Route public traffic to VPC
I have an Aurora database on a VPC. Today I needed to connect to that database through Lambda. Not really an issue, except that I needed internet access in that Lambda, and so I had to set up the following:

- Added a new route table that routes all traffic to the igw, and associated that table with the new subnet I created in step 1.
- Modified the Main route table and routed all traffic to the NAT.

This gave me internet access in my Lambda, and by running the Lambda on the VPC, I also had access to my Aurora database.

However, I have now lost public access to this database through MySQL Workbench.

What do I need to configure to route the public traffic back to the VPC?
The fact that you could previously connect to the Amazon Aurora database from your laptop suggests that Aurora was running in a Public Subnet. That is, a subnet that has a Route Table that sends Internet-bound traffic directly to the Internet Gateway.

You mention that you modified the Main routing table. It is likely that this routing table is associated with your Public Subnet (where Aurora is located), and that it was previously configured to send traffic to the Internet Gateway. However, it was probably modified to send traffic to the NAT Gateway. Therefore, the subnet was effectively changed into a Private Subnet (with no Route Table entry that points to the Internet Gateway).

If you really do want your database in the public subnet, then the configuration would be:

- A Route Table associated with the subnet that routes Internet-bound traffic (0.0.0.0/0) to the Internet Gateway

No private subnet is required since you want Aurora in a public subnet.

A more secure option would be:

To connect to Aurora from your laptop, you would SSH into the Jump Box and use port forwarding to access the Aurora database. This way, the database is not exposed to the Internet.

The public subnet would have a different route table than the private subnet (thus making them private/public).
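As an added example (not part of the question or the answer above), the following Python script applies the answer's diagnosis to a constructed copy of `aws ec2 describe-route-tables` output: a subnet with no explicit route-table association falls back to the VPC's main table, so when the main table's 0.0.0.0/0 route is moved from the internet gateway to a NAT gateway, every such subnet (including the one holding Aurora) becomes private. The resource IDs, subnet names and route tables are constructed, and the function names are assumptions of this example, not an AWS API. Run against real `describe-route-tables` JSON, it is the check to do before deciding which subnet a database should live in.

```python
import ipaddress
import json

# Constructed sample (hypothetical resource IDs) in the shape of
# `aws ec2 describe-route-tables` output. "rtb-main" is the VPC's main table,
# which the question changed to send 0.0.0.0/0 to a NAT gateway; "rtb-public"
# is the newly created table that sends 0.0.0.0/0 to the internet gateway.
SAMPLE_ROUTE_TABLES = json.loads("""
{
  "RouteTables": [
    {
      "RouteTableId": "rtb-main",
      "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example", "State": "active"}
      ],
      "Associations": [{"Main": true, "RouteTableId": "rtb-main"}]
    },
    {
      "RouteTableId": "rtb-public",
      "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example", "State": "active"}
      ],
      "Associations": [{"Main": false, "RouteTableId": "rtb-public", "SubnetId": "subnet-nat"}]
    }
  ]
}
""")["RouteTables"]

# Constructed subnet list. "subnet-aurora" has no explicit association and so
# falls back to the main route table, which is the situation in the question.
SAMPLE_SUBNETS = ["subnet-aurora", "subnet-nat"]

# Keys under which a route's target appears in describe-route-tables output.
TARGET_KEYS = ("GatewayId", "NatGatewayId", "NetworkInterfaceId", "InstanceId",
               "VpcPeeringConnectionId", "TransitGatewayId")


def route_table_for_subnet(route_tables, subnet_id):
    """Return the table AWS applies to a subnet: its explicit association, else the main table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def next_hop(route_table, address):
    """Longest-prefix match of address against the table's active IPv4 routes; returns the target id or None."""
    addr = ipaddress.ip_address(address)
    best_target, best_len = None, -1
    for route in route_table.get("Routes", []):
        cidr = route.get("DestinationCidrBlock")
        if not cidr or route.get("State") != "active":
            continue
        net = ipaddress.ip_network(cidr)
        if addr in net and net.prefixlen > best_len:
            best_len = net.prefixlen
            best_target = next((route[k] for k in TARGET_KEYS if k in route), None)
    return best_target


def classify_subnet(route_tables, subnet_id, probe="203.0.113.10"):
    """'public' if an Internet address routes to an igw-, 'private' if to a NAT, else 'isolated'."""
    rt = route_table_for_subnet(route_tables, subnet_id)
    if rt is None:
        return "isolated"
    target = next_hop(rt, probe) or ""
    if target.startswith("igw-"):
        return "public"
    if target.startswith("nat-"):
        return "private"
    return "isolated"


def audit(route_tables, subnets, db_subnet):
    """Classify every subnet and report whether the database subnet is a public one."""
    classes = {s: classify_subnet(route_tables, s) for s in subnets}
    db_rt = route_table_for_subnet(route_tables, db_subnet) or {}
    return {
        "subnets": classes,
        "db_subnet_public": classes.get(db_subnet) == "public",
        "db_route_table": db_rt.get("RouteTableId"),
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_ROUTE_TABLES, SAMPLE_SUBNETS, "subnet-aurora"), indent=2))
```

On the sample, `subnet-aurora` is reported as private via `rtb-main` (its default route now points at the NAT gateway) while `subnet-nat` is public via `rtb-public`; that is exactly the state the answer describes. The probe address is a TEST-NET address chosen only to exercise the 0.0.0.0/0 route; the longest-prefix match also returns `local` for in-VPC addresses, so the same function can be used to check any destination.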