
Access to AWS Elasticsearch from my VPN is not working when providing IP-based Access Policy

I have an Elasticsearch domain in AWS. I have created an IP-based access policy and am trying to provide all my VPN CIDR blocks there so that I can let all the machines in this VPN access Elasticsearch and Kibana and run some curl commands on the Elasticsearch domain.

I tried my IP address from ipconfig -> Doesn't work
I tried my IP address from Google (Public IP Address) -> Works
I tried my VPN CIDR Blocks -> Doesn't work

"Condition": {
    "IpAddress": {
        "aws:SourceIp": "x.x.x.x/16"
    }
}

The IP addresses should be an array

      "Condition": {
        "IpAddress": {"aws:SourceIp": ["youip1/32"]}
      }

and also I am wondering if you missed resources in the policy

  "Resource": "arn:aws:es:us-west-2:${data.aws_caller_identity.user.account_id}:domain/test/*",

Here is the working example that you can try

# Creating ElasticSearch Domain with Policy
resource "aws_elasticsearch_domain" "test-domain" {
  domain_name           = "testes"
  elasticsearch_version = "6.7"

  cluster_config {
    instance_type  = "t2.small.elasticsearch"
    instance_count = 2

  }

  ebs_options {
    ebs_enabled = true
    volume_size = 10
    volume_type = "standard"
  }

  snapshot_options {
    automated_snapshot_start_hour = 23
  }

  access_policies = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "es:*",
      "Principal": "*",
      "Effect": "Allow",
      "Resource": "arn:aws:es:${var.region}:${data.aws_caller_identity.user.account_id}:domain/testes/*",
      "Condition": {
        "IpAddress": {"aws:SourceIp": ["VPN_public_IP/32", "1.2.3.4/32"]}
      }
    }
  ]
}
POLICY

  tags = {
    Domain = "testes-tag"
  }
}

Also, double-check the VPN config: does it route all traffic or only specific traffic? Verify the VPN IP the same way you verified your local IP from Google. Connect with the VPN, check your IP, and add that IP to the policy.
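To see why the ipconfig address fails while the Google-reported address works, here is an added example (not code from the question or the answer) that evaluates a source address against the policy's aws:SourceIp condition the way the domain endpoint would: it accepts the condition as either a string or a list (both are valid IAM syntax), and it flags RFC1918/link-local addresses, which never reach the endpoint because requests egress from the VPN's public address. The account id and IP ranges in the sample policy are constructed placeholders.

```python
import ipaddress
import json

# Constructed sample policy in the shape of the answer's Terraform heredoc,
# with the template variables replaced by placeholder values.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Action": "es:*",
    "Principal": "*",
    "Effect": "Allow",
    "Resource": "arn:aws:es:us-west-2:123456789012:domain/testes/*",
    "Condition": {
      "IpAddress": {"aws:SourceIp": ["203.0.113.10/32", "198.51.100.0/24"]}
    }
  }]
}
""")

# Ranges a host reports from ipconfig/ifconfig when it sits behind a VPN or
# NAT. The domain endpoint never sees these, only the public egress address.
RFC1918_AND_LINK_LOCAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


def allowed_networks(policy):
    """Collect aws:SourceIp values from Allow statements (string or list)."""
    nets = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        values = stmt.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp", [])
        if isinstance(values, str):  # IAM allows a bare string as well as a list
            values = [values]
        nets.extend(ipaddress.ip_network(v, strict=False) for v in values)
    return nets


def check_source_ip(policy, source_ip):
    """Return (allowed, reason) for a request arriving from source_ip."""
    ip = ipaddress.ip_address(source_ip)
    if any(ip in net for net in RFC1918_AND_LINK_LOCAL):
        return (False, "private address; the endpoint sees the VPN egress IP instead")
    for net in allowed_networks(policy):
        if ip in net:
            return (True, "matches %s" % net)
    return (False, "not in any aws:SourceIp range")
```

Run `check_source_ip(SAMPLE_POLICY, "<address>")` with the ipconfig address and then with the Google-reported address to reproduce the two outcomes from the question.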
