
VPC and Subnets for me or user?

I am trying to hook up my mobile app to AWS RDS. I want my users to be able to access the database from anywhere, and I want to view my database in SQL Workbench. Are the VPC and subnet for allowing me access to the database, or my users?

Further to the answer by strongjz, I would highly recommend you put your database in a private subnet and prevent any direct connections from the internet.

To connect to it from SQL Workbench you can set up a bastion server. This is a server that acts as a middleman between the outside internet and your private subnets. There is quite a good tutorial here on how to set one up. They are connecting to Redshift, but the process is exactly the same for connecting to RDS.

To help with the design of the subnet IP ranges, VPC Designer is a good tool for designing the different subnets.

Full disclosure, I am the creator of VPC Designer.
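As an added illustration of the subnet-range design this answer talks about (this is not the answer's own code and has nothing to do with VPC Designer's implementation), the script below carves a VPC CIDR into one public subnet (ALB/API, bastion or VPN host) and one private subnet (RDS) per availability zone, checks that the result is inside the VPC with no overlaps, and reports how many addresses AWS actually lets you assign. The VPC CIDR, AZ names and subnet size are constructed sample values; only the Python standard library is used.

```python
"""Carve a VPC CIDR into one public and one private subnet per AZ.

Added example, not code from the answer above or from VPC Designer.
The VPC CIDR, AZ names and /24 subnet size are constructed values.
"""
import ipaddress
from typing import Dict, List

# AWS reserves the first four addresses and the last address of every
# subnet (network, VPC router, DNS, future use, broadcast).
AWS_RESERVED_PER_SUBNET = 5


def plan_subnets(vpc_cidr: str, azs: List[str], new_prefix: int = 24) -> Dict[str, Dict[str, str]]:
    """Return {az: {"public": cidr, "private": cidr}} with non-overlapping ranges.

    Per AZ the first block becomes the public subnet and the next block the
    private subnet, so the database tier never shares a range with anything
    reachable from the internet. Raises ValueError when the VPC is too small.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    blocks = iter(vpc.subnets(new_prefix=new_prefix))
    plan: Dict[str, Dict[str, str]] = {}
    try:
        for az in azs:
            plan[az] = {"public": str(next(blocks)), "private": str(next(blocks))}
    except StopIteration:
        raise ValueError(f"{vpc_cidr} cannot hold {2 * len(azs)} /{new_prefix} subnets") from None
    return plan


def usable_hosts(subnet_cidr: str) -> int:
    """Addresses you can actually assign in a subnet of this size on AWS."""
    return ipaddress.ip_network(subnet_cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def check_plan(vpc_cidr: str, plan: Dict[str, Dict[str, str]]) -> bool:
    """True if every subnet lies inside the VPC and no two subnets overlap."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = [ipaddress.ip_network(c) for tiers in plan.values() for c in tiers.values()]
    inside = all(n.subnet_of(vpc) for n in nets)
    disjoint = all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])
    return inside and disjoint


if __name__ == "__main__":
    # Constructed input: a /16 VPC spread over two AZs.
    layout = plan_subnets("10.0.0.0/16", ["us-east-1a", "us-east-1b"])
    for az, tiers in layout.items():
        print(az, tiers, f"({usable_hosts(tiers['private'])} usable hosts per subnet)")
    print("valid:", check_plan("10.0.0.0/16", layout))
```

With the constructed /16 and two AZs, `us-east-1a` gets `10.0.0.0/24` (public) and `10.0.1.0/24` (private), `us-east-1b` gets `10.0.2.0/24` and `10.0.3.0/24`, and each /24 leaves 251 assignable addresses. Leaving the rest of the /16 unallocated is deliberate: it gives room to add AZs or an extra tier later without renumbering.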

For security reasons and proper mobile app architecture I would not give the mobile client direct access to the database. Just one compromised machine and your data is gone, corrupted or stolen.

  1. Set up an API that the mobile client reaches out to for data requests.
  2. Give only the API access to the database.
  3. Have the mobile client use something like Cognito to access resources.

Here is a reference architecture from AWS for a mobile web app.

Also a paper on how to create a backend for a mobile application.

For securely connecting to the database I would use a software VPN, allow only your IP to connect to it, and then allow only connections from the private IP of that VPN to the database. VPC design considerations here. I personally use OpenVPN; it is free for 2 concurrent users, minus EC2 time.

As far as VPC subnet design goes, the database instance should always be placed in private subnets, and the API in public subnets exposed over HTTPS. AWS Certificate Manager is free to use with ELBs/ALBs.
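The two rules this answer lays down for the database (only the API may reach it, and only the VPN host's private IP for admin access) are easy to state and easy to get wrong in a security group, so here is an added audit script, not code from the answer, that checks an RDS security group against them. The rule dictionaries are constructed in the shape `boto3`'s `describe_security_groups()` returns; the group IDs, the VPN address and the PostgreSQL port are made-up sample values.

```python
"""Audit an RDS security group: the database port may be reached only from
the API's security group and the VPN host's private IP, never from
0.0.0.0/0 or ::/0, and never via an all-traffic rule.

Added example, not code from the answer above. The dictionaries follow the
shape of boto3 describe_security_groups() output; IDs and IPs are constructed.
"""
import ipaddress
from typing import List, Set

DB_PORT = 5432  # assumption: PostgreSQL; MySQL/MariaDB would be 3306


def _covers_db_port(perm: dict) -> bool:
    """True if an IpPermission entry lets traffic reach DB_PORT."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "-1" is how the AWS API expresses all protocols/ports
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= DB_PORT <= perm.get("ToPort", 65535)


def audit_db_ingress(sg: dict, allowed_sg_ids: Set[str], allowed_cidrs: Set[str]) -> List[str]:
    """Return one finding per ingress source that should not reach the database."""
    findings: List[str] = []
    for perm in sg.get("IpPermissions", []):
        if not _covers_db_port(perm):
            continue
        if perm.get("IpProtocol") == "-1":
            findings.append(f"rule allows all protocols/ports; restrict it to tcp/{DB_PORT}")
        for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
            if cidr not in allowed_cidrs:
                findings.append(f"CIDR {cidr} may reach port {DB_PORT}; only the VPN host's private IP should")
            elif not ipaddress.ip_network(cidr).network_address.is_private:
                findings.append(f"allowed CIDR {cidr} is not a private address; use the VPN's private IP")
        for pair in perm.get("UserIdGroupPairs", []):
            gid = pair.get("GroupId")
            if gid not in allowed_sg_ids:
                findings.append(f"security group {gid} may reach port {DB_PORT}; only the API's group should")
    return findings


# Constructed sample values (not real AWS resources).
API_SG_ID = "sg-0api0example"
VPN_HOST_IP = "10.0.0.10/32"  # private IP of the VPN instance in the public subnet

# The 'before': database port open to the whole internet.
OPEN_DB_SG = {
    "GroupId": "sg-0db00example",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": DB_PORT, "ToPort": DB_PORT,
                       "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
                       "UserIdGroupPairs": []}],
}

# The 'after': only the API's security group and the VPN host.
LOCKED_DB_SG = {
    "GroupId": "sg-0db00example",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": DB_PORT, "ToPort": DB_PORT,
                       "IpRanges": [{"CidrIp": VPN_HOST_IP}], "Ipv6Ranges": [],
                       "UserIdGroupPairs": [{"GroupId": API_SG_ID}]}],
}

if __name__ == "__main__":
    for name, sg in (("open", OPEN_DB_SG), ("locked", LOCKED_DB_SG)):
        print(name, audit_db_ingress(sg, {API_SG_ID}, {VPN_HOST_IP}) or ["ok"])
```

Run against real output, pass the `SecurityGroups` entry for the RDS group to `audit_db_ingress` with the API's group ID and the VPN host's private /32 as the allow-lists; an empty list means the group matches the layout described above. Referencing the API's security group rather than its IP is what keeps the rule valid when the API scales or is replaced.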
