简体繁体 English

为什么数据库安全组中的CIDR / IP可能与实例弹性IP不同？

[英]Why might the CIDR/IP in DB security group be different from instance elastic IP?

原文 2012-05-03 15:03:41 1 1 amazon-ec2/ amazon-web-services/ amazon-rds

I have an EC2 instance, which is able to connect to my RDS instance, yet its elastic IP does not appear in the DB security group of whitelisted IP's. 我有一个EC2实例，它可以连接到我的RDS实例，但其弹性IP不会出现在列入白名单的IP的数据库安全组中。

How might this be? 这怎么可能？

I ask because I have created a new instance, which I also want to whitelist and just entering its elastic IP does not seem like the way to do things since none of the other servers have their elastic IP listed. 我问，因为我已经创建了一个新实例，我也希望将其列入白名单，只是输入其弹性IP似乎不是处理事情的方式，因为其他服务器都没有列出其弹性IP。

Thanks in advance, 提前致谢，

1 个解决方案

There might be two causes here: 这里可能有两个原因：

Traffic Sources 流量来源

Security Group Rules do not necessarily specify IP addresses as traffic sources alone, rather regularly will refer to other security groups as well: 安全组规则不一定仅将IP地址指定为流量源，而是定期引用其他安全组：

The source can be an individual IP address (203.0.113.1), a range of addresses (eg, 203.0.113.0/24), or an EC2 security group . 源可以是单独的IP地址（203.0.113.1），一系列地址（例如，203.0.113.0 / 24） 或EC2安全组 。 The security group can be another group in your AWS account, a group in another AWS account, or the security group itself. 安全组可以是您的AWS账户中的另一个组，另一个AWS账户中的组或安全组本身。

By specifying a security group as the source, you allow incoming traffic from all instances that belong to the source security group . 通过将安全组指定为源， 您可以允许来自属于源安全组的所有实例的传入流量 。 [...] You might specify another security group in your account if you're creating a three-tier web service (see Creating a Three-Tier Web Service). [...]如果要创建三层Web服务，则可以在帐户中指定另一个安全组（请参阅创建三层Web服务）。

[emphasis mine] [强调我的]

Consequently, the DB security group of your Amazon RDS instance might refer to the EC2 security group used for your Amazon EC2 instance, implying respective access rights already. 因此，您的Amazon RDS实例的数据库安全组可能会引用用于您的Amazon EC2实例的EC2安全组，这意味着已经存在相应的访问权限。 See my answer to AWS - Configuring access to EC2 instance from Beanstalk App for more details regarding this concept/approach. 请参阅我对AWS的回答- 从Beanstalk App配置对EC2实例的访问，以获取有关此概念/方法的更多详细信息。

Public vs. Private IP Addresses 公共IP地址与私有IP地址

You might see the effect of a little known, but nonetheless important and quite helpful feature of the AWS DNS infrastructure, see section Public and Private Addresses on page Using Instance IP Addresses : 您可能会看到AWS DNS基础架构的一个鲜为人知但又重要且非常有用的功能的影响，请参阅使用实例IP地址的页面上的公共和私有地址部分：

Amazon EC2 also provides an internal DNS name and a public DNS name that map to the private and public IP addresses respectively. Amazon EC2还提供内部DNS名称和公共DNS名称，分别映射到专用和公用IP地址。 The internal DNS name can only be resolved within Amazon EC2. 内部DNS名称只能在Amazon EC2中解析。 The public DNS name resolves to the public IP address outside the Amazon EC2 network and the private IP address within the Amazon EC2 network . 公共DNS名称解析为Amazon EC2网络外部的公共IP地址和Amazon EC2网络内的专用IP地址 。 [emphasis mine] [强调我的]

That is, it's resolving the public DNS (eg ec2-xxx-xxx-xxx-xxx.compute-1.amazonaws.com) to the private IP address when you are using it inside the Amazon EC2 network, and to the public or elastic IP address when using it outside the Amazon EC2 network. 也就是说，当您在Amazon EC2网络内部使用公共DNS（例如ec2-xxx-xxx-xxx-xxx.compute-1.amazonaws.com）时，将其解析为私有IP地址，以及公共DNS或弹性在Amazon EC2网络外部使用时的IP地址。

Accordingly, the various AWS products are usually wired up between each other by means of their private IP Addresses rather than external ones for a variety of reasons, most importantly network speed and cost (see my answer to AWS EC2 Elastic IPs bandwidth usage and charges for details). 因此，由于各种原因，各种AWS产品通常通过其私有IP地址而非外部IP地址相互连接，最重要的是网络速度和成本（请参阅我对AWS EC2弹性IP带宽使用和费用的回答）细节）。

Consequently, the DB security group of your Amazon RDS instance might refer to the private IP address of your Amazon EC2 instance, implying respective access rights accordingly. 因此，Amazon RDS实例的数据库安全组可能会引用您的Amazon EC2实例的私有IP地址，从而相应地暗示相应的访问权限。