
AWS EC2 - multiple (public / private) network interfaces

AWS newbie here. I'm trying to create a stack with multiple EC2 nodes, each of which should have two network interfaces.

One interface should be public and connected to the Internet, the other interface should be private. The interfaces should belong to different subnets so they can be routed independently (data plane / control plane).

Here is what I've tried in CloudFormation:

Resources:
[.....]
  Host1:
    Type: 'AWS::EC2::Instance'
    Properties:
      ImageId: 'ami-02541b8af977f6cdd' # Amazon Linux x86
      InstanceType: 't2.micro'
      KeyName: !Ref KeyName
      NetworkInterfaces:
      - SubnetId: !Ref SubnetPublic
        AssociatePublicIpAddress: true
        DeleteOnTermination: true
        DeviceIndex: '0'
        GroupSet:
        - !Ref SecurityGroup
      - SubnetId: !Ref SubnetPrivate
        AssociatePublicIpAddress: false
        DeleteOnTermination: true
        DeviceIndex: '1'
        GroupSet:
        - !Ref SecurityGroup

This, however, results in an error:

The associatePublicIPAddress parameter cannot be specified when launching with multiple network interfaces.

Full YAML file available here: https://gist.github.com/kmansoft/39f7be10553195f41b8201e5638073f2

How can I resolve this?

I'm not at all a CloudFormation guy, but I think I see a problem here. There is just one instance being specified, correct? But you're specifying two subnets. An instance can only be in one subnet.

All instances, regardless of whether they are in a public or private subnet, will have a private IP address. If they are in a public subnet, they will also have a public IP. However, the public IP will not be visible at the O/S level, i.e., not visible via ifconfig or ip. The public IP is handled by AWS at the network level, out of sight of you or the O/S.

So, first design a VPC, and the VPC will have both public and private subnets. Any instance launched in a private subnet will automatically only get a private IP address. An instance launched in a public subnet will automatically be assigned a private IP address and a public IP address. Further, for your public IP addresses, if you wish, you can assign an Elastic IP, which will allow you to have a static public IP address. If you don't have an Elastic IP assigned, then every time the instance is stopped/started, it will get a new public IP address, though the private IP address will remain static.

Finally, an instance in the public subnet will, as previously mentioned, have both a public and a private IP address. So, if you're copying files from one instance to another in the same VPC, just use the private IP address. To service, for example, web traffic from the Internet, you can use the public IP address. Lastly, you can enhance security by defining that all incoming SSH traffic must come in on the private IP address. That way, you'll either need to be in your local office (which presumably has a point-to-point VPN) or you must start a VPN to log in to an instance via SSH.

How all this translates to CloudFormation, I have no idea.

Got things to work.

The trick was to only specify one network interface in the EC2 Instance - then it's possible to set AssociatePublicIpAddress: true - and add the second network interface separately.

Resources:
[...]
  Host1:
    Type: 'AWS::EC2::Instance'
    Properties:
      ImageId: 'ami-02541b8af977f6cdd' # Amazon Linux x86
      InstanceType: 't2.micro'
      AvailabilityZone:  !Select [0, !GetAZs '']
      KeyName: !Ref KeyName
      NetworkInterfaces:
      - SubnetId: !Ref SubnetPublic
        AssociatePublicIpAddress: true
        DeleteOnTermination: true
        DeviceIndex: '0'
        GroupSet:
        - !Ref SecurityGroup
      Tags:
      - Key: Name
        Value: 'simple - host1'
  Host1Eth1:
    Type: 'AWS::EC2::NetworkInterface'
    Properties:
      SubnetId: !Ref SubnetPrivate
      GroupSet:
      - !Ref SecurityGroup
      Tags:
      - Key: Name
        Value: 'simple - host1 eth1'
  Host1Eth1Attachment:
    Type: 'AWS::EC2::NetworkInterfaceAttachment'
    Properties:
      DeleteOnTermination: true
      DeviceIndex: 1
      NetworkInterfaceId: !Ref Host1Eth1
      InstanceId: !Ref Host1

In my config, eth0 is allocated from 30.0.1.0/24, and eth1 is allocated from 30.0.2.0/24.

Here is the routing table right after the Instance is created:

default via 30.0.1.1 dev eth0 
default via 30.0.2.1 dev eth1 metric 10001 
30.0.1.0/24 dev eth0 proto kernel scope link src 30.0.1.145 
30.0.2.0/24 dev eth1 proto kernel scope link src 30.0.2.251 
169.254.169.254 dev eth0 

This is pretty close to what I need, it just needs to be tweaked a little bit with an Instance UserData.

Full YAML script: https://gist.github.com/kmansoft/c490e7958b8ff8f1d2eb14a6cd115f08
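An added example, not part of the question or either answer above, that carries the working two-ENI layout one step further in the direction the first answer recommends (SSH only via the private address). Two things the accepted template leaves open: it attaches the same SecurityGroup to both interfaces, so anything that group permits (SSH included) is reachable on the public ENI as well; and, as the routing table shows, both default routes sit in the main table with eth0 preferred, so a reply to a connection that arrived on eth1 from outside 30.0.2.0/24 would leave via eth0 carrying eth1's source address, which the EC2 source/destination check on eth0 drops. The fragment below gives each ENI its own security group and adds a UserData script that installs source-based policy routing for eth1. Assumptions: the resource names SecurityGroupPublic, SecurityGroupPrivate, AdminCidr and VPC are hypothetical and need to match the rest of your stack; the private subnet is 30.0.2.0/24 with gateway 30.0.2.1 and the interface is named eth1, as in the answer's output; the AMI does not already install its own per-interface routing (Amazon Linux's ec2-net-utils may, in which case the commands are idempotent and coexist with it).

```yaml
# Added example (not from the original Q&A). Hypothetical names: VPC,
# AdminCidr, SecurityGroupPublic, SecurityGroupPrivate. Addressing assumed
# from the answer above: eth1 in 30.0.2.0/24 via 30.0.2.1.
Parameters:
  AdminCidr:
    Type: String
    Description: 'CIDR allowed to SSH in via the private ENI (office/VPN range)'
Resources:
  SecurityGroupPublic:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: 'data plane: HTTPS from the Internet, nothing else'
      VpcId: !Ref VPC
      SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 443
        ToPort: 443
        CidrIp: '0.0.0.0/0'
  SecurityGroupPrivate:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: 'control plane: SSH from the admin range only'
      VpcId: !Ref VPC
      SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 22
        ToPort: 22
        CidrIp: !Ref AdminCidr
  Host1:
    Type: 'AWS::EC2::Instance'
    Properties:
      ImageId: 'ami-02541b8af977f6cdd' # Amazon Linux x86
      InstanceType: 't2.micro'
      AvailabilityZone: !Select [0, !GetAZs '']
      KeyName: !Ref KeyName
      NetworkInterfaces:
      - SubnetId: !Ref SubnetPublic
        AssociatePublicIpAddress: true
        DeleteOnTermination: true
        DeviceIndex: '0'
        GroupSet:
        - !Ref SecurityGroupPublic      # public ENI: data plane group only
      UserData:
        Fn::Base64: |
          #!/bin/bash -e
          # Source-based policy routing for eth1 (assumed interface name).
          # Replies to traffic that arrived on eth1 must leave via eth1;
          # with both defaults in the main table they would pick eth0.
          PRIV_CIDR=30.0.2.0/24   # assumed private subnet
          PRIV_GW=30.0.2.1        # assumed private subnet gateway
          # Host1Eth1 is attached after launch, so wait for its address.
          ADDR=""
          for _ in $(seq 1 90); do
            ADDR=$(ip -4 -o addr show dev eth1 2>/dev/null | awk '{print $4}' | cut -d/ -f1)
            [ -n "$ADDR" ] && break
            sleep 2
          done
          [ -n "$ADDR" ] || { echo "eth1 never got an address" >&2; exit 1; }
          # Dedicated table; the replace/add commands are safe to re-run.
          grep -q ' eth1$' /etc/iproute2/rt_tables || echo '101 eth1' >> /etc/iproute2/rt_tables
          ip route replace "$PRIV_CIDR" dev eth1 src "$ADDR" table eth1
          ip route replace default via "$PRIV_GW" dev eth1 table eth1
          ip rule show | grep -q "from $ADDR lookup eth1" \
            || ip rule add from "$ADDR" lookup eth1 priority 100
  Host1Eth1:
    Type: 'AWS::EC2::NetworkInterface'
    Properties:
      SubnetId: !Ref SubnetPrivate
      GroupSet:
      - !Ref SecurityGroupPrivate     # private ENI: control plane group only
  Host1Eth1Attachment:
    Type: 'AWS::EC2::NetworkInterfaceAttachment'
    Properties:
      DeleteOnTermination: true
      DeviceIndex: 1
      NetworkInterfaceId: !Ref Host1Eth1
      InstanceId: !Ref Host1
```

Security groups are evaluated per ENI, so with this split a port 22 probe against the public IP is refused at the network level before it reaches sshd, while the 169.254.169.254 metadata route and the eth0 default for outbound traffic are left untouched. To check the policy routing after boot, run ip rule show and ip route show table eth1 on the instance: the rule should list eth1's address and the table should hold only the subnet route and the eth1 default.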
