允许私有子网中的资源在它们之间访问并出口到互联网
Allow resources in a private subnet to access each other and egress to the internet
我有一个 VPC
- 1 个 VPC
- 1 个私有子网附加到 VPC
- 1 个 NAT 网关
- 带有出口和入口规则的安全组附加到我的 VPC
- 具有附加到 VPC 和子网的出口和入口规则的 ACL
我尝试连接的资源是:
- 1 个 Elastic Cache 集群,有一个
aws_elasticache_subnet_group
连接到子网
- 1 个为相同 VPC 和子网 ID 获取 VPC 配置的 CodeBuild 实例
- 已通过附加的 public 子网访问互联网的 Fargate 实例,但应通过私有子网
与 Elastic Cache 节点通信
当我尝试 运行 CodeBuild 时,无法连接到 S3 以下载构建源。在对构建项目编辑 VPC 配置之前,这不会发生。换句话说,如果我从 CodeBuild 中删除 vpc 和子网配置,它将立即运行,但我需要连接设置。
特别是,我得到的错误是:
dial tcp 52.216.129.171:443: i/o timeout for primary source and source version arn:aws:s3:::blog-us-setup/blog-us-pipe/source_out/8ADWIXv"
我还设置了其他配置,例如:
- 路由表
- 路由
- 路由表关联
- 网络 ACL
到目前为止运气不好。无法将第一个重要资源连接到 Internet,甚至无法确定它是否会连接到同一私有 VPC 中的 Elastic Cache 集群
这是我在 terraform 中的网络配置定义:
# Question's original layout: a single subnet, with the NAT gateway placed in
# that same subnet. Reviewer notes below; the accepted answer restructures it.
resource "aws_subnet" "audible_blog_resources" {
vpc_id = "vpc-xxxxx"
cidr_block = "10.0.2.0/24"
}
# Elastic IP for the NAT gateway. (`vpc = true` is the older argument form;
# newer provider releases prefer `domain = "vpc"` — confirm against the
# provider version in use.)
resource "aws_eip" "nat_eip" {
vpc = true
}
# Route table for the (only) subnet; its default route is added further down.
resource "aws_route_table" "private" {
vpc_id = "vpc-xxxxx"
}
# NOTE(review): the NAT gateway sits in the only subnet declared here, and that
# subnet's route table sends 0.0.0.0/0 back to this very NAT gateway. No route
# table in this listing points at an internet gateway, so translated packets
# have no way out of the VPC — consistent with the S3 "i/o timeout" reported
# in the question. The answer moves the NAT into a public subnet with an IGW.
resource "aws_nat_gateway" "nat" {
allocation_id = aws_eip.nat_eip.id
subnet_id = aws_subnet.audible_blog_resources.id
}
# Default route of the subnet: every non-local destination goes to the NAT.
resource "aws_route" "private_nat_gateway" {
route_table_id = aws_route_table.private.id
destination_cidr_block = "0.0.0.0/0"
nat_gateway_id = aws_nat_gateway.nat.id
}
resource "aws_route_table_association" "private" {
subnet_id = aws_subnet.audible_blog_resources.id
route_table_id = aws_route_table.private.id
}
# Security group for the Redis endpoint. Ingress is limited to 6379/tcp from
# the subnet's own CIDR (10.0.2.0/24); a client in any other subnet (the
# question mentions Fargate tasks in a public subnet) does not match this rule.
# Referencing the client's security group (the `security_groups` argument)
# instead of a CIDR is the usual least-privilege form.
resource "aws_security_group" "allow_redis_ingress" {
name = "allow_redis_ingress"
description = "Allow Redis inbound traffic"
vpc_id = "vpc-xxxxx"
ingress {
description = "Redis"
from_port = 6379
to_port = 6379
protocol = "tcp"
cidr_blocks = ["10.0.2.0/24"]
}
# Egress is unrestricted for all protocols over IPv4 and IPv6; narrow it to
# the destinations the workload actually needs once they are known.
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
ipv6_cidr_blocks = ["::/0"]
