可以在对等 vpc 中调用 aws 接口端点吗?
[英]Possible to call the aws interface endpoint in a peered vpc?
问题描述
I am having two vpcs, one is a mgmt vpc with all the necessary vpc interface endpoints connecting to AWS services, and another peered vpc established peering connection with the mgmt vpc.
我有两个 vpc,一个是 mgmt vpc,其中所有必要的 vpc 接口端点都连接到 AWS 服务,另一个对等 vpc 与 mgmt vpc 建立了对等连接。 I have tried to ssh into my instance (call it instance A) in the peered vpc and call aws api through cli with the following command我尝试在对等 vpc 中将 ssh 放入我的实例(称为实例 A),并使用以下命令通过 cli 调用 aws api
aws ec2 describe-instances
but still the connection just timeout everytime.但每次连接仍然超时。
I have checked my vpc endpoint security group and double confirmed I have set it to allow all incoming traffic from the security group attached to instance A. And my instance A's security group has set to allow all traffic egress to the vpce security group.我检查了我的 vpc 端点安全组并再次确认我已将其设置为允许来自附加到实例 A 的安全组的所有传入流量。并且我的实例 A 的安全组已设置为允许所有流量出口到 vpce 安全组。
Anyone knows or encounter this issue before?有人知道或遇到过这个问题吗? Anything that I missed out or did wrong?我错过了什么或做错了什么?
EDIT: My peered vpc has several subnets, with the only IGW located in the ingress/egress tier subnets.编辑:我的对等 vpc 有几个子网,唯一的 IGW 位于入口/出口层子网中。 In the web tier subnets, there are the instances that I am trying to call the vpce there, and the subnets here have NAT gateway.在 web 层子网中,有我试图在那里调用 vpce 的实例,这里的子网有 NAT 网关。
For mgmt vpc the only way to ssh in is through a jumphost instance inside the vpc.对于 mgmt vpc,进入 ssh 的唯一方法是通过 vpc 内的 jumphost 实例。
The routing tables for web tier subnets are as follows: web 层子网的路由表如下:
Destination Target
100.113.189.0/24 pcx-0d3974s489064s3sd
100.113.206.0/24 local
10.196.162.128/25 local
Security group for web tier subnet instances are as follows: web 层子网实例的安全组如下:
Outbound
Port Range Protocol Source
All All sgrp-<vpce_to_ec2>
The routing table for the subnet with vpce in mgmt vpc: mgmt vpc 中带有 vpce 的子网的路由表:
Destination Target
100.113.206.0/24 pcx-0d3974c6890640bd2
100.113.189.0/24 local
10.196.157.128/25 local
pl-6fa54006 vpce-<this_is_for_s3>
For the vpce to ec2 security group:对于 vpce 到 ec2 安全组:
Inbound
Port Range Protocol Source
All All sgrp-<web_tier_instance>
All All 100.113.189.0/24
Note that each vpc has assigned with two cidr blocks.请注意,每个 vpc 都分配了两个 cidr 块。 Also there is s3 endpoint gateway in mgmt vpc as well mgmt vpc 中也有 s3 端点网关
1 个解决方案
解决方案1
1 已采纳 2021-02-25 07:19:07
Based on the comments.根据评论。
I tried to reproduce the issue and the OP's architecture and can verity that the connection to endpoint works if --endpoint-url is used.我试图重现该问题和 OP 的架构,并且可以验证在使用--endpoint-url时与端点的连接是否有效。
aws ec2 describe-instances --endpoint-url vpce-05c21657a045fff54-puytslup.ec2.us-east-1.vpce.amazonaws.com
In the above, the endpoint url ( vpce-05c21657a045fff54-puytslup.ec2.us-east-1.vpce.amazonaws.com ) can be obtained from VPC Interface details.上面的端点 url ( vpce-05c21657a045fff54-puytslup.ec2.us-east-1.vpce.amazonaws.com ) 可以从 VPC Interface details 获取。
It maybe possible that enabling DNS Resolution Support for peering connection also works.启用对等连接的DNS 分辨率支持也可能有效。 In that case --endpoint-url may be not needed.在这种情况下,可能不需要--endpoint-url 。 However, I haven't verified that in my tests, as I only focused on solving the issue with --endpoint-url .但是,我没有在我的测试中验证这一点,因为我只专注于解决--endpoint-url的问题。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.