
AWS VPC public web application connecting to database via VPN

What I am trying to do is set up a web application that is public facing but makes calls to a database that is on an internal network. I have been trying to set up an AWS VPC with a public subnet, private subnet, and hardware VPN access but I can't seem to get it to work.

Can someone help me understand what the process flow here should be? My understanding is that I need a public subnet to handle the website requests and then a private subnet to connect to the VPN, but what I do not understand is how to send requests down the chain and get the response. Basically what I am asking is how can I query the database via VPN from that public website?

I've tried doing route forwarding but I can't successfully complete the process.

Does anyone have any advice on something I can read on this subject or an FAQ on setting something like this up? Is it even possible? If it matters, all of these servers will be running Windows Server.

I'm out of my league here, this is not my area of expertise but I'm being asked to solve this problem. Any help would be appreciated.

Thanks

The terminology of VPC is a little bit counter-intuitive to those of us who are familiar with IP networks, routing and NAT, so this might help:

Obviously, VPC allows you to create multiple subnets and route traffic between them. It also allows you to route traffic to additional subnets at your own data center over a tunnel established between a hardware VPN device at your side, and a companion virtual device provided by VPC.

You provision a "Virtual Private Gateway" -- that's AWS's "equipment" that terminates the VPN on their side; then you declare your own "Customer Gateway" with its public IP address (the device on your side, such as a Cisco ASA); then you bind those two entities together by declaring a "VPN Connection" between them. Right there in "VPN Connection" is where you declare static routes from the VPC network to your corporate network's private IP address space. In your local device, you configure routes through the tunnel to the private IP address space you will use inside VPC.

Still in VPC configuration, you declare your VPC's routing tables, and under "Route Propagation," you can "select the virtual private gateways which are allowed to update this route table." This injects routes pointing to your corporate network (discovered from the VPN Connection configuration) into the VPC routing tables.

One of the biggest points of confusion in VPC is the terminology of "public subnet" and "private subnet," which means something different in VPC than it means anywhere else, because all of the subnets in VPC are on private IP address space. The public/private distinction is this:

A public subnet in VPC uses the "Internet Gateway" as its default route, while a private subnet uses a "NAT Instance" or the VPN tunnel as its default route. The Internet Gateway is a virtual object, essentially just a placeholder with no real configuration, that can be used for Internet access by an EC2 instance with a public IP address -- and only by instances with public IP addresses. A NAT Instance is an EC2 machine running a custom software image that will accept traffic from internal machines that lack their own public IP address, and masquerade that traffic as having originated from its external IP address, so that the traffic can be sent across the Internet even though it originated internally from an EC2 instance without a public IP address. The return traffic from the Internet is addressed to the NAT instance, which then rewrites the headers and sends the packet back to the instance that originated the request.

The extremely counter-intuitive thing about a NAT instance is that it must be provisioned on a "public" subnet, yet it serves as the default gateway for instances provisioned on "private" subnets. Traditionally, your default gateway is on your own subnet, but in VPC, that's not the case -- still, it works perfectly.

What you should take away from what I've written so far is that you don't actually "need" a private subnet -- yet -- in your VPC, based on what you're trying to accomplish, and based on what a "private" subnet means in VPC -- although I would recommend setting one up anyway using the wizard so that you have it later if you want it. The reason you don't need a private subnet is that a private subnet is where you configure EC2 instances that do not need to be Internet-accessible, and you haven't mentioned that need in your question.

If, for example, your corporate network is 172.16.0.0/16 and the private IP network 192.168.0.0/16 does not conflict with your corporate network numbering, you could declare the VPC as 192.168.0.0/16, then declare, for example, 192.168.20.0/24 (which falls inside 192.168.0.0/16) as a public subnet. On your hardware VPN device, route 192.168.0.0/16 through the tunnel toward VPC, and then, inside VPC, route 172.16.0.0/16 through the tunnel, back to the corporate network.

What I've described is primarily "VPC Scenario 3" with the addition of the NAT Instance you can see in VPC Scenario 2. The reason for the NAT instance is that if you do place servers on a "private" VPC subnet, Scenario 3 provides them no ability to access the Internet on an outbound basis (for fetching software updates, for example) other than by routing back to your corporate network to access the Internet that way, which to me seems an unnecessary trip, but would depend on your security philosophy.

Another thing to keep in mind, if you are considering using Elastic Load Balancer, is that the ELB needs to be provisioned on a "public" subnet, but the instances serving the ELB can be placed on a "private" subnet, since in this case, only the ELB needs to be directly accessible from the Internet, and ELBs can access instances on any subnet in the VPC if the security groups and VPC routing tables permit it.

In the setup you described in the original question, though, there is no "private" subnet needed based on the VPC definition of what a "private" subnet is. The web server goes on a "public" subnet with private IP addresses, and uses Elastic IPs from the public address space, and that network is directly routable to your corporate network via the VPN.
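The layout the answer above describes (VPC, one "public" subnet, Virtual Private Gateway, Customer Gateway, a static-routes-only VPN Connection, and route propagation into the subnet's route table), written out as a Terraform configuration. This is an added example, not code from the original post or from AWS. It assumes the CIDRs used in the answer (VPC 192.168.0.0/16, public subnet 192.168.20.0/24, corporate 172.16.0.0/16), a placeholder customer gateway address of 203.0.113.10, the us-east-1 region, and a database listening on TCP 1433; all of these are assumptions to be replaced with your own values.

```hcl
# Added example (not from the original post). Assumptions: CIDRs from the
# answer, customer gateway at the documentation address 203.0.113.10,
# region us-east-1, database on TCP 1433. Replace them for your environment.

provider "aws" {
  region = "us-east-1" # assumed
}

locals {
  corporate_cidr = "172.16.0.0/16" # corporate network behind the VPN device
  cgw_public_ip  = "203.0.113.10"  # public IP of your hardware VPN device (assumed)
  db_port        = 1433            # database listener port (assumed)
}

resource "aws_vpc" "main" {
  cidr_block = "192.168.0.0/16"
}

# "Public" subnet in the VPC sense: its default route will point at the IGW.
resource "aws_subnet" "public" {
  vpc_id                  = aws_vpc.main.id
  cidr_block              = "192.168.20.0/24"
  map_public_ip_on_launch = true
}

resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.main.id
}

# AWS side of the tunnel ("Virtual Private Gateway").
resource "aws_vpn_gateway" "vgw" {
  vpc_id = aws_vpc.main.id
}

# Your side of the tunnel ("Customer Gateway", e.g. a Cisco ASA).
# bgp_asn is required by the API even for a static-routes-only connection.
resource "aws_customer_gateway" "cgw" {
  bgp_asn    = 65000
  ip_address = local.cgw_public_ip
  type       = "ipsec.1"
}

# Binds VGW and CGW together ("VPN Connection").
resource "aws_vpn_connection" "corp" {
  vpn_gateway_id      = aws_vpn_gateway.vgw.id
  customer_gateway_id = aws_customer_gateway.cgw.id
  type                = "ipsec.1"
  static_routes_only  = true
}

# The static route declared on the VPN Connection: VPC -> corporate space.
resource "aws_vpn_connection_route" "to_corp" {
  destination_cidr_block = local.corporate_cidr
  vpn_connection_id      = aws_vpn_connection.corp.id
}

# Route table for the public subnet: 0.0.0.0/0 via the IGW, and route
# propagation from the VGW so 172.16.0.0/16 -> vgw is injected automatically.
resource "aws_route_table" "public" {
  vpc_id           = aws_vpc.main.id
  propagating_vgws = [aws_vpn_gateway.vgw.id]

  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
}

resource "aws_route_table_association" "public" {
  subnet_id      = aws_subnet.public.id
  route_table_id = aws_route_table.public.id
}

# Web server security group: HTTPS in from anywhere; outbound only to the
# database port on the corporate range. Add further egress rules if the box
# must reach the Internet itself (e.g. for updates).
resource "aws_security_group" "web" {
  name   = "web-sg"
  vpc_id = aws_vpc.main.id

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = local.db_port
    to_port     = local.db_port
    protocol    = "tcp"
    cidr_blocks = [local.corporate_cidr]
  }
}

# Values you need when configuring the hardware VPN device.
output "tunnel1_address" { value = aws_vpn_connection.corp.tunnel1_address }
output "tunnel1_psk" {
  value     = aws_vpn_connection.corp.tunnel1_preshared_key
  sensitive = true
}
```

After `terraform apply`, the remaining work is on the customer side, exactly as the answer says: configure the IPsec tunnel on the hardware device using the output tunnel address and pre-shared key, and route 192.168.0.0/16 through that tunnel. Two checks worth doing before blaming routing: the database host's own firewall (Windows Firewall on Windows Server) must accept the database port from 192.168.20.0/24, and the corporate firewall between the VPN device and the database should permit only the web subnet, not all of 192.168.0.0/16, to that port. Because the database traffic crosses the IPsec tunnel, it is encrypted in transit without any extra wrapper on the application side.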

I'm using stunnel in my Linux boxes. It seems like Windows is supported too, check out the link:

http://www.stunnel.org/downloads.html

There is a tutorial talking about Windows configuration. You can adapt your solution from this document: http://home.arcor.de/lightsky/docs/stunnel_openssl_synergy.pdf
