stackoom
  简体   繁体   中英

AWS Ec2 Access which is private VPC

 原文  2021-03-28 23:07:26       amazon-web-services/ amazon-ec2/ amazon-vpc

Question

This is more of an architectural question rather than coding issue. Please pardon me if I am in wrong place I have an Ec2 instance running in private VPC where we in future are going to deploy PII data and by no mean we can have internet access to it. However We need to install ETL tool in docker(Airflow, docker, nifi, python etc) and ofcourse need to ssh into from my local company vpc.

There is two approach as far as I think is

    1. To create an another EC2 in public subnet and install all our tool there 
       and call the VPC EC2 from this one. 
       So that I can move the PII data to S3 through private Endpoint.
    
    Cons: Does not it still raise the security concern as the EC2(ETL) is still
    in internet where from one can access the PII data in second ec2.

Another Option

2. To create the Ec2 in public and install all tools and then 
    finally change it into private VPC.
    Cons: in case if tool crash or there is any change needed then will have to 
    move it back to public which again does not look proper way of handling it.

I tried to search internet to get any tutorial or training about it. But cannot find it.

Any suggestion will be highly appreciated.

2 answers

solution1
 2 ACCPTED  2021-03-28 23:18:40

You don't need to use internet at all if you don't want. I assume that by no internet access you mean that this is two ways - no access from the internet to the instance, nor the instance can connect internet at all (ie no NAT or any other proxy).

There are a couple of ways of doing this. One way is as follows:

  1. Prepare custom AMI with per-installed all packages and software that you require.
  2. Create private VPC without any public subnets.
  3. Add VPC interface endpoints to the VPC for S3, AWS System Manager, ECR (to store your private docker images) and other AWS services you may require, eg KMS.
  4. Launch your instance from the custom AMI in the private VPC.
  5. Use SSM Session Manager to "ssh" to the instance without any internet access.

solution2
 0  2021-03-28 23:14:05

I think both approaches are inherently sub-optimal

If all you're trying to do is avoid exposing your compute instances to the internet, and your setup is docker based, simply setup your own docker repository, either using ECS or Sonatype Nexus (on another server), upload your docker images there and have that node use that ECS/Nexus as its docker registry.

That way, your enjoying free access to all resources exposed as docker images while maintaining security compliance.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Access a second EC2 instance in AWS VPC SSH'ing into AWS EC2 Instance located in Private Subnet in a VPC AWS - Cannot ping EC2 instance on private subnet in VPC Not able to access EC2 instance in same VPC via private IP AWS EC2 Default VPC access from CLI Tools aws ec2 instances in different vpc subnets access each other AWS VPC - Cannot SSH from Bastion Host in private subnet to EC2 instance in the same VPC in a different subnet How to connect a webpage behind a AWS EC2 instance in a private subnet in a AWS VPC How to connect to EC2 in private VPC? AWS EC2 (AWS Linux) how I access a private instance
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM