AWS RDS keep user access with dynamic IP

On AWS RDS I have added several postgres users. There are security groups that need an IP address in order to access the database instance.

So if a user has a static IP address, I add it once and there is no problem.

But if a user has a dynamic address, the only way I see is to update the IP periodically to keep the user's connection working.

My question is: is it possible to keep dynamic-IP users connected without manually updating the security group data?

Thanks!

Here are some options:

  1. Connect to EC2 using a bastion host.

  2. If users connect through the office network/VPN with a fixed private IP CIDR, allow inbound traffic for that IP CIDR in the security group. Note: this may open access to your organization's wider private network. RDS will be available locally, provided you have AWS VPC connectivity from your organization's private network.

Building on @amitd's answer, you can and should use a bastion host, but you still need to open that host to your dynamic IP. To update the IP address allowed to access that host to my currently assigned IP, I use the following script:

#! /bin/bash

# This script makes it easier to maintain security groups that allow SSH access
# from a computer with a dynamic IP, such as a computer on a home network or ISP.
#
# Using the script will allow you to SSH to an EC2 without having to allow
# access to the whole world (0.0.0.0/0). If you run this script whenever your IP
# changes then the security groups in your account specified by your AWS profile
# will be updated.
#
# The script will find any security groups for your current profile that are
# tagged with a Tag with a Key of "ssh-from-my-ip" and a case insensitive value
# of "true" or "yes".
#
# For each security group found it will revoke any existing tcp ingress on
# port 22 and authorize ingress on port 22 for your current IP.
#
# Dependencies - AWS CLI and jq


# need my current ip
MY_IP=$(curl --silent https://checkip.amazonaws.com)
echo "Your IP is ${MY_IP}"

# need security group id(s) and existing CIDR for the SG
# One JSON object per (security group, existing CIDR); cidr is null when the
# group has no ingress rules at all. Note the CIDRs are taken from every
# ingress permission, so the revoke below assumes they belong to tcp/22 rules.
pairs=$(aws ec2 describe-security-groups | jq -c '.SecurityGroups[]? | select( (.Tags[]? | select(.Key == "ssh-from-my-ip") | .Value | test("true|yes"; "i"))) | if .IpPermissions | length == 0 then {sg: .GroupId, cidr: null } else {sg: .GroupId, cidr: .IpPermissions[].IpRanges[].CidrIp} end')

for p in $pairs
do
  SG=$(echo "$p" | jq -r '.sg')
  OLD_CIDR=$(echo "$p" | jq -r '.cidr')

  echo "Updating security group ${SG}"
  if [[ $OLD_CIDR != 'null' ]]
  then
    echo "Revoking ingress permission for ${OLD_CIDR} in security group ${SG}"
    # remove the existing ingress permission
    aws ec2 revoke-security-group-ingress \
        --group-id "${SG}" \
        --protocol tcp \
        --port 22 \
        --cidr "${OLD_CIDR}"
  fi

  # authorize my new IP CIDR
  NEW_CIDR="${MY_IP}"/32
  echo "Authorizing ingress permission for ${NEW_CIDR} in security group ${SG}"
  aws ec2 authorize-security-group-ingress --group-id "${SG}" --ip-permissions '[{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "'"${NEW_CIDR}"'", "Description": "Rule0"}]}]'
done
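The same update as an added example in Python (not code from either answer), computing the change first and then applying it with boto3. Assumptions of mine, not stated on the page: the "ssh-from-my-ip" tag key from the script above is reused, the group data has the shape returned by the EC2 DescribeSecurityGroups API, and the port defaults to 5432 (RDS PostgreSQL, the subject of the question). Unlike the shell script, it only touches tcp rules on that port, revokes only /32 entries, and does nothing when the current IP is already present, so an office CIDR allowed alongside it (option 2 above) survives. The sample groups are constructed, not real.

```python
"""Added example: plan and apply security-group ingress updates for a dynamic IP.
Assumptions (not from the page): tag key "ssh-from-my-ip", EC2 API JSON shape,
default port 5432. Only /32 rules on the chosen tcp port are ever revoked."""
import ipaddress
import re
import urllib.request
from typing import Any, List, Optional, Tuple

TAG_KEY = "ssh-from-my-ip"
TAG_VALUE_RE = re.compile(r"^(true|yes)$", re.IGNORECASE)

Action = Tuple[str, str, str]  # ("revoke" | "authorize", group id, cidr)


def lookup_my_ip() -> str:
    """Same lookup the shell script uses; needs network access."""
    with urllib.request.urlopen("https://checkip.amazonaws.com", timeout=10) as r:
        return r.read().decode().strip()


def is_managed(sg: dict) -> bool:
    """True when the group carries ssh-from-my-ip = true|yes (case-insensitive)."""
    return any(t.get("Key") == TAG_KEY and TAG_VALUE_RE.match(t.get("Value", ""))
               for t in sg.get("Tags", []))


def cidrs_on_port(sg: dict, port: int) -> List[str]:
    """CIDRs allowed on tcp/<port> only; rules for other ports are ignored."""
    found = []
    for perm in sg.get("IpPermissions", []):
        if perm.get("IpProtocol") != "tcp":
            continue
        if perm.get("FromPort") != port or perm.get("ToPort") != port:
            continue
        found.extend(r["CidrIp"] for r in perm.get("IpRanges", []))
    return found


def plan(groups: List[dict], my_ip: str, port: int = 5432) -> List[Action]:
    """Minimal revoke/authorize actions. Idempotent: empty when the current
    IP is already the only /32 on the port. Raises ValueError on a bad IP."""
    new_cidr = f"{ipaddress.IPv4Address(my_ip)}/32"
    actions: List[Action] = []
    for sg in groups:
        if not is_managed(sg):
            continue
        existing = cidrs_on_port(sg, port)
        for cidr in existing:
            if cidr.endswith("/32") and cidr != new_cidr:  # stale host rule
                actions.append(("revoke", sg["GroupId"], cidr))
        if new_cidr not in existing:
            actions.append(("authorize", sg["GroupId"], new_cidr))
    return actions


def permission(cidr: str, port: int) -> dict:
    """IpPermissions entry in the shape both ingress API calls accept."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr, "Description": "dynamic-ip (managed)"}]}


def apply(actions: List[Action], port: int = 5432, ec2: Optional[Any] = None) -> int:
    """Apply the plan through an EC2 client (boto3 unless one is injected).
    Returns the number of API calls made; 0 when boto3 is not installed."""
    if ec2 is None:
        try:
            import boto3  # optional dependency, only needed for real use
        except ImportError:
            return 0
        ec2 = boto3.client("ec2")
    calls = 0
    for action, group_id, cidr in actions:
        kwargs = {"GroupId": group_id, "IpPermissions": [permission(cidr, port)]}
        if action == "revoke":
            ec2.revoke_security_group_ingress(**kwargs)
        else:
            ec2.authorize_security_group_ingress(**kwargs)
        calls += 1
    return calls


def run(port: int = 5432) -> int:
    """Real run: describe the account's groups, plan, apply. Needs boto3 + creds."""
    import boto3
    ec2 = boto3.client("ec2")
    groups = ec2.describe_security_groups()["SecurityGroups"]
    return apply(plan(groups, lookup_my_ip(), port), port, ec2)


# Constructed sample in the DescribeSecurityGroups shape (not real groups):
SAMPLE_GROUPS = [
    {"GroupId": "sg-0123456789abcdef0",
     "Tags": [{"Key": TAG_KEY, "Value": "Yes"}],
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
          "IpRanges": [{"CidrIp": "203.0.113.7/32"},      # stale home IP
                       {"CidrIp": "198.51.100.0/24"}]},   # office CIDR, kept
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "203.0.113.7/32"}]}]},  # other port, untouched
    {"GroupId": "sg-0fedcba9876543210", "Tags": [], "IpPermissions": []},  # untagged
]

if __name__ == "__main__":
    for a in plan(SAMPLE_GROUPS, "203.0.113.9"):  # dry run over the sample
        print(*a)
```

Run `run()` from a cron job or a login hook to do what the shell script does; `plan()` on its own is a safe dry run to inspect before anything is changed. Pagination of describe_security_groups is not handled, so accounts with several hundred groups would need a paginator.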