堆栈内存溢出
  简体   繁体   English

ETL 实例应该在私有的还是公共的 su.net 中?

[英]Is an ETL instance supposed to be in private or public subnet?

 原文  2022-12-11 18:20:33       amazon-web-services/ networking/ cloud/ etl

问题描述

I am currently working on a ETL tool at work (python & bash scripts managed with Airflow basically) and I am asking myself wether I should put my EC2 instance which will run the ETL in a public or private su.net.我目前正在使用 ETL 工具(python 和 bash 脚本基本上由 Airflow 管理),我问自己是否应该将我的 EC2 实例放在公共或私有 su.net 中运行 ETL。 My instance should have acces to the inte.net to retrieve data (basically ssh through on-premises instances we have) and should also be able to be accesses through SSH.我的实例应该可以访问 inte.net 以检索数据(基本上是 ssh 通过我们拥有的本地实例)并且也应该能够通过 SSH 进行访问。

However, I don't know if allowing outbound connection to the inte.net and restrict inbound connection to SSH is enough about security or if I should put the instance in a private su.net and tweaking things to be able to connect to it.但是,我不知道是否允许出站连接到 inte.net 并限制入站连接到 SSH 是否足够安全,或者我是否应该将实例放在私有 su.net 中并调整一些东西以便能够连接到它。

2 个解决方案

解决方案1
 2 已采纳  2022-12-11 19:31:18

Your ETL instance should be in a private su.net behind a NAT instance.您的 ETL 实例应该位于 NAT 实例后面的私有 su.net 中。 NAT gateway will give your EC2 private.network inte.net connectivity but still ensure that your EC2 instances are not accessible from the inte.net. NAT 网关将为您的 EC2 private.network inte.net 提供连接,但仍确保您的 EC2 实例无法从 inte.net 访问。 So in order to allow access to inte.net it has to route traffic through public.network which has a Inte.net gateway attached.因此,为了允许访问 inte.net,它必须通过连接了 Inte.net 网关的 public.network 路由流量。 You should put your EC2 instance in a private su.net to prevent hackers from gaining access and stealing your data.您应该将您的 EC2 实例放在一个私有的 su.net 中,以防止黑客获得访问权限和窃取您的数据。

You can learn how to setup NAT gateway here https://aws.amazon.com/premiumsupport/knowledge-center/nat-gateway-vpc-private-su.net/您可以在此处了解如何设置 NAT 网关https://aws.amazon.com/premiumsupport/knowledge-center/nat-gateway-vpc-private-su.net/

解决方案2
 2  2022-12-11 19:33:09

As the main purpose of your instance is not to deliver a public service, it'd be more secure in a private su.net and go through a NAT gateway to fetch data from the Inte.net.由于您的实例的主要目的不是提供公共服务,因此在私有 su.net 和 go 中通过 NAT 网关从 Inte.net 获取数据会更安全。

That being said a NAT gateway is expensive, so a common pattern is to use a public su.net/ through an Inte.net gateway with a deny rule for any incoming traffic.话虽如此,NAT 网关很昂贵,因此一种常见的模式是通过 Inte.net 网关使用公共 su.net/,并对任何传入流量使用拒绝规则。 If you don't want your instance exposed to ddos, don't even open ssh and use AWS systems manager to ssh your instance.如果您不希望您的实例暴露于 ddos,甚至不要打开 ssh 并使用 AWS 系统管理器来 ssh 您的实例。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 将 RDS Aurora 实例从私有迁移到公共 su.net - Move RDS Aurora Instance from private to public subnet 从公共 su.net 连接到私有 su.net - Connecting from public subnet to private subnet AWS:SSH 通过 NAT 网关从公共 su.net EC2 实例到私有 su.net EC2 实例没有发生 - AWS : SSH to private subnet EC2 instance from public subnet EC2 instance via NAT GATEWAY is not happening AWS - vpc:从公有子网访问私有子网 - AWS - vpc: private subnet access from public subnet 我们可以将私有 su.net lambda 连接到公共 su.net 中的资源吗? - Can we connect private subnet lambda to resources in public subnet? AWS VPC 识别私有和公共 su.net - AWS VPC identify private and public subnet 我想使用 terraform 在 GCP 中创建公共和私有 Su.net - I want to create Public and Private Subnet in GCP using terraform cdk/cloudformation 如何理解哪个 su.net 是私有的还是公共的? - How cdk/cloudformation understand which subnet is PRIVATE OR PUBLIC? 私有 su.net 中的 lambda 如何访问公共 su.net 中的 EC2? - How can a lambda inside a private subnet access EC2 in a public subnet? 在 AWS 中,为什么我们将 RDS 实例保留在 Private su.net 中? - In AWS, why do we keep RDS instance in Private subnet?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM