我在其中构建了一个带有一些AWS资源的VPC。如果我在VPC中,并且VPC内部的资源可以相互通信,我可以访问Internet。例如,我有一个Lambda函数,可以与Internet通信,也可以到达VPC内的RDS实例。但是,当我尝试从本地计算机连接到RDS实例时,会出现此问题。
我尝试更新VPCSecurityGroup以允许所有传入流量,但仍然无法正常工作。唯一可行的是,如果我将所有路由表切换为使用IGW而不是NAT,但我不喜欢这种情况。此外,我甚至不确定是否可以这样做,因为我非常确定lambda函数必须存在于私有子网中。
vpc.yml
AWSTemplateFormatVersion: 2010-09-09
Description: VPC Stack
Resources:
Vpc:
Type: 'AWS::EC2::VPC'
Properties:
CidrBlock: 10.0.0.0/16
EnableDnsSupport: true
EnableDnsHostnames: true
InstanceTenancy: default
InternetGateway:
Type: 'AWS::EC2::InternetGateway'
VpcGatewayAttachment:
Type: 'AWS::EC2::VPCGatewayAttachment'
Properties:
VpcId: !Ref Vpc
InternetGatewayId: !Ref InternetGateway
ElasticIP:
Type: 'AWS::EC2::EIP'
Properties:
Domain: vpc
NatGateway:
Type: 'AWS::EC2::NatGateway'
DependsOn:
- VpcGatewayAttachment
Properties:
AllocationId: !GetAtt
- ElasticIP
- AllocationId
SubnetId: !Ref SubnetAPublic
SubnetAPublic:
Type: 'AWS::EC2::Subnet'
Properties:
AvailabilityZone: !Select
- '0'
- !GetAZs ''
CidrBlock: 10.0.0.0/19
MapPublicIpOnLaunch: true
VpcId: !Ref Vpc
SubnetBPublic:
Type: 'AWS::EC2::Subnet'
Properties:
AvailabilityZone: !Select
- '1'
- !GetAZs ''
CidrBlock: 10.0.32.0/19
MapPublicIpOnLaunch: true
VpcId: !Ref Vpc
SubnetAPrivate:
Type: 'AWS::EC2::Subnet'
Properties:
AvailabilityZone: !Select
- '0'
- !GetAZs ''
CidrBlock: 10.0.64.0/19
VpcId: !Ref Vpc
SubnetBPrivate:
Type: 'AWS::EC2::Subnet'
Properties:
AvailabilityZone: !Select
- '1'
- !GetAZs ''
CidrBlock: 10.0.96.0/19
VpcId: !Ref Vpc
RouteTableAPublic:
Type: 'AWS::EC2::RouteTable'
Properties:
VpcId: !Ref Vpc
RouteTableBPublic:
Type: 'AWS::EC2::RouteTable'
Properties:
VpcId: !Ref Vpc
RouteTableAPrivate:
Type: 'AWS::EC2::RouteTable'
Properties:
VpcId: !Ref Vpc
RouteTableBPrivate:
Type: 'AWS::EC2::RouteTable'
Properties:
VpcId: !Ref Vpc
RouteTableAssociationAPublic:
Type: 'AWS::EC2::SubnetRouteTableAssociation'
Properties:
SubnetId: !Ref SubnetAPublic
RouteTableId: !Ref RouteTableAPublic
RouteTableAssociationBPublic:
Type: 'AWS::EC2::SubnetRouteTableAssociation'
Properties:
SubnetId: !Ref SubnetBPublic
RouteTableId: !Ref RouteTableBPublic
RouteTableAssociationAPrivate:
Type: 'AWS::EC2::SubnetRouteTableAssociation'
Properties:
SubnetId: !Ref SubnetAPrivate
RouteTableId: !Ref RouteTableAPrivate
RouteTableAssociationBPrivate:
Type: 'AWS::EC2::SubnetRouteTableAssociation'
Properties:
SubnetId: !Ref SubnetBPrivate
RouteTableId: !Ref RouteTableBPrivate
