简体繁体 English

将公共流量路由到VPC

[英]Route public traffic to VPC

原文 2017-03-12 03:41:08 9 1 amazon-web-services/ aws-lambda/ nat/ amazon-vpc

I have an Aurora database on a VPC. 我在VPC上有一个Aurora数据库。 Today I needed to connect to that database through Lambda. 今天，我需要通过Lambda连接到该数据库。 Not really an issue except I needed internet access in that Lambda and so I had to setup the following: 除了我需要在该Lambda中访问互联网以外，这不是什么大问题，因此我必须设置以下各项：

I added a new subnet for the public NAT. 我为公共NAT添加了一个新子网。
I added a NAT Gateway and assigned it to a new EIP and the new subnet. 我添加了一个NAT网关，并将其分配给新的EIP和新的子网。
I added a new route table that routed all traffic to the igw and associated that table with the new subnet I created in step 1. 我添加了一个新的路由表，该表将所有流量路由到igw ，并将该表与在步骤1中创建的新子网相关联。
I modified the Main route table and routed all traffic to the NAT. 我修改了Main路由表，并将所有流量路由到NAT。

This gave me internet access in my Lambda, and by running the Lambda on the VPC, I also had access to my Aurora database. 这使我可以在Lambda中访问互联网，并且通过在VPC上运行Lambda，我还可以访问Aurora数据库。

However, I have now lost public access to this database through MySQL Workbench. 但是，我现在已经无法通过MySQL Workbench对该数据库进行公共访问。

What do I need to configure to route the public traffic back to the VPC? 我需要配置什么以将公共流量路由回VPC？

1 个解决方案

The fact that you could previously connect to the Amazon Aurora data base from your laptop suggests that Aurora was running in a Public Subnet . 您以前可以从便携式计算机连接到Amazon Aurora数据库的事实表明Aurora在公共子网中运行。 That is, a subnet that has a Route Table that sends Internet-bound traffic directly to the Internet Gateway. 也就是说，具有路由表的子网直接将Internet绑定的流量发送到Internet网关。

You mention that you modified the Main routing table. 您提到您修改了Main路由表。 It is likely that this routing table is associated with your Public Subnet (where Aurora is located), and that it was previously configured to send traffic to the Internet Gateway. 此路由表很可能与您的公共子网（Aurora所在的地方）相关联，并且以前已配置为将流量发送到Internet网关。 However, it was probably modified to send traffic to the NAT Gateway. 但是， 可能已对其进行了修改，以将流量发送到NAT网关。 Therefore, the subnet was effectively changed into a Private Subnet (with no Route Table entry that points to the Internet Gateway). 因此，该子网实际上已更改为专用子网 （没有指向Internet网关的路由表条目）。

If you really do want your database in the public subnet, then the configuration would be: 如果您确实希望数据库位于公共子网中，则配置为：

One public subnet , which contains the Aurora database and to which the Lambda function connects 一个公共子网 ，其中包含Aurora数据库， Lambda函数连接到该公共子网
A Route Table associated with the subnet that routes Internet-bound traffic ( 0.0.0.0/0 ) to the Internet Gateway 与子网关联的路由表 ，该路由表将Internet绑定流量（ 0.0.0.0/0 ）路由到Internet网关
Possibly an additional subnet to provide High Availability for both Aurora and Lambda 可能是一个附加子网 ，可同时为Aurora和Lambda提供高可用性

No private subnet is required since you want Aurora in a public subnet. 不需要专用子网，因为您希望在公共子网中使用Aurora。

A more secure option would be: 一个更安全的选择是：

A public subnet with a jump box EC2 instance and the Lambda connection 具有跳转框 EC2实例和Lambda连接的公共子网
A private subnet with Aurora Aurora的专用子网

To connect to Aurora from your laptop, you would SSH into the Jump Box and use port forwarding to access the Aurora database. 要从笔记本电脑连接到Aurora，您需要SSH进入Jump Box，并使用端口转发来访问Aurora数据库。 This way, the database is not exposed to the Internet. 这样，数据库就不会暴露给Internet。

The public subnet would have a different route table than the private subnet (thus making them private/public). 公共子网将具有与私有子网不同的路由表（因此使它们成为私有/公共）。