如何使用 VPC 防火墙的 NAT 规则重定向 GCP 计算实例的端口
How to redirect port for GCP compute instance using NAT rule for VPC Firewall
我已经将 Apache Tomcat 9 部署到 GCP 计算实例(通过带有标签的云控制台创建:tomcat-web-host
、http-server
和 https-server
),它在默认端口 8080 和 8443(通过下面的 terraform 在 VPC 防火墙中创建)。
resource "google_compute_firewall" "tomcat-on-vm" {
project = var.project_id
name = "tomcat-on-vm"
network = var.network
description = "Creates firewall rule targeting tagged instances"
allow {
protocol = "tcp"
ports = ["8080", "8443"]
}
target_tags = ["tomcat-web-host"]
}
现在我正在尝试将 HTTP(端口 80)和 HTTPS(端口 443)映射到 8080 和 8443,我将采用与本地 NAT 相同的方式:
firewall-cmd --permanent --direct --add-rule ipv4 nat OUTPUT 0 -p tcp -o eth0 --dport 80 -j REDIRECT --to-ports 8080;
但这不会生效(端口 80 仍然无法访问)。我如何在计算实例的 GCP VPC 防火墙中做同样的事情?
基于 Google 支持响应,我的方法在那里不起作用,外部负载平衡器可能是解决该问题的方法
The GCP doesn't implement unsolicited inbound connections from the
internet. DNAT is only performed for packets that arrive as responses
to outbound packets.
Going with your case description, I understand what you are doing can
be achieved via Load Balancer, for which you can setup LB to listen on
frontend port 80 and send traffic on backend port 8080.
我已经将 Apache Tomcat 9 部署到 GCP 计算实例(通过带有标签的云控制台创建:tomcat-web-host
、http-server
和 https-server
),它在默认端口 8080 和 8443(通过下面的 terraform 在 VPC 防火墙中创建)。
resource "google_compute_firewall" "tomcat-on-vm" {
project = var.project_id
name = "tomcat-on-vm"
network = var.network
description = "Creates firewall rule targeting tagged instances"
allow {
protocol = "tcp"
ports = ["8080", "8443"]
}
target_tags = ["tomcat-web-host"]
}
现在我正在尝试将 HTTP(端口 80)和 HTTPS(端口 443)映射到 8080 和 8443,我将采用与本地 NAT 相同的方式:
firewall-cmd --permanent --direct --add-rule ipv4 nat OUTPUT 0 -p tcp -o eth0 --dport 80 -j REDIRECT --to-ports 8080;
但这不会生效(端口 80 仍然无法访问)。我如何在计算实例的 GCP VPC 防火墙中做同样的事情?
基于 Google 支持响应,我的方法在那里不起作用,外部负载平衡器可能是解决该问题的方法
The GCP doesn't implement unsolicited inbound connections from the internet. DNAT is only performed for packets that arrive as responses to outbound packets.
Going with your case description, I understand what you are doing can be achieved via Load Balancer, for which you can setup LB to listen on frontend port 80 and send traffic on backend port 8080.