
Restrict access to Cross-region ec2 instances amazon

I need to design a cross-region cross-VPC architecture and I am not sure how I can restrict access to my resources. The requirement is that I need to run my web app in one region and my database in another region. Both the servers are inside private subnets. The web app has an auto scaling group and load balancer attached. The database server in the other region should only be accessible from this web app. I cannot use IP based restrictions as the IP of the load balancer changes with time. What other option do I have?

The IP address of your Load Balancer is irrelevant because the Load Balancer is only used for incoming connections to your web server.

First, I should point out that having your database remote from your application is a poor architectural decision, which will slow down your application. Please reconsider it if possible!

You have not provided much information, so I will make the following assumptions:

  • VPC in Region A contains:
    • A Load Balancer in a public subnet
    • Web servers in a private subnet
  • VPC in Region B contains:
    • A database in a private subnet

In this situation, you wish to communicate between two private subnets in different VPCs that reside in different regions. For this, you could consider creating a private VPN connection via Amazon EC2 instances located in the public subnets of each VPC. This would use a software VPN such as OpenVPN or OpenSwan.

You should also consider how to achieve a High Availability option for this solution. A well-architected VPC would have your web servers deployed across multiple Availability Zones in Region A, with your database preferably in a multi-AZ configuration in Region B (assuming that you are using Amazon RDS). You should similarly design your VPN solution to be highly available in case of failure.

An alternative is to put a NAT Server in the public subnet of the VPC in Region A and configure the private Route Table to send traffic through the NAT Server. This means that traffic going from the web servers to the Internet would all come from the public IP address associated with the NAT Server (not the Load Balancer).

However, the database is in a private subnet, so the traffic cannot be directly routed to the database, so this is only half a solution. It would then either require the database to be in a public subnet (with a Security Group that only accepts connections from the NAT Server) or some type of proxy server in the public subnet that would forward traffic to the database. This would become way too complex compared to the Software VPN option.
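As an added example (not part of the original answer), the following Python models the two checks a practitioner would run against the software-VPN design above: the database Security Group in Region B should admit the database port only from the web-tier private subnet that arrives over the VPN (never from 0.0.0.0/0, and not from the Load Balancer, which never initiates database connections), and the Region A private Route Table should send the Region B VPC CIDR to the VPN instance. All CIDRs, instance ids and the port are constructed assumptions; the rule and route shapes mirror what the EC2 DescribeSecurityGroups and DescribeRouteTables APIs return.

```python
import ipaddress

# Constructed sample values for the architecture in the answer (assumptions, not from the post).
REGION_A_WEB_SUBNET = "10.0.2.0/24"      # private subnet holding the web servers (Region A)
REGION_A_LB_SUBNET = "10.0.1.0/24"       # public subnet holding the Load Balancer (Region A)
REGION_B_VPC_CIDR = "10.1.0.0/16"        # VPC holding the database (Region B)
VPN_INSTANCE_ID = "i-0aaaaaaaaaaaaaaa1"  # placeholder id of the software-VPN EC2 instance in Region A
DB_PORT = 3306

# Shapes mirror EC2 DescribeSecurityGroups IpPermissions and DescribeRouteTables Routes entries.
DB_SG_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": REGION_A_WEB_SUBNET}]},
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": REGION_A_LB_SUBNET}]},  # all traffic from the LB subnet
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": REGION_A_WEB_SUBNET}]},
]
PRIVATE_ROUTES_A = [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": REGION_B_VPC_CIDR, "InstanceId": VPN_INSTANCE_ID, "State": "active"},
    {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-0bbbbbbbbbbbbbbb2", "State": "active"},  # NAT
]

def db_ingress_violations(ingress_rules, db_port, allowed_sources):
    """Return (cidr, reason) for every ingress source that can reach db_port but is not inside allowed_sources."""
    allowed = [ipaddress.ip_network(c) for c in allowed_sources]
    violations = []
    for rule in ingress_rules:
        proto = rule.get("IpProtocol")
        if proto not in ("tcp", "-1"):          # UDP/ICMP rules cannot carry the DB connection
            continue
        lo, hi = (0, 65535) if proto == "-1" else (rule["FromPort"], rule["ToPort"])
        if not lo <= db_port <= hi:             # rule does not cover the database port
            continue
        for r in rule.get("IpRanges", []):
            net = ipaddress.ip_network(r["CidrIp"])
            if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
                reason = "open to the Internet" if net.prefixlen == 0 else \
                    "not the web tier (the Load Balancer never initiates DB connections)"
                violations.append((r["CidrIp"], reason))
    return violations

def remote_vpc_routed_via_vpn(routes, remote_vpc_cidr, vpn_instance_id):
    """True when the private route table sends the remote VPC CIDR to the VPN instance, not elsewhere."""
    for route in routes:
        if route.get("DestinationCidrBlock") == remote_vpc_cidr:
            return route.get("State") == "active" and route.get("InstanceId") == vpn_instance_id
    return False
```

Running `db_ingress_violations(DB_SG_INGRESS, DB_PORT, [REGION_A_WEB_SUBNET])` on the constructed rules flags the 0.0.0.0/0 rule and the Load Balancer subnet while accepting the web-tier subnet and ignoring the SSH rule.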
