AWS VPC 识别私有和公共 su.net
[英]AWS VPC identify private and public subnet
问题描述
I have a VPC in AWS account and there are 5 su.nets associated with that VPC.
我在 AWS 账户中有一个 VPC,并且有 5 个 su.net 与该 VPC 关联。 Su.nets are of 2 types - Public and private. Su.nets 有两种类型——公共的和私有的。 How to identify which su.net is public and which is private?如何识别哪个 su.net 是公共的,哪个是私有的? Each su.net has CIDR 10.249.?.?每个 su.net 都有 CIDR 10.249.?.? range.范围。
Basically when I launch an EMR in that su.net with lists of ec2Su.netIds, it says ***The su.net configuration was invalid: Provided su.net list contains both public and private su.net.基本上,当我在那个 su.net 中使用 ec2Su.netIds 列表启动 EMR 时,它说 ***The su.net configuration was invalid: Provided su.net list contains both public and private su.net。 Only one type of su.net is allowed.只允许一种类型的 su.net。
How to recify this error.如何纠正这个错误。
4 个解决方案
解决方案1
49 2018-02-16 16:45:53
The question is how to identify public subnets vs. private subnets, and the answer lies in what it means in AWS for a subnet of a VPC to be 'public' vs. 'private'.问题是如何识别公共子网与私有子网,答案在于 AWS 中 VPC 的子网是“公共”还是“私有”的含义。
Public subnets have a default route to an Internet Gateway ;公共子网有一个到Internet 网关的默认路由; private subnets do not.私有子网没有。
So, to determine if a given subnet is public or private, you need to describe the route table that is associated with that subnet.因此,要确定给定子网是公共子网还是私有子网,您需要描述与该子网关联的路由表。 That will tell you the routes and you can test for a 0.0.0.0/0 route with a gateway ID of igw-xxxxxxxxxxxxxxxxx (as opposed to local ).这将告诉您路由,您可以测试网关 ID 为igw-xxxxxxxxxxxxxxxxx (而不是local )的0.0.0.0/0路由。
You can tell if a subnet is public in the AWS VPC Console by reviewing the subnet's route table, for example:您可以在 AWS VPC 控制台中通过查看子网的路由表来判断子网是否为公共子网,例如:
You can also do this as follows for a given subnet ID, using the awscli:您还可以使用 awscli 对给定的子网 ID 执行以下操作:
aws ec2 describe-route-tables \
--filter Name=association.subnet-id,Values=subnet-0a123fc414ad5b999 \
--query "RouteTables[].Routes[]"
The output will look like this:输出将如下所示:
[
{
"DestinationCidrBlock": "10.0.0.0/16",
"GatewayId": "local",
"Origin": "CreateRouteTable",
"State": "active"
},
{
"DestinationCidrBlock": "0.0.0.0/0",
"GatewayId": "igw-0fca21fadaa22a1b2",
"Origin": "CreateRoute",
"State": "active"
}
]
Here, you can see a destination route of 0.0.0.0/0 with a target that is an Internet Gateway (its GatewayId is igw-xxxxxxxxxxxxxxxxx ).在这里,您可以看到目标路由为0.0.0.0/0 ,目标为 Internet 网关(其 GatewayId 为igw-xxxxxxxxxxxxxxxxx )。 This confirms that you are looking at a public subnet.这确认您正在查看公共子网。
解决方案2
4 2018-02-16 16:48:54
The best solution is to specify only a single subnet, so that you don't incur cross-AZ data charges.最好的解决方案是只指定一个子网,这样您就不会产生跨可用区数据费用。
There's no definite way to identify public and private subnets without looking at their routing tables: a public subnet will route to an Internet Gateway, while a private subnet won't.在不查看路由表的情况下,没有明确的方法来识别公共和私有子网:公共子网将路由到 Internet 网关,而私有子网则不会。 If you're creating your clusters via some program then maybe that's a reasonable check, but I wouldn't go there.如果您通过某个程序创建集群,那么也许这是一个合理的检查,但我不会去那里。
The best alternative is to give the subnet a name when you create it: something like "Private B" for a private subnet in availability zone B (us-east-1b, us-west-1b, whatever).最好的替代方法是在创建子网时为其命名:类似于可用区 B 中私有子网的“私有 B”(us-east-1b、us-west-1b 等)。 If you're launching your cluster via the console that name should be shown in the list of available subnets (I haven't manually launched an EMR cluster in years, so don't know for sure).如果您通过控制台启动集群,该名称应显示在可用子网列表中(我多年没有手动启动 EMR 集群,所以不确定)。
Alternatively, you can give your subnets arbitrary tags.或者,您可以为您的子网提供任意标签。 This is probably most useful if you're accessing them programmatically.如果您以编程方式访问它们,这可能最有用。
解决方案3
1 2021-10-04 16:32:56
I was reading through this user guide VPC with a single su.net and found this line helpful.我正在阅读这个用户指南VPC with a single su.net并发现这一行很有帮助。
"A su.net that's associated with a route table that has a route to an inte.net gateway is known as a public su.net" “与具有到 inte.net 网关的路由的路由表相关联的 su.net 称为公共 su.net”
解决方案4
0 2021-09-03 18:08:13
I found this to be rather challenging.我发现这相当具有挑战性。 I hope others find this useful.我希望其他人觉得这很有用。 This approach uses aws cli and jq.这种方法使用 aws cli 和 jq。 As of mid 2021 I'm using current versions of both.截至 2021 年年中,我将使用两者的当前版本。 To caveat, this is specific to only IPv4, and VPCs with only 1 internet gateway.需要注意的是,这仅适用于 IPv4 和只有 1 个互联网网关的 VPC。
From a bash shell start off by identifying the VPC in which you are considering the subnets.从 bash shell 开始,首先确定您考虑使用子网的 VPC。 In my use case I wanted the VPC hosting an EKS cluster.在我的用例中,我希望 VPC 托管 EKS 集群。
VPC_ID=`aws eks describe-cluster \
--name ${CLUSTER_NAME} \
--query "cluster.resourcesVpcConfig.vpcId" \
--output text`
Find the internet gateway for that VPC查找该 VPC 的 Internet 网关
IGW_ID=`aws ec2 describe-internet-gateways \
--filters Name=attachment.vpc-id,Values=${VPC_ID} \
--query "InternetGateways[].InternetGatewayId" \
| jq -r '.[0]'`
Identify the public subnets确定公有子网
PUBLIC_SUBNETS=`aws ec2 describe-route-tables \
--query 'RouteTables[*].Associations[].SubnetId' \
--filters "Name=vpc-id,Values=${VPC_ID}" \
"Name=route.gateway-id,Values=${IGW_ID}" \
| jq . -c`
Show the public subnets显示公共子网
echo $PUBLIC_SUBNETS
List the private subnets by excluding public subnets通过排除公共子网列出私有子网
aws ec2 describe-subnets \
--filter Name=vpc-id,Values=${VPC_ID} \
--query 'Subnets[].SubnetId' \
| jq -c '[ .[] | select( . as $i | '${PUBLIC_SUBNETS}' | index($i) | not) ]'
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.