}
}
# NOTE(review): network ACLs are stateless. The egress rule below lets TCP out
# to any destination, but the only ingress rule admits 6379/tcp from
# 10.0.2.0/24, so replies from hosts outside the subnet (e.g. S3 answering from
# port 443 to an ephemeral source port) are dropped at the subnet boundary.
# Even with a correct NAT/IGW layout this ACL would keep CodeBuild from
# reaching S3; the usual counterpart is an ingress allow for TCP ephemeral
# ports (1024-65535) from 0.0.0.0/0. The NAT gateway itself lives in this
# subnet, so its return traffic is subject to the same rules.
resource "aws_network_acl" "main" {
vpc_id = "vpc-xxxxx"
subnet_ids = [ aws_subnet.audible_blog_resources.id ]
egress {
rule_no = "200"
protocol = "tcp"
action = "allow"
cidr_block = "0.0.0.0/0"
from_port = 0
to_port = 65535
}
ingress {
rule_no = "100"
protocol = "tcp"
action = "allow"
cidr_block = "10.0.2.0/24"
from_port = 6379
to_port = 6379
}
}
# Identifiers exported for other configurations — presumably the ElastiCache
# subnet group and the CodeBuild VPC config the question describes; confirm.
output "networking_details" {
value = {
subnet = {
arn = aws_subnet.audible_blog_resources.arn
id = aws_subnet.audible_blog_resources.id
}
security_group = {
arn = aws_security_group.allow_redis_ingress.arn
id = aws_security_group.allow_redis_ingress.id
}
}
}
编辑 1
添加了一个 public 子网,为其添加了路由表,并且 NAT 移动到同一个 public 子网:
# "Edit 1" layout: a second subnet intended as the public one, and the NAT
# gateway moved into it. Reviewer notes below.
resource "aws_subnet" "audible_blog_resources" {
vpc_id = "vpc-xxxxx"
cidr_block = "10.0.2.0/24"
}
# Intended public subnet (10.0.5.0/24). Nothing here makes it public by itself;
# that depends on the public route table below reaching a real internet gateway.
resource "aws_subnet" "public" {
vpc_id = "vpc-xxxxx"
cidr_block = "10.0.5.0/24"
}
# Elastic IP for the NAT gateway (`vpc = true` is the older argument form;
# newer provider releases prefer `domain = "vpc"` — confirm).
resource "aws_eip" "nat_eip" {
vpc = true
}
resource "aws_route_table" "private" {
vpc_id = "vpc-xxxxx"
}
resource "aws_route_table" "public" {
vpc_id = "vpc-xxxxx"
}
# NAT gateway now in the public subnet — the right placement, but only useful
# once the public route table actually reaches an IGW (see the route below).
# The provider docs recommend a `depends_on` on the internet gateway so the NAT
# is not created before the IGW is attached — confirm for the version in use.
resource "aws_nat_gateway" "nat" {
allocation_id = aws_eip.nat_eip.id
subnet_id = aws_subnet.public.id
}
# NOTE(review): gateway_id is a literal placeholder ("igw-igw-id") rather than a
# reference, and no aws_internet_gateway resource appears in this listing.
# Unless a real IGW attached to this VPC is substituted, this route cannot be
# created and the NAT gateway still has no internet path.
resource "aws_route" "public_to_internet" {
route_table_id = aws_route_table.public.id
destination_cidr_block = "0.0.0.0/0"
gateway_id = "igw-igw-id"
}
resource "aws_route_table_association" "public" {
subnet_id = aws_subnet.public.id
route_table_id = aws_route_table.public.id
}
# Default route of the private subnet: every non-local destination goes to the
# NAT gateway in the public subnet.
resource "aws_route" "private_nat_gateway" {
route_table_id = aws_route_table.private.id
destination_cidr_block = "0.0.0.0/0"
nat_gateway_id = aws_nat_gateway.nat.id
}
resource "aws_route_table_association" "private" {
subnet_id = aws_subnet.audible_blog_resources.id
route_table_id = aws_route_table.private.id
}
# Security group for the Redis endpoint. Ingress is limited to 6379/tcp from the
# private subnet's own CIDR; a client in the public subnet (10.0.5.0/24, where
# the question says Fargate runs) does not match this rule. Referencing the
# client's security group (`security_groups`) instead of a CIDR is the usual
# least-privilege form.
resource "aws_security_group" "allow_redis_ingress" {
name = "allow_redis_ingress"
description = "Allow Redis inbound traffic"
vpc_id = "vpc-xxxxx"
ingress {
description = "Redis"
from_port = 6379
to_port = 6379
protocol = "tcp"
cidr_blocks = ["10.0.2.0/24"]
