I have an AWS EC2 machine, 172.18.18.133, on a subnet with CidrBlock 172.18.18.0/23.
It allows SSH ingress from 10.0.0.0/8 and 172.23.0.0/18 (ignore the "0.0.0.0/0" that is open in the firewall for SSH ingress; I am using it because the specific source CidrBlock is not working).
aws ec2 describe-security-groups --group-ids sg-659fd31p --profile aws-federated --region us-west-2
{
  "SecurityGroups": [
    {
      "IpPermissionsEgress": [
        {
          "IpProtocol": "-1",
          "PrefixListIds": [],
          "IpRanges": [
            {
              "CidrIp": "0.0.0.0/0"
            }
          ],
          "UserIdGroupPairs": [],
          "Ipv6Ranges": []
        }
      ],
      "Description": "VPC Security Group",
      "Tags": [
        {
          "Value": "restapi-dev",
          "Key": "elasticbeanstalk:environment-name"
        },
        {
          "Value": "awseb-e-8gx8kmq9dj-stack",
          "Key": "aws:cloudformation:stack-name"
        },
        {
          "Value": "AWSEBSecurityGroup",
          "Key": "aws:cloudformation:logical-id"
        },
        {
          "Value": "restapi-dev",
          "Key": "Name"
        },
        {
          "Value": "arn:aws:cloudformation:us-west-2:033814027302:stack/awseb-e-8gx8kmq9dj-stack/605642e0-3eb8-11e7-a388-503ac9ec2499",
          "Key": "aws:cloudformation:stack-id"
        },
        {
          "Value": "e-8gx8kmq9dj",
          "Key": "elasticbeanstalk:environment-id"
        }
      ],
      "IpPermissions": [
        {
          "PrefixListIds": [],
          "FromPort": 80,
          "IpRanges": [],
          "ToPort": 80,
          "IpProtocol": "tcp",
          "UserIdGroupPairs": [
            {
              "UserId": "033814027302",
              "GroupId": "sg-ee81cd95"
            }
          ],
          "Ipv6Ranges": []
        },
        {
          "PrefixListIds": [],
          "FromPort": 22,
          "IpRanges": [
            {
              "CidrIp": "10.0.0.0/8"
            },
            {
              "CidrIp": "0.0.0.0/0"
            },
            {
              "CidrIp": "172.23.0.0/18"
            }
          ],
          "ToPort": 22,
          "IpProtocol": "tcp",
          "UserIdGroupPairs": [],
          "Ipv6Ranges": []
        }
      ],
      "GroupName": "awseb-e-8gx8kmq9dj-stack-AWSEBSecurityGroup-4J0FPNXL840U",
      "VpcId": "vpc-5374e434",
      "OwnerId": "033814027302",
      "GroupId": "sg-659fd31p"
    }
  ]
}
I want to SSH into the machine above from a machine on a different VPC with CidrBlock 172.23.0.0/18.
But I cannot connect to the target EC2 machine above from the machine with IP address 172.23.38.167.
[ec2-user@ip-172-23-38-167 ~]$ ssh -v -i /home/ec2-user/.ssh/staging-api.pem ec2-user@172.18.18.133
OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug1: Connecting to 172.18.18.133 [172.18.18.133] port 22.
debug1: connect to address 172.18.18.133 port 22: Connection timed out
ssh: connect to host 172.18.18.133 port 22: Connection timed out
I have the .pem file in ~/.ssh
[ec2-user@ip-172-23-38-167 ~]$ ll ~/.ssh/
total 20
-rw-------. 1 ec2-user ec2-user 1675 May 24 02:45 staging-api.pem
-rw-------. 1 ec2-user ec2-user 398 Apr 8 21:29 authorized_keys
-rw-------. 1 root root 1766 Apr 23 20:06 gitkey_rsa
-rw-r--r--. 1 root root 386 Apr 23 20:06 gitkey_rsa.pub
-rw-r--r--. 1 ec2-user ec2-user 413 May 20 21:02 known_hosts
Note: I have several EC2 VMs in the same subnet, and I can SSH between them.
Not sure, but the problem could be the routing table on the VPC.
The route table of the VPC of the target machine I want to SSH into is configured as follows. I don't know the purpose of all these 6/7 routes, but I understand the NAT gateway is there so that VMs in the private subnet can connect to the Internet or other AWS services.
$ aws ec2 describe-route-tables --route-table-ids rtb-9e0337f9 --profile aws-federated --region us-west-2
{
  "RouteTables": [
    {
      "Associations": [
        {
          "SubnetId": "subnet-a1ec23e8",
          "RouteTableAssociationId": "rtbassoc-d8ffbbbe",
          "Main": false,
          "RouteTableId": "rtb-9e0337f9"
        }
      ],
      "RouteTableId": "rtb-9e0337f9",
      "VpcId": "vpc-5374e434",
      "PropagatingVgws": [],
      "Tags": [
        {
          "Value": "fff000",
          "Key": "Permissions"
        },
        {
          "Value": "us-west-2b",
          "Key": "PhysicalLocation"
        },
        {
          "Value": "InternalSubnet01AZ1RouteTable",
          "Key": "aws:cloudformation:logical-id"
        },
        {
          "Value": "fff000-vpc-nonprod-prayagupd-vpc-01-VPCTeamNestedStackTemplate-1EH2K9THBASPW",
          "Key": "aws:cloudformation:stack-name"
        },
        {
          "Value": "rtb_nonprod-prayagupd-vpc-01_internal_az1",
          "Key": "Name"
        },
        {
          "Value": "arn:aws:cloudformation:us-west-2:033814027302:stack/fff000-vpc-nonprod-prayagupd-vpc-01-VPCTeamNestedStackTemplate-1EH2K9THBASPW/f7e06c10-ee60-11e6-92e6-503a90a9c435",
          "Key": "aws:cloudformation:stack-id"
        },
        {
          "Value": "internal",
          "Key": "Designation"
        }
      ],
      "Routes": [
        {
          "Origin": "CreateRoute",
          "DestinationCidrBlock": "172.16.2.0/23",
          "State": "active",
          "VpcPeeringConnectionId": "pcx-c67fffaf"
        },
        {
          "Origin": "CreateRoute",
          "DestinationCidrBlock": "172.16.4.0/23",
          "State": "active",
          "VpcPeeringConnectionId": "pcx-c67fffaf"
        },
        {
          "Origin": "CreateRoute",
          "DestinationCidrBlock": "172.16.122.0/23",
          "State": "active",
          "VpcPeeringConnectionId": "pcx-f0f76299"
        },
        {
          "Origin": "CreateRoute",
          "DestinationCidrBlock": "172.16.104.0/21",
          "State": "active",
          "VpcPeeringConnectionId": "pcx-7483081d"
        },
        {
          "GatewayId": "local",
          "DestinationCidrBlock": "172.18.16.0/21",
          "State": "active",
          "Origin": "CreateRouteTable"
        },
        {
          "GatewayId": "vgw-cb23fbd5",
          "DestinationCidrBlock": "192.168.0.0/16",
          "State": "active",
          "Origin": "CreateRoute"
        },
        {
          "GatewayId": "vgw-cb23fbd5",
          "DestinationCidrBlock": "10.0.0.0/8",
          "State": "active",
          "Origin": "CreateRoute"
        },
        {
          "Origin": "CreateRoute",
          "DestinationCidrBlock": "0.0.0.0/0",
          "NatGatewayId": "nat-0dbd1eca0fe1fcb8e",
          "State": "active"
        }
      ]
    }
  ]
}
For the source VPC, a similar route is configured as for the target VPC:
{
  "Origin": "CreateRoute",
  "DestinationCidrBlock": "0.0.0.0/0",
  "NatGatewayId": "nat-0b6d136887df6f792",
  "State": "active"
}
The NAT configuration of the source VPC is:
$ aws ec2 describe-nat-gateways --nat-gateway-id nat-0b6d136887df6f792 --profile aws-federated --region us-west-2
{
  "NatGateways": [
    {
      "NatGatewayAddresses": [
        {
          "PublicIp": "34.208.30.85",
          "NetworkInterfaceId": "eni-43d8c630",
          "AllocationId": "eipalloc-d47488b2",
          "PrivateIp": "172.23.248.220"
        }
      ],
      "VpcId": "vpc-a77a82c2",
      "State": "available",
      "NatGatewayId": "nat-0b6d136887df6f792",
      "SubnetId": "subnet-b267b2d7",
      "CreateTime": "2017-03-30T18:16:05.767Z"
    }
  ]
}
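As an added illustration, not part of the question or of the poster's environment, the following Python script replays the longest-prefix-match lookup a VPC route table performs for the two addresses in the question, using the routes transcribed from the `describe-route-tables` output above. It shows why the SSH connection times out even though the security group permits 172.23.0.0/18: on both sides the private peer address matches only the 0.0.0.0/0 route, so packets are handed to a NAT gateway and sent toward the public internet, where RFC 1918 addresses are not routable and no reply can come back. It then checks the same pair of tables after a peering route is added in each direction, and separately flags the 0.0.0.0/0 SSH ingress rule as a finding. Constructed assumptions: the source VPC's local route (the question shows only its default route) and the placeholder peering-connection ID `pcx-PLACEHOLDER` used in the corrected tables.

```python
import ipaddress

# Destination VPC route table rtb-9e0337f9, transcribed from the question.
# Each entry is (DestinationCidrBlock, target id).
DEST_ROUTES = [
    ("172.16.2.0/23", "pcx-c67fffaf"),
    ("172.16.4.0/23", "pcx-c67fffaf"),
    ("172.16.122.0/23", "pcx-f0f76299"),
    ("172.16.104.0/21", "pcx-7483081d"),
    ("172.18.16.0/21", "local"),
    ("192.168.0.0/16", "vgw-cb23fbd5"),
    ("10.0.0.0/8", "vgw-cb23fbd5"),
    ("0.0.0.0/0", "nat-0dbd1eca0fe1fcb8e"),
]

# Source VPC route table. Only the default route is shown in the question;
# the local route for 172.23.0.0/18 is a constructed assumption (every VPC
# route table carries a local route for its own CIDR).
SRC_ROUTES = [
    ("172.23.0.0/18", "local"),  # constructed assumption
    ("0.0.0.0/0", "nat-0b6d136887df6f792"),
]

# Port-22 ingress CIDRs from the security group output in the question.
SG_SSH_INGRESS = ["10.0.0.0/8", "0.0.0.0/0", "172.23.0.0/18"]

SRC_IP = "172.23.38.167"
DST_IP = "172.18.18.133"

# Route targets over which a private (RFC 1918) destination is actually reachable.
PRIVATE_PATH_KINDS = ("local", "peering", "vpn")


def lookup(routes, ip):
    """Longest-prefix match: the most specific route whose CIDR contains ip.
    Returns (cidr, target) or None when no route matches."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return None if best is None else (str(best[0]), best[1])


def target_kind(target):
    """Classify a route target by its AWS id prefix."""
    if target == "local":
        return "local"
    for prefix, kind in (("pcx-", "peering"), ("vgw-", "vpn"),
                         ("nat-", "nat"), ("igw-", "internet")):
        if target.startswith(prefix):
            return kind
    return "unknown"


def private_path_exists(src_routes, dst_routes, src_ip, dst_ip):
    """A private address is reachable only if the forward route (source table,
    destination ip) and the return route (destination table, source ip) both
    resolve to a local, peering or VPN target. A NAT or internet-gateway route
    pushes the packet toward the public internet, so the private peer never
    sees it and the TCP handshake times out."""
    fwd = lookup(src_routes, dst_ip)
    rev = lookup(dst_routes, src_ip)

    def usable(route):
        return route is not None and target_kind(route[1]) in PRIVATE_PATH_KINDS

    return usable(fwd) and usable(rev), fwd, rev


def audit_ssh_ingress(cidrs):
    """Return ingress CIDRs that expose port 22 to the whole internet."""
    return [c for c in cidrs if ipaddress.ip_network(c).prefixlen == 0]


def with_peering(src_routes, dst_routes, pcx_id="pcx-PLACEHOLDER"):
    """Corrected tables: a route to the other VPC's CIDR via a peering
    connection in each table. pcx_id is a placeholder, not a real id."""
    return (src_routes + [("172.18.16.0/21", pcx_id)],
            dst_routes + [("172.23.0.0/18", pcx_id)])


if __name__ == "__main__":
    ok, fwd, rev = private_path_exists(SRC_ROUTES, DEST_ROUTES, SRC_IP, DST_IP)
    print(f"forward route for {DST_IP}: {fwd}  reverse route for {SRC_IP}: {rev}")
    print("private path exists:", ok)
    fixed_src, fixed_dst = with_peering(SRC_ROUTES, DEST_ROUTES)
    print("after adding peering routes:", private_path_exists(fixed_src, fixed_dst, SRC_IP, DST_IP)[0])
    print("SSH open to the internet via:", audit_ssh_ingress(SG_SSH_INGRESS))
```

Run stand-alone, the script reports that both lookups fall through to the NAT gateway default routes and that no private path exists, then that a peering route in each table (a transit gateway would serve the same purpose) makes the path usable. The audit helper is the check a reviewer would run before accepting the "temporary" 0.0.0.0/0 rule: once the route fix is in, the specific 172.23.0.0/18 rule is sufficient and the wide-open one can be removed.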