堆栈内存溢出
  简体   繁体   English

AWS VPC - 添加到附加到 Internet 网关的公共路由表的私有子网

[英]AWS VPC - Private subnet added to the public route table attached to internet gateway

 原文  2019-12-25 01:19:50       amazon-web-services/ amazon-vpc

问题描述

Hope you are all doing good.希望你们都做得很好。

AWS allows us to attach a private subnet (created in a Customer VPC) with a route table having route to the internet via internet gateway. AWS 允许我们将私有子网(在客户 VPC 中创建)与路由表连接,该路由表通过互联网网关路由到互联网。 Does it make any difference to the instance launched in the private sub-net?对私有子网中启动的实例有什么影响吗? or it is as good as having the private subnet not linked to the route table having route to the internet或者它与没有链接到路由表的私有子网一样好,路由到互联网

Regards AJ问候 AJ

3 个解决方案

解决方案1
 0 已采纳  2019-12-25 03:32:38

A subnet is not private if it has routes to/from the internet.如果子网具有往返 Internet 的路由,则该子网不是私有的。 The instances launched in a private subnet cannot access the internet and cannot be reached from the internet.在私有子网中启动的实例无法访问 Internet,也无法从 Internet 访问。

For eg if you have a database instance and you don't want anyone but the instances to access the instance, you can launch the instance in the private subnets.例如,如果您有一个数据库实例并且您不希望除了实例之外的任何人访问该实例,您可以在私有子网中启动该实例。

Also if you want the instances in the private subnet to access internet, you need to setup a Nat Gateway (or a Nat Instance)此外,如果您希望私有子网中的实例访问 Internet,则需要设置 Nat 网关(或 Nat 实例)

Hope this helps希望这可以帮助

解决方案2
 0  2019-12-25 04:08:50

First, we need to know what's the difference between a public subnet and a private subnet.首先,我们需要知道公有子网和私有子网有什么区别。


Public Subnet means this subnet has an Internet Gateway attached to it.公共子网意味着这个子网有一个Internet Gateway连接到它。 Private Subnet means this subnet has a NAT Gateway attached to it.私有子网意味着这个子网有一个NAT Gateway连接到它。

And the Internet Gateway can have both inbound and outbound but the NAT only can have outbound to the Internet. Internet 网关可以有入站和出站,但 NAT 只能有出站到 Internet。



And A NAT will be built in a public subnet but attach to a private subnet.并且 NAT 将构建在公共子网中,但附加到私有子网。


You can have lots of public/private subnets at the same time and attached NAT or IGW for them, but the IGW only can have one in each VPC.您可以同时拥有多个公有/私有子网,并为它们附加 NAT 或 IGW,但 IGW 在每个 VPC 中只能有一个。

In some use cases, we will not attach any kinds of NAT and IGW for a subnet.在某些用例中,我们不会为子网附加任何类型的 NAT 和 IGW。 that's because it might be a database subnet and won't expect it to communicate with the Internet.那是因为它可能是一个数据库子网,不会期望它与 Internet 通信。 Normally, we will use a subnet with NAT attached for our application such as EC2 or ECS, Internal Load Balancers.通常,我们会为我们的应用程序(例如 EC2 或 ECS、内部负载均衡器)使用附加了 NAT 的子网。 On the other hand, we will use a subnet with IGW attached for Internet-facing Load balancers, Nginx, Apache.另一方面,我们将使用一个带有 IGW 的子网,用于面向 Internet 的负载均衡器、Nginx、Apache。

AWS VPC Design: https://aws.amazon.com/tw/answers/networking/aws-single-vpc-design/ AWS VPC 设计: https : //aws.amazon.com/tw/answers/networking/aws-single-vpc-design/

解决方案3
 0  2021-11-04 18:15:49

I think the hidden magic here is that the instance in the private subnet needs a public IP to communicate with outside, we never ever think this an issue in our lives.我认为这里隐藏的魔法是私有子网中的实例需要一个公共 IP 来与外部通信,我们从来没有认为这是我们生活中的问题。 When our computer connect to the router, it get access to internet without any issue, why it works so smoothly?当我们的计算机连接到路由器时,它可以毫无问题地访问互联网,为什么它运行得如此顺利? All because the router handles everything for us, including allocating a private IP for us, making recursively DNS query for us, and the most important, translating the private IP using the router's public IP so that our computer can communicate with the outside bidirectionally.因为路由器为我们处理一切,包括为我们分配私有IP,为我们进行递归DNS查询,最重要的是,使用路由器的公共IP转换私有IP,以便我们的计算机可以与外部进行双向通信。

Let's go back to this AWS VPC scenario, you attached a route table with a default route to the Internet Gateway to your private subnet, which makes it looks like a public subnet.让我们回到这个 AWS VPC 场景,您将一个带有默认路由的路由表附加到您的私有子网,这使它看起来像一个公共子网。 However, the instances still have no public IPs, and, not like our router, the Internet Gateway of AWS VPC doesn't do NAT works!但是,实例仍然没有公共 IP,并且与我们的路由器不同,AWS VPC 的 Internet 网关不执行 NAT 工作! So how can an instance with no public IP and no NAT access the internet?那么没有公网IP和NAT的实例如何访问互联网呢? It's impossible.不可能。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 AWS VPC专用/公共子网 - AWS VPC Private/Public Subnet AWS vpc从公共子网访问Internet - AWS vpc access the Internet from public subnet AWS VPC 识别私有和公共 su.net - AWS VPC identify private and public subnet AWS VPC 子网路由表最佳实践 - AWS VPC subnet route table best practices 带有 NAT 网关和 VPC PrivateLink 的 AWS 私有子网:将使用哪一个? - AWS private subnet with NAT gateway and VPC PrivateLink: which one will be used? Cloudformation:没有Internet路由的VPC路由表 - Cloudformation: VPC Routing table with No Route for Internet Gateway 是否可以将EMR群集启动到没有公共IP的私有VPC子网中,而该公共IP无法通过公共子网中的NAT实例访问Internet? - Can an EMR cluster be launched into a private VPC subnet with no public IPs that accesses the internet through a NAT instance in a public subnet? AWS Elastic IP 网络 vpc 未附加到任何 inte.net 网关 - AWS Elastic IP Network vpc is not attached to any internet gateway AWS公共子网VPC通信 - AWS public subnet VPC communication 是什么让子网成为 AWS VPC 中的私有子网? - What makes a subnet into a private subnet in AWS VPC?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM