Cannot connect to a MariaDB RDS instance in a VPC

Time: 2017-11-27 18:56:16

Tags: amazon-web-services aws-lambda amazon-rds amazon-cloudformation amazon-vpc

I built a VPC with some AWS resources in it. If I am inside the VPC, I can reach the Internet, and resources inside the VPC can talk to each other. For example, I have a Lambda function that can talk to the Internet and can also reach the RDS instance inside the VPC. The problem is when I try to connect to the RDS instance from my local machine.

I tried updating the VPCSecurityGroup to allow all incoming traffic, but it still doesn't work. The only thing that works is if I switch all the route tables to use the IGW instead of the NAT, but I don't like that. Besides, I'm not even sure I can do that, because I'm fairly certain the Lambda functions have to live in the private subnets.

vpc.yml

AWSTemplateFormatVersion: 2010-09-09
Description: VPC Stack
Resources:
  Vpc:
    Type: 'AWS::EC2::VPC'
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsSupport: true
      EnableDnsHostnames: true
      InstanceTenancy: default    
  InternetGateway:
    Type: 'AWS::EC2::InternetGateway'
  VpcGatewayAttachment:
    Type: 'AWS::EC2::VPCGatewayAttachment'
    Properties:
      VpcId: !Ref Vpc
      InternetGatewayId: !Ref InternetGateway
  ElasticIP:
    Type: 'AWS::EC2::EIP'
    Properties:
      Domain: vpc
  NatGateway:
    Type: 'AWS::EC2::NatGateway'
    DependsOn:
      - VpcGatewayAttachment
    Properties:
      AllocationId: !GetAtt 
        - ElasticIP
        - AllocationId
      SubnetId: !Ref SubnetAPublic
  SubnetAPublic:
    Type: 'AWS::EC2::Subnet'
    Properties:
      AvailabilityZone: !Select 
        - '0'
        - !GetAZs ''
      CidrBlock: 10.0.0.0/19
      MapPublicIpOnLaunch: true
      VpcId: !Ref Vpc
  SubnetBPublic:
    Type: 'AWS::EC2::Subnet'
    Properties:
      AvailabilityZone: !Select 
        - '1'
        - !GetAZs ''
      CidrBlock: 10.0.32.0/19
      MapPublicIpOnLaunch: true
      VpcId: !Ref Vpc
  SubnetAPrivate:
    Type: 'AWS::EC2::Subnet'
    Properties:
      AvailabilityZone: !Select 
        - '0'
        - !GetAZs ''
      CidrBlock: 10.0.64.0/19
      VpcId: !Ref Vpc
  SubnetBPrivate:
    Type: 'AWS::EC2::Subnet'
    Properties:
      AvailabilityZone: !Select 
        - '1'
        - !GetAZs ''
      CidrBlock: 10.0.96.0/19
      VpcId: !Ref Vpc
  RouteTableAPublic:
    Type: 'AWS::EC2::RouteTable'
    Properties:
      VpcId: !Ref Vpc
  RouteTableBPublic:
    Type: 'AWS::EC2::RouteTable'
    Properties:
      VpcId: !Ref Vpc
  RouteTableAPrivate:
    Type: 'AWS::EC2::RouteTable'
    Properties:
      VpcId: !Ref Vpc
  RouteTableBPrivate:
    Type: 'AWS::EC2::RouteTable'
    Properties:
      VpcId: !Ref Vpc
  RouteTableAssociationAPublic:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      SubnetId: !Ref SubnetAPublic
      RouteTableId: !Ref RouteTableAPublic
  RouteTableAssociationBPublic:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      SubnetId: !Ref SubnetBPublic
      RouteTableId: !Ref RouteTableBPublic
  RouteTableAssociationAPrivate:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      SubnetId: !Ref SubnetAPrivate
      RouteTableId: !Ref RouteTableAPrivate
  RouteTableAssociationBPrivate:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      SubnetId: !Ref SubnetBPrivate
      RouteTableId: !Ref RouteTableBPrivate
  RouteTableAPrivateInternetRoute:
    Type: 'AWS::EC2::Route'
    DependsOn:
      - VpcGatewayAttachment
    Properties:
      RouteTableId: !Ref RouteTableAPrivate
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: !Ref NatGateway
  RouteTableBPrivateInternetRoute:
    Type: 'AWS::EC2::Route'
    DependsOn:
      - VpcGatewayAttachment
    Properties:
      RouteTableId: !Ref RouteTableBPrivate
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: !Ref NatGateway
  RouteTableAPublicInternetRoute:
    Type: 'AWS::EC2::Route'
    Properties:
      RouteTableId: !Ref RouteTableAPublic
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway
  RouteTableBPublicInternetRoute:
    Type: 'AWS::EC2::Route'
    Properties:
      RouteTableId: !Ref RouteTableBPublic
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway
  NetworkAclPublic:
    Type: 'AWS::EC2::NetworkAcl'
    Properties:
      VpcId: !Ref Vpc
  NetworkAclPrivate:
    Type: 'AWS::EC2::NetworkAcl'
    Properties:
      VpcId: !Ref Vpc
  SubnetNetworkAclAssociationAPublic:
    Type: 'AWS::EC2::SubnetNetworkAclAssociation'
    Properties:
      SubnetId: !Ref SubnetAPublic
      NetworkAclId: !Ref NetworkAclPublic
  SubnetNetworkAclAssociationBPublic:
    Type: 'AWS::EC2::SubnetNetworkAclAssociation'
    Properties:
      SubnetId: !Ref SubnetBPublic
      NetworkAclId: !Ref NetworkAclPublic
  SubnetNetworkAclAssociationAPrivate:
    Type: 'AWS::EC2::SubnetNetworkAclAssociation'
    Properties:
      SubnetId: !Ref SubnetAPrivate
      NetworkAclId: !Ref NetworkAclPrivate
  SubnetNetworkAclAssociationBPrivate:
    Type: 'AWS::EC2::SubnetNetworkAclAssociation'
    Properties:
      SubnetId: !Ref SubnetBPrivate
      NetworkAclId: !Ref NetworkAclPrivate
  NetworkAclEntryInPublicAllowAll:
    Type: 'AWS::EC2::NetworkAclEntry'
    Properties:
      NetworkAclId: !Ref NetworkAclPublic
      RuleNumber: 99
      Protocol: -1
      RuleAction: allow
      Egress: false
      CidrBlock: 0.0.0.0/0
  NetworkAclEntryOutPublicAllowAll:
    Type: 'AWS::EC2::NetworkAclEntry'
    Properties:
      NetworkAclId: !Ref NetworkAclPublic
      RuleNumber: 99
      Protocol: -1
      RuleAction: allow
      Egress: true
      CidrBlock: 0.0.0.0/0
  NetworkAclEntryInPrivateAllowVpc:
    Type: 'AWS::EC2::NetworkAclEntry'
    Properties:
      NetworkAclId: !Ref NetworkAclPrivate
      RuleNumber: 99
      Protocol: -1
      RuleAction: allow
      Egress: false
      CidrBlock: 0.0.0.0/0
  NetworkAclEntryOutPrivateAllowVpc:
    Type: 'AWS::EC2::NetworkAclEntry'
    Properties:
      NetworkAclId: !Ref NetworkAclPrivate
      RuleNumber: 99
      Protocol: -1
      RuleAction: allow
      Egress: true
      CidrBlock: 0.0.0.0/0
  LambdaSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: Lambdas security group
      SecurityGroupEgress:
        - CidrIp: 0.0.0.0/0
          IpProtocol: '-1'
      SecurityGroupIngress:
        - CidrIp: 0.0.0.0/0
          IpProtocol: '-1'
      VpcId: !Ref Vpc
Outputs:
  VpcId:
    Description: VPC ID
    Value: !Ref Vpc
    Export:
      Name: !Sub "Portal-VpcId"
  SubnetAPrivate:
    Description: Subnet A Private
    Value: !Ref SubnetAPrivate
    Export:
      Name: !Sub "SubnetAPrivate"
  SubnetBPrivate:
    Description: Subnet B Private
    Value: !Ref SubnetBPrivate
    Export:
      Name: !Sub "SubnetBPrivate"     
  SubnetAPublic:
    Description: Subnet A Public
    Value: !Ref SubnetAPublic
    Export:
      Name: !Sub "SubnetAPublic"
  SubnetBPublic:
    Description: Subnet B Public
    Value: !Ref SubnetBPublic
    Export:
      Name: !Sub "SubnetBPublic"  
  LambdaSecurityGroup:
    Description: Access to Lambda functions
    Value: !Ref LambdaSecurityGroup
    Export:
      Name: !Sub "LambdaSecurityGroup"

rds.yml

  DBSubnetGroup:
    Type: 'AWS::RDS::DBSubnetGroup'
    Properties:
      DBSubnetGroupDescription: Subnets available for the RDS DB Instance
      SubnetIds: 
        - !Ref SubnetAPublic
        - !Ref SubnetBPublic
  VPCSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: Security group for RDS DB Instance.
      VpcId: !Ref VpcId
      SecurityGroupIngress: 
        - 
          IpProtocol: "tcp"
          FromPort: "3306"
          ToPort: "3306"
          CidrIp: "[my IP]"
        - 
          IpProtocol: "tcp"
          FromPort: "3306"
          ToPort: "3306"
          CidrIp: "10.0.64.0/19"
        - 
          IpProtocol: "tcp"
          FromPort: "3306"
          ToPort: "3306"
          CidrIp: "10.0.96.0/19"
  DBInstance:
    Type: 'AWS::RDS::DBInstance'
    Properties:
      DBName: !Join
        - ''
        - - portal
          - !Ref Environment
      AllocatedStorage: !Ref DBAllocatedStorage
      DBInstanceClass: !Ref DBClass
      Engine: MariaDB
      EngineVersion: '10.1.23'
      MasterUsername: !Ref DBUsername
      MasterUserPassword: !Ref DBPassword
      DBSubnetGroupName: !Ref DBSubnetGroup
      StorageEncrypted: true
      PubliclyAccessible: true
      VPCSecurityGroups:
        - !Ref VPCSecurityGroup
  DatabaseDnsRecord:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneName: !Join 
        - ''
        - - !Ref HostedZoneName
          - .
      Name: !Join
      - ''
      - - portal
        - !Ref Environment
        - 'db'
        - .
        - !Ref HostedZoneName
        - .
      Type: CNAME
      TTL: '60'
      ResourceRecords: 
        - !GetAtt 
          - DBInstance
          - Endpoint.Address
    DependsOn: DBInstance

1 answer:

Answer 0: (score: 0)

Your problem is this:

    "The only thing that works is if I switch all the route tables to use the IGW instead of the NAT"

Your instance is in a private subnet and cannot be reached from the public Internet (your home PC). You have three (or more) solutions:

1) Move your instance to a public subnet. Not recommended.

2) Convert your private subnets to public subnets (switch from NAT to IGW). Not recommended.

3) Create a VPN from your home network to a new EC2 instance in a public subnet, which routes traffic to the instance in the private subnet. Recommended.

OpenVPN is a very nice solution. You can build it yourself, or launch an OpenVPN instance from the Amazon Marketplace for free (I think the free tier is limited to 2 users): OpenVPN Access Server

The OpenVPN Access Server will incur EC2 instance charges while it runs. What I do is stop the instance when I don't need it and start it again with AWS CLI commands stored in a batch file.
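To make the answer's point concrete, here is an added example (not from the question or the answer) that models the route tables, subnets and RDS security group of the templates above and reports, in packet-handling order, why a client on the Internet can or cannot reach port 3306. The route-table and gateway IDs and the client address standing in for "[my IP]" are constructed placeholders.

```python
from ipaddress import ip_address, ip_network

# Constructed data mirroring the question's vpc.yml/rds.yml; the IDs and the
# client address (standing in for "[my IP]") are placeholders, not real AWS output.
ROUTE_TABLES = {
    "rtb-private-a": [{"dest": "10.0.0.0/16", "target": "local"},
                      {"dest": "0.0.0.0/0", "target": "nat-PLACEHOLDER"}],
    "rtb-public-a": [{"dest": "10.0.0.0/16", "target": "local"},
                     {"dest": "0.0.0.0/0", "target": "igw-PLACEHOLDER"}],
}
SUBNETS = {
    "subnet-a-private": {"cidr": "10.0.64.0/19", "route_table": "rtb-private-a"},
    "subnet-a-public": {"cidr": "10.0.0.0/19", "route_table": "rtb-public-a"},
}
MY_IP = "203.0.113.10"
# Ingress rules of VPCSecurityGroup in rds.yml: 3306 from [my IP] and both private subnets.
RDS_SG = [{"proto": "tcp", "from": 3306, "to": 3306, "cidr": MY_IP + "/32"},
          {"proto": "tcp", "from": 3306, "to": 3306, "cidr": "10.0.64.0/19"},
          {"proto": "tcp", "from": 3306, "to": 3306, "cidr": "10.0.96.0/19"}]


def sg_allows(rules, src_ip, port, proto="tcp"):
    """True if any ingress rule matches the source address, protocol and port."""
    src = ip_address(src_ip)
    return any(r["proto"] in (proto, "-1") and r["from"] <= port <= r["to"]
               and src in ip_network(r["cidr"]) for r in rules)


def inbound_path(subnet_id, publicly_accessible, src_ip, port=3306, rules=RDS_SG):
    """Evaluate, in the order the packet is handled, whether an Internet client can
    reach the database. Returns (reachable, reason) so the first blocker is visible."""
    routes = ROUTE_TABLES[SUBNETS[subnet_id]["route_table"]]
    default = next((r for r in routes if r["dest"] == "0.0.0.0/0"), None)
    # A NAT gateway only forwards connections initiated from inside the VPC, so a
    # subnet whose default route is a NAT (the "private" subnets) has no inbound path
    # from the Internet no matter what the security group allows.
    if default is None or not default["target"].startswith("igw-"):
        return False, "no inbound path: subnet default route is not an IGW"
    if not publicly_accessible:
        return False, "no public IP: PubliclyAccessible is false"
    if not sg_allows(rules, src_ip, port):
        return False, f"security group blocks {src_ip} on tcp/{port}"
    return True, "reachable"


if __name__ == "__main__":
    # The question's situation: SG opened to the client, but the DB sits behind the NAT.
    print(inbound_path("subnet-a-private", True, MY_IP))
    print(inbound_path("subnet-a-public", True, MY_IP))
```

Sources inside the VPC (the Lambda in the private subnets) never hit the first two checks, which is why the Lambda reaches the database while the home PC does not.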