私有子网通过AWS中的NAT实例访问Internet

时间:2016-10-05 07:26:53

标签: amazon-web-services networking nat subnet

我试图通过NAT实例从私有子网实例访问互联网。我已按照以下网址中的步骤操作。

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html

  1. 创建了2个子网(公共和私有)
  2. 将互联网网关连接到VPC
  3. 主路由表包括私有子网和路由到NAT实例ID(目的地0.0.0.0/0)
  4. 自定义路由表包括公共子网和通过Internet网关的路由(目标0.0.0.0/0)
  5. NAT安全组从22,80,443,所有ICMP(全部来自公共IP范围CIDR 10.0.0.0/16),出站到22,80,443,所有ICMP(22到私有IP实例,休息到CIDR 0.0.0.0/0)
  6. 在NAT实例上禁用源/目标检查
  7. 通过以上所有步骤,我可以在NAT实例上访问互联网。但无法从私有IP实例访问互联网。

    From NAT Instance
    
        $ ping ietf.org
        PING ietf.org (4.31.198.44) 56(84) bytes of data.
        64 bytes from mail.ietf.org (4.31.198.44): icmp_seq=1 ttl=49 time=23.8 ms
        64 bytes from mail.ietf.org (4.31.198.44): icmp_seq=2 ttl=49 time=23.9 ms
        64 bytes from mail.ietf.org (4.31.198.44): icmp_seq=3 ttl=49 time=23.9 ms
        ^C
        --- ietf.org ping statistics ---
        3 packets transmitted, 3 received, 0% packet loss, time 2003ms
        rtt min/avg/max/mdev = 23.888/23.940/23.976/0.037 ms
    
    From Private IP Instances
    
    $ ping ietf.org
    PING ietf.org (4.31.198.44) 56(84) bytes of data.
    ^C
    --- ietf.org ping statistics ---
    7 packets transmitted, 0 received, 100% packet loss, time 5999ms
    

    我可以从私有IP实例ping NAT实例。

    我已检查上述网址中提供的以下所有步骤。一切都很好看。

    If the ping command fails, check the following information:
    
    Check that your NAT instance's security group rules allow inbound ICMP traffic from your private subnet. If not, your NAT instance cannot receive the ping command from your private instance.
    Check that you've configured your route tables correctly. For more information, see Updating the Main Route Table.
    Ensure that you've disabled source/destination checking for your NAT instance. For more information, see Disabling Source/Destination Checks.
    Ensure that you are pinging a website that has ICMP enabled. If not, you will not receive reply packets. To test this, perform the same ping command from the command line terminal on your own computer.
    

    一些帮助将不胜感激。感谢。

2 个答案:

答案 0 :(得分:0)

根据您提供的信息,您的架构设置的所有填充似乎是我在NAT即时安全组中发现的唯一错误。

根据aws推荐的NAT即时配置:

入站:

80,443 - 私有IP实例/私有IP地址Rang私有子网

22 - 家庭网络的公共IP地址范围

出站:

80,443-- 0.0.0.0/0

试试这个会起作用

参考:http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html

请在上述文件中找到NATSG:推荐规则部分。

答案 1 :(得分:0)

每一个看起来都很好但只有你错过的是子网协会

  • 在NAT路由表中
  • 子网关联选项卡
  • 添加私有子网,然后它将起作用
  • 然后,您将在私人子网中访问您的实例。

如果您需要有关子网关联的更多信息,请参阅以下URL:

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Route_Tables.html