AWS 如何为 VPC 使用公共 IPV4 地址范围并将它们作为私有 IP 地址分配给它的资源,如 EC2s
[英]How can AWS use public IPV4 address range for a VPC and assign them as private IP addresses to its resources like EC2s
问题描述
We all know that there are reserved IP range CIDR from the entire pool of IPV4 address range that is 2^32 (0.0.0.0 and 255.255.255.255) and that range includes 10.0.0.0/8 (10.0.0.0 - 10.255.255.255) 172.16.0.0/12 (172.16.0.0 - 172.31.255.255) 192.168.0.0/16 (192.168.0.0 - 192.168.255.255)
我们都知道在 2^32(0.0.0.0 和 255.255.255.255)的整个 IPV4 地址范围池中保留了 IP 范围 CIDR,该范围包括 10.0.0.0/8(10.0.0.0 - 10.255.255.255) 172.16.0.0/12 (172.16.0.0 - 172.31.255.255) 192.168.0.0/16 (192.168.0.0 - 192.168.255.255)
So if any organization were to set up its LAN (intr.net), it can only use one of the above three.所以如果任何组织要建立它的局域网(intr.net),它只能使用以上三种之一。
But when it comes to AWS or any cloud provider, it seems they allow to create VPC using public IPV4 CIDR range which means any instance created in a private/public su.net in that VPC can default to a private IP address that can still actually be a public routable address outside of the above reserved private pool.但是当谈到 AWS 或任何云提供商时,他们似乎允许使用公共 IPV4 CIDR 范围创建 VPC,这意味着在该 VPC 中的私有/公共 su.net 中创建的任何实例都可以默认为私有 IP 地址,该地址实际上仍然可以是上述保留专用池之外的公共可路由地址。
As stated under https://docs.aws.amazon.com/vpc/latest/userguide/vpc-ip-addressing.html "We refer to private IP addresses as the IP addresses that are within the IPv4 CIDR range of the VPC. Most VPC IP address ranges fall within the private (non-publicly routable) IP address ranges specified in RFC 1918; however, you can use publicly routable CIDR blocks for your VPC. Regardless of the IP address range of your VPC, we do not support direct access to the Inte.net from your VPC's CIDR block, including a publicly-routable CIDR block" So my question is how does AWS do this.如https://docs.aws.amazon.com/vpc/latest/userguide/vpc-ip-addressing.html所述,“我们将私有 IP 地址称为 VPC 的 IPv4 CIDR 范围内的 IP 地址。大多数 VPC IP 地址范围属于 RFC 1918 中指定的私有(非公共可路由)IP 地址范围;但是,您可以为您的 VPC 使用可公开路由的 CIDR 块。无论您的 VPC 的 IP 地址范围如何,我们都不支持从 VPC 的 CIDR 块直接访问 Inte.net,包括可公开路由的 CIDR 块”所以我的问题是 AWS 是如何做到这一点的。 I know DHCP/routing etc have their own mechanism, but how is it allowed to even choose a global public IPV4 address (WAN address pool) as private address inside its VPC.我知道 DHCP/路由等有自己的机制,但如何允许它甚至选择全球公共 IPV4 地址(WAN 地址池)作为其 VPC 内的私有地址。 How does IETF/IANA allow that. IETF/IANA 如何允许这样做。 Also if i were to set up my private home.network why can't i then choose for my LAN those public IPV4 address range as oppossed to 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.此外,如果我要设置我的私人家庭网络,为什么我不能为我的局域网选择那些公共 IPV4 地址范围,而不是 10.0.0.0/8、172.16.0.0/12 和 192.168.0.0/16。
I do understand that choosing public ips have their own risks since then if they conflict with actual ones on the inte.net i won't be able to browse those public sites from my private.network.我明白选择公共 ips 有其自身的风险,如果它们与 inte.net 上的实际 ips 冲突,我将无法从我的 private.network 浏览那些公共站点。 But then how does AWS manage this.但是 AWS 如何管理这个。 Is it that it gives it the acronym as private IP and so if the same corresponding public ip is hit it will still resolve it as public and render you the site (i mean directly hitting the site public IP) or will it not see that its my own private ip and resolve it through its own private DNS是不是它给它的首字母缩写词是私有的 IP,所以如果相同的对应公共 ip 被击中,它仍然会把它解析为公开的并呈现给你这个网站(我的意思是直接点击该网站的公共 IP)或者它不会看到它我自己的私人 ip 并通过自己的私人 DNS 解决它
2 个解决方案
解决方案1
0 已采纳 2020-06-12 14:27:47
In case you choose a global public IPV4 (outside of reserved pool) as your EC2 private address, the routing tables for the su.net where the EC2 resides will decide how to resolve it and in that case the order of precedence would be how the route tables are set up.如果您选择全球公共 IPV4(在保留池之外)作为您的 EC2 私有地址,EC2 所在的 su.net 的路由表将决定如何解析它,在这种情况下,优先顺序将是路由表已设置。 So usually its like:- Destination (your VPC CIDR) Target local所以通常它是这样的:- Destination (your VPC CIDR) Target local
So the moment you hit that private IP from your.network, the route table will see its a local VPC IP and resolve it to that EC2 private DNS, so you won't be able to resolve that to the actual global IP.因此,当您从您的网络访问私有 IP 时,路由表将看到其本地 VPC IP 并将其解析为 EC2 私有 DNS,因此您将无法将其解析为实际的全局 IP。
解决方案2
0 2021-07-11 01:58:18
I know the question is getting dated but...我知道这个问题已经过时了,但是......
As the doc's say - AWS won't advertise these route (unlike BYOIP where they do advertise those routes) - so AWS can't route to them.正如文档所说 - AWS 不会公布这些路由(与 BYOIP 不同,他们确实会公布这些路由) - 因此 AWS 无法路由到它们。
The VPC FAQ explains you have to route to them over a site-to-site VPN or Direct Connect. VPC 常见问题解答说明您必须通过站点到站点 VPN 或 Direct Connect 路由到它们。
So you'll have to advertise these CIDRs from your Data center, and do the routing to these over the VPN to the VPC.因此,您必须从您的数据中心公布这些 CIDR,并通过 VPN 将这些 CIDR 路由到 VPC。
I don't know if a NAT gateway would work or not for outgoing.我不知道 NAT 网关是否适用于传出。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.