RouteTableAPrivateInternetRoute:
Type: 'AWS::EC2::Route'
DependsOn:
- VpcGatewayAttachment
Properties:
RouteTableId: !Ref RouteTableAPrivate
DestinationCidrBlock: 0.0.0.0/0
NatGatewayId: !Ref NatGateway
RouteTableBPrivateInternetRoute:
Type: 'AWS::EC2::Route'
DependsOn:
- VpcGatewayAttachment
Properties:
RouteTableId: !Ref RouteTableBPrivate
DestinationCidrBlock: 0.0.0.0/0
NatGatewayId: !Ref NatGateway
RouteTableAPublicInternetRoute:
Type: 'AWS::EC2::Route'
Properties:
RouteTableId: !Ref RouteTableAPublic
DestinationCidrBlock: 0.0.0.0/0
GatewayId: !Ref InternetGateway
RouteTableBPublicInternetRoute:
Type: 'AWS::EC2::Route'
Properties:
RouteTableId: !Ref RouteTableBPublic
DestinationCidrBlock: 0.0.0.0/0
GatewayId: !Ref InternetGateway
NetworkAclPublic:
Type: 'AWS::EC2::NetworkAcl'
Properties:
VpcId: !Ref Vpc
NetworkAclPrivate:
Type: 'AWS::EC2::NetworkAcl'
Properties:
VpcId: !Ref Vpc
SubnetNetworkAclAssociationAPublic:
Type: 'AWS::EC2::SubnetNetworkAclAssociation'
Properties:
SubnetId: !Ref SubnetAPublic
NetworkAclId: !Ref NetworkAclPublic
SubnetNetworkAclAssociationBPublic:
Type: 'AWS::EC2::SubnetNetworkAclAssociation'
Properties:
SubnetId: !Ref SubnetBPublic
NetworkAclId: !Ref NetworkAclPublic
SubnetNetworkAclAssociationAPrivate:
Type: 'AWS::EC2::SubnetNetworkAclAssociation'
Properties:
SubnetId: !Ref SubnetAPrivate
NetworkAclId: !Ref NetworkAclPrivate
SubnetNetworkAclAssociationBPrivate:
Type: 'AWS::EC2::SubnetNetworkAclAssociation'
Properties:
SubnetId: !Ref SubnetBPrivate
NetworkAclId: !Ref NetworkAclPrivate
NetworkAclEntryInPublicAllowAll:
Type: 'AWS::EC2::NetworkAclEntry'
Properties:
NetworkAclId: !Ref NetworkAclPublic
RuleNumber: 99
Protocol: -1
RuleAction: allow
Egress: false
CidrBlock: 0.0.0.0/0
NetworkAclEntryOutPublicAllowAll:
Type: 'AWS::EC2::NetworkAclEntry'
Properties:
NetworkAclId: !Ref NetworkAclPublic
RuleNumber: 99
Protocol: -1
RuleAction: allow
Egress: true
CidrBlock: 0.0.0.0/0
NetworkAclEntryInPrivateAllowVpc:
Type: 'AWS::EC2::NetworkAclEntry'
Properties:
NetworkAclId: !Ref NetworkAclPrivate
RuleNumber: 99
Protocol: -1
RuleAction: allow
Egress: false
CidrBlock: 0.0.0.0/0
NetworkAclEntryOutPrivateAllowVpc:
Type: 'AWS::EC2::NetworkAclEntry'
Properties:
NetworkAclId: !Ref NetworkAclPrivate
RuleNumber: 99
Protocol: -1
RuleAction: allow
Egress: true
CidrBlock: 0.0.0.0/0
LambdaSecurityGroup:
Type: 'AWS::EC2::SecurityGroup'
Properties:
GroupDescription: Lambdas security group
