在没有公共IP地址的情况下从AWS VPC实例访问Internet
[英]Access Internet from AWS VPC instance without public IP address
问题描述
We're setting up an Amazon VPC in which we will provision (for now) a single EC2 instance and one RDS instance. 
我们正在设置一个Amazon VPC,在其中我们将(现在)配置一个EC2实例和一个RDS实例。 This is to 'extend our data center', and should only be using private subnet(s). 这是为了“扩展我们的数据中心”,并且只能使用私有子网。
So actually, we have this setup, and it is working well (insert smiley face icon). 因此,实际上,我们有了此设置,并且运行良好(插入笑脸图标)。 For all intents and purposes, we're mirroring the VPC scenario 4 outlined by Amazon here: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario4.html 出于所有目的和目的,我们在此处镜像了Amazon概述的VPC场景4: http : //docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario4.html
tl;dr: A single VCP, with a VPN connecting to our corporate network. tl; dr:单个VCP,VPN连接到我们的公司网络。 The VPN uses a Virtual Private Gateway (VPC end) and Customer Gateway (our end) to allow us access as necessary to the EC2, which contains a webserver connecting to the RDS instance as needed. VPN使用虚拟专用网关(VPC端)和客户网关(我们的端)来允许我们根据需要访问EC2,其中EC2包含根据需要连接到RDS实例的Web服务器。 Anyone on our network has access to the web server running on the EC2 via a URL. 我们网络上的任何人都可以通过URL访问EC2上运行的Web服务器。 All this is working as expected. 所有这些都按预期工作。
The problem comes when the EC2 instance needs to access a resource on the Internet - The idea is for us to NOT have any public subnets, but to route all traffic from the EC2 instance through our VPN and out the 'standard' path of our corporate Internet access. 问题出在EC2实例需要访问Internet上的资源时-这个想法是让我们没有任何公共子网,而是将来自EC2实例的所有流量通过我们的VPN路由到公司的“标准”路径之外互联网。 However we're having trouble setting this up. 但是,我们在设置时遇到了麻烦。
The fact that it can be done is hightlighted in Amazon's FAQ here: https://aws.amazon.com/vpc/faqs/ 可以在Amazon的常见问题解答中找到要解决的事实: https : //aws.amazon.com/vpc/faqs/
Q. How do instances without public IP addresses access the Internet?
Instances without public IP addresses can access the Internet in one of two ways:
Instances without public IP addresses can route their traffic through a NAT gateway or a NAT instance to access the Internet.
For VPCs with a hardware VPN connection or Direct Connect connection, instances can route their Internet traffic down the virtual private gateway to your existing datacenter.
We are trying to avoid option #1 as there is a cost involved (along with complexity and security issues). 我们试图避免选择#1,因为这涉及成本(以及复杂性和安全性问题)。 #2 is the perfect resolution for us, but understanding the process to set it up has been eluding us for a while. #2对我们来说是完美的解决方案,但是了解设置它的过程已经使我们望而却步了。
Can anyone walk us through what we need to do (or point us to the correct resources) to ensure the EC2 instance* can access the Internet by routing the traffic down the VPN, through our corporate datacenter, and our our existing Internet access point? 谁能指导我们完成需要做的事情(或将我们指向正确的资源),以确保EC2实例*可以通过将流量路由到VPN,通过我们的公司数据中心以及我们现有的Internet访问点来访问Internet?
* and anything within the private subnet for that matter * 以及与此相关的私有子网中的任何内容
1 个解决方案
解决方案1
4 2016-10-27 16:00:09
If you are using scenario #2, then all there is to do on the AWS end is to ensure that traffic destined for the internet, 0.0.0.0/0 is routed to your Virtual Private Gateway. 如果您使用的是方案2,那么AWS端要做的就是确保将发往Internet的流量0.0.0.0/0路由到您的虚拟专用网关。
Once traffic heads there, it will go to your Customer Gateway, and into your corporate datacenter. 流量到达那里之后,它将转到您的客户网关和公司数据中心。 It's up to your local IT guys on that end to get Internet-destined traffic heading out, if it's even possible. 如果可能的话,最终由当地的IT人员来决定是否可以访问Internet流量。 But at that point, it's no longer an AWS issue. 但是到那时,它不再是AWS问题。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.