Configure interdependent security groups in AWS VPC

In the AWS VPC, I added a security group for database access that allows any request from a specific CIDR IP range on port 3306. This CIDR range includes private subnets as well as public subnets. A public subnet is allowed so that the database can explicitly be connected to developer machines through a bastion host (an EC2 instance configured on the VPC's public subnet and assigned an IP from Amazon's pool of public IPs).

Ideally, services on a private subnet should be able to connect to the database.

  1. Rather than defining the network mask from which connections are allowed in one security group, is there any elegant way to do it (probably by creating two security groups as defined in this AWS document)?
  2. The database should accept connections only on port 3306, but services should be allowed to use any port for database access. How do I configure a security group to achieve this? For example, one security group that allows requests on port 3306 only (this security group can be attached to the database), and another security group that allows connections to all ports (this security group can be attached to the microservice instances). Somehow this microservice security group should be mapped to the database security group in such a way that, no matter what port the request is coming from, it should in turn reach the database security group on port 3306. Can this be done?

Tried something along these lines:

# Security group attached to the clients (services) that need to reach the DB.
DBConnectableSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId: ...
      GroupDescription: Allows for connection to the DB cluster.

# Security group attached to the DB cluster itself.
ServerlessDBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId: ...
      GroupDescription: Defines rules for connecting to the DB cluster.

# Egress from the client group: any TCP port, but only towards members of the DB group.
OutboundRule:
    Type: AWS::EC2::SecurityGroupEgress
    Properties:
      IpProtocol: tcp
      FromPort: 0
      ToPort: 65535
      DestinationSecurityGroupId: !GetAtt ServerlessDBSecurityGroup.GroupId
      GroupId: !GetAtt DBConnectableSecurityGroup.GroupId

# Ingress on the DB group: port 3306 only, and only from members of the client group.
InboundRule:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      IpProtocol: tcp
      FromPort: 3306
      ToPort: 3306
      SourceSecurityGroupId: !GetAtt DBConnectableSecurityGroup.GroupId
      GroupId: !GetAtt ServerlessDBSecurityGroup.GroupId

[Screenshot] App-SG -- Inbound Rule

[Screenshot] DB-SG -- Inbound Rule (source is pointing to App-SG)

[Screenshot] App-SG and DB-SG -- Outbound Rule

Now I associate App-SG with an application. This application can successfully connect to the database on port 3306 (the same port configured in the inbound rule of DB-SG).

I associate App-SG with another application. This application uses a different port to connect to the database, port 3310. As App-SG allows all ports, I expect this to connect to the database, but this does not work and the connection is refused.

The preferred configuration is:

  • A security group on the application resource (App-SG) with appropriate inbound permissions to use the application, and the default All Outbound permissions
  • A security group on the database (DB-SG) that permits inbound connections on the database port from App-SG, and All Outbound

That is, DB-SG specifically references App-SG in its inbound rules. This way, any resource that is associated with App-SG will be allowed to communicate with the database. This method avoids having to specify IP addresses and CIDR ranges, and any new resources that use App-SG will automatically gain access to the database.
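The following is an added example, not part of the original question or answer: a small Python model of how a new connection is evaluated against security groups (the initiating side's egress rules and the receiving side's ingress rules must both permit it, and a rule's peer may be a CIDR or another security group). It encodes the preferred App-SG / DB-SG configuration from the answer and replays the two observations from the question: a client in App-SG reaches the database on 3306, while the same client on 3310 is refused because only DB-SG's ingress rule decides which ports the database accepts, regardless of how open App-SG's outbound rules are. The group names come from the page; the instance names, addresses, the 10.0.0.0/16 VPC and the application port 443 are constructed, and the model is a simplification of AWS behaviour, not AWS code.

```python
"""Toy model of security group evaluation for a connection initiated by a client.

Added example (not from the original page): it mimics the documented behaviour
of AWS security groups closely enough to sanity-check an SG-to-SG design before
deploying it. All instance names, addresses and the app port are constructed.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    protocol: str    # "tcp", "udp", "icmp" or "-1" (all protocols, ports ignored)
    from_port: int
    to_port: int
    peer: str        # a CIDR such as "10.0.0.0/16" or a security group name such as "App-SG"


@dataclass
class SecurityGroup:
    name: str
    ingress: list = field(default_factory=list)
    egress: list = field(default_factory=list)


@dataclass
class Instance:
    name: str
    ip: str
    groups: list  # security groups attached to the ENI


def _peer_matches(rule: Rule, peer: Instance) -> bool:
    """A CIDR peer is matched against the address; a group-name peer is matched
    against the groups attached to the peer (this is SG-to-SG referencing)."""
    if "/" in rule.peer:
        return ipaddress.ip_address(peer.ip) in ipaddress.ip_network(rule.peer, strict=False)
    return any(sg.name == rule.peer for sg in peer.groups)


def _rule_permits(rule: Rule, protocol: str, port: int, peer: Instance) -> bool:
    if rule.protocol != "-1":
        if rule.protocol != protocol or not (rule.from_port <= port <= rule.to_port):
            return False
    return _peer_matches(rule, peer)


def connection_allowed(client: Instance, server: Instance, protocol: str, port: int):
    """Evaluate a connection initiated by client to server:port.

    Security groups are stateful, so only the initiating direction is checked;
    reply traffic is allowed automatically. Returns (allowed, reason).
    """
    if not any(_rule_permits(r, protocol, port, server)
               for sg in client.groups for r in sg.egress):
        return False, f"no egress rule on {client.name} permits {protocol}/{port} to {server.name}"
    if not any(_rule_permits(r, protocol, port, client)
               for sg in server.groups for r in sg.ingress):
        return False, f"no ingress rule on {server.name} permits {protocol}/{port} from {client.name}"
    return True, "permitted by client egress and server ingress"


# The preferred configuration from the answer: DB-SG references App-SG by name.
ALL_OUTBOUND = Rule("-1", 0, 0, "0.0.0.0/0")            # the default "All Outbound" rule
APP_SG = SecurityGroup("App-SG",
                       ingress=[Rule("tcp", 443, 443, "0.0.0.0/0")],  # constructed app port
                       egress=[ALL_OUTBOUND])
DB_SG = SecurityGroup("DB-SG",
                      ingress=[Rule("tcp", 3306, 3306, "App-SG")],    # only the DB port, only from App-SG
                      egress=[ALL_OUTBOUND])
OTHER_SG = SecurityGroup("Other-SG", egress=[ALL_OUTBOUND])           # a group DB-SG does not reference


def run_scenarios() -> dict:
    """Constructed instances in a 10.0.0.0/16 VPC; returns scenario -> allowed."""
    app = Instance("app-server", "10.0.1.10", [APP_SG])
    other = Instance("unrelated-server", "10.0.1.20", [OTHER_SG])
    db = Instance("db-cluster", "10.0.2.5", [DB_SG])
    return {
        "app -> db:3306": connection_allowed(app, db, "tcp", 3306)[0],    # True
        "app -> db:3310": connection_allowed(app, db, "tcp", 3310)[0],    # False: DB-SG only opens 3306
        "other -> db:3306": connection_allowed(other, db, "tcp", 3306)[0],  # False: not a member of App-SG
    }


if __name__ == "__main__":
    for scenario, ok in run_scenarios().items():
        print(f"{scenario}: {'allowed' if ok else 'denied'}")
```

The model makes the answer's point concrete: granting App-SG "All Outbound" never widens what the database accepts, and adding a new instance to App-SG grants it database access with no CIDR changes. If the bastion host from the question also needs to reach the database, the same mechanism applies: reference the bastion's group in a second DB-SG ingress rule rather than opening a public CIDR.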