}
# Egress is unrestricted for all protocols over IPv4 and IPv6; narrow it to
# the destinations the workload actually needs once they are known.
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
ipv6_cidr_blocks = ["::/0"]
}
}
# NOTE(review): network ACLs are stateless. Egress lets TCP out anywhere, but
# the only ingress rule admits 6379/tcp from 10.0.2.0/24, so replies from
# outside the subnet (e.g. S3 answering to an ephemeral source port) are
# dropped even if routing is fixed. An ingress allow for TCP ephemeral ports
# (1024-65535) from 0.0.0.0/0 is the usual counterpart. This ACL is associated
# only with the private subnet; the public subnet keeps the VPC default ACL.
resource "aws_network_acl" "main" {
vpc_id = "vpc-xxxxx"
subnet_ids = [ aws_subnet.audible_blog_resources.id ]
egress {
rule_no = "200"
protocol = "tcp"
action = "allow"
cidr_block = "0.0.0.0/0"
from_port = 0
to_port = 65535
}
ingress {
rule_no = "100"
protocol = "tcp"
action = "allow"
cidr_block = "10.0.2.0/24"
from_port = 6379
to_port = 6379
}
}
# Identifiers exported for other configurations — presumably the ElastiCache
# subnet group and the CodeBuild VPC config the question describes; confirm.
output "networking_details" {
value = {
subnet = {
arn = aws_subnet.audible_blog_resources.arn
id = aws_subnet.audible_blog_resources.id
}
security_group = {
arn = aws_security_group.allow_redis_ingress.arn
id = aws_security_group.allow_redis_ingress.id
}
}
}
您的 VPC 设计不正确:
- 缺少 public 子网和互联网网关,
- 没有从 public 子网到互联网的路由表,
- NAT 放错地方了 - 它必须在 public 子网中,而不是私有的。
以下是修改后的版本,但 SG 和 NACL 可能仍需要进一步审查(我已将 NACL 从代码中删除)。
# Answer's version: VPC, IGW and both subnets are declared together so every
# vpc_id below is a reference instead of a hard-coded id.
resource "aws_vpc" "vpc" {
cidr_block = "10.0.0.0/16"
}
# Public subnet: hosts the NAT gateway and is routed to the IGW below.
resource "aws_subnet" "public" {
vpc_id = aws_vpc.vpc.id
cidr_block = "10.0.1.0/24"
}
# Private subnet: hosts the workloads and is routed through the NAT gateway.
resource "aws_subnet" "audible_blog_resources" {
vpc_id = aws_vpc.vpc.id
cidr_block = "10.0.2.0/24"
}
# Internet gateway the question's configuration was missing.
resource "aws_internet_gateway" "gw" {
vpc_id = aws_vpc.vpc.id
}
# Elastic IP for the NAT gateway (`vpc = true` is the older argument form;
# newer provider releases prefer `domain = "vpc"` — confirm).
resource "aws_eip" "nat_eip" {
vpc = true
}
resource "aws_route_table" "private" {
vpc_id = aws_vpc.vpc.id
}
resource "aws_route_table" "public" {
vpc_id = aws_vpc.vpc.id
}
# NAT gateway in the public subnet: its Elastic IP is reachable through the
# IGW, so private-subnet traffic routed here can leave the VPC. The provider
# docs recommend `depends_on = [aws_internet_gateway.gw]` so the NAT is not
# created before the IGW is attached — confirm for the provider version in use.
resource "aws_nat_gateway" "nat" {
allocation_id = aws_eip.nat_eip.id
subnet_id = aws_subnet.public.id
}
# Public default route now references the real IGW (the question's edit used a
# literal placeholder id here).
resource "aws_route" "public_to_internet" {
route_table_id = aws_route_table.public.id
destination_cidr_block = "0.0.0.0/0"
gateway_id = aws_internet_gateway.gw.id
}
resource "aws_route_table_association" "public" {
subnet_id = aws_subnet.public.id
route_table_id = aws_route_table.public.id
}
# Private default route: every non-local destination goes to the NAT gateway.
# NOTE(review): CodeBuild's S3 pulls could instead use a gateway VPC endpoint
# (aws_vpc_endpoint) on this route table, keeping that traffic off the NAT
# gateway and the public internet; not part of this answer.
resource "aws_route" "private_nat_gateway" {
route_table_id = aws_route_table.private.id
destination_cidr_block = "0.0.0.0/0"
nat_gateway_id = aws_nat_gateway.nat.id
}
resource "aws_route_table_association" "private" {
subnet_id = aws_subnet.audible_blog_resources.id
route_table_id = aws_route_table.private.id
}
# Security group carried over from the question. Ingress is limited to 6379/tcp
# from the private subnet's own CIDR; a client in the public subnet
# (10.0.1.0/24) does not match this rule. Referencing the client's security
# group (`security_groups`) instead of a CIDR is the usual least-privilege form.
# The question's network ACL is intentionally omitted (the answer says SG/NACL
# still need review), so the subnets fall back to the VPC default ACL; if a
# custom ACL is reintroduced it must admit return traffic on TCP ephemeral
# ports, since ACLs are stateless.
resource "aws_security_group" "allow_redis_ingress" {
name = "allow_redis_ingress"
description = "Allow Redis inbound traffic"
vpc_id = aws_vpc.vpc.id
ingress {
description = "Redis"
from_port = 6379
to_port = 6379
protocol = "tcp"
cidr_blocks = ["10.0.2.0/24"]
}
# Egress is unrestricted for all protocols over IPv4 and IPv6; narrow it to
# the destinations the workload actually needs once they are known.
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
ipv6_cidr_blocks = ["::/0"]
}
}
# Identifiers exported for other configurations (ElastiCache subnet group,
# CodeBuild VPC config per the question — confirm).
output "networking_details" {
value = {
subnet = {
arn = aws_subnet.audible_blog_resources.arn
id = aws_subnet.audible_blog_resources.id
}
security_group = {
arn = aws_security_group.allow_redis_ingress.arn
id = aws_security_group.allow_redis_ingress.id
}
}
}
我有一个 VPC
- 1 个 VPC
- 1 个私有子网附加到 VPC
- 1 个 NAT 网关
- 带有出口和入口规则的安全组附加到我的 VPC
- 具有附加到 VPC 和子网的出口和入口规则的 ACL
我尝试连接的资源是:
- 1 个 Elastic Cache 集群,有一个
aws_elasticache_subnet_group
连接到子网
- 1 个为相同 VPC 和子网 ID 获取 VPC 配置的 CodeBuild 实例
- 已通过附加的 public 子网访问互联网的 Fargate 实例,但应通过私有子网与 Elastic Cache 节点通信
当我尝试 运行 CodeBuild 时,无法连接到 S3 以下载构建源。在对构建项目编辑 VPC 配置之前,这不会发生。换句话说,如果我从 CodeBuild 中删除 vpc 和子网配置,它将立即运行,但我需要连接设置。
特别是,我得到的错误是:
dial tcp 52.216.129.171:443: i/o timeout for primary source and source version arn:aws:s3:::blog-us-setup/blog-us-pipe/source_out/8ADWIXv"
我还设置了其他配置,例如:
- 路由表
- 路由
- 路由表关联
- 网络 ACL
到目前为止运气不好。无法将第一个重要资源连接到 Internet,甚至无法确定它是否会连接到同一私有 VPC 中的 Elastic Cache 集群
这是我在 terraform 中的网络配置定义:
# Question's original layout: a single subnet, with the NAT gateway placed in
# that same subnet. Reviewer notes below; the accepted answer restructures it.
resource "aws_subnet" "audible_blog_resources" {
vpc_id = "vpc-xxxxx"
cidr_block = "10.0.2.0/24"
