
AWS - Connecting an ec2 instance with a private ip and an ec2 instance with a public ip in the same public subnet?

I would appreciate any help on the following scenario in AWS:

Instance 1: I have a public subnet which has an internet facing web server. So basically an ec2 instance with a public ipv4 address and port 443 open to all.

Instance 2: I want to spin up an ec2 instance with a private ipv4 address in the same subnet and be able to communicate with the ec2 instance of the web server.

Question: Is this communication possible?

What I have tried so far: I noticed that Instance 2 with a private ipv4 cannot communicate with Instance 1. But it can if it has a public ipv4 address. As far as I know this is happening via the internet.

My original design: Instance 2 was spun up in its own private subnet and had its own security group to communicate with Instance 1 in its public subnet. Which is a better design in this scenario? Having them in the same public subnet or separating them out in public and private subnets?

Background: Instance 1 hosts a web server and Instance 2 is a worker. Workers are added on demand by the server.

Instance 2 should be able to communicate with instance 1 in the same subnet without needing to have a public IP. Instance 1, even though a public EC2, should also have a private IP.

You should be able to communicate from instance 2 using that IP and it will not use the internet to communicate but rather the private VPC network. Just make sure you open the port you are using to communicate in the security group of instance 2.

All Amazon EC2 instances are assigned a private IP address and can communicate with other instances in the same VPC.

If you want the two instances to communicate, you will need to configure the security groups to allow communication. I would recommend:

  • A security group on the web server ( Web-SG ) that permits Inbound access on port 80 from anywhere ( 0.0.0.0/0 ) and allows all Outbound access
  • A security group on the private instance ( Private-SG ) that allows all Outbound access
  • The private instance should communicate with the web server via its private IP address

Please note that if the private instance does not have a public IP address then you will not be able to connect to that instance (SSH/RDP). You could use AWS Systems Manager Session Manager to login, but that would also require either a public IP address or the use of a NAT Gateway (with the private instance launched in a private subnet).

Correct use of Security Groups can be just as secure as using private subnets. You do not need to use private subnets to maintain security.
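As an added illustration (not part of either answer, and not AWS code), the following model reproduces the behaviour both answers rely on: traffic to a VPC-local address stays on the VPC network and only needs a matching inbound rule on the destination's security group, whereas traffic to the instance's public address is routed to the internet gateway, which a source without a public IP cannot use. The VPC CIDR, IP addresses and instance names are constructed sample values.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

VPC_CIDR = ip_network("10.0.0.0/16")              # constructed sample VPC

@dataclass
class SecurityGroup:
    name: str
    inbound: list = field(default_factory=list)   # (port, CIDR string or SG name)
    outbound_all: bool = True                     # "allow all Outbound access"

@dataclass
class Instance:
    name: str
    sg: SecurityGroup
    private_ip: str
    public_ip: Optional[str] = None

def inbound_allowed(dst, port, src, src_addr):
    """Does dst's security group accept this connection? Groups are stateful,
    so the reply needs no separate outbound rule on dst."""
    for rule_port, source in dst.sg.inbound:
        if rule_port != port:
            continue
        if "/" in source:                         # CIDR rule: match the address dst sees
            if ip_address(src_addr) in ip_network(source):
                return True
        elif source == src.sg.name and src_addr == src.private_ip:
            return True                           # SG reference matches private-IP traffic only
    return False

def can_connect(src, dst, dst_addr, port):
    """Return (reachable, reason) for a TCP connection from src to dst_addr:port."""
    if not src.sg.outbound_all:
        return False, "source SG blocks outbound"
    if ip_address(dst_addr) in VPC_CIDR:          # private address: stays inside the VPC
        src_addr, path = src.private_ip, "vpc"
    elif src.public_ip is None:                   # public address: needs the internet gateway
        return False, "source has no public IP, cannot reach the internet gateway"
    else:
        src_addr, path = src.public_ip, "igw"     # hairpins through the IGW as the public IP
    if not inbound_allowed(dst, port, src, src_addr):
        return False, f"{dst.sg.name} has no inbound rule for port {port} from {src_addr}"
    return True, f"allowed over {path}"

# constructed topology matching the question: Web-SG opens 443 to all, Private-SG has no inbound rules
web_sg = SecurityGroup("Web-SG", inbound=[(443, "0.0.0.0/0")])
priv_sg = SecurityGroup("Private-SG")
web = Instance("instance-1", web_sg, "10.0.1.10", public_ip="203.0.113.10")
worker = Instance("instance-2", priv_sg, "10.0.1.20")
```

Calling `can_connect(worker, web, web.private_ip, 443)` succeeds over the VPC network, while `can_connect(worker, web, web.public_ip, 443)` fails exactly as the questioner observed.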
