堆栈内存溢出
  简体   繁体   English

私有子网中的 AWS EC2 实例无法通过 NAT 网关连接到互联网

[英]AWS EC2 instance in private subnet unable to connect to internet via NAT gateway

 原文  2020-09-14 04:16:48       amazon-web-services/ amazon-ec2/ aws-nat-gateway

问题描述

I have two EC2 instances, one on public subnet(10.1.1.0/24) and one on private subnet (10.1.2.0/24) EC2 instance in public subnet works fine with internet connectivity and configured services.我有两个 EC2 实例,一个在公共子网 (10.1.1.0/24) 上,另一个在私有子网 (10.1.2.0/24) 上,公共子网中的 EC2 实例可以正常使用 Internet 连接和配置的服务。

There is a NAT Gateway configured in the public subnet 10.1.1.0/24 with Elastic IP.在公有子网 10.1.1.0/24 中配置了一个带有弹性 IP 的 NAT 网关。 Default route on private subnet is [0.0.0.0/0 --> NAT Gateway in public subnet].私有子网上的默认路由是 [0.0.0.0/0 --> 公共子网中的 NAT 网关]。 I have a custom network ACL on private subnet, what I observed is when source and destination for inbound/outbound rules is set to 10.1.1.0/24 (public subnet) external connectivity breaks, but ssh works.我在私有子网上有一个自定义网络 ACL,我观察到的是当入站/出站规则的源和目标设置为 10.1.1.0/24(公共子网)外部连接中断,但 ssh 有效。 Only when source/destination are set to 'any' does internet connectivity restore.仅当源/目标设置为“任意”时,互联网连接才会恢复。 I am trying to understand what exact source/destination should be used in network ACLs on private subnet for internet connectivity to work.我试图了解应该在私有子网上的网络 ACL 中使用什么确切的源/目标,以便 Internet 连接正常工作。

1 个解决方案

解决方案1
 0  2020-09-14 04:37:27

To allow instance from private subnet access internet using NAT gateway, your NACLs or SG must allow internet traffic .要允许来自私有子网的实例使用 NAT 网关访问互联网,您的 NACL 或 SG必须允许互联网流量 The NAT does not change the internet traffic into private VPC traffic. NAT 不会将互联网流量更改为私有 VPC 流量。 So if you remove 0.0.0.0/0 the internet connectivity stops.因此,如果您删除0.0.0.0/0 ,互联网连接将停止。

This is explained in AWS docs on Instances cannot access the internet :这在 AWS docs on Instances cannot access the internet 中有解释

Ensure that the network ACLs that are associated with the private subnet and public subnets do not have rules that block inbound or outbound internet traffic .确保与私有子网和公共子网关联的网络 ACL没有阻止入站或出站 Internet 流量的规则

Therefore, you must allow 0.0.0.0/0 (or some IP range if you want only part of internet traffic) in your NACL and SG for the instances in private subnet.因此,对于私有子网中的实例,您必须在 NACL 和 SG 中允许0.0.0.0/0 (或某些 IP 范围,如果您只需要部分互联网流量)。

As a side note, generally NACLs are not modified, and default settings are usually used.作为旁注,通常不修改 NACL,通常使用默认设置。 Instead security groups are the first choice of controlling access to and from the instances.相反,安全组是控制对实例的访问的首选。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 AWS:SSH 通过 NAT 网关从公共 su.net EC2 实例到私有 su.net EC2 实例没有发生 - AWS : SSH to private subnet EC2 instance from public subnet EC2 instance via NAT GATEWAY is not happening AWS - 使用 NAT 网关(由 Lambda 访问)的私有子网中的 EC2 代理到无服务器 Aurora 的 Internet 访问 - AWS - Internet Access for an EC2 Proxy to Serverless Aurora in a Private Subnet with NAT Gateway (Accessed by Lambda) 无法使用 NAT 网关从私有 Ec2 访问 Inte.net - Unable to Reach Internet from Private Ec2 with NAT Gateway 无法将 Internet 与私有子网中的 EC2 实例连接起来 - Cannot connect internet with EC2 instance in private subnet 如何在私有子网中托管的 EC2 上使用 aws-cw-agent(没有 NAT 网关) - How can I use aws-cw-agent on an EC2 hosted in private subnet ( without NAT gateway) 公共子网中的 NAT 网关和 EC2 实例能否共享同一个 AWS ElasticIP? - Can a the same AWS ElasticIP be shared by a NAT gateway and an EC2 instance in a public subnet? 如何在通过 nat 网关连接到 Internet 的私有子网中配置 NACL? - How to configure a NACL in a private subnet connected to internet via nat gateway? 我们可以通过 Internet 的中转网关访问私有子网中的 EC2 实例吗? - Can we reach an EC2 instance in private subnet through a transit gateway from internet? 尝试通过AWS中的nat实例从私有子网实例访问Internet时遇到问题? - Getting issue while trying to access internet from private-subnet instance via nat intance in aws? 使用 NAT 实例提供对私有 Ec2 实例的互联网访问 - Providing internet access to private Ec2 instance using NAT instance
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM