Amazon web services 为什么ping从WebServer01超时到DBServer?
我已经使用下面的地形代码创建了一个自定义VPC 我已经应用了以下Terraform模块,该模块:Amazon web services 为什么ping从WebServer01超时到DBServer?,amazon-web-services,terraform,amazon-vpc,Amazon Web Services,Terraform,Amazon Vpc,我已经使用下面的地形代码创建了一个自定义VPC 我已经应用了以下Terraform模块,该模块: 添加公共和私有子网 配置IGW 添加NAT网关 为Web和DB服务器添加SGs 在应用这个之后,我无法从公共ec2实例ping/ssh到私有ec2实例 不知道少了什么 # Custom VPC resource "aws_vpc" "MyVPC" { cidr_block = "10.0.0.0/16" instance_tenancy = "default" # For Pro
# Custom VPC
resource "aws_vpc" "MyVPC" {
cidr_block = "10.0.0.0/16"
instance_tenancy = "default" # For Prod use "dedicated"
tags = {
Name = "MyVPC"
}
}
# Creates "Main Route Table", "NACL" & "default Security Group"
# Create Public Subnet, Associate with our VPC, Auto assign Public IP
resource "aws_subnet" "PublicSubNet" {
vpc_id = aws_vpc.MyVPC.id # Our VPC
availability_zone = "eu-west-2a" # AZ within London, 1 Subnet = 1 AZ
cidr_block = "10.0.1.0/24" # Check using this later > "${cidrsubnet(data.aws_vpc.MyVPC.cidr_block, 4, 1)}"
map_public_ip_on_launch = "true" # Auto assign Public IP for Public Subnet
tags = {
Name = "PublicSubNet"
}
}
# Create Private Subnet, Associate with our VPC
resource "aws_subnet" "PrivateSubNet" {
vpc_id = aws_vpc.MyVPC.id # Our VPC
availability_zone = "eu-west-2b" # AZ within London region, 1 Subnet = 1 AZ
cidr_block = "10.0.2.0/24" # Check using this later > "${cidrsubnet(data.aws_vpc.MyVPC.cidr_block, 4, 1)}"
tags = {
Name = "PrivateSubNet"
}
}
# Only 1 IGW per VPC
resource "aws_internet_gateway" "MyIGW" {
vpc_id = aws_vpc.MyVPC.id
tags = {
Name = "MyIGW"
}
}
# New Public route table, so we can keep "default main" route table as Private. Route out to MyIGW
resource "aws_route_table" "MyPublicRouteTable" {
vpc_id = aws_vpc.MyVPC.id # Our VPC
route { # Route out IPV4
cidr_block = "0.0.0.0/0" # IPV4 Route Out for all
# ipv6_cidr_block = "::/0" The parameter destinationCidrBlock cannot be used with the parameter destinationIpv6CidrBlock # IPV6 Route Out for all
gateway_id = aws_internet_gateway.MyIGW.id # Target : Internet Gateway created earlier
}
route { # Route out IPV6
ipv6_cidr_block = "::/0" # IPV6 Route Out for all
gateway_id = aws_internet_gateway.MyIGW.id # Target : Internet Gateway created earlier
}
tags = {
Name = "MyPublicRouteTable"
}
}
# Associate "PublicSubNet" with the public route table created above, removes it from default main route table
resource "aws_route_table_association" "PublicSubNetnPublicRouteTable" {
subnet_id = aws_subnet.PublicSubNet.id
route_table_id = aws_route_table.MyPublicRouteTable.id
}
# Create new security group "WebDMZ" for WebServer
resource "aws_security_group" "WebDMZ" {
name = "WebDMZ"
description = "Allows SSH & HTTP requests"
vpc_id = aws_vpc.MyVPC.id # Our VPC : SGs cannot span VPC
ingress {
description = "Allows SSH requests for VPC: IPV4"
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"] # SSH restricted to my laptop public IP <My PUBLIC IP>/32
}
ingress {
description = "Allows HTTP requests for VPC: IPV4"
from_port = 80
to_port = 80
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"] # You can use Load Balancer
}
ingress {
description = "Allows HTTP requests for VPC: IPV6"
from_port = 80
to_port = 80
protocol = "tcp"
ipv6_cidr_blocks = ["::/0"]
}
egress {
description = "Allows SSH requests for VPC: IPV4"
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"] # SSH restricted to my laptop public IP <My PUBLIC IP>/32
}
egress {
description = "Allows HTTP requests for VPC: IPV4"
from_port = 80
to_port = 80
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
egress {
description = "Allows HTTP requests for VPC: IPV6"
from_port = 80
to_port = 80
protocol = "tcp"
ipv6_cidr_blocks = ["::/0"]
}
}
# Create new EC2 instance (WebServer01) in Public Subnet
# Get ami id from Console
resource "aws_instance" "WebServer01" {
ami = "ami-01a6e31ac994bbc09"
instance_type = "t2.micro"
