What is AWS Prefix actually?
Question
What/where is the definition of AWS Prefix?
Background
While looking for a way to list the S3 endpoint CIDRs, I came across the term AWS prefix list, but I am not sure what it exactly means or where the term is defined.
Confusion
Prefix means a word placed in front. For S3, according to Listing Keys Hierarchically Using a Prefix and Delimiter, it should be the starting path of an object.
However, apparently it refers to an IP address range. Why is prefix used for IP ranges? What is the history or reason?
This can be used both to validate a prefix list given in a variable and to obtain the CIDR blocks (IP address ranges) for the associated AWS service.
Describes available AWS services in a prefix list format, which includes the prefix list name and prefix list ID of the service and the IP address range for the service.
SERVICE="S3"
REGION="us-west-1"
$ curl -s https://ip-ranges.amazonaws.com/ip-ranges.json | \
    jq -r --arg SERVICE "$SERVICE" --arg REGION "${REGION}" \
    '.prefixes[] | select(.service==$SERVICE and .region==$REGION)'
{
"ip_prefix": "52.92.48.0/22",
"region": "us-west-1",
"service": "S3"
}
{
"ip_prefix": "54.231.232.0/21",
"region": "us-west-1",
"service": "S3"
}
{
"ip_prefix": "52.219.20.0/22",
"region": "us-west-1",
"service": "S3"
}
{
"ip_prefix": "52.219.24.0/21",
"region": "us-west-1",
"service": "S3"
}
Update
Specify the VPC in which to create the endpoint, and the service to which you're connecting. A service is identified by a prefix list—the name and ID of a service for a Region. A prefix list ID uses the form pl-xxxxxxx and a prefix list name uses the form "com.amazonaws.region.service". Use the prefix list name (service name) to create an endpoint.
What is the meaning of Prefix?
suppose you have a network like 10.5.10.0/24
so you will have the 10.5.10 prefix in that subnet from 1 to 255 and your network address will be 10.5.10.0
I think (10.0.0.0/24) denotes a network (the first 24 bits of the 32-bit IP) that has 254 IP addresses from 1 to 254 (0 is the network, 255 is the broadcast). The prefix is the first 24 bits and the suffix (?) is the last 8 bits. A list of the first N bits that identify networks is an IP prefix list.
The term prefix list comes from routing technology. An IP address in CIDR format has an IP prefix and a network prefix (10.1.0.0/16). The IP prefix is 10.1 and the network prefix is /16.
So if you use a list of IP addresses in CIDR format, we call it an IP prefix list.
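As an added illustration of the IP prefix / network prefix split described in this answer, and of the `.prefixes[] | select(...)` jq filter in the question, here is a small Python script that is not part of any of the posts. It uses only the standard `ipaddress` and `json` modules; the `IP_RANGES_JSON` document is a constructed excerpt in the shape of ip-ranges.json (the us-west-1 S3 entries are the ones printed in the question, the us-east-2 entry is made up) so the script runs offline.

```python
import ipaddress
import json

# Constructed excerpt in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json.
# The S3/us-west-1 entries match the question's jq output; the us-east-2 entry is made up.
IP_RANGES_JSON = json.dumps({
    "prefixes": [
        {"ip_prefix": "52.92.48.0/22", "region": "us-west-1", "service": "S3"},
        {"ip_prefix": "54.231.232.0/21", "region": "us-west-1", "service": "S3"},
        {"ip_prefix": "52.219.20.0/22", "region": "us-west-1", "service": "S3"},
        {"ip_prefix": "52.219.24.0/21", "region": "us-west-1", "service": "S3"},
        {"ip_prefix": "3.5.140.0/22", "region": "us-east-2", "service": "S3"},
    ]
})


def split_cidr(cidr):
    """Break a CIDR block into the pieces the answer names: the IP prefix
    (the leading octets that lie entirely inside the network prefix), the
    network prefix length /N, and the usable host range, which excludes the
    network address (.0) and the broadcast address (.255 for a /24)."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen > 30:
        raise ValueError("this example handles IPv4 blocks of /30 or larger only")
    whole_octets = net.prefixlen // 8          # /24 -> 3 octets, /16 -> 2, /22 -> 2
    return {
        "ip_prefix": ".".join(str(net.network_address).split(".")[:whole_octets]),
        "network_address": str(net.network_address),   # exact form for prefixes not on an octet boundary
        "prefix_len": net.prefixlen,
        "first_host": str(net.network_address + 1),
        "last_host": str(net.broadcast_address - 1),
        "usable_hosts": net.num_addresses - 2,
    }


def select_prefixes(doc, service, region):
    """Same selection as the question's jq filter:
    .prefixes[] | select(.service==$SERVICE and .region==$REGION)"""
    return [
        p["ip_prefix"]
        for p in json.loads(doc)["prefixes"]
        if p["service"] == service and p["region"] == region
    ]


def ip_in_prefix_list(ip, prefixes):
    """Return the prefix from the list that contains ip, or None if no entry
    covers it. This is the membership test a security group or route table
    performs when it is given a prefix list."""
    addr = ipaddress.ip_address(ip)
    for cidr in prefixes:
        if addr in ipaddress.ip_network(cidr):
            return cidr
    return None


if __name__ == "__main__":
    print(split_cidr("10.5.10.0/24"))
    s3_west = select_prefixes(IP_RANGES_JSON, "S3", "us-west-1")
    print(s3_west)
    print(ip_in_prefix_list("52.92.50.7", s3_west))
```

For 10.5.10.0/24 the script reports the IP prefix 10.5.10, network prefix 24, and hosts 10.5.10.1 to 10.5.10.254, which is the split the two answers above describe; for a block such as 52.92.48.0/22 the octet-based "ip_prefix" is only an approximation and "network_address" is the exact value.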
If what you are looking for is the prefix list ID of a VPC endpoint, e.g. dynamodb/s3, then it has nothing to do with IP or CIDR. As mentioned in the docs:
A prefix list ID is required for creating an outbound security group rule that allows traffic from a VPC to access an AWS service through a gateway VPC endpoint.
So if the prefix list ID is missing from the security group outbound rules of your ec2 or vpc-lambda, then when connecting to dynamodb or s3 ...
You can get the prefix lists by running
aws ec2 describe-prefix-lists
{
"PrefixLists": [
{
"Cidrs": [
"54.231.0.0/17",
"52.216.0.0/15"
],
"PrefixListId": "pl-63c5400k",
"PrefixListName": "com.amazonaws.us-east-1.s3"
},
{
"Cidrs": [
"52.94.0.0/22",
"52.119.224.0/20"
],
"PrefixListId": "pl-02ad2a6c",
"PrefixListName": "com.amazonaws.us-east-1.dynamodb"
}
]
}
Then you can put this PrefixListId into your outbound security group via the AWS web console. If you use terraform for different regions, it could look like this:
resource "aws_security_group_rule" "MyService_to_DynamoDB_east" {
count = "${ lower(var.region) == "us-east-1" ? 1 : 0 }"
security_group_id = "${aws_security_group.MyService_Ext_Api.id}"
description = "DynamoDB"
type = "egress"
protocol = "tcp"
from_port = 443
to_port = 443
prefix_list_ids = ["pl-02ad2a6c"]
}
resource "aws_security_group_rule" "MyService_to_DynamoDB_west" {
count = "${ lower(var.region) == "us-west-2" ? 1 : 0 }"
security_group_id = "${aws_security_group.MyService_Ext_Api.id}"
description = "DynamoDB"
type = "egress"
protocol = "tcp"
from_port = 443
to_port = 443
prefix_list_ids = ["pl-0ca54061"]
}
What is a prefix list in the context of AWS VPC
A prefix list is an IP range in CIDR format assigned to a VPC Gateway Endpoint (S3 or DynamoDB) in a region. It is region specific.
For example, as of 24 February 2020, the prefix list for DynamoDB in the us-east-2 region is "52.94.4.0/24", where 52.94.4 is the IP prefix and /24 is the network prefix, as @John Hanley explained. The IPs the VPC gateway endpoint for DynamoDB can use are between 52.94.4.1 - 52.94.4.254 (AWS may have reserved some IPs).
$ aws ec2 describe-prefix-lists
{
"PrefixLists": [
{
"Cidrs": [
"52.94.4.0/24"
],
"PrefixListId": "pl-4ca54025",
"PrefixListName": "com.amazonaws.us-east-2.dynamodb"
},
{
"Cidrs": [
"52.219.80.0/20",
"3.5.128.0/22",
"3.5.132.0/23",
"52.219.96.0/20",
"52.92.76.0/22"
],
"PrefixListId": "pl-7ba54012",
"PrefixListName": "com.amazonaws.us-east-2.s3"
}
]
}
Those prefix lists have an ID and a name. We can specify the prefix list ID in VPC route tables and security groups, but not in NACLs. For NACLs we need to use the CIDRs.
- Gateway VPC Endpoints
You canNOT use a prefix list ID in an outbound rule in a network ACL to allow or deny outbound traffic to the service specified in an endpoint. If your network ACL rules restrict traffic, you must specify the CIDR block (IP address range) for the service instead. You can, however, use a prefix list ID in an outbound security group rule. For more information, see Security Groups.
Terraform examples
NACL
resource "aws_vpc_endpoint" "private_s3" {
vpc_id = "${aws_vpc.foo.id}"
service_name = "com.amazonaws.us-west-2.s3"
}
data "aws_prefix_list" "private_s3" {
prefix_list_id = "${aws_vpc_endpoint.private_s3.prefix_list_id}"
}
resource "aws_network_acl" "bar" {
vpc_id = "${aws_vpc.foo.id}"
}
resource "aws_network_acl_rule" "private_s3" {
network_acl_id = "${aws_network_acl.bar.id}"
rule_number = 200
egress = false
protocol = "tcp"
rule_action = "allow"
cidr_block = "${data.aws_prefix_list.private_s3.cidr_blocks[0]}"
from_port = 443
to_port = 443
}
The security group one is provided by @LeOn - Han Li in his answer.
resource "aws_security_group_rule" "MyService_to_DynamoDB_east" {
count = "${ lower(var.region) == "us-east-1" ? 1 : 0 }"
security_group_id = "${aws_security_group.MyService_Ext_Api.id}"
description = "DynamoDB"
type = "egress"
protocol = "tcp"
from_port = 443
to_port = 443
prefix_list_ids = ["pl-02ad2a6c"]
}
resource "aws_security_group_rule" "MyService_to_DynamoDB_west" {
count = "${ lower(var.region) == "us-west-2" ? 1 : 0 }"
security_group_id = "${aws_security_group.MyService_Ext_Api.id}"
description = "DynamoDB"
type = "egress"
protocol = "tcp"
from_port = 443
to_port = 443
prefix_list_ids = ["pl-0ca54061"]
}
Access control
Why can’t I connect to an S3 bucket using a gateway VPC endpoint? lays out a comprehensive list of what comes into play regarding S3 VPC gateway endpoints, prefix list IDs and CIDRs.
- DNS settings in your VPC
Important: DNS resolution must be enabled in your VPC (see the gateway endpoint limitations). If you use your own DNS server, make sure DNS requests for AWS services resolve to the IP addresses maintained by AWS.
- Route table settings to Amazon S3
- Security group outbound rules
- Network ACL rules
- Gateway VPC endpoint policy
- S3 bucket policy
- IAM policy
References
- Gateway VPC Endpoints
Specify the VPC in which to create the endpoint, and the service to which you're connecting. A service is identified by a prefix list—the name and ID of a service for a Region. A prefix list ID uses the form pl-xxxxxxx and a prefix list name uses the form "com.amazonaws.region.service". Use the prefix list name (service name) to create an endpoint.
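The NACL example above copies only cidr_blocks[0] into a single rule, while the us-east-2 S3 prefix list quoted in this answer has five CIDRs; a network ACL that allows just the first block silently drops traffic to the other four. The following Python is an added example (not code from the answer, from Terraform or from AWS) that audits a set of NACL allow CIDRs against a prefix list and generates one rule per CIDR. The prefix-list document is the describe-prefix-lists output quoted above, embedded inline; the NACL CIDRs in the demo are constructed, and the rule dictionaries mirror the aws_network_acl_rule arguments used in the Terraform snippet.

```python
import ipaddress
import json

# The `aws ec2 describe-prefix-lists` output quoted in the answer, embedded as sample input.
PREFIX_LISTS_JSON = json.dumps({
    "PrefixLists": [
        {"Cidrs": ["52.94.4.0/24"],
         "PrefixListId": "pl-4ca54025",
         "PrefixListName": "com.amazonaws.us-east-2.dynamodb"},
        {"Cidrs": ["52.219.80.0/20", "3.5.128.0/22", "3.5.132.0/23",
                   "52.219.96.0/20", "52.92.76.0/22"],
         "PrefixListId": "pl-7ba54012",
         "PrefixListName": "com.amazonaws.us-east-2.s3"},
    ]
})


def prefix_list_cidrs(doc, name):
    """Look up the CIDRs of a prefix list by its name (com.amazonaws.<region>.<service>)."""
    for pl in json.loads(doc)["PrefixLists"]:
        if pl["PrefixListName"] == name:
            return pl["Cidrs"]
    raise KeyError(name)


def uncovered_cidrs(service_cidrs, nacl_allow_cidrs):
    """Return the service CIDRs that no NACL allow-rule CIDR fully contains.
    A service block counts as covered when it is a subnet of (or equal to)
    some allowed block, so a broader allow such as 52.94.0.0/16 still covers
    52.94.4.0/24."""
    allowed = [ipaddress.ip_network(c) for c in nacl_allow_cidrs]
    missing = []
    for c in service_cidrs:
        net = ipaddress.ip_network(c)
        if not any(net.subnet_of(a) for a in allowed if a.version == net.version):
            missing.append(c)
    return missing


def nacl_rules_for(service_cidrs, first_rule_number=200, port=443, egress=True):
    """Build one allow rule per CIDR, numbered consecutively, in the shape of
    the aws_network_acl_rule arguments used in the answer's Terraform.
    NACLs are stateless, so the outbound rules generated here still need a
    matching inbound rule for the return traffic (not generated here)."""
    return [
        {"rule_number": first_rule_number + i, "egress": egress, "protocol": "tcp",
         "rule_action": "allow", "cidr_block": c, "from_port": port, "to_port": port}
        for i, c in enumerate(service_cidrs)
    ]


if __name__ == "__main__":
    s3 = prefix_list_cidrs(PREFIX_LISTS_JSON, "com.amazonaws.us-east-2.s3")
    # Constructed NACL that mirrors the Terraform snippet: only cidr_blocks[0] is allowed.
    nacl_only_first = [s3[0]]
    print("not covered by the NACL:", uncovered_cidrs(s3, nacl_only_first))
    for rule in nacl_rules_for(s3):
        print(rule)
```

Running the audit against a NACL that allows only the first S3 block reports the remaining four CIDRs as uncovered; the generated rule set (rule numbers 200 to 204) is what the Terraform would need to emit, for instance with a count over data.aws_prefix_list.private_s3.cidr_blocks rather than a fixed index.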
Although the question about the prefix definition for VPC has been answered, I did not see an answer for the prefix definition related to S3 (other than the CIDR related one). If you have a folder Photos with a yourpic.jpg file in it and just put it into S3, it should look like this: photos/yourpic.jpg. The folder part photos/ is called the prefix in S3 terminology. As mentioned in the latest AWS Performance tuning guide for S3, we can use prefixes for parallel processing and to improve performance. Anyway, I am still learning AWS, so take it with a grain of salt. See the link below for reference.
https://docs.aws.amazon.com/AmazonS3/latest/user-guide/using-folders.html