
允许私有子网中的资源相互访问并出站访问 internet

  • diegoaguilar  · 技术社区  · 3 年前

    我有一个VPC

    • 1专有网络
    • 1个连接到VPC的专用子网
    • 1 NAT网关
    • 一个安全组，带有入站/出站规则，属于我的 VPC
    • 一个带有出站和入站规则的网络 ACL，关联到该 VPC 和子网

    我试图连接的资源包括:

    • 1 个 ElastiCache 集群，通过 aws_elasticache_subnet_group 关联到该子网
    • 1 个 CodeBuild 项目，其 VPC 配置指向同一个 VPC 和子网 ID
    • Fargate 任务已经通过所关联的公共子网访问 internet，但应通过私有子网与 ElastiCache 节点通信

    当我尝试运行 CodeBuild 时，它无法连接到 S3 下载构建源代码。在给构建项目（build project）加上 VPC 配置之前并没有这个问题。换句话说，如果我从 CodeBuild 项目中删除 VPC 和子网配置，它立刻就能工作，但我需要这个网络配置。

    特别是,我得到的错误是:

    dial tcp 52.216.129.171:443: i/o timeout for primary source and source version arn:aws:s3:::blog-us-setup/blog-us-pipe/source_out/8ADWIXv"
    

    我还设置了其他配置,如:

    • 路由表
    • 路线
    • 路由表关联
    • 网络ACL

    到目前为止都没成功：连第一个关键资源都无法访问 internet，更无法确认它能否连到同一个 VPC 私有子网中的 ElastiCache 集群。

    这是我在terraform中的网络配置定义:

    # Private subnet for ElastiCache / CodeBuild. NOTE(review): no
    # availability_zone is set, so AWS picks one; the NAT gateway and the
    # ElastiCache subnet group are zonal, so pin it if that matters.
    resource "aws_subnet" "audible_blog_resources" {
      vpc_id     = "vpc-xxxxx"
      cidr_block = "10.0.2.0/24"
    }
    
    # Public IP the NAT gateway sources its traffic from.
    resource "aws_eip" "nat_eip" {
      vpc = true
    }
    
    # Route table for the private subnet; its routes are declared below.
    resource "aws_route_table" "private" {
      vpc_id = "vpc-xxxxx"
    }
    
    # BUG: the NAT gateway is placed in the very subnet whose route table
    # (aws_route.private_nat_gateway below) sends 0.0.0.0/0 back to this same
    # NAT gateway, so the gateway has no path to an internet gateway and nothing
    # behind it can reach the internet. A NAT gateway must sit in a subnet whose
    # 0.0.0.0/0 route points at an internet gateway.
    resource "aws_nat_gateway" "nat" {
      allocation_id = aws_eip.nat_eip.id
      subnet_id     = aws_subnet.audible_blog_resources.id
    }
    
    # Default route for the private subnet: everything outside the VPC goes
    # through the NAT gateway.
    resource "aws_route" "private_nat_gateway" {
      route_table_id         = aws_route_table.private.id
      destination_cidr_block = "0.0.0.0/0"
      nat_gateway_id         = aws_nat_gateway.nat.id
    }
    
    resource "aws_route_table_association" "private" {
      subnet_id      = aws_subnet.audible_blog_resources.id
      route_table_id = aws_route_table.private.id
    }
    
    
    # Security group for the Redis clients and the ElastiCache nodes. Security
    # groups are stateful, so replies to allowed traffic are permitted without
    # an explicit rule (unlike the network ACL below).
    resource "aws_security_group" "allow_redis_ingress" {
      name        = "allow_redis_ingress"
      description = "Allow Redis inbound traffic"
      vpc_id      = "vpc-xxxxx"
    
      # Redis (6379) only from the private subnet's own CIDR. NOTE(review): the
      # Fargate tasks are described as running in a public subnet, so they
      # would be denied by this source. Referencing the clients' security group
      # (security_groups = [...]) instead of a CIDR is the usual, tighter fix.
      ingress {
        description      = "Redis"
        from_port        = 6379
        to_port          = 6379
        protocol         = "tcp"
        cidr_blocks      = ["10.0.2.0/24"]
      }
    
      # Unrestricted egress; CodeBuild needs at least 443 to S3 via the NAT.
      egress {
        from_port        = 0
        to_port          = 0
        protocol         = "-1"
        cidr_blocks      = ["0.0.0.0/0"]
        ipv6_cidr_blocks = ["::/0"]
      }
    }
    
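    # Subnet-level filter for the private subnet. A network ACL is STATELESS:
    # unlike the security group it does not track connections, so the reply
    # half of every flow must be allowed explicitly in the opposite direction.
    resource "aws_network_acl" "main" {
      vpc_id     = "vpc-xxxxx"
      subnet_ids = [aws_subnet.audible_blog_resources.id]

      # Outbound: any TCP destination (S3 on 443, anything else via the NAT).
      egress {
        rule_no    = "200"
        protocol   = "tcp"
        action     = "allow"
        cidr_block = "0.0.0.0/0"
        from_port  = 0
        to_port    = 65535
      }

      # Inbound: Redis from this subnet's own CIDR. NOTE(review): traffic that
      # stays inside one subnet is not evaluated by that subnet's NACL, so this
      # rule only matters for clients in other subnets; a Fargate task in the
      # public subnet would need its subnet CIDR allowed here too — confirm.
      ingress {
        rule_no    = "100"
        protocol   = "tcp"
        action     = "allow"
        cidr_block = "10.0.2.0/24"
        from_port  = 6379
        to_port    = 6379
      }

      # Inbound: replies to connections this subnet opened (e.g. S3 :443 via
      # the NAT gateway). Without this rule the SYN leaves but the SYN-ACK is
      # dropped at the subnet boundary, which matches the
      # "dial tcp ...:443: i/o timeout" CodeBuild reports. 1024-65535 is the
      # ephemeral range AWS's NACL guidance uses (covers Linux, Windows and
      # the NAT gateway's own port range).
      ingress {
        rule_no    = "110"
        protocol   = "tcp"
        action     = "allow"
        cidr_block = "0.0.0.0/0"
        from_port  = 1024
        to_port    = 65535
      }
    }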
    
    # IDs/ARNs consumed by the CodeBuild, Fargate and ElastiCache definitions
    # (the subnet and security group they must be attached to).
    output "networking_details" {
      value = {
        subnet = {
          arn = aws_subnet.audible_blog_resources.arn
          id = aws_subnet.audible_blog_resources.id
        }
        security_group = {
          arn = aws_security_group.allow_redis_ingress.arn
          id = aws_security_group.allow_redis_ingress.id 
        }
      }
    }
    

    编辑 1

    添加了一个公共子网及其路由表，并把 NAT 网关移到了这个公共子网：

    # Edit 1: the private subnet, unchanged from the first version.
    resource "aws_subnet" "audible_blog_resources" {
      vpc_id     = "vpc-xxxxx"
      cidr_block = "10.0.2.0/24"
    }
    
    # New public subnet that hosts the NAT gateway. It is not listed in
    # aws_network_acl.main's subnet_ids, so it keeps the VPC's default NACL.
    resource "aws_subnet" "public" {
      vpc_id     = "vpc-xxxxx"
      cidr_block = "10.0.5.0/24"
    }
    
    # Public IP the NAT gateway sources its traffic from.
    resource "aws_eip" "nat_eip" {
      vpc = true
    }
    
    resource "aws_route_table" "private" {
      vpc_id = "vpc-xxxxx"
    }
    
    resource "aws_route_table" "public" {
      vpc_id = "vpc-xxxxx"
    }
    
    # NAT gateway now correctly placed in the public subnet. NOTE(review):
    # because the IGW below is a literal ID rather than a managed resource,
    # Terraform cannot order this gateway after the IGW attachment; fine while
    # the IGW pre-exists, but add depends_on if the IGW is ever managed here.
    resource "aws_nat_gateway" "nat" {
      allocation_id = aws_eip.nat_eip.id
      subnet_id     = aws_subnet.public.id
    }
    
    # "igw-igw-id" is a placeholder: it must be the ID of an internet gateway
    # that is actually attached to vpc-xxxxx. Without a real, attached IGW the
    # public subnet has no internet path and the NAT gateway cannot forward
    # anything.
    resource "aws_route" "public_to_internet" {
      route_table_id          = aws_route_table.public.id
      destination_cidr_block  = "0.0.0.0/0"
      gateway_id              = "igw-igw-id"
    }
    
    resource "aws_route_table_association" "public" {
      subnet_id      = aws_subnet.public.id
      route_table_id = aws_route_table.public.id
    }
    
    # Private subnet default route -> NAT gateway. Note that the NACL attached
    # to this subnet (aws_network_acl.main, below) only admits inbound TCP 6379
    # from 10.0.2.0/24, so replies to NAT-forwarded connections (S3 :443 etc.)
    # are still dropped at the subnet boundary; see that block.
    resource "aws_route" "private_nat_gateway" {
      route_table_id         = aws_route_table.private.id
      destination_cidr_block = "0.0.0.0/0"
      nat_gateway_id         = aws_nat_gateway.nat.id
    }
    
    resource "aws_route_table_association" "private" {
      subnet_id      = aws_subnet.audible_blog_resources.id
      route_table_id = aws_route_table.private.id
    }
    
    
    # Security group for the Redis clients and the ElastiCache nodes. Security
    # groups are stateful, so replies to allowed traffic are permitted without
    # an explicit rule (unlike the network ACL below).
    resource "aws_security_group" "allow_redis_ingress" {
      name        = "allow_redis_ingress"
      description = "Allow Redis inbound traffic"
      vpc_id      = "vpc-xxxxx"
    
      # Redis (6379) only from the private subnet's own CIDR. NOTE(review): the
      # Fargate tasks run in the public subnet (10.0.5.0/24 here), so they are
      # denied by this source. Referencing the clients' security group
      # (security_groups = [...]) instead of a CIDR is the usual, tighter fix.
      ingress {
        description      = "Redis"
        from_port        = 6379
        to_port          = 6379
        protocol         = "tcp"
        cidr_blocks      = ["10.0.2.0/24"]
      }
    
      # Unrestricted egress; CodeBuild needs at least 443 to S3 via the NAT.
      egress {
        from_port        = 0
        to_port          = 0
        protocol         = "-1"
        cidr_blocks      = ["0.0.0.0/0"]
        ipv6_cidr_blocks = ["::/0"]
      }
    }
    
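    # Subnet-level filter for the private subnet. A network ACL is STATELESS:
    # unlike the security group it does not track connections, so the reply
    # half of every flow must be allowed explicitly in the opposite direction.
    resource "aws_network_acl" "main" {
      vpc_id     = "vpc-xxxxx"
      subnet_ids = [aws_subnet.audible_blog_resources.id]

      # Outbound: any TCP destination (S3 on 443, anything else via the NAT).
      egress {
        rule_no    = "200"
        protocol   = "tcp"
        action     = "allow"
        cidr_block = "0.0.0.0/0"
        from_port  = 0
        to_port    = 65535
      }

      # Inbound: Redis from this subnet's own CIDR. NOTE(review): traffic that
      # stays inside one subnet is not evaluated by that subnet's NACL, so this
      # rule only matters for clients in other subnets; the Fargate tasks in
      # the public subnet (10.0.5.0/24) would need that CIDR allowed here too.
      ingress {
        rule_no    = "100"
        protocol   = "tcp"
        action     = "allow"
        cidr_block = "10.0.2.0/24"
        from_port  = 6379
        to_port    = 6379
      }

      # Inbound: replies to connections this subnet opened (e.g. S3 :443 via
      # the NAT gateway in the public subnet). Without this rule the SYN leaves
      # but the SYN-ACK is dropped at the subnet boundary, which matches the
      # "dial tcp ...:443: i/o timeout" CodeBuild reports even with the NAT
      # gateway correctly placed. 1024-65535 is the ephemeral range AWS's NACL
      # guidance uses (covers Linux, Windows and the NAT gateway's port range).
      ingress {
        rule_no    = "110"
        protocol   = "tcp"
        action     = "allow"
        cidr_block = "0.0.0.0/0"
        from_port  = 1024
        to_port    = 65535
      }
    }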
    
    # IDs/ARNs consumed by the CodeBuild, Fargate and ElastiCache definitions
    # (the subnet and security group they must be attached to).
    output "networking_details" {
      value = {
        subnet = {
          arn = aws_subnet.audible_blog_resources.arn
          id = aws_subnet.audible_blog_resources.id
        }
        security_group = {
          arn = aws_security_group.allow_redis_ingress.arn
          id = aws_security_group.allow_redis_ingress.id 
        }
      }
    }
    
  •   Marcin    3 年前

    你的VPC 设计不正确 :

    • 缺少公共子网和internet网关,
    • 没有公共子网到internet的路由表,
    • NAT放错地方了——它必须在公共子网中,而不是在私有子网中。

    下面是修改后的版本；安全组和 NACL 可能仍需进一步检查（我把 NACL 从代码中去掉了）。需要特别注意 NACL 是无状态的：你原来的 NACL 只放行了来自 10.0.2.0/24 的 6379 入站，没有放行 1024-65535 临时端口的入站，所以经 NAT 发出的连接（例如到 S3 的 443）的返回包会在子网边界被丢弃——即使把 NAT 移到公共子网，只要保留那个 NACL，大概率仍会看到同样的 i/o timeout。另外，CodeBuild 到 S3 的流量可以改走 S3 网关型 VPC 终端节点（aws_vpc_endpoint，vpc_endpoint_type = "Gateway"，挂到私有路由表），这样 S3 流量既不经过 NAT，也不离开 AWS 网络。

    # Fresh VPC with one public and one private subnet. "Public" vs "private"
    # is decided purely by the route tables declared further down, not by the
    # subnet resources themselves.
    resource "aws_vpc" "vpc" {
    
      cidr_block = "10.0.0.0/16"
    
    }
    # Public subnet: hosts the NAT gateway; its default route goes to the IGW.
    # NOTE(review): no availability_zone is pinned on either subnet — confirm
    # the NAT gateway and the ElastiCache subnet group land where you expect.
    resource "aws_subnet" "public" {
      vpc_id     = aws_vpc.vpc.id
      cidr_block = "10.0.1.0/24"
    }
    
    # Private subnet for ElastiCache / CodeBuild; its default route goes to the
    # NAT gateway, so nothing in it is directly reachable from the internet.
    resource "aws_subnet" "audible_blog_resources" {
      vpc_id     = aws_vpc.vpc.id
      cidr_block = "10.0.2.0/24"
    }
    
    # Internet gateway attached to the VPC; the only path to the internet.
    resource "aws_internet_gateway" "gw" {
      vpc_id = aws_vpc.vpc.id
    }
    
    # Elastic IP the NAT gateway sources its traffic from.
    resource "aws_eip" "nat_eip" {
      vpc = true
    }
    
    # Route tables; routes and subnet associations are declared separately below.
    resource "aws_route_table" "private" {
      vpc_id = aws_vpc.vpc.id
    }
    
    resource "aws_route_table" "public" {
      vpc_id = aws_vpc.vpc.id
    }
    
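    # NAT gateway in the public subnet so it can reach the internet gateway;
    # the private route table points 0.0.0.0/0 at it. The AWS provider docs
    # recommend an explicit dependency on the IGW: the gateway (and its EIP)
    # cannot pass traffic until the IGW is attached to the VPC, and nothing in
    # the attribute graph otherwise orders the two.
    resource "aws_nat_gateway" "nat" {
      allocation_id = aws_eip.nat_eip.id
      subnet_id     = aws_subnet.public.id

      depends_on = [aws_internet_gateway.gw]
    }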
    
    # Public subnet: 0.0.0.0/0 -> internet gateway.
    resource "aws_route" "public_to_internet" {
      route_table_id         = aws_route_table.public.id
      destination_cidr_block = "0.0.0.0/0"
      gateway_id         = aws_internet_gateway.gw.id
    }
    
    resource "aws_route_table_association" "public" {
      subnet_id      = aws_subnet.public.id
      route_table_id = aws_route_table.public.id
    }
    
    # Private subnet: 0.0.0.0/0 -> NAT gateway (which sits in the public subnet).
    # S3 traffic from CodeBuild still leaves via the NAT here; an S3 gateway VPC
    # endpoint on this route table would keep that traffic off the NAT and
    # inside the AWS network.
    resource "aws_route" "private_nat_gateway" {
      route_table_id         = aws_route_table.private.id
      destination_cidr_block = "0.0.0.0/0"
      nat_gateway_id         = aws_nat_gateway.nat.id
    }
    
    resource "aws_route_table_association" "private" {
      subnet_id      = aws_subnet.audible_blog_resources.id
      route_table_id = aws_route_table.private.id
    }
    
    
    # Security group for the Redis clients and the ElastiCache nodes. Stateful,
    # so replies to allowed traffic need no extra rule. With no NACL declared,
    # both subnets use the VPC default NACL (allow all) and this group is the
    # only filter in play.
    resource "aws_security_group" "allow_redis_ingress" {
      name        = "allow_redis_ingress"
      description = "Allow Redis inbound traffic"
      vpc_id      = aws_vpc.vpc.id
    
      # Redis (6379) only from the private subnet's own CIDR. NOTE(review): the
      # question says the Fargate tasks run in a public subnet, so they would be
      # denied by this source. Referencing the clients' security group
      # (security_groups = [...]) instead of a CIDR is the usual, tighter fix.
      ingress {
        description      = "Redis"
        from_port        = 6379
        to_port          = 6379
        protocol         = "tcp"
        cidr_blocks      = ["10.0.2.0/24"]
      }
    
      # Unrestricted egress; CodeBuild needs at least 443 to S3 via the NAT.
      egress {
        from_port        = 0
        to_port          = 0
        protocol         = "-1"
        cidr_blocks      = ["0.0.0.0/0"]
        ipv6_cidr_blocks = ["::/0"]
      }
    }
    
    
    # IDs/ARNs consumed by the CodeBuild, Fargate and ElastiCache definitions
    # (the private subnet and security group they must be attached to).
    output "networking_details" {
      value = {
        subnet = {
          arn = aws_subnet.audible_blog_resources.arn
          id = aws_subnet.audible_blog_resources.id
        }
        security_group = {
          arn = aws_security_group.allow_redis_ingress.arn
          id = aws_security_group.allow_redis_ingress.id 
        }
      }
    }