}
# Elastic IP for the NAT gateway. (`vpc = true` is the older argument form;
# newer provider releases prefer `domain = "vpc"` — confirm against the
# provider version in use.)
resource "aws_eip" "nat_eip" {
vpc = true
}
# Route table for the (only) subnet; its default route is added further down.
resource "aws_route_table" "private" {
vpc_id = "vpc-xxxxx"
}
# NOTE(review): the NAT gateway sits in the only subnet declared here, and that
# subnet's route table sends 0.0.0.0/0 back to this very NAT gateway. No route
# table in this listing points at an internet gateway, so translated packets
# have no way out of the VPC — consistent with the S3 "i/o timeout" reported
# in the question. The answer moves the NAT into a public subnet with an IGW.
resource "aws_nat_gateway" "nat" {
allocation_id = aws_eip.nat_eip.id
subnet_id = aws_subnet.audible_blog_resources.id
}
# Default route of the subnet: every non-local destination goes to the NAT.
resource "aws_route" "private_nat_gateway" {
route_table_id = aws_route_table.private.id
destination_cidr_block = "0.0.0.0/0"
nat_gateway_id = aws_nat_gateway.nat.id
}
resource "aws_route_table_association" "private" {
subnet_id = aws_subnet.audible_blog_resources.id
route_table_id = aws_route_table.private.id
}
# Security group for the Redis endpoint. Ingress is limited to 6379/tcp from
# the subnet's own CIDR (10.0.2.0/24); a client in any other subnet (the
# question mentions Fargate tasks in a public subnet) does not match this rule.
# Referencing the client's security group (the `security_groups` argument)
# instead of a CIDR is the usual least-privilege form.
resource "aws_security_group" "allow_redis_ingress" {
name = "allow_redis_ingress"
description = "Allow Redis inbound traffic"
vpc_id = "vpc-xxxxx"
ingress {
description = "Redis"
from_port = 6379
to_port = 6379
protocol = "tcp"
cidr_blocks = ["10.0.2.0/24"]
}
# Egress is unrestricted for all protocols over IPv4 and IPv6; narrow it to
# the destinations the workload actually needs once they are known.
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
ipv6_cidr_blocks = ["::/0"]
}
}
# NOTE(review): network ACLs are stateless. The egress rule below lets TCP out
# to any destination, but the only ingress rule admits 6379/tcp from
# 10.0.2.0/24, so replies from hosts outside the subnet (e.g. S3 answering from
# port 443 to an ephemeral source port) are dropped at the subnet boundary.
# Even with a correct NAT/IGW layout this ACL would keep CodeBuild from
# reaching S3; the usual counterpart is an ingress allow for TCP ephemeral
# ports (1024-65535) from 0.0.0.0/0. The NAT gateway itself lives in this
# subnet, so its return traffic is subject to the same rules.
resource "aws_network_acl" "main" {
vpc_id = "vpc-xxxxx"
subnet_ids = [ aws_subnet.audible_blog_resources.id ]
egress {
rule_no = "200"
protocol = "tcp"
action = "allow"
cidr_block = "0.0.0.0/0"
from_port = 0
to_port = 65535
}
ingress {
rule_no = "100"
protocol = "tcp"
action = "allow"
cidr_block = "10.0.2.0/24"
from_port = 6379
to_port = 6379
}
}
# Identifiers exported for other configurations — presumably the ElastiCache
# subnet group and the CodeBuild VPC config the question describes; confirm.
output "networking_details" {
value = {
subnet = {
arn = aws_subnet.audible_blog_resources.arn
id = aws_subnet.audible_blog_resources.id
}
security_group = {
arn = aws_security_group.allow_redis_ingress.arn
id = aws_security_group.allow_redis_ingress.id
}
}
}
编辑 1
添加了一个 public 子网,为其添加了路由表,并且 NAT 移动到同一个 public 子网:
# "Edit 1" layout: a second subnet intended as the public one, and the NAT
# gateway moved into it. Reviewer notes below.
resource "aws_subnet" "audible_blog_resources" {
vpc_id = "vpc-xxxxx"
cidr_block = "10.0.2.0/24"
}
# Intended public subnet (10.0.5.0/24). Nothing here makes it public by itself;
# that depends on the public route table below reaching a real internet gateway.
resource "aws_subnet" "public" {
vpc_id = "vpc-xxxxx"
cidr_block = "10.0.5.0/24"
}
# Elastic IP for the NAT gateway (`vpc = true` is the older argument form;
# newer provider releases prefer `domain = "vpc"` — confirm).
resource "aws_eip" "nat_eip" {
vpc = true
}
resource "aws_route_table" "private" {
vpc_id = "vpc-xxxxx"
}
resource "aws_route_table" "public" {
vpc_id = "vpc-xxxxx"
