AWS security group between ALB and EC2 instances

I'm using Terraform to configure an ALB on AWS with a target group consisting of EC2 instances. I'm trying to create the following security groups using Terraform:

1) sg-alb (SG associated to the ALB):
   ----------------------------------
   Inbound:
      HTTP with source 0.0.0.0/0
      HTTPS with source 0.0.0.0/0

   Outbound:
      All traffic with destination 0.0.0.0/0

2) sg-http-alb (SG associated to the EC2 instances and should only receive traffic from the ALB):
   ----------------------------------------------------------------------------------------------
   Inbound:
      HTTP with source sg-alb
      HTTPS with source sg-alb

   Outbound:
      All traffic with destination 0.0.0.0/0

I read here that it's a best practice to limit the outbound traffic to the instance security group as destination on the listener port.

So I changed the configuration as follows:

1) sg-alb (SG associated to the ALB):
   ----------------------------------
   Inbound:
      HTTP with source 0.0.0.0/0
      HTTPS with source 0.0.0.0/0

   Outbound:
      HTTP with destination sg-http-alb (<---- this line changed)

2) sg-http-alb (SG associated to the EC2 instances and should only receive traffic from the ALB):
   ----------------------------------------------------------------------------------------------
   Inbound:
      HTTP with source sg-alb
      HTTPS with source sg-alb

   Outbound:
      All traffic with destination 0.0.0.0/0

When I configure this in Terraform I get `Error: Cycle:`, which seems to indicate there is a loop. Indeed, I'm specifying a destination from security group sg-alb to the instances' sg-http-alb, and from security group sg-http-alb I'm using security group sg-alb as a source. Both the EC2 instances and the ALB are in the same public subnet (there are reasons for that).

However, using the console this is allowed. Also, when I specify the internal IP address (using /32) of my EC2 instances as the outbound destination, it works, but I'm not sure if this is a proper way.

If you want to avoid the circular reference, you need to split the security group rules into separate Terraform resources instead of defining them inline in the `aws_security_group` resource.
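The following is an added example, not code from the answerer or from the question. It shows the asker's two groups written the way the answer suggests: both `aws_security_group` resources carry no inline `ingress`/`egress` blocks, so neither references the other's id, and every rule lives in its own `aws_security_group_rule` resource that depends on both groups. With inline rules, each group would need the other's id before it could be created, which is exactly the cycle Terraform reports. The example assumes a `var.vpc_id` variable, that the targets listen on port 80 and that the ALB health check uses the same port; the `aws_security_group_rule` resource and its `source_security_group_id` argument (which is the destination for egress rules) are part of the AWS provider.

```hcl
# Added example, not the original answer's code.
# Assumed: var.vpc_id exists; targets (and the ALB health check) use port 80.

resource "aws_security_group" "alb" {
  name        = "sg-alb"
  description = "ALB: public HTTP/HTTPS in, traffic out only to the target group"
  vpc_id      = var.vpc_id
  # No inline ingress/egress here: this resource depends only on the VPC,
  # so it cannot be part of a dependency cycle.
}

resource "aws_security_group" "http_alb" {
  name        = "sg-http-alb"
  description = "EC2 targets: accept traffic only from the ALB"
  vpc_id      = var.vpc_id
}

# Public listeners on the ALB.
resource "aws_security_group_rule" "alb_in_http" {
  type              = "ingress"
  security_group_id = aws_security_group.alb.id
  protocol          = "tcp"
  from_port         = 80
  to_port           = 80
  cidr_blocks       = ["0.0.0.0/0"]
}

resource "aws_security_group_rule" "alb_in_https" {
  type              = "ingress"
  security_group_id = aws_security_group.alb.id
  protocol          = "tcp"
  from_port         = 443
  to_port           = 443
  cidr_blocks       = ["0.0.0.0/0"]
}

# ALB egress limited to the target port, and only towards the instance group.
# For an egress rule, source_security_group_id is the destination group.
# The health check uses the same port, so it is covered by this rule as well.
resource "aws_security_group_rule" "alb_out_to_targets" {
  type                     = "egress"
  security_group_id        = aws_security_group.alb.id
  protocol                 = "tcp"
  from_port                = 80
  to_port                  = 80
  source_security_group_id = aws_security_group.http_alb.id
}

# Instances accept the target port only from the ALB's security group.
# The HTTPS-from-ALB rule in the question is only needed if the targets
# actually listen on 443, and then the ALB egress rule must allow 443 too.
resource "aws_security_group_rule" "targets_in_from_alb" {
  type                     = "ingress"
  security_group_id        = aws_security_group.http_alb.id
  protocol                 = "tcp"
  from_port                = 80
  to_port                  = 80
  source_security_group_id = aws_security_group.alb.id
}

# Instances keep unrestricted egress, as in the question.
resource "aws_security_group_rule" "targets_out_all" {
  type              = "egress"
  security_group_id = aws_security_group.http_alb.id
  protocol          = "-1"
  from_port         = 0
  to_port           = 0
  cidr_blocks       = ["0.0.0.0/0"]
}
```

Two caveats worth knowing when using this pattern. First, AWS creates an allow-all egress rule on every new VPC security group, but the Terraform `aws_security_group` resource removes that default rule on creation, so the explicit egress rules above are required; without `targets_out_all` the instances would have no outbound access at all. Second, the AWS provider documents that mixing inline `ingress`/`egress` blocks with `aws_security_group_rule` resources on the same group leads to rule conflicts and perpetual diffs, so once rules are split out, every rule for that group should be a separate resource. Referencing the instance group by id rather than by /32 addresses also survives instance replacement: a rule pinned to a private IP silently stops matching when an instance is recreated with a new address, whereas the group reference follows whatever instances carry sg-http-alb.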
