VPC Endpoint for AWS Secrets Manager
The route table (in the private subnet) won't change by adding a VPCE as the destination for AWS Secrets Manager. Tried with a new SG too (not using the default SG). Any idea?
Based on the comments.

Secrets Manager (SM) uses VPC interface endpoints. This is a new generation of endpoints, as compared to the VPC gateway endpoints for S3 and DynamoDB. The new generation does not modify route tables (RTs). In contrast, the gateway endpoints do modify the RTs specified when creating these endpoints.

For seamless work with the interface endpoints, it is important that the VPC has enableDnsHostnames and enableDnsSupport enabled, as well as private DNS for the endpoint. In addition, the security group of the endpoint usually needs to be adjusted to allow connections on port 443.
Recently I removed all NAT Gateways which originally allowed my private subnets to connect to the internet (including the Secrets Manager). I assumed that the NAT Gateway was a security vulnerability, expensive infrastructure and not required for private instances to contact the AWS Secrets Manager. I was wrong. My ECS task failed, and stated that the Secrets Manager resource could not be accessed.

I recommend using the AWS VPC Reachability Analyzer to debug these network issues; it helped me. This will enable you to verify if the EC2 instance you launched in the private subnet can contact the VPC Endpoint (e.g. Secrets Manager).

Now that you have a means to quickly verify reachability, here are some steps that you might need to take in order to ensure your private subnet can contact AWS services like the Secrets Manager. Please consult AWS documentation as I may have outdated information.

`com.amazonaws.${AWS::Region}.secretsmanager` and use the appropriate value for the AWS region
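As an added example (not code from either answer above), the following CloudFormation template wires together the pieces both answers describe: an interface endpoint for Secrets Manager using the `com.amazonaws.${AWS::Region}.secretsmanager` service name, private DNS enabled, and a dedicated security group that only admits HTTPS (443) from inside the VPC, plus an endpoint policy that limits use of the endpoint to principals from the same account. The parameter names, the default CIDR and the logical resource names are my own assumptions; the VPC itself must already have enableDnsSupport and enableDnsHostnames turned on, because CloudFormation cannot set those attributes on an existing VPC and `PrivateDnsEnabled` will fail without them.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Example (not from the original answers): private-subnet access to
  Secrets Manager through an interface VPC endpoint, without a NAT Gateway.

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
    Description: >-
      Existing VPC. It must already have enableDnsSupport and enableDnsHostnames
      enabled (check with: aws ec2 describe-vpc-attribute --vpc-id <id>
      --attribute enableDnsHostnames), otherwise PrivateDnsEnabled is rejected.
  VpcCidr:
    Type: String
    Default: 10.0.0.0/16          # assumed placeholder; use your VPC's CIDR
    Description: CIDR of the VPC, used to scope the endpoint's ingress rule.
  PrivateSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
    Description: Private subnets that get an endpoint network interface (one per AZ).

Resources:
  # Dedicated SG for the endpoint ENIs: interface endpoints are reached on
  # TCP/443, so that is the only ingress we open, and only from inside the VPC.
  SecretsManagerEndpointSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: HTTPS from the VPC to the Secrets Manager interface endpoint
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: !Ref VpcCidr

  # The interface endpoint itself. Unlike a gateway endpoint it touches no
  # route table: with private DNS on, the regional secretsmanager hostname
  # resolves inside the VPC to the endpoint ENIs in the listed subnets.
  SecretsManagerEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcEndpointType: Interface
      VpcId: !Ref VpcId
      ServiceName: !Sub com.amazonaws.${AWS::Region}.secretsmanager
      SubnetIds: !Ref PrivateSubnetIds
      SecurityGroupIds:
        - !Ref SecretsManagerEndpointSG
      PrivateDnsEnabled: true
      # Endpoint policy: only principals from this account may use the endpoint,
      # so a stolen foreign credential cannot pull its own secrets through it.
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: "*"
            Action: "secretsmanager:*"
            Resource: "*"
            Condition:
              StringEquals:
                aws:PrincipalAccount: !Ref AWS::AccountId

Outputs:
  EndpointId:
    Description: Use this as the destination in VPC Reachability Analyzer paths.
    Value: !Ref SecretsManagerEndpoint
```

After the stack is created, a Reachability Analyzer path from the private-subnet instance (or ECS task ENI) to the endpoint id in the output, on TCP port 443, shows whether the SG and subnet placement actually permit the connection; from inside the instance, `aws secretsmanager get-secret-value` should then succeed with no NAT Gateway and no route table change.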