}
# NAT gateway now in the public subnet — the right placement, but only useful
# once the public route table actually reaches an IGW (see the route below).
# The provider docs recommend a `depends_on` on the internet gateway so the NAT
# is not created before the IGW is attached — confirm for the version in use.
resource "aws_nat_gateway" "nat" {
allocation_id = aws_eip.nat_eip.id
subnet_id = aws_subnet.public.id
}
# NOTE(review): gateway_id is a literal placeholder ("igw-igw-id") rather than a
# reference, and no aws_internet_gateway resource appears in this listing.
# Unless a real IGW attached to this VPC is substituted, this route cannot be
# created and the NAT gateway still has no internet path.
resource "aws_route" "public_to_internet" {
route_table_id = aws_route_table.public.id
destination_cidr_block = "0.0.0.0/0"
gateway_id = "igw-igw-id"
}
resource "aws_route_table_association" "public" {
subnet_id = aws_subnet.public.id
route_table_id = aws_route_table.public.id
}
# Default route of the private subnet: every non-local destination goes to the
# NAT gateway in the public subnet.
resource "aws_route" "private_nat_gateway" {
route_table_id = aws_route_table.private.id
destination_cidr_block = "0.0.0.0/0"
nat_gateway_id = aws_nat_gateway.nat.id
}
resource "aws_route_table_association" "private" {
subnet_id = aws_subnet.audible_blog_resources.id
route_table_id = aws_route_table.private.id
}
# Security group for the Redis endpoint. Ingress is limited to 6379/tcp from the
# private subnet's own CIDR; a client in the public subnet (10.0.5.0/24, where
# the question says Fargate runs) does not match this rule. Referencing the
# client's security group (`security_groups`) instead of a CIDR is the usual
# least-privilege form.
resource "aws_security_group" "allow_redis_ingress" {
name = "allow_redis_ingress"
description = "Allow Redis inbound traffic"
vpc_id = "vpc-xxxxx"
ingress {
description = "Redis"
from_port = 6379
to_port = 6379
protocol = "tcp"
cidr_blocks = ["10.0.2.0/24"]
}
# Egress is unrestricted for all protocols over IPv4 and IPv6; narrow it to
# the destinations the workload actually needs once they are known.
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
ipv6_cidr_blocks = ["::/0"]
}
}
# NOTE(review): network ACLs are stateless. Egress lets TCP out anywhere, but
# the only ingress rule admits 6379/tcp from 10.0.2.0/24, so replies from
# outside the subnet (e.g. S3 answering to an ephemeral source port) are
# dropped even if routing is fixed. An ingress allow for TCP ephemeral ports
# (1024-65535) from 0.0.0.0/0 is the usual counterpart. This ACL is associated
# only with the private subnet; the public subnet keeps the VPC default ACL.
resource "aws_network_acl" "main" {
vpc_id = "vpc-xxxxx"
subnet_ids = [ aws_subnet.audible_blog_resources.id ]
egress {
rule_no = "200"
protocol = "tcp"
action = "allow"
cidr_block = "0.0.0.0/0"
from_port = 0
to_port = 65535
}
ingress {
rule_no = "100"
protocol = "tcp"
action = "allow"
cidr_block = "10.0.2.0/24"
from_port = 6379
to_port = 6379
}
}
# Identifiers exported for other configurations — presumably the ElastiCache
# subnet group and the CodeBuild VPC config the question describes; confirm.
output "networking_details" {
value = {
subnet = {
arn = aws_subnet.audible_blog_resources.arn
id = aws_subnet.audible_blog_resources.id
}
security_group = {
arn = aws_security_group.allow_redis_ingress.arn
id = aws_security_group.allow_redis_ingress.id
}
}
}
您的 VPC 设计不正确:
