
Terraform: Why AWS NAT Gateway conflicts with Egress Only Internet Gateway

I have both IPv4 and IPv6, and I am trying to manage the routing of my private subnets.

Once a NAT gateway is attached to a route table, it does not let me attach the Egress gateway to the same route table, and gives me an error:

An interface that is part of a NAT gateway cannot be the next hop for an IPv6 destination CIDR block or IPv6 prefix list

However, if I attach it manually in the AWS console, there is no problem.

Manual attachment works as expected

Maybe I am missing some information? I know that NAT applies only to IPv4 and Egress only to IPv6. Can someone guide me? If NAT is incompatible with the Egress Only Gateway, why does it let me attach them through the AWS console but not with Terraform?

This is my simple Terraform:

# Input variables referenced below (their declarations were not shown in the
# original post; the types are assumed)
variable "vpc_id"         { type = string }
variable "zones"          { type = list(string) }
variable "public_subnet"  { type = list(string) }
variable "private_subnet" { type = list(string) }

# One Elastic IP per private subnet, consumed by the NAT gateways
resource "aws_eip" "neip" {
  count = length(var.private_subnet)
  vpc   = true
}

# One NAT gateway per private subnet, placed in the matching public subnet (IPv4 only)
resource "aws_nat_gateway" "nat" {
  count         = length(var.private_subnet)
  subnet_id     = element(var.public_subnet, count.index)
  allocation_id = element(aws_eip.neip.*.id, count.index)
}

# A single egress-only internet gateway for the VPC (outbound-only IPv6)
resource "aws_egress_only_internet_gateway" "egw" {
  count  = length(var.zones) > 0 ? 1 : 0
  vpc_id = var.vpc_id
}

# One route table per private subnet
resource "aws_route_table" "route" {
  count  = length(var.private_subnet)
  vpc_id = var.vpc_id
}

# IPv4 default route via the NAT gateway of the same index
resource "aws_route" "ipv4" {
  count                  = length(aws_route_table.route)
  depends_on             = [aws_route_table.route]
  route_table_id         = aws_route_table.route[count.index].id
  nat_gateway_id         = element(aws_nat_gateway.nat.*.id, count.index)
  destination_cidr_block = "0.0.0.0/0"
}

# IPv6 default route via the egress-only gateway; element() wraps around,
# so the single gateway serves every route table
resource "aws_route" "ipv6" {
  count                       = length(aws_route_table.route)
  depends_on                  = [aws_route_table.route]
  route_table_id              = aws_route_table.route[count.index].id
  egress_only_gateway_id      = element(aws_egress_only_internet_gateway.egw.*.id, count.index)
  destination_ipv6_cidr_block = "::/0"
}

# Attach each route table to its private subnet
resource "aws_route_table_association" "route" {
  count          = length(aws_route_table.route)
  subnet_id      = var.private_subnet[count.index]
  route_table_id = aws_route_table.route[count.index].id
}

The Terraform script has no errors

I tried to reproduce your issue, but for me it works as expected. Maybe there is still some "typo" in the code you provided here, so it is hard to see why it does not work for you.

Anyway, this is the code I used to mimic your setup, although I had to create large parts of it myself because they are not shown in your code (e.g. the VPC setup is entirely missing, as are the internet gateway and the public subnets).

The code below works, and I cannot replicate your issue. The route tables work as expected:


data "aws_availability_zones" "available" {}

resource "aws_vpc" "vpc" {
    cidr_block = "10.0.0.0/16"
    enable_dns_hostnames = true
    assign_generated_ipv6_cidr_block = true
    tags = {
        Name = "testvpc"
    }
}

variable "private_cidrs" {
    default = ["10.0.2.0/24", "10.0.3.0/24"]
}

variable "public_cidrs" {
    default = ["10.0.0.0/24", "10.0.1.0/24"]
}

resource "aws_subnet" "public_subnet" {

    count = length(var.public_cidrs)

    cidr_block = var.public_cidrs[count.index]
    vpc_id = aws_vpc.vpc.id
    availability_zone = data.aws_availability_zones.available.names[count.index]
    tags = {
        Name = "public${count.index}"
    }
}

resource "aws_subnet" "private_subnet" {

    count = length(var.private_cidrs)

    cidr_block = var.private_cidrs[count.index]
    vpc_id = aws_vpc.vpc.id
    availability_zone = data.aws_availability_zones.available.names[count.index]
    tags = {
        Name = "private${count.index}"
    }
}

resource "aws_eip" "neip"  {
   count = length(var.private_cidrs) 
   vpc   = true
}

resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.vpc.id

  tags = {
    Name = "main"
  }
}

resource "aws_nat_gateway" "nat" {
   count         = length(var.private_cidrs) 
   subnet_id     = element(aws_subnet.public_subnet.*.id, count.index)
   allocation_id = element(aws_eip.neip.*.id, count.index)
   
   depends_on    = [aws_internet_gateway.igw]
}

resource "aws_egress_only_internet_gateway"  "egw"  {
   #count  = length(var.private_cidrs) 
   vpc_id = aws_vpc.vpc.id
}

# routes for public subnets

resource "aws_route_table" "public_route" {
   count = length(var.public_cidrs) 
   vpc_id = aws_vpc.vpc.id
}

resource "aws_route" "public_ipv4" {
   count           = length(aws_route_table.public_route) 
   route_table_id  = aws_route_table.public_route[count.index].id
   gateway_id  = aws_internet_gateway.igw.id
   destination_cidr_block = "0.0.0.0/0"
}

resource "aws_route" "ipv6_public"  {
   count                   = length(aws_route_table.public_route) 
   route_table_id          = aws_route_table.public_route[count.index].id
   egress_only_gateway_id  = aws_egress_only_internet_gateway.egw.id
   destination_ipv6_cidr_block = "::/0"
}

resource "aws_route_table_association" "public_route" {
   count          = length(aws_route_table.public_route) 
   subnet_id      = aws_subnet.public_subnet[count.index].id
   route_table_id = aws_route_table.public_route[count.index].id
}

# routes for private subnets

resource "aws_route_table" "route" {
   count = length(var.private_cidrs) 
   vpc_id = aws_vpc.vpc.id
}

resource "aws_route" "ipv4" {
   count           = length(aws_route_table.route) 
   route_table_id  = aws_route_table.route[count.index].id
   nat_gateway_id  = aws_nat_gateway.nat[count.index].id
   #nat_gateway_id  = aws_nat_gateway.nat.id
   destination_cidr_block = "0.0.0.0/0"
}

resource "aws_route" "ipv6"  {
   count                   = length(aws_route_table.route) 
   route_table_id          = aws_route_table.route[count.index].id
   egress_only_gateway_id  = aws_egress_only_internet_gateway.egw.id
   destination_ipv6_cidr_block = "::/0"
}

resource "aws_route_table_association" "route" {
   count          = length(aws_route_table.route) 
   subnet_id      = aws_subnet.private_subnet[count.index].id
   route_table_id = aws_route_table.route[count.index].id
}
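As an added example (not part of the question or the answer above): a small Python audit over route tables in the shape returned by EC2 describe-route-tables, checking the split this thread relies on, IPv4 default route to a NAT gateway and IPv6 default route to an egress-only internet gateway, and flagging a NAT gateway used as an IPv6 next hop (the combination AWS rejects) as well as an internet gateway on a private table (which makes the subnet reachable from the Internet). The sample tables, ids and CIDRs are constructed placeholders.

```python
# Added example (not from the question or answer): audit route-table dicts in the
# shape of EC2 describe-route-tables. All ids and CIDRs are constructed placeholders.

def next_hop(route):
    """Return the next-hop id of one route entry, whatever target type it uses."""
    for key in ("NatGatewayId", "EgressOnlyInternetGatewayId", "GatewayId", "NetworkInterfaceId",
                "InstanceId", "TransitGatewayId", "VpcPeeringConnectionId"):
        if route.get(key):
            return route[key]
    return ""

def classify_route(route):
    """Return a finding for a route that breaks the private-subnet model, else None."""
    dst4 = route.get("DestinationCidrBlock")
    dst6 = route.get("DestinationIpv6CidrBlock")
    hop = next_hop(route)
    if dst6 and hop.startswith("nat-"):  # NAT gateways are IPv4-only (the error in the question)
        return f"{dst6} via {hop}: a NAT gateway cannot be the next hop for an IPv6 destination"
    if dst6 == "::/0":
        if hop.startswith("igw-"):
            return f"{dst6} via {hop}: an internet gateway makes the subnet reachable from the Internet over IPv6"
        if not hop.startswith("eigw-"):
            return f"{dst6} via {hop or 'nothing'}: expected an egress-only internet gateway (eigw-*)"
    if dst4 == "0.0.0.0/0":
        if hop.startswith("igw-"):
            return f"{dst4} via {hop}: an internet gateway makes the subnet public; a private subnet should use a NAT gateway"
        if not hop.startswith("nat-"):
            return f"{dst4} via {hop or 'nothing'}: expected a NAT gateway (nat-*)"
    return None  # local routes and non-default routes are fine here

def audit_private_route_table(table):
    """Return the findings for one route table dict (an empty list means compliant)."""
    return [f for f in (classify_route(r) for r in table.get("Routes", [])) if f]

# Constructed sample: the layout the answer builds (NAT for IPv4, EIGW for IPv6).
GOOD_TABLE = {"RouteTableId": "rtb-0000000000000001", "Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
    {"DestinationIpv6CidrBlock": "2001:db8:1234::/56", "GatewayId": "local"},
    {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0000000000000002"},
    {"DestinationIpv6CidrBlock": "::/0", "EgressOnlyInternetGatewayId": "eigw-0000000000000003"},
]}

# Constructed sample: IPv4 default sent to an internet gateway (the subnet is really public)
# and the IPv6 default pointed at the NAT gateway (the combination AWS refuses).
BAD_TABLE = {"RouteTableId": "rtb-0000000000000004", "Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0000000000000005"},
    {"DestinationIpv6CidrBlock": "::/0", "NatGatewayId": "nat-0000000000000002"},
]}
```

Calling audit_private_route_table on each table returns an empty list for GOOD_TABLE and two findings for BAD_TABLE, one per bad default route.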
