var.rg依赖]
}
#为启动诊断创建存储帐户
资源“azurerm_存储帐户”“mystorageaccount”{
name=“diag${random\u id.randomId.hex}”
resource\u group\u name=azurerm\u resource\u group.existing\u terraform\u rg.name
地点=“西欧”
账户_tier=“标准”
帐户\u复制\u type=“LRS”
}
资源“azurerm\u虚拟网络”“现有地形网络”{
name=“vnet-spoke1-001”
地点=“西欧”
resource\u group\u name=azurerm\u resource\u group.existing\u terraform\u rg.name
地址空间=[“10.0.0.0/16”]
#依赖于=[azurerm\u资源\u组。现有的\u地形\u rg]
}
//子网
#创建子网
资源“azurerm_子网”“spk1 jbx子网”{
name=“spk1 jbx子网”
resource\u group\u name=azurerm\u resource\u group.existing\u terraform\u rg.name
virtual_network_name=azurerm_virtual_network.existing_terraform_vnet.name
地址前缀=[“10.0.0.0/24”]
}
资源“azurerm\u子网”“新地形\u子网\u web”{
name=“snet webtier-${var.environment}-vdc-001”
resource\u group\u name=azurerm\u resource\u group.existing\u terraform\u rg.name
virtual_network_name=azurerm_virtual_network.existing_terraform_vnet.name
地址\前缀=var.webtier\地址\前缀
依赖于=[azurerm虚拟网络。现有地形网络]
}
#创建网络安全组和规则
资源“azurerm\u网络安全组”“通用nsg”{
name=“通用nsg”
地点=“西欧”
resource\u group\u name=azurerm\u resource\u group.existing\u terraform\u rg.name
安全规则{
name=“通用规则”
优先级=1001
direction=“入站”
access=“允许”
协议=“Tcp”
source\u port\u range=“*”
#目的地\端口\范围=“3389”
#目的地港口范围=“[“22”、“3389”、“80”、“8080]”
目的地港口范围=[“22”、“3389”、“80”、“8080”、“443”]
源地址前缀=“*”
目的地地址前缀=“*”
}
}
#将安全组连接到网络接口
资源“azurerm\u子网\u网络\u安全\u组\u协会”“新地形\u子网\u web-asso-nsg”{
subnet\u id=azurerm\u subnet.new\u terraform\u subnet\u web.id
网络安全组id=azurerm网络安全组。通用-nsg.id
}
资源“azurerm子网网络安全组关联”“spk1 jbx子网关联nsg”{
subnet_id=azurerm_subnet.spk1-jbx-subnet.id
网络安全组id=azurerm网络安全组。通用-nsg.id
}
#为唯一的存储帐户名生成随机文本
资源“随机id”“随机id”{
看守人={
#仅在定义新资源组时生成新ID
resource\u group=azurerm\u resource\u group.existing\u terraform\u rg.name
}
字节长度=8
}
资源“azurerm_lb”“新地形_lb_web”{
name=“lb-${var.web\u lb_name}-${var.environment}-vdc-001”
位置=azurerm\u资源\u组。现有\u地形\u rg位置
resource\u group\u name=azurerm\u resource\u group.existing\u terraform\u rg.name
sku=变量磅单位sku
前端ip配置{
name=“PrivateIPAddress-${var.web\u lb\u name}”
subnet\u id=azurerm\u subnet.new\u terraform\u subnet\u web.id
私有ip地址=var.web\u lb\u私有ip
私有\u ip\u地址\u分配=“静态”
}
}
资源“azurerm\u lb\u后端\u地址\u池”“新的\u地形\u bpepool\u web”{
resource\u group\u name=azurerm\u resource\u group.existing\u terraform\u rg.name
loadbalancer_id=azurerm_lb.new_terraform_lb_web.id
name=“${var.web_lb_name}-BackEndAddressPool”
}
决议