AWS NAT网关与用于传出Internet连接的公共IP
[英]AWS NAT gateway vs public IP for outgoing internet connections
问题描述
I'm learning AWS and how to configure networking for EC2 instances and have a few questions. 
我正在学习AWS以及如何为EC2实例配置网络,并且有一些问题。 I'm using CentOS 7 in t2.micro instances. 我在t2.micro实例中使用CentOS 7。
The private IP is tied to the NIC in the instance as shown by
ifconfig -a.私有IP绑定到实例中的NIC,如ifconfig -a所示。 The purpose seems to be a single point of contact for the server.目的似乎是服务器的单点联系。 Adding another network interface does NOT add another NIC as shown by ifconfig -a.添加另一个网络接口不会添加另一个NIC,如ifconfig -a所示。 Since the primary network interface cannot be a static IP, a secondary network interface is necessary for most configurations.由于主网络接口不能是静态IP,因此大多数配置都需要辅助网络接口。 For example, to connect the application to the database server, use the static IP assigned to the second network interface. 例如,要将应用程序连接到数据库服务器,请使用分配给第二个网络接口的静态IP。 Am I understanding this correctly? 我理解正确吗? The public IP is shown in the AWS console and provides a means to connect to the instance via SSH, assuming you configure the SG.
公共IP显示在AWS控制台中,并提供了通过SSH连接到实例的方法,假设您配置了SG。 The public IP also provides a means to access the internet for system updates. 公共IP还提供访问互联网以进行系统更新的方法。 This seems to contradict the AWS documentation for NAT . 这似乎与NAT的AWS文档相矛盾。 If the public IP already provides internet access, why is a NAT (instance or gateway) needed? 如果公共IP已经提供了Internet访问,为什么需要NAT(实例或网关)? This is in reference to system updates which the documentation references. 这是参考文档引用的系统更新。
You can use a NAT device to enable instances in a private subnet to connect to the Internet (for example, for software updates ) or other AWS services, but prevent the Internet from initiating connections with the instances.
- Is a public IP and private IP are always assigned to each instance? 是否始终为每个实例分配公共IP和专用IP? I haven't walked through the process of creating an [new] AMI to verify if there's an option to not have a public IP. 我没有完成创建[新] AMI的过程,以验证是否存在没有公共IP的选项。 If the instance doesn't have a public IP, will the AWS console
Connectbutton still allow you to connect to it to administer the server?如果实例没有公共IP,AWS控制台Connect按钮是否仍然允许您连接到它以管理服务器? Under what scenario will an instance NOT have a public IP?在什么情况下,实例不具有公共IP? How do you connect to that instance to administer it? 如何连接到该实例来管理它?
I have read the NAT Gateway documentation and understand much of it. 我已阅读NAT网关文档并了解其中的大部分内容。 I'm having trouble understanding the pieces that state a NAT gateway or internet gateway is necessary to enable internet access, when it seems this is enabled by default. 我无法理解在启用Internet访问时需要NAT网关或Internet网关的部分,默认情况下启用此功能。 What am I missing? 我错过了什么?
1 个解决方案
解决方案1
9 已采纳 2017-03-17 14:29:11
I think your confusion stems from your third question. 我认为你的困惑源于你的第三个问题。 A public IP is not always assigned to an instance. 公共IP并不总是分配给实例。 Public IP is an option that you can enable or disable in public VPC subnets, and in private VPC subnets public IP isn't an option at all. 公共IP是可以在公共VPC子网中启用或禁用的选项,而在私有VPC子网中,公共IP根本不是选项。 For EC2 instances without a public IP a NAT gateway (or NAT instance) is required in order to access anything outside of the VPC. 对于没有公共IP的EC2实例,需要NAT网关(或NAT实例)才能访问VPC之外的任何内容。
You may want to place something like a database server in a private subnet so that nothing outside your VPC can ever access it. 您可能希望在私有子网中放置类似数据库服务器的内容,以便VPC外部的任何内容都无法访问它。 However you might want the database server to be able to access the Internet to download patches or something, or you may want it to access the AWS API in order to copy backups to S3 or something, in which case you would need a NAT Gateway to provide the server access to resources outside your VPC. 但是,您可能希望数据库服务器能够访问Internet以下载修补程序或其他内容,或者您可能希望它访问AWS API以将备份复制到S3或其他内容,在这种情况下,您需要NAT网关才能为服务器提供对VPC外部资源的访问权限。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.