AWS EC2 instance in private subnet unable to connect to internet via NAT gateway
I have two EC2 instances, one on a public subnet (10.1.1.0/24) and one on a private subnet (10.1.2.0/24). The EC2 instance in the public subnet works fine with internet connectivity and configured services.

There is a NAT Gateway configured in the public subnet 10.1.1.0/24 with an Elastic IP. The default route on the private subnet is [0.0.0.0/0 --> NAT Gateway in public subnet].

I have a custom network ACL on the private subnet. What I observed is that when the source and destination for the inbound/outbound rules are set to 10.1.1.0/24 (public subnet), external connectivity breaks, but ssh works. Only when source/destination are set to 'any' does internet connectivity restore.

I am trying to understand what exact source/destination should be used in the network ACLs on the private subnet for internet connectivity to work.
To allow an instance in the private subnet to access the internet using the NAT gateway, your NACLs or SGs must allow internet traffic. The NAT does not change the internet traffic into private VPC traffic. So if you remove 0.0.0.0/0, the internet connectivity stops.

This is explained in the AWS docs on Instances cannot access the internet:

Ensure that the network ACLs that are associated with the private subnet and public subnets do not have rules that block inbound or outbound internet traffic.

Therefore, you must allow 0.0.0.0/0 (or some IP range if you want only part of the internet traffic) in your NACL and SG for the instances in the private subnet.

As a side note, generally NACLs are not modified, and the default settings are usually used. Instead, security groups are the first choice for controlling access to and from the instances.
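The stateless rule evaluation behind this answer, as an added example that is not part of the original post or of any AWS code: a small Python model of a VPC network ACL (rules evaluated in ascending rule-number order, first match wins, implicit final deny, each direction judged independently). It replays the asker's observation, a rule set scoped to 10.1.1.0/24 lets SSH from the public subnet through but breaks HTTPS to the internet, and then shows the corrected rule set, where the outbound request and the inbound reply on ephemeral ports both need 0.0.0.0/0 because the reply still carries the remote host's real address. The subnet CIDRs come from the question; the instance addresses, the 203.0.113.5 internet host, the rule numbers and the port ranges are constructed assumptions.

```python
"""Why a private subnet behind a NAT gateway needs 0.0.0.0/0 in its NACL.

Added example, not code from the original post or from AWS. A VPC network ACL
is evaluated per packet: rules in ascending rule-number order, first match wins,
implicit final deny. It is stateless, so the reply half of a connection is
judged on its own and still carries the remote peer's real internet address
(the NAT gateway rewrites only the private instance's address). All addresses,
rule numbers and ports are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    number: int     # lowest rule number is evaluated first
    protocol: str   # 'tcp', 'udp' or 'all'
    cidr: str       # source CIDR for inbound rules, destination CIDR for outbound
    port_from: int
    port_to: int
    action: str     # 'allow' or 'deny'

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str
    dst_port: int

def evaluate(rules, packet, direction):
    """Decide one packet in one direction ('inbound' or 'outbound')."""
    peer = packet.src if direction == 'inbound' else packet.dst
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ('all', packet.protocol):
            continue
        if ip_address(peer) not in ip_network(rule.cidr):
            continue
        if not rule.port_from <= packet.dst_port <= rule.port_to:
            continue
        return rule.action
    return 'deny'  # the implicit '*' rule at the end of every NACL

def connection_works(inbound, outbound, subnet, client, server, server_port, client_port):
    """A TCP connection needs BOTH its request and its reply packet allowed.
    Each packet is classified inbound/outbound relative to the NACL's subnet
    and evaluated statelessly against that rule set."""
    net = ip_network(subnet)
    request = Packet(client, server, 'tcp', server_port)
    reply = Packet(server, client, 'tcp', client_port)
    def allowed(pkt):
        direction = 'inbound' if ip_address(pkt.dst) in net else 'outbound'
        rules = inbound if direction == 'inbound' else outbound
        return evaluate(rules, pkt, direction) == 'allow'
    return allowed(request) and allowed(reply)

PRIVATE_SUBNET = '10.1.2.0/24'
PUBLIC_SUBNET = '10.1.1.0/24'
PRIVATE_INSTANCE = '10.1.2.10'  # constructed
BASTION = '10.1.1.20'           # constructed host in the public subnet
INTERNET_HOST = '203.0.113.5'   # constructed (TEST-NET-3 documentation range)

# The question's configuration: every rule scoped to the public subnet.
NARROW_INBOUND = [Rule(100, 'tcp', PUBLIC_SUBNET, 22, 22, 'allow'),
                  Rule(110, 'tcp', PUBLIC_SUBNET, 1024, 65535, 'allow')]
NARROW_OUTBOUND = [Rule(100, 'all', PUBLIC_SUBNET, 0, 65535, 'allow')]

# Corrected configuration: internet-bound requests and their replies use
# 0.0.0.0/0, while SSH stays restricted to the public subnet.
FIXED_INBOUND = [Rule(100, 'tcp', PUBLIC_SUBNET, 22, 22, 'allow'),      # SSH from bastion
                 Rule(110, 'tcp', '0.0.0.0/0', 1024, 65535, 'allow')]   # replies to outbound
FIXED_OUTBOUND = [Rule(100, 'tcp', '0.0.0.0/0', 443, 443, 'allow'),     # HTTPS via NAT
                  Rule(110, 'tcp', '0.0.0.0/0', 80, 80, 'allow'),       # HTTP via NAT
                  Rule(120, 'tcp', '0.0.0.0/0', 1024, 65535, 'allow')]  # replies to inbound SSH

def https_from_private(inbound, outbound):
    return connection_works(inbound, outbound, PRIVATE_SUBNET,
                            PRIVATE_INSTANCE, INTERNET_HOST, 443, 40000)

def ssh_from_bastion(inbound, outbound):
    return connection_works(inbound, outbound, PRIVATE_SUBNET,
                            BASTION, PRIVATE_INSTANCE, 22, 50000)

def unsolicited_ssh_from_internet(inbound):
    """0.0.0.0/0 on ephemeral ports does not open port 22 to the internet."""
    return evaluate(inbound, Packet(INTERNET_HOST, PRIVATE_INSTANCE, 'tcp', 22), 'inbound')

if __name__ == '__main__':
    for name, inb, outb in (('narrow', NARROW_INBOUND, NARROW_OUTBOUND),
                            ('fixed', FIXED_INBOUND, FIXED_OUTBOUND)):
        print(f'{name}: ssh from bastion = {ssh_from_bastion(inb, outb)}, '
              f'https to internet = {https_from_private(inb, outb)}')
    print('fixed: unsolicited ssh from internet =', unsolicited_ssh_from_internet(FIXED_INBOUND))
```

The inbound ephemeral-port rule is the part people forget: a security group is stateful and admits replies automatically, but a NACL is not, so the reply from 203.0.113.5 to the instance's ephemeral port must match an inbound allow on its own, and its source is the internet host, never the NAT gateway's address. The narrow rule set fails on the outbound request already (the destination is not in 10.1.1.0/24), and would fail again on the reply. Keeping port 22 restricted to 10.1.1.0/24 while opening only 1024-65535 to 0.0.0.0/0 is what lets the corrected set pass the HTTPS flow without exposing SSH, as the last check shows.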