
Providing internet access to a private EC2 instance using a NAT instance

I was able to connect my private EC2 instance to the internet through a NAT instance. `wget google.com` was successful. But when I attached a NACL to my private subnet, I wasn't able to connect to the internet. Can anyone please tell me what is wrong with my NACL? 10.0.1.0/24 and 10.0.2.0/24 are the CIDRs of the public subnets (which hold the NAT instance).

private NACL inbound rule (screenshot)

private NACL outbound rule (screenshot)

Also, when I add a rule to accept all traffic from the internet, it works. Is it correct practice to add this rule?

Based on the comments.

The issue was due to blocking inbound internet traffic (0.0.0.0/0). From *Instances cannot access the internet* in the AWS docs, to enable internet access for the instance using NAT, the following must be ensured:

Ensure that the network ACLs that are associated with the private subnet and public subnets do not have rules that block inbound or outbound internet traffic. For the ping command to work, the rules must also allow inbound and outbound ICMP traffic.

Question from comments:

But just one question: how will whitelisting work in this case, if I only want to download certain libraries using the internet and not allow any API requests?

If you know the IP ranges of the public servers that these libraries are going to be downloaded from, then you could limit the internet traffic to only these ranges. But if the range is not fixed or is unknown, you have to allow all (0.0.0.0/0) internet traffic in the rules.

Generally, security groups are used as the primary way of controlling network traffic. NACLs are good due to their denying ability. Security groups can't explicitly deny traffic, thus NACLs are helpful in cases where you want to explicitly deny some IPs. But in your case, you are only allowing traffic. Thus I think the use of the default NACLs would be sufficient and could be considered.
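The reason the asker's private-subnet NACL blocks `wget` even though the NAT instance is reachable is that NACLs are stateless: the reply from the web server comes back through the NAT instance with the *internet host's* source IP and the private instance's ephemeral port as destination, so an inbound rule set that only admits the two public subnets drops it. The following added example (not from the question, the answer, or AWS) models that stateless first-match evaluation in plain Python; it goes slightly beyond the answer by admitting 0.0.0.0/0 only on the ephemeral port range 1024-65535 rather than on all ports, which is an assumption about the hardened rule set, and all IPs, ports and rule numbers below are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int      # NACL rules are evaluated lowest number first; first match wins
    action: str      # "allow" or "deny"
    cidr: str        # remote CIDR: packet source for inbound, destination for outbound
    port_from: int   # inclusive destination-port range (protocol omitted: all TCP assumed)
    port_to: int


def evaluate(rules, remote_ip, port):
    """Stateless NACL evaluation: no connection tracking, implicit deny at the end."""
    addr = ipaddress.ip_address(remote_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if addr in ipaddress.ip_network(rule.cidr) and rule.port_from <= port <= rule.port_to:
            return rule.action
    return "deny"  # the implicit '*' rule


# Constructed approximation of the asker's private-subnet inbound rules:
# only the two public subnets named in the question (10.0.1.0/24, 10.0.2.0/24) get in.
ORIGINAL_INBOUND = [
    Rule(100, "allow", "10.0.1.0/24", 0, 65535),
    Rule(110, "allow", "10.0.2.0/24", 0, 65535),
]

# Hardened variant (assumption): replies to connections the private instance opened
# arrive with the internet host's source IP, so admit 0.0.0.0/0, but only on the
# ephemeral ports a client uses, not on service ports such as 22 or 80.
HARDENED_INBOUND = ORIGINAL_INBOUND + [Rule(120, "allow", "0.0.0.0/0", 1024, 65535)]


def http_reply_is_admitted(inbound_rules, server_ip="198.51.100.10", client_port=45678):
    """Does the reply to an outbound HTTP fetch (src = web server, dst = client's ephemeral port) get in?"""
    return evaluate(inbound_rules, server_ip, client_port) == "allow"


if __name__ == "__main__":
    # Same outbound fetch, two inbound rule sets: the original drops the reply (wget hangs),
    # the hardened one admits it while unsolicited SSH from the internet is still denied.
    print("original admits reply:", http_reply_is_admitted(ORIGINAL_INBOUND))   # False
    print("hardened admits reply:", http_reply_is_admitted(HARDENED_INBOUND))   # True
    print("internet -> port 22:", evaluate(HARDENED_INBOUND, "203.0.113.5", 22))  # deny
```

The outbound direction has the mirror-image requirement: the private subnet's outbound rules must allow traffic to 0.0.0.0/0 on the destination ports the downloads use, since the NAT instance's address is never substituted for the remote server's at the NACL level.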