- 缺少 public 子网和互联网网关,
- 没有从 public 子网到互联网的路由表,
- NAT 放错地方了 - 它必须在 public 子网中,而不是私有的。
以下是修改后的版本,但 SG 和 NACL 可能仍需要进一步审查(我已将 NACL 从代码中删除)。
# Answer's version: VPC, IGW and both subnets are declared together so every
# vpc_id below is a reference instead of a hard-coded id.
resource "aws_vpc" "vpc" {
cidr_block = "10.0.0.0/16"
}
# Public subnet: hosts the NAT gateway and is routed to the IGW below.
resource "aws_subnet" "public" {
vpc_id = aws_vpc.vpc.id
cidr_block = "10.0.1.0/24"
}
# Private subnet: hosts the workloads and is routed through the NAT gateway.
resource "aws_subnet" "audible_blog_resources" {
vpc_id = aws_vpc.vpc.id
cidr_block = "10.0.2.0/24"
}
# Internet gateway the question's configuration was missing.
resource "aws_internet_gateway" "gw" {
vpc_id = aws_vpc.vpc.id
}
# Elastic IP for the NAT gateway (`vpc = true` is the older argument form;
# newer provider releases prefer `domain = "vpc"` — confirm).
resource "aws_eip" "nat_eip" {
vpc = true
}
resource "aws_route_table" "private" {
vpc_id = aws_vpc.vpc.id
}
resource "aws_route_table" "public" {
vpc_id = aws_vpc.vpc.id
}
# NAT gateway in the public subnet: its Elastic IP is reachable through the
# IGW, so private-subnet traffic routed here can leave the VPC. The provider
# docs recommend `depends_on = [aws_internet_gateway.gw]` so the NAT is not
# created before the IGW is attached — confirm for the provider version in use.
resource "aws_nat_gateway" "nat" {
allocation_id = aws_eip.nat_eip.id
subnet_id = aws_subnet.public.id
}
# Public default route now references the real IGW (the question's edit used a
# literal placeholder id here).
resource "aws_route" "public_to_internet" {
route_table_id = aws_route_table.public.id
destination_cidr_block = "0.0.0.0/0"
gateway_id = aws_internet_gateway.gw.id
}
resource "aws_route_table_association" "public" {
subnet_id = aws_subnet.public.id
route_table_id = aws_route_table.public.id
}
# Private default route: every non-local destination goes to the NAT gateway.
# NOTE(review): CodeBuild's S3 pulls could instead use a gateway VPC endpoint
# (aws_vpc_endpoint) on this route table, keeping that traffic off the NAT
# gateway and the public internet; not part of this answer.
resource "aws_route" "private_nat_gateway" {
route_table_id = aws_route_table.private.id
destination_cidr_block = "0.0.0.0/0"
nat_gateway_id = aws_nat_gateway.nat.id
}
resource "aws_route_table_association" "private" {
subnet_id = aws_subnet.audible_blog_resources.id
route_table_id = aws_route_table.private.id
}
# Security group carried over from the question. Ingress is limited to 6379/tcp
# from the private subnet's own CIDR; a client in the public subnet
# (10.0.1.0/24) does not match this rule. Referencing the client's security
# group (`security_groups`) instead of a CIDR is the usual least-privilege form.
# The question's network ACL is intentionally omitted (the answer says SG/NACL
# still need review), so the subnets fall back to the VPC default ACL; if a
# custom ACL is reintroduced it must admit return traffic on TCP ephemeral
# ports, since ACLs are stateless.
resource "aws_security_group" "allow_redis_ingress" {
name = "allow_redis_ingress"
description = "Allow Redis inbound traffic"
vpc_id = aws_vpc.vpc.id
ingress {
description = "Redis"
from_port = 6379
to_port = 6379
protocol = "tcp"
cidr_blocks = ["10.0.2.0/24"]
}
# Egress is unrestricted for all protocols over IPv4 and IPv6; narrow it to
# the destinations the workload actually needs once they are known.
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
ipv6_cidr_blocks = ["::/0"]
}
}
# Identifiers exported for other configurations (ElastiCache subnet group,
# CodeBuild VPC config per the question — confirm).
output "networking_details" {
value = {
subnet = {
arn = aws_subnet.audible_blog_resources.arn
id = aws_subnet.audible_blog_resources.id
}
security_group = {
arn = aws_security_group.allow_redis_ingress.arn
id = aws_security_group.allow_redis_ingress.id
}
}
}