
AWS VPC Peering and route tables

Do route tables need to be enabled in both the sending and receiving VPCs/subnets for traffic to flow?

I have configured 2 VPCs that I have peered, but would like traffic only to flow in one direction, from VPC A to VPC B. Is this possible?

I played around with the VPCs and route tables but had to configure route tables in both VPC A and B so that they could route traffic to each other through the VPC peering connection. Is bi-directional traffic the only solution, or is it possible to have traffic flow in one direction only? I.e. only allow requests to originate from VPC A but allow VPC B to return responses back.

My initial assumption was that one-way traffic was supported, so I had configured route tables in VPC A so that traffic could be routed to VPC B through the VPC peering connection. However, as there was no corresponding route in VPC B, it seemed like the ping response could not find its route back to VPC A.

Also, is there documentation on this? I had a read through the AWS docs (including route table basics) but couldn't seem to find anything that addressed my question.

Docs:

To send traffic from your instance to an instance in a peer VPC using private IPv4 addresses, you must add a route to the route table that's associated with the subnet in which the instance resides.

...

The owner of the other VPC in the peering connection must also add a route to their subnet's route table to direct traffic back to your VPC.

http://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/vpc-peering-routing.html

Route tables don't simply tell instances on my networks how to initiate connections to yours. They also tell my instances how to reply to you when you try to establish a connection to me. The same applies on the other side. Routes are required in both directions, at least for TCP and ICMP. UDP might work without route symmetry, but that's still wrong, since incoming UDP messages can trigger ICMP responses, so symmetric routes are still correct, even if there are cases where it is not strictly mandatory.

If you're concerned with traffic going in one direction, simply block that side via the Security Group around the instance(s) you don't want receiving traffic.

  • But, yes, routes need to be added to both VPCs' route tables.

cheers!

Joseph P.

The reply from Ryan Harris is very important. TCP/IP is bi-directional - packets have to flow in both directions. Therefore route tables and NACLs have to be configured to allow that from both VPCs (or subnets).

I think a great deal of the confusion on that point arises from the fact that all consumer-grade routers use NAT and automatically generate reciprocal rules when "allowing" a particular port/application.

You can use a NACL to deny traffic outflow from one to the other. For example, VPC A has a NACL to allow flow out to VPC B, and VPC B has a NACL to allow inflow from VPC A.

No, we have to set up the route tables on both sides to make the VPC peering work. But instead of VPC peering, we can use another way to make a node inaccessible, like Joseph said: using a security group.
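The point made in the answers above (a peering connection only carries replies if both VPCs route the peer's CIDR over the pcx) is easy to audit. The following is an added example, not code from any answer in this thread: it walks data shaped like the EC2 DescribeRouteTables and DescribeVpcPeeringConnections responses and reports every side that has no route back; the VPC IDs, CIDRs and pcx ID are constructed sample values.

```python
from collections import defaultdict

# Constructed sample in the shape of EC2 DescribeRouteTables output (not real data):
# VPC A routes 10.1.0.0/16 to VPC B over pcx-ab, but VPC B has no route back,
# which is exactly the one-sided setup described in the question.
ROUTE_TABLES = [
    {"VpcId": "vpc-aaaa", "RouteTableId": "rtb-a1", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "10.1.0.0/16", "VpcPeeringConnectionId": "pcx-ab"},
    ]},
    {"VpcId": "vpc-bbbb", "RouteTableId": "rtb-b1", "Routes": [
        {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local"},
    ]},
]

# Constructed sample in the shape of DescribeVpcPeeringConnections output.
PEERINGS = [
    {"VpcPeeringConnectionId": "pcx-ab",
     "RequesterVpcInfo": {"VpcId": "vpc-aaaa", "CidrBlock": "10.0.0.0/16"},
     "AccepterVpcInfo": {"VpcId": "vpc-bbbb", "CidrBlock": "10.1.0.0/16"}},
]


def peering_routes(route_tables):
    """Map (vpc_id, pcx_id) -> set of destination CIDRs that VPC sends over that pcx."""
    index = defaultdict(set)
    for rtb in route_tables:
        for route in rtb.get("Routes", []):
            pcx = route.get("VpcPeeringConnectionId")
            if pcx:
                index[(rtb["VpcId"], pcx)].add(route["DestinationCidrBlock"])
    return index


def find_asymmetric_peerings(route_tables, peerings):
    """Return (pcx_id, vpc_id, missing_cidr) for every side with no route to its peer.

    A listed VPC can receive requests over the peering but cannot send replies
    back, so TCP and ICMP will fail. The check is per VPC; the route must live in
    the route table of the subnet the instance is in, so refine per subnet if needed.
    """
    index = peering_routes(route_tables)
    problems = []
    for pcx in peerings:
        pcx_id = pcx["VpcPeeringConnectionId"]
        req, acc = pcx["RequesterVpcInfo"], pcx["AccepterVpcInfo"]
        for side, other in ((req, acc), (acc, req)):  # each side needs the other's CIDR
            if other["CidrBlock"] not in index[(side["VpcId"], pcx_id)]:
                problems.append((pcx_id, side["VpcId"], other["CidrBlock"]))
    return problems


if __name__ == "__main__":
    for pcx_id, vpc_id, cidr in find_asymmetric_peerings(ROUTE_TABLES, PEERINGS):
        print(f"{pcx_id}: {vpc_id} has no route to {cidr} via the peering; replies cannot return")
```

With real data, feed it the `RouteTables` and `VpcPeeringConnections` lists returned by boto3's `ec2.describe_route_tables()` and `ec2.describe_vpc_peering_connections()`.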
