
Configuring internal network load balancer with EC2 instance in private VPC

I created an internal network load balancer (NLB) to connect to EC2 instances on a private subnet. I want to restrict access to the EC2 instances only from the network load balancer. I used these instructions https://docs.aws.amazon.com/elasticloadbalancing/latest/network/target-group-register-targets.html#target-security-groups but it did not work.

Basically, I added the IP address of the network interface of the NLB to the security group with my specific port (e.g. 8080 10.4.2.9/32) allowed, but that did not work. When I switched to allow all (e.g. 8080 0.0.0.0/32) it worked, but I do not want other instances to have access to the EC2 instance.

Any ideas on why this is not working? Thanks

For what you are trying to accomplish, NLB is the wrong load balancer.

NLB is a layer 4 load balancer. This means that the IP address that you see (at the EC2 instance) is the IP address of the client and not the IP address of the load balancer. With NLB you must allow the client's IP address in your security group.

You want a layer 7 load balancer to implement what you want to do (block other systems in your VPC from accessing your EC2 instances directly). This means ALB or the classic ELB.

If you're using a Network Load Balancer, update the security groups for your target instances, because Network Load Balancers do not have associated security groups.

  • If your target type is an IP, add a rule to your security group to allow traffic from your load balancer to the target IP.

  • If your target type is an instance, add a rule to your security group to allow traffic from your load balancer and clients to the target IP.

  • You can allow traffic in the EC2 instance security group. As your instance is in a private subnet, you need to launch the load balancer in the same region but in a public subnet.
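The two answers above come down to one rule-evaluation fact: with NLB the target's security group sees the client's source IP (plus the NLB node for health checks), so a rule that admits only the NLB ENI drops client traffic. The following model is an added example, not code from the question or the answers; the addresses (NLB ENI 10.4.2.9, clients in 10.4.1.0/24) are constructed, and the evaluator is a simplified stand-in for AWS security-group matching.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    port: int
    cidr: str  # source CIDR admitted inbound on `port`


def allows(rules, src_ip, port):
    """True if any inbound rule admits src_ip -> port (security groups are allow-only)."""
    ip = ipaddress.ip_address(src_ip)
    return any(r.port == port and ip in ipaddress.ip_network(r.cidr, strict=False)
               for r in rules)


def check_flows(rules, flows):
    """Evaluate each expected (name, src_ip, port) flow against the rule set."""
    return {name: allows(rules, src, port) for name, src, port in flows}


def too_broad(rules):
    """Rules admitting every IPv4 source, i.e. the 'allow all' fallback from the question."""
    return [r for r in rules
            if ipaddress.ip_network(r.cidr, strict=False).num_addresses == 2 ** 32]


# Constructed addresses (assumptions, not from the page).
NLB_ENI = "10.4.2.9"     # the NLB node's network interface in the private subnet
CLIENT = "10.4.1.20"     # a client elsewhere in the VPC sending requests via the NLB

# What an instance target actually sees: client IP is preserved, health checks come from the node.
FLOWS = [
    ("client request via NLB", CLIENT, 8080),
    ("NLB health check", NLB_ENI, 8080),
]

# The question's first attempt: only the NLB ENI. Health checks pass; client requests are dropped.
NLB_ONLY = [Rule(8080, "10.4.2.9/32")]
# What the answers recommend: admit the intended clients (here their subnet) plus the NLB node.
CLIENTS_AND_NLB = [Rule(8080, "10.4.1.0/24"), Rule(8080, "10.4.2.9/32")]
# The fallback that "worked", in standard CIDR form: every source in (and beyond) the VPC.
ALLOW_ALL = [Rule(8080, "0.0.0.0/0")]

if __name__ == "__main__":
    for label, rules in [("nlb-only", NLB_ONLY), ("clients+nlb", CLIENTS_AND_NLB),
                         ("allow-all", ALLOW_ALL)]:
        print(label, check_flows(rules, FLOWS), "too broad:", too_broad(rules))
```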

Know about your use case first.

Best use cases for Network Load Balancer:

  • When you need to seamlessly support spiky or high-volume inbound TCP requests.
  • When you need to support a static or elastic IP address.
  • If you are using container services and/or want to support more than one port on an EC2 instance. NLB is especially well suited to ECS (the Amazon EC2 Container Service).

security-group-load-balancer

new-network-load-balancer-effortless-scaling-to-millions-of-requests-per-second

what-is-a-network-load-balancer
