
AWS EC2 Access which is private VPC

This is more of an architectural question rather than a coding issue. Please pardon me if I am in the wrong place. I have an EC2 instance running in a private VPC where in future we are going to deploy PII data, and by no means can we have internet access to it. However, we need to install ETL tools in docker (Airflow, docker, nifi, python etc.) and of course need to ssh into it from my local company VPC.

There are two approaches, as far as I think:

1. Create another EC2 in a public subnet, install all our tools there,
   and call the VPC EC2 from this one, so that I can move the PII data to S3
   through a private endpoint.

   Cons: Doesn't it still raise the security concern, as the EC2 (ETL) is still
   on the internet, from where one can access the PII data in the second EC2?

Another option:

2. Create the EC2 in public, install all tools, and then
   finally change it into the private VPC.

   Cons: In case the tool crashes or any change is needed, we will have to
   move it back to public, which again does not look like the proper way of handling it.

I tried to search the internet to get any tutorial or training about it, but cannot find one.

Any suggestion will be highly appreciated.

You don't need to use the internet at all if you don't want to. I assume that by "no internet access" you mean that this is two-way: no access from the internet to the instance, nor can the instance connect to the internet at all (i.e. no NAT or any other proxy).

There are a couple of ways of doing this. One way is as follows:

  1. Prepare a custom AMI with all packages and software that you require pre-installed.
  2. Create a private VPC without any public subnets.
  3. Add VPC interface endpoints to the VPC for S3, AWS Systems Manager, ECR (to store your private docker images) and other AWS services you may require, e.g. KMS.
  4. Launch your instance from the custom AMI in the private VPC.
  5. Use SSM Session Manager to "ssh" to the instance without any internet access.
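Steps 2 to 5 above as a Terraform sketch, added here as an illustration and not part of the answer. It assumes region us-east-1 and the CIDR 10.0.0.0/16; the role and profile names are made up, and no internet gateway or NAT gateway is defined anywhere.

```hcl
resource "aws_vpc" "private" {
  cidr_block           = "10.0.0.0/16"
  enable_dns_support   = true # both DNS flags are required for interface endpoints
  enable_dns_hostnames = true
}
resource "aws_subnet" "etl" { # private subnet: no internet gateway and no NAT gateway exist in this VPC
  vpc_id     = aws_vpc.private.id
  cidr_block = "10.0.1.0/24"
}
resource "aws_security_group" "endpoints" { # endpoint ENIs only need HTTPS from inside the VPC
  vpc_id = aws_vpc.private.id
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.private.cidr_block]
  }
}
# S3 is a gateway endpoint on the route table; ECR pulls image layers through S3, so ECR needs it too
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = aws_vpc.private.id
  service_name      = "com.amazonaws.us-east-1.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [aws_vpc.private.main_route_table_id]
}
# Session Manager needs ssm, ssmmessages and ec2messages; ECR needs ecr.api and ecr.dkr
resource "aws_vpc_endpoint" "interface" {
  for_each            = toset(["ssm", "ssmmessages", "ec2messages", "ecr.api", "ecr.dkr", "kms"])
  vpc_id              = aws_vpc.private.id
  service_name        = "com.amazonaws.us-east-1.${each.key}"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = [aws_subnet.etl.id]
  security_group_ids  = [aws_security_group.endpoints.id]
  private_dns_enabled = true
}
# The SSM agent authenticates with the instance role, so no SSH key and no inbound port 22 are needed
resource "aws_iam_role" "etl" {
  name               = "etl-ssm-role" # assumed name
  assume_role_policy = jsonencode({ Version = "2012-10-17", Statement = [{ Effect = "Allow",
    Action = "sts:AssumeRole", Principal = { Service = "ec2.amazonaws.com" } }] })
}
resource "aws_iam_role_policy_attachment" "ssm" {
  role       = aws_iam_role.etl.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}
resource "aws_iam_instance_profile" "etl" {
  name = "etl-ssm-profile" # assumed name
  role = aws_iam_role.etl.name
}
```

Step 4 is then an `aws_instance` built from the custom AMI with `subnet_id = aws_subnet.etl.id`, `iam_instance_profile = aws_iam_instance_profile.etl.name` and `associate_public_ip_address = false`; once its SSM agent registers through the endpoints, `aws ssm start-session --target <instance-id>` replaces ssh.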

I think both approaches are inherently sub-optimal.

If all you're trying to do is avoid exposing your compute instances to the internet, and your setup is docker based, simply set up your own docker repository, either using ECS or Sonatype Nexus (on another server), upload your docker images there and have that node use that ECS/Nexus as its docker registry.

That way, you're enjoying free access to all resources exposed as docker images while maintaining security compliance.
