[英]Access to AWS Elasticsearch from my VPN is not working when providing IP-based Access Policy
I have an Elasticsearch domain in AWS. 我在AWS中有一个Elasticsearch域。 I have created a IP-based access policy and am trying to provide all my VPN CIDR blocks there so that I can let all the machines in this VPN access Elasticsearch and Kibana and run some curl commands on Elasticsearch domain.
我创建了一个基于IP的访问策略,并试图在此提供我的所有VPN CIDR块,以便我可以让该VPN中的所有计算机访问Elasticsearch和Kibana并在Elasticsearch域上运行一些curl命令。
I tried my IP address from ipconfig -> Doesn't work 我从ipconfig尝试了我的IP地址->不起作用
I tried my IP address from Google (Public IP Adrees) -> Works 我尝试从Google(公共IP Adrees)访问我的IP地址-> Works
I tried my VPN CIDR Blocks => Doesn't work 我尝试了我的VPN CIDR阻止=>不起作用
"Condition": {
"IpAddress": {
"aws:SourceIp": "x.x.x.x/16"
}
}
The IP addresses should be an array IP地址应为数组
"Condition": {
"IpAddress": {"aws:SourceIp": ["youip1/32"]}
}
and also I am wondering if you missed resouices in the policy 而且我想知道您是否错过了政策中的资源
"Resource": "arn:aws:es:us-west-2:${data.aws_caller_identity.user.account_id}:domain/test/*",
Here is the working example that you can try 这是您可以尝试的工作示例
# Creating ElasticSearch Domain with Policy
resource "aws_elasticsearch_domain" "test-domain" {
domain_name = "testes"
elasticsearch_version = "6.7"
cluster_config {
instance_type = "t2.small.elasticsearch"
instance_count = 2
}
ebs_options {
ebs_enabled = true
volume_size = 10
volume_type = "standard"
}
snapshot_options {
automated_snapshot_start_hour = 23
}
access_policies = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "es:*",
"Principal": "*",
"Effect": "Allow",
"Resource": "arn:aws:es:${var.region}:${data.aws_caller_identity.user.account_id}:domain/testes/*",
"Condition": {
"IpAddress": {"aws:SourceIp": ["VPN_public_IP/32", "1.2.3.4/32"]}
}
}
]
}
POLICY
tags = {
Domain = "testes-tag"
}
}
Also, double-check VPN config, does it route all traffic or specific and verify VPN IP as you verified your local IP from google. 另外,请仔细检查VPN配置,它是否路由所有流量或特定流量,并在您从Google验证本地IP时验证VPN IP。 Connect with VPN and check you IP add that IP in the policy.
连接到VPN并检查您的IP在策略中添加该IP。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.