
Terraform AWS Security Group settings to allow all ports between all VMS

I'm kinda stumped. I have a custom service (named bacalhau) running on port 54545 on each of three machines in a security group. I also have SSH running on all machines. Here's what my terraform looks like:


resource "aws_security_group" "allow_ssh_and_bacalhau" {
  vpc_id      = aws_vpc.bacalhau_vpc.id
  name        = "allow_ssh_and_bacalhau"
  description = "security group that allows ssh and bacalhau and all egress traffic"

}
resource "aws_security_group_rule" "egress_all" {
  type              = "egress"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.allow_ssh_and_bacalhau.id
}


resource "aws_security_group_rule" "ingress_ssh" {
  type              = "ingress"
  from_port         = 22
  to_port           = 22
  protocol          = "-1"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.allow_ssh_and_bacalhau.id
}

resource "aws_security_group_rule" "ingress_bacalhau" {
  type              = "ingress"
  from_port         = 54545
  to_port           = 54545
  protocol          = "-1"
  self              = true
  security_group_id = aws_security_group.allow_ssh_and_bacalhau.id
}

SSH works fine - including inter-traffic between machines, but the bacalhau (54545) service doesn't show up.

E.g.

ubuntu@ip-10-0-1-219:~$ nmap ec2-18-202-245-138.eu-west-1.compute.amazonaws.com
Starting Nmap 7.80 ( https://nmap.org ) at 2022-03-19 18:07 UTC
Nmap scan report for ec2-18-202-245-138.eu-west-1.compute.amazonaws.com (10.0.1.237)
Host is up (0.0022s latency).
rDNS record for 10.0.1.237: ip-10-0-1-237.eu-west-1.compute.internal
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds
ubuntu@ip-10-0-1-219:~$

EDIT The nmap is running from a VM inside the security group.

Am I doing something wrong? Is this a security group, VPC, or EC2 mistake? I can access the service from the node itself through the localhost loopback.

EDIT 2 Confirmed this is a security group issue - I turned on accepting inbound from everywhere [0.0.0.0/0] and it worked fine.

For the ingress_bacalhau security group rule you have set the argument self = true. This will allow traffic only from another instance which also has the allow_ssh_and_bacalhau security group attached.

In contrast, for SSH with the ingress_ssh rule you allow traffic from the whole internet (cidr_blocks = ["0.0.0.0/0"]).

You do not specify clearly from which instance the nmap scan was executed. If this instance does not have the allow_ssh_and_bacalhau security group attached, then the traffic won't be allowed from it.
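The following Terraform configuration is an added example, not code from the question or the answer. It rewrites the three rules so that each allows only what its name says and spells out the self = true semantics the answer describes. var.admin_cidr, var.ami_id, aws_subnet.bacalhau and the bacalhau_clients group are placeholders that do not exist in the question. Two caveats a practitioner would want are folded in as comments: AWS ignores the port range when the protocol is -1 (all), so a rule with protocol = "-1" and ports 22-22 admits every protocol and port, not only SSH; and a rule with self = true or source_security_group_id matches on the security group attached to the source instance's network interface, not on the source merely being inside the VPC.

```hcl
# Added example (not from the question or the answer). Placeholders:
# var.admin_cidr, var.ami_id, aws_subnet.bacalhau, aws_security_group.bacalhau_clients.

variable "admin_cidr" {
  description = "Placeholder: the only network allowed to reach SSH"
  type        = string
  default     = "203.0.113.0/24" # TEST-NET-3 documentation range, replace it
}

resource "aws_security_group" "allow_ssh_and_bacalhau" {
  vpc_id      = aws_vpc.bacalhau_vpc.id
  name        = "allow_ssh_and_bacalhau"
  description = "ssh from admin range, bacalhau between members, all egress"
}

resource "aws_security_group_rule" "egress_all" {
  type              = "egress"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"          # -1 = all protocols; ports are 0 for this form
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.allow_ssh_and_bacalhau.id
}

# Weak form, as in the question: protocol "-1" with ports 22-22.
# AWS documents that the port range is ignored for protocol -1, so this
# rule admits every protocol and every port from anywhere, not only SSH.
#
# resource "aws_security_group_rule" "ingress_ssh" {
#   type        = "ingress"
#   from_port   = 22
#   to_port     = 22
#   protocol    = "-1"
#   cidr_blocks = ["0.0.0.0/0"]
#   ...
# }

# Hardened form: TCP only, port 22 only, admin range only.
resource "aws_security_group_rule" "ingress_ssh" {
  type              = "ingress"
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  cidr_blocks       = [var.admin_cidr]
  security_group_id = aws_security_group.allow_ssh_and_bacalhau.id
}

# self = true makes the group its own source: only network interfaces that
# carry allow_ssh_and_bacalhau can reach 54545. An instance in the same VPC
# without this group attached is not a valid source (the answer's point).
resource "aws_security_group_rule" "ingress_bacalhau" {
  type              = "ingress"
  from_port         = 54545
  to_port           = 54545
  protocol          = "tcp"
  self              = true
  security_group_id = aws_security_group.allow_ssh_and_bacalhau.id
}

# Explicit equivalent for clients that live in a different group (placeholder
# group bacalhau_clients): name that group as the source instead of self.
# resource "aws_security_group_rule" "ingress_bacalhau_from_clients" {
#   type                     = "ingress"
#   from_port                = 54545
#   to_port                  = 54545
#   protocol                 = "tcp"
#   source_security_group_id = aws_security_group.bacalhau_clients.id
#   security_group_id        = aws_security_group.allow_ssh_and_bacalhau.id
# }

# Every instance that must talk to the service carries the group. Being in
# the VPC is not enough; the group must be in vpc_security_group_ids.
resource "aws_instance" "bacalhau" {
  count                  = 3
  ami                    = var.ami_id             # placeholder
  instance_type          = "t3.micro"
  subnet_id              = aws_subnet.bacalhau.id # placeholder
  vpc_security_group_ids = [aws_security_group.allow_ssh_and_bacalhau.id]
}
```

To verify the rule from a member instance, name the port explicitly (an added check, not from the question): nmap -p 54545 -Pn <host>. Nmap's default scan covers only its 1000 most common ports, and 54545 is not one of them, so a default scan will not list the service even when it is reachable. Read the state column carefully: a port the security group drops is reported as filtered (no reply at all), while closed means the host answered with a RST, which tells you the group passed the packet and nothing is listening on that port. If the port is closed from the network but reachable over 127.0.0.1, check what address the service binds with ss -ltnp on the target.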
