
AWS: VPC, Subnets, NACLs, Security Groups, IGWs, Route Tables, Etc

I've watched hours upon hours of tutorials and have read until my eyes were about to bleed, but I just cannot seem to grasp how Amazon VPCs are working. I've created and deleted entire VPC environments with EC2 instances various times following tutorials, but as soon as I go to create one without the tutorial, I'm lost.

I'm trying to come up with an analogy to help me to better understand. What I have so far is something like this:

A VPC is like a Club. At the front of the club, you have an Entrance, the IGW. Inside the Club, you have different areas: the General Area, which would be the public subnet, and the Management Area, which is the private subnet.

Within the General Area you would have a Dance Floor/Bar, which would equate to an EC2 Instance, and a Receiving Bay where management can receive deliveries and whatnot from the outside world, the NAT.

Then in the Management Area you'd have an Office, another EC2 Instance, and your Inventory, which is like your RDS.

I think that's a somewhat accurate analogy so far, but once I start to try and work in the SGs, NACLs, RTs, etc., I realize that I'm just not grasping it all.

Can anyone help me with finishing this analogy or supply a better analogy? I'm at my wits' end.

Rather than using analogies, let's use the network you already have at home.

Within your home, you probably have a Router and various devices connected to the router. They might be directly connected via ethernet cables (eg a PC), or they might be connected via wifi (eg tablets, phones, Alexa). Your home network is like a VPC. Your various devices connect to the network and all of the devices can talk to each other.

You also have some sort of box that connects your router to the Internet. This might be a cable modem, or a fibre router or (in the old days) a telephone connection. These boxes connect your network (VPC) to the Internet and are similar in function to an Internet Gateway. Without these boxes, your network would not be able to communicate with the Internet. Similarly, without an Internet Gateway, a VPC cannot communicate with the Internet.

Some home routers allow you to broadcast a Guest network in addition to your normal network. This is a network where you can give guests a password, but they can't access your whole network -- this is good for security, since they can't snoop around your network to try and steal your data. This is similar in concept to having a separate subnet -- there are two networks, but routing rules (NACLs) block the traffic between them to improve security.

A home router typically blocks incoming access to your devices. This means that people on the Internet cannot access your computer, printer, devices, etc. This is good, since there are many bots on the Internet always trying to hack into devices on your network. However, the home router allows outbound requests from your devices to the Internet (eg a website) and it is smart enough to allow the responses to come back into the network. This is equivalent to a Security Group, which has rules that determine what Inbound and Outbound requests are permitted. Security Groups are stateful, which means they automatically allow return traffic even if it is not specifically listed. The difference is that the router is acting as the Security Group, whereas in an Amazon VPC it is possible to assign a Security Group to each individual resource (like having a router on each resource).

That doesn't cover all the capabilities of an Amazon VPC, but it should give you an idea of how the network actually behaves.
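As an added illustration (not part of the answer above, and not AWS code), here is a small Python model of the three mechanisms the answer names: a route table doing longest-prefix match (an `igw` target is what makes a subnet "public"), a stateless NACL where reply traffic must be allowed explicitly, and a stateful security group where the reply to an allowed flow is permitted automatically. The addresses, rule numbers and ports are constructed for the example; it models TCP only and ignores the protocol field, ICMP types and the other knobs real NACL and security group rules carry.

```python
"""Toy model of VPC packet handling: route table lookup, stateless NACL,
stateful security group. Added example, not the post's own code; all
addresses, rule numbers and ports are constructed. TCP only."""
import ipaddress

# Constructed route tables: the public subnet has a default route to the
# Internet Gateway, the private subnet only knows the VPC's own CIDR.
PUBLIC_RT = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw")]
PRIVATE_RT = [("10.0.0.0/16", "local")]


def route_lookup(route_table, dst_ip):
    """Target of the most specific route covering dst_ip, or None (no route:
    the packet is dropped, which is why the private subnet cannot reach
    8.8.8.8 until a NAT route is added)."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def nacl_allows(rules, remote_ip, port):
    """Stateless NACL evaluation for one direction.
    rules: (rule_number, cidr, (low_port, high_port), 'allow'|'deny').
    Lowest rule number first, first match decides, implicit '*' deny at the
    end. Nothing is remembered between packets, so replies need their own rule."""
    ip = ipaddress.ip_address(remote_ip)
    for _num, cidr, (lo, hi), action in sorted(rules):
        if ip in ipaddress.ip_network(cidr) and lo <= port <= hi:
            return action == "allow"
    return False


class SecurityGroup:
    """Stateful: rules are allow-only, and once a flow is allowed in one
    direction its reply is allowed regardless of the other direction's rules
    (tracked here by a local/remote 4-tuple, a stand-in for real conntrack)."""

    def __init__(self, inbound, outbound):
        self.inbound = inbound    # [(source_cidr, (low_port, high_port))]
        self.outbound = outbound  # [(dest_cidr, (low_port, high_port))]
        self.conntrack = set()

    @staticmethod
    def _match(rules, remote_ip, port):
        ip = ipaddress.ip_address(remote_ip)
        return any(ip in ipaddress.ip_network(cidr) and lo <= port <= hi
                   for cidr, (lo, hi) in rules)

    def allows(self, direction, local_ip, local_port, remote_ip, remote_port):
        flow = (local_ip, local_port, remote_ip, remote_port)
        if flow in self.conntrack:
            return True  # reply to a flow that was already allowed
        # Inbound rules match the local (listening) port; outbound rules
        # match the remote port the instance is connecting to.
        rules = self.inbound if direction == "in" else self.outbound
        port = local_port if direction == "in" else remote_port
        if self._match(rules, remote_ip, port):
            self.conntrack.add(flow)
            return True
        return False


def public_web_server_scenario():
    """Client 203.0.113.7:51000 talks HTTPS to 10.0.1.10:443 in the public
    subnet. Puts the classic NACL mistake (no ephemeral-port outbound rule)
    next to a security group that needs no outbound rule for the reply."""
    client, server = "203.0.113.7", "10.0.1.10"
    nacl_in = [(100, "0.0.0.0/0", (443, 443), "allow")]
    nacl_out_good = [(100, "0.0.0.0/0", (1024, 65535), "allow")]
    nacl_out_bad = [(100, "0.0.0.0/0", (443, 443), "allow")]  # forgot ephemeral ports
    sg = SecurityGroup(inbound=[("0.0.0.0/0", (443, 443))], outbound=[])
    return {
        "request": nacl_allows(nacl_in, client, 443)
                   and sg.allows("in", server, 443, client, 51000),
        "reply_with_ephemeral_nacl_rule": nacl_allows(nacl_out_good, client, 51000)
                   and sg.allows("out", server, 443, client, 51000),
        "reply_without_ephemeral_nacl_rule": nacl_allows(nacl_out_bad, client, 51000),
        # A brand-new outbound connection from the server is not a reply,
        # so the empty outbound rule set blocks it.
        "new_outbound_from_server": sg.allows("out", server, 40000, "198.51.100.5", 443),
    }


if __name__ == "__main__":
    print("8.8.8.8 via public subnet :", route_lookup(PUBLIC_RT, "8.8.8.8"))
    print("8.8.8.8 via private subnet:", route_lookup(PRIVATE_RT, "8.8.8.8"))
    for name, ok in public_web_server_scenario().items():
        print(f"{name:34s} {'ALLOW' if ok else 'DENY'}")
```

The practical check this encodes: when a server in a public subnet accepts connections but clients hang, look at the subnet NACL's outbound rules for an ephemeral-port range (1024-65535) before touching the security group, because the security group's statefulness makes it the less likely culprit for broken replies.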

Notice: the technical posts on this site follow the CC BY-SA 4.0 license; if you reproduce them, cite this site or the original source. Questions: yoyou2525@163.com.