SecurityGroupEgress:
- CidrIp: 0.0.0.0/0
IpProtocol: '-1'
SecurityGroupIngress:
- CidrIp: 0.0.0.0/0
IpProtocol: '-1'
VpcId: !Ref Vpc
Outputs:
VpcId:
Description: VPC ID
Value: !Ref Vpc
Export:
Name: !Sub "Portal-VpcId"
SubnetAPrivate:
Description: Subnet A Private
Value: !Ref SubnetAPrivate
Export:
Name: !Sub "SubnetAPrivate"
SubnetBPrivate:
Description: Subnet B Private
Value: !Ref SubnetBPrivate
Export:
Name: !Sub "SubnetBPrivate"
SubnetAPublic:
Description: Subnet A Public
Value: !Ref SubnetAPublic
Export:
Name: !Sub "SubnetAPublic"
SubnetBPublic:
Description: Subnet B Public
Value: !Ref SubnetBPublic
Export:
Name: !Sub "SubnetBPublic"
LambdaSecurityGroup:
Description: Access to Lambda functions
Value: !Ref LambdaSecurityGroup
Export:
Name: !Sub "LambdaSecurityGroup"
rds.yml
DBSubnetGroup:
Type: 'AWS::RDS::DBSubnetGroup'
Properties:
DBSubnetGroupDescription: Subnets available for the RDS DB Instance
SubnetIds:
- !Ref SubnetAPublic
- !Ref SubnetBPublic
VPCSecurityGroup:
Type: 'AWS::EC2::SecurityGroup'
Properties:
GroupDescription: Security group for RDS DB Instance.
VpcId: !Ref VpcId
SecurityGroupIngress:
-
IpProtocol: "tcp"
FromPort: "3306"
ToPort: "3306"
CidrIp: "[my IP]"
-
IpProtocol: "tcp"
FromPort: "3306"
ToPort: "3306"
CidrIp: "10.0.64.0/19"
-
IpProtocol: "tcp"
FromPort: "3306"
ToPort: "3306"
CidrIp: "10.0.96.0/19"
DBInstance:
Type: 'AWS::RDS::DBInstance'
Properties:
DBName: !Join
- ''
- - portal
- !Ref Environment
AllocatedStorage: !Ref DBAllocatedStorage
DBInstanceClass: !Ref DBClass
Engine: MariaDB
EngineVersion: '10.1.23'
MasterUsername: !Ref DBUsername
MasterUserPassword: !Ref DBPassword
DBSubnetGroupName: !Ref DBSubnetGroup
StorageEncrypted: true
PubliclyAccessible: true
VPCSecurityGroups:
- !Ref VPCSecurityGroup
DatabaseDnsRecord:
Type: AWS::Route53::RecordSet
Properties:
HostedZoneName: !Join
- ''
- - !Ref HostedZoneName
- .
Name: !Join
- ''
- - portal
- !Ref Environment
- 'db'
- .
- !Ref HostedZoneName
- .
Type: CNAME
TTL: '60'
ResourceRecords:
- !GetAtt
- DBInstance
- Endpoint.Address
DependsOn: DBInstance
答案 0 :(得分:0)
你的问题是这个
唯一可行的是我切换所有路线 使用IGW而不是NAT的表
您的实例位于私有子网中,无法从公共Internet(您的家庭PC)访问。您有三个(或更多)解决方案:
1)将您的实例移动到公有子网。不推荐。
2)将您的私有子网转换为公有子网(从NAT切换到IGW)。不推荐。
3)从家庭网络创建VPN到位于公有子网中的新EC2实例,该实例将流量路由到私有子网中的实例。的推荐强>
OpenVPN是一个非常酷的解决方案。您可以自己构建,也可以免费从亚马逊商城推出OpenVPN实例(我认为免费仅限2位用户)。 OpenVPN Access Server
OpenVPN访问服务器运行时将收取EC2实例费用。我所做的是在我不需要它时关闭该实例,并在使用存储在批处理文件中的AWS CLI命令时重新启动它。