
What IP addresses do I allow in an EC2 Security group to allow Client VPN traffic through?

I have an AWS Client VPN set up so that people who can connect to the VPN can access our EC2 servers on the same VPC. Some users are reporting they cannot connect to the services while on the VPN, while others can.

I can do a ping {{address_of_ec2_instance}} in the terminal and get a response, but another user connected to the same VPN will get a timeout with the exact same command, and the same IP resolved. When they go to https://www.whatismyip.com/ , they report being connected to the same ISP and location.

The only thing I can speculate is that maybe I haven't allowed the proper port range on the EC2 Security Settings, and some users are within the port range but others are not. How do I determine what port range to forward, given a Client VPN Endpoint?

When you launch a Client VPN you will provide a Client IPv4 CIDR range. When connecting to this you will be given an IP address from this range (which is treated as the private IP address when connecting).

For any private IP connections the source IP will come from this range (and as you're using a Client VPN you should connect using the private IP over the public one, to keep network transit through the tunnel).

If you connect via the public IP address you will need to consider whether you want all traffic or just private traffic to go through the Client VPN. By enabling split-tunnel you will be using the public IP address of your on-premises network, otherwise you will be using a public IP address from Amazon's pool of servers.

As a side note, if you're ever trying to debug connection failures you can make use of VPC Flow Logs.
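The practical consequence of the answer above is that the security group has to allow the whole Client IPv4 CIDR as the source, because every VPN user lands somewhere in that range; a rule that only covers part of it produces exactly the "some users can ping, others time out" symptom in the question. The following script is an added example, not code from the original question or answer: it takes inbound rules in the IpPermissions shape that `aws ec2 describe-security-groups` returns, computes which addresses of the client CIDR are still not allowed for a given protocol and port, and proposes the single rule that closes the gap. The security group contents and the CIDR 10.100.0.0/22 are constructed sample data; substitute your own endpoint's CIDR and the real `describe-security-groups` output.

```python
"""Check whether an EC2 security group's inbound rules cover the Client VPN CIDR.

Added example (not from the original question or answer). Rules are modelled as
plain dicts in the IpPermissions shape returned by
`aws ec2 describe-security-groups --group-ids sg-...`, so it runs offline on the
constructed sample below; in practice feed it the real output.
"""
import ipaddress

# Constructed sample: the Client IPv4 CIDR chosen when the Client VPN endpoint was
# created (hypothetical value; substitute the CIDR from your own endpoint).
CLIENT_VPN_CIDR = "10.100.0.0/22"

# Constructed sample security group. ICMP is allowed only from the first /23 of the
# client range, so users who get an address in the second /23 time out on ping
# while others succeed: the symptom described in the question.
SAMPLE_SG_INGRESS = [
    {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
     "IpRanges": [{"CidrIp": "10.100.0.0/23"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "10.100.0.0/22"}]},
]


def rule_matches(rule, protocol, port):
    """True if an IpPermissions entry covers this protocol/port ("-1" means all)."""
    if rule["IpProtocol"] not in (protocol, "-1"):
        return False
    if rule["IpProtocol"] == "-1" or protocol == "icmp":
        return True  # all-traffic rule, or ICMP where From/ToPort are type/code
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def uncovered_client_addresses(ingress, client_cidr, protocol, port):
    """Return the parts of client_cidr that no matching ingress rule allows.

    Every VPN user gets a source IP somewhere in client_cidr, so any gap here is
    a set of users who will time out against this service while on the VPN.
    """
    remaining = [ipaddress.ip_network(client_cidr)]
    for rule in ingress:
        if not rule_matches(rule, protocol, port):
            continue
        for entry in rule.get("IpRanges", []):
            allowed = ipaddress.ip_network(entry["CidrIp"])
            next_remaining = []
            for net in remaining:
                if net.subnet_of(allowed):
                    continue  # this block is fully covered by the rule
                if allowed.subnet_of(net):
                    # carve the allowed block out, keep the rest as uncovered
                    next_remaining.extend(net.address_exclude(allowed))
                else:
                    next_remaining.append(net)  # disjoint: still uncovered
            remaining = next_remaining
    return sorted(str(n) for n in remaining)


def suggested_rule(client_cidr, protocol, port):
    """The single ingress rule that closes the gap: allow the whole client CIDR."""
    return {"IpProtocol": protocol, "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": client_cidr}]}


if __name__ == "__main__":
    for proto, port in (("icmp", -1), ("tcp", 443), ("tcp", 22)):
        gaps = uncovered_client_addresses(SAMPLE_SG_INGRESS, CLIENT_VPN_CIDR, proto, port)
        print(proto, port, "uncovered:", gaps or "none")
        if gaps:
            print("  add rule:", suggested_rule(CLIENT_VPN_CIDR, proto, port))
```

On the sample data, ICMP reports 10.100.2.0/23 as uncovered, TCP 443 is fully covered, and TCP 22 is not allowed from the client range at all. The check is about source addresses, not the "port range to forward" the question guesses at: the client's source port is irrelevant to the security group, so the fix is a source-CIDR rule per service port.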
