AWS - What are the effects of accidentally creating a VPC in the 172.168.0.0/16 CIDR block?

Time: 2015-02-10 05:36:02

Tags: amazon-web-services vpc

We accidentally created a VPC in the 172.168.0.0/16 CIDR block. We realize we need to change it, but does anyone know the adverse effects of this kind of problem?

Does every call to a local IP (as we expect) actually go over the Internet?

Could we have IP conflicts with whoever uses these IPs?

If someone has an IP in this block, can our internal traffic actually go out to the Internet?

Edit:

Our subnet route table routes traffic in this range to the local network, but I am sure there are still adverse effects.

1 answer:

Answer 0 (score: 8)

A VPC lets you create an isolated section of the AWS network for your own private use.

You can choose any range of IP addresses for your VPC (maximum size /16), and it will not conflict with other AWS customers.

By default, a VPC network is not exposed to the Internet. To expose a subnet to the Internet, you need the following:

  • Attach an Internet Gateway to your VPC
  • Have a route table attached to your subnet with the routing rule '0.0.0.0/0 IGW-ID' (the ID of your Internet Gateway)
  • Attach a public IP address to your services (EC2, RDS, ElastiCache ...). For EC2 instances, a public IP can be assigned automatically at instance launch (a subnet-level parameter) or at any later moment (using an Elastic IP address)

Now that your VPC is created, you will not be able to modify its IP address range. You will need to create a new VPC.

VPC is explained in detail in our documentation at http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Introduction.html

[UPDATE]

I tested the use case of creating a VPC with a range of publicly routable IP addresses. I confirm - not surprisingly - that you cannot connect to Internet-based machines that use an IP address within the VPC range (no route to host). This behaviour occurs because the VPC tries to route these addresses locally.

Test details.

Create a VPC in the 54.72.0.0/16 address range.

$ aws ec2 describe-vpcs --region us-west-2 --filters Name=tag:Name,Values=test
{
    "Vpcs": [
        {
            "VpcId": "vpc-e5df7680",
            "InstanceTenancy": "default",
            "Tags": [
                {
                    "Value": "test",
                    "Key": "Name"
                }
            ],
            "State": "available",
            "DhcpOptionsId": "dopt-73848e11",
            "CidrBlock": "54.72.0.0/16",
            "IsDefault": false
        }
    ]
}

Create an EC2 instance in that VPC, with a public IP address assigned automatically

$ aws ec2 describe-instances --region us-west-2 --query 'Reservations[].Instances[].NetworkInterfaces[?VpcId == `vpc-e5df7680`]'
[
    [
        {
            "Status": "in-use",
            "MacAddress": "0a:9c:b1:82:d5:ed",
            "SourceDestCheck": true,
            "VpcId": "vpc-e5df7680",
            "Description": "Primary network interface",
            "Association": {
                "PublicIp": "54.213.235.16",
                "PublicDnsName": "ec2-54-213-235-16.us-west-2.compute.amazonaws.com",
                "IpOwnerId": "amazon"
            },
            "NetworkInterfaceId": "eni-7d37d025",
            "PrivateIpAddresses": [
                {
                    "PrivateDnsName": "ip-54-72-24-135.us-west-2.compute.internal",
                    "Association": {
                        "PublicIp": "54.213.235.16",
                        "PublicDnsName": "ec2-54-213-235-16.us-west-2.compute.amazonaws.com",
                        "IpOwnerId": "amazon"
                    },
                    "Primary": true,
                    "PrivateIpAddress": "54.72.24.135"
                }
            ],
            "PrivateDnsName": "ip-54-72-24-135.us-west-2.compute.internal",
            "Attachment": {
                "Status": "attached",
                "DeviceIndex": 0,
                "DeleteOnTermination": true,
                "AttachmentId": "eni-attach-aaa7e1a2",
                "AttachTime": "2015-02-11T19:05:34.000Z"
            },
            "Groups": [
                {
                    "GroupName": "SSH",
                    "GroupId": "sg-f2752e97"
                }
            ],
            "SubnetId": "subnet-7978bc20",
            "OwnerId": "577031028568",
            "PrivateIpAddress": "54.72.24.135"
        }
    ],
    []
]

Connect to the instance

$ ssh ec2-user@54.213.235.16
Warning: Permanently added '54.213.235.16' (RSA) to the list of known hosts.

       __|  __|_  )
       _|  (     /   Amazon Linux AMI
      ___|\___|___|

https://aws.amazon.com/amazon-linux-ami/2014.09-release-notes/

Check the private IP address (not a valid range!)

[ec2-user@ip-54-72-24-135 ~]$ ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 0A:9C:B1:82:D5:ED
          inet addr:54.72.24.135  Bcast:54.72.24.255  Mask:255.255.255.0
          inet6 addr: fe80::89c:b1ff:fe82:d5ed/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:9001  Metric:1
          RX packets:23418 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2930 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:33618848 (32.0 MiB)  TX bytes:274735 (268.2 KiB)

Test Internet connectivity

[ec2-user@ip-54-72-24-135 ~]$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=54 time=7.75 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=54 time=7.81 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=54 time=7.79 ms
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2489ms
rtt min/avg/max/mdev = 7.756/7.790/7.815/0.024 ms

[ec2-user@ip-54-72-24-135 ~]$ curl -I www.stormacq.com
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Date: Wed, 11 Feb 2015 19:23:04 GMT
Server: Apache/2.4.10 (Amazon) PHP/5.5.20
X-Powered-By: PHP/5.5.20
Cache-Control: max-age=3, must-revalidate
WP-Super-Cache: Served supercache file from PHP
Vary: Accept-Encoding,Cookie
X-Cache: Miss from cloudfront
Via: 1.1 4f4f94bdda0837b3f79484c70f2d1348.cloudfront.net (CloudFront)
X-Amz-Cf-Id: us5_V9oNZak_8WAqsbBu6q9wNm4A0S6VRXGu10nDoQnWS5PYnVMwgg==

Works!

Now, test connectivity to an Internet machine that has an IP address in the same range as our VPC

[ec2-user@ip-54-72-24-135 ~]$ ssh 54.72.24.171
ssh: connect to host 54.72.24.171 port 22: No route to host

[ec2-user@ip-54-72-24-135 ~]$ sudo traceroute 54.72.24.171
traceroute to 54.72.24.171 (54.72.24.171), 30 hops max, 60 byte packets
 1  ec2-54-72-24-135.eu-west-1.compute.amazonaws.com (54.72.24.135)  2997.785 ms !H  2997.769 ms !H  2997.765 ms !H

Fails.
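As an added example (not code from the question or the answer), the following Python models the two points made above: the implicit local route for the VPC CIDR wins the longest-prefix match over the 0.0.0.0/0 route, so any Internet host inside a publicly routable VPC block becomes unreachable from the VPC, and a proposed block can be checked up front for being RFC 1918 and within AWS's /16 to /28 size limits. The route table contents and the igw-EXAMPLE target are constructed for illustration.

```python
"""Model how a VPC's implicit 'local' route shadows Internet hosts.

Added illustration, not code from the original post. It reproduces the
effect the answer tested: a VPC created in a publicly routable block such
as 54.72.0.0/16 makes Internet hosts in that block unreachable.
"""
import ipaddress

# RFC 1918 private ranges, the blocks a VPC CIDR should be drawn from.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_vpc_cidr(cidr: str) -> dict:
    """Report whether a proposed VPC CIDR is correctly sized and private.

    hosts_shadowed counts the public addresses that would become
    unreachable from inside the VPC if the block is not private.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    # AWS accepts VPC CIDR blocks between /16 (largest) and /28 (smallest).
    size_ok = 16 <= net.prefixlen <= 28
    private = any(net.subnet_of(r) for r in RFC1918)
    return {
        "size_ok": size_ok,
        "private": private,
        "hosts_shadowed": 0 if private else net.num_addresses,
    }


def next_hop(vpc_cidr: str, route_table: dict, dst: str) -> str:
    """Longest-prefix match over a subnet route table.

    route_table maps CIDR prefixes to targets (e.g. "0.0.0.0/0" -> an IGW).
    Every VPC route table also carries an implicit, non-removable
    'local' route for the VPC CIDR, which is added here before matching.
    """
    routes = dict(route_table)
    routes[vpc_cidr] = "local"
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, target in routes.items():
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else "no route"


if __name__ == "__main__":
    # Constructed route table mirroring the answer's test VPC (igw-EXAMPLE is a placeholder).
    rt = {"0.0.0.0/0": "igw-EXAMPLE"}
    print(check_vpc_cidr("172.168.0.0/16"))          # not RFC 1918: 65536 public hosts shadowed
    print(next_hop("54.72.0.0/16", rt, "8.8.8.8"))     # igw-EXAMPLE: reachable
    print(next_hop("54.72.0.0/16", rt, "54.72.24.171"))  # local: the "No route to host" case
```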