Configure interdependent security groups in AWS VPC
In the AWS VPC, I added a security group for the database access that allows any request from a specific CIDR IP on port 3306. This CIDR IP includes private subnets as well as public subnets. A public subnet is allowed so that the database can explicitly be connected to developers' machines using a bastion host (an EC2 instance configured on the VPC's public subnet and assigned an IP from Amazon's pool of public IPs).
Ideally, services on a private subnet should be able to connect to the database.
Tried something along these lines:
```yaml
DBConnectableSecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    VpcId: ...
    GroupDescription: Allows for connection to the DB cluster.
ServerlessDBSecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    VpcId: ...
    GroupDescription: Defines rules for connecting to the DB cluster.
# Members of DBConnectableSecurityGroup may open any TCP port, but only towards ServerlessDBSecurityGroup
OutboundRule:
  Type: AWS::EC2::SecurityGroupEgress
  Properties:
    IpProtocol: tcp
    FromPort: 0
    ToPort: 65535
    DestinationSecurityGroupId: !GetAtt ServerlessDBSecurityGroup.GroupId
    GroupId: !GetAtt DBConnectableSecurityGroup.GroupId
# ServerlessDBSecurityGroup accepts TCP 3306 only from members of DBConnectableSecurityGroup
InboundRule:
  Type: AWS::EC2::SecurityGroupIngress
  Properties:
    IpProtocol: tcp
    FromPort: 3306
    ToPort: 3306
    SourceSecurityGroupId: !GetAtt DBConnectableSecurityGroup.GroupId
    GroupId: !GetAtt ServerlessDBSecurityGroup.GroupId
```
App-SG -- Inbound Rule
DB-SG -- Inbound Rule (source is pointing to App-SG)
App-SG and DB-SG -- Outbound Rule
Now I associate App-SG with an application. This application can successfully connect to the database on port 3306 (same as configured in the Inbound Rule of DB-SG).
I associate App-SG with another application. This application uses a different port to connect to the database, port 3310. As App-SG allows all ports, I expect this to connect to the database, but this does not work and the connection is refused.
The preferred configuration is:
- A security group on the application (App-SG) with appropriate inbound permissions to use the application, and the default All Outbound permissions
- A security group on the database (DB-SG) that permits inbound connections on the database port from App-SG, and All Outbound
That is, DB-SG specifically references App-SG in its inbound rules. This way, any resource that is associated with App-SG will be allowed to communicate with the database. This method avoids having to specify IP addresses and CIDR ranges, and any new resources that use App-SG will automatically gain access to the database.