我应该在公共子网还是私有子网上挂载 AWS EFS?
[英]Should I mount AWS EFS on public or private subnet?
问题描述
That simple question, couldn't find an answer in the docs.
这个简单的问题,在文档中找不到答案。
Anyone knows the best practice for this problem?任何人都知道这个问题的最佳实践吗?
I'm assuming its private but wanted to understand why if that is the case.我假设它是私有的,但想了解为什么会这样。
2 个解决方案
解决方案1
4 已采纳 2020-10-06 14:59:05
You should only place things in a public subnet that you want to be accessible from outside the VPC.您应该只将想要从 VPC 外部访问的内容放在公有子网中。 Best practice is to only have your public load balancers, and your NAT gateways in your public subnet.最佳实践是在您的公共子网中只拥有您的公共负载均衡器和 NAT 网关。 This ensures an extra level of network security by making sure your important resources are only accessible from inside the VPC.这通过确保您的重要资源只能从 VPC 内部访问来确保额外级别的网络安全。
So in this case, you would want to place your EFS mounts inside your private subnets.因此,在这种情况下,您可能希望将 EFS 挂载放置在您的私有子网中。
解决方案2
1 2020-10-06 15:01:54
In AWS, we usually use private subnet for most service integrations.在 AWS 中,我们通常使用私有子网进行大多数服务集成。 Some of the services do not work when attached to public subnet.某些服务在连接到公共子网时不起作用。 eg Lambda when attached to the VPC, doesn't work properly if the public subnet is used.例如,当连接到 VPC 时,Lambda 无法正常工作,如果使用公共子网。 Same goes for Glue Jobs and Crawlers. Glue Jobs 和 Crawlers 也是如此。
[Edit: Thanks to MarkB for contribution] It is because the ENIs for things like Lambda functions are not assigned a public IP address, only a private IP. [编辑:感谢 MarkB 的贡献]这是因为 Lambda 函数之类的 ENI 没有分配公共 IP 地址,只有私有 IP。 So they need a route to a NAT Gateway in order to access things outside the VPC, and only private subnets can have a route to a NAT Gateway.所以他们需要一个到 NAT 网关的路由才能访问 VPC 之外的东西,只有私有子网才能有一个到 NAT 网关的路由。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.