
Hit an EC2 instance in another account from an AWS Lambda function

We have a Lambda function in an account and we would like to access an EC2 instance (via HTTP) in another VPC which has a public IP attached. I was wondering what would be the best way to perform this communication. I am new to Lambda and I just got to know of the VPC Lambdas. Which CIDRs do I need to open on the Security Group on the EC2 instance? Can I have a specific set of public IPs being picked in the source VPC - this way I can whitelist that range in the SG?

Does VPC peering seem like an overhead for this case, or is it the only possible solution?

It all depends on your requirements. However, peering those VPCs is the best way to have the traffic remain in your trusted private subnets, which are located inside the internal trust boundaries and satisfy security best practices (threat/security models and cloud/network architecture).

If there is an enterprise policy with strict rules that communication shall not be routed via DMZ/public Internet and it is a must to keep things within the trusted boundary of internal routes, I don't see any other choice but to go with VPC peering: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/peer-with-vpc-in-another-account.html

However, if requirements are less strict and you can use the public Internet to forward your traffic out via the DMZ, it is possible to achieve this without sacrificing too much security (assuming that your EC2 with a public IP in the other account is providing service over SSL/TLS, where your Lambda can communicate with it over an encrypted communication channel while validating the EC2's certificate).

This could be achieved by having the Lambda associated with an internal subnet of your VPC to talk to the EC2 of the other account with a public IP: https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html

Yes, you can still have your Lambda remaining inside the internal subnet. But you need a NAT Gateway, and to update the routing table of the Lambda's internal subnet to point to the NAT Gateway (which should be assigned an EIP), i.e. it will subsequently point to your Internet Gateway. By this you will make sure that your Lambda, which is located in the private subnet of your VPC, can talk with the outside, i.e. with the EC2 instance located in another account with a public IP. Therefore you can whitelist one IP in the Security Groups of your EC2 in the other account, which is the EIP of your NAT Gateway that the Lambda or any other internal components in that subnet will use to find their way out to the Internet.
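As an added example (not code from the question or the answer above), the allowlisting step in the answer expressed as data: build the security-group ingress entry that admits only the NAT Gateway's EIP as a /32 on the TLS port, and audit an existing rule set for anything wider than those EIPs. The EIP `203.0.113.10`, the sample rules and the function names are constructed assumptions; the dicts use the `IpPermissions` shape that boto3's `authorize_security_group_ingress` accepts, but no AWS call is made.

```python
"""Build and audit the EC2 security-group ingress rule for Lambda traffic
that leaves a private subnet through a NAT Gateway (added example).

Assumptions: NAT EIPs and sample rules below are constructed values; the
rule dicts follow boto3's IpPermissions layout; nothing talks to AWS."""
import ipaddress


def nat_eip_ingress(nat_eips, port=443, description="Lambda egress via NAT GW"):
    """Return one IpPermissions entry allowing TCP `port` from each NAT EIP as a /32."""
    ranges = []
    for eip in nat_eips:
        ip = ipaddress.ip_address(eip)  # raises ValueError on malformed input
        if ip.version != 4:
            raise ValueError(f"NAT Gateway EIPs are IPv4, got {eip}")
        ranges.append({"CidrIp": f"{ip}/32", "Description": description})
    return [{"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
             "IpRanges": ranges}]


def audit_ingress(permissions, nat_eips):
    """Return the CIDRs in `permissions` that admit more than the NAT EIPs.

    Any range that is not exactly one of the expected EIP /32s is reported,
    so both 0.0.0.0/0 and an unrelated /32 show up as findings."""
    allowed = {ipaddress.ip_network(f"{e}/32") for e in nat_eips}
    findings = []
    for perm in permissions:
        for rng in perm.get("IpRanges", []):
            net = ipaddress.ip_network(rng["CidrIp"], strict=False)
            if net not in allowed:
                findings.append(rng["CidrIp"])
    return findings


# Constructed sample: one NAT Gateway EIP, and a pre-existing SG that was
# opened to the world before the NAT EIP rule was added.
NAT_EIPS = ["203.0.113.10"]
EXISTING_SG = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "203.0.113.10/32"}]},
]

if __name__ == "__main__":
    print(nat_eip_ingress(NAT_EIPS))
    print(audit_ingress(EXISTING_SG, NAT_EIPS))  # ['0.0.0.0/0']
```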