subnet_id = aws_subnet.PublicSubNet.id
key_name = "MyEC2KeyPair" # To connect using key pair
security_groups = [aws_security_group.WebDMZ.id] # Assign WebDMZ security group created above
# vpc_security_group_ids = [aws_security_group.WebDMZ.id]
tags = {
Name = "WebServer01"
}
}
# Create new security group "MyDBSG" for WebServer
resource "aws_security_group" "MyDBSG" {
name = "MyDBSG"
description = "Allows Public WebServer to Communicate with Private DB Server"
vpc_id = aws_vpc.MyVPC.id # Our VPC : SGs cannot span VPC
ingress {
description = "Allows ICMP requests: IPV4" # For ping,communication, error reporting etc
from_port = -1
to_port = -1
protocol = "icmp"
cidr_blocks = ["10.0.1.0/24"] # Public Subnet CIDR block, can be "WebDMZ" security group id too as below
security_groups = [aws_security_group.WebDMZ.id] # Tried this as above was not working, but still doesn't work
}
ingress {
description = "Allows SSH requests: IPV4" # You can SSH from WebServer01 to DBServer, using DBServer private ip address and copying private key to WebServer
from_port = 22 # ssh ec2-user@Private Ip Address -i MyPvKey.pem Private Key pasted in MyPvKey.pem
to_port = 22 # Not a good practise to use store private key on WebServer, instead use Bastion Host (Hardened Image, Secure) to connect to Private DB
protocol = "tcp"
cidr_blocks = ["10.0.1.0/24"]
}
ingress {
description = "Allows HTTP requests: IPV4"
from_port = 80
to_port = 80
protocol = "tcp"
cidr_blocks = ["10.0.1.0/24"]
}
ingress {
description = "Allows HTTPS requests : IPV4"
from_port = 443
to_port = 443
protocol = "tcp"
cidr_blocks = ["10.0.1.0/24"]
}
ingress {
description = "Allows MySQL/Aurora requests"
from_port = 3306
to_port = 3306
protocol = "tcp"
cidr_blocks = ["10.0.1.0/24"]
}
egress {
description = "Allows ICMP requests: IPV4" # For ping,communication, error reporting etc
from_port = -1
to_port = -1
protocol = "icmp"
cidr_blocks = ["10.0.1.0/24"] # Public Subnet CIDR block, can be "WebDMZ" security group id too
}
egress {
description = "Allows SSH requests: IPV4" # You can SSH from WebServer01 to DBServer, using DBServer private ip address and copying private key to WebServer
from_port = 22 # ssh ec2-user@Private Ip Address -i MyPvtKey.pem Private Key pasted in MyPvKey.pem chmod 400 MyPvtKey.pem
to_port = 22 # Not a good practise to use store private key on WebServer, instead use Bastion Host (Hardened Image, Secure) to connect to Private DB
protocol = "tcp"
cidr_blocks = ["10.0.1.0/24"]
}
egress {
description = "Allows HTTP requests: IPV4"
from_port = 80
to_port = 80
protocol = "tcp"
cidr_blocks = ["10.0.1.0/24"]
}
egress {
description = "Allows HTTPS requests : IPV4"
from_port = 443
to_port = 443
protocol = "tcp"
cidr_blocks = ["10.0.1.0/24"]
}
egress {
description = "Allows MySQL/Aurora requests"
from_port = 3306
to_port = 3306
protocol = "tcp"
cidr_blocks = ["10.0.1.0/24"]
}
}
# Create new EC2 instance (DBServer) in Private Subnet, Associate "MyDBSG" Security Group
resource "aws_instance" "DBServer" {
ami = "ami-01a6e31ac994bbc09"
instance_type = "t2.micro"
subnet_id = aws_subnet.PrivateSubNet.id
key_name = "MyEC2KeyPair" # To connect using key pair
security_groups = [aws_security_group.MyDBSG.id] # THIS WAS GIVING ERROR WHEN ASSOCIATING
# vpc_security_group_ids = [aws_security_group.MyDBSG.id]
tags = {
Name = "DBServer"
}
}
# Elastic IP required for NAT Gateway
resource "aws_eip" "nateip" {
vpc = true
tags = {
Name = "NATEIP"
}
}
# DBServer in private subnet cannot access internet, so add "NAT Gateway" in Public Subnet
# Add Target as NAT Gateway in default main route table. So there is route out to Internet.
# Now you can do yum update on DBServer
resource "aws_nat_gateway" "NATGW" { # Create NAT Gateway in each AZ so in case of failure it can use other
allocation_id = aws_eip.nateip.id # Elastic IP allocation
subnet_id = aws_subnet.PublicSubNet.id # Public Subnet
tags = {
Name = "NATGW"
}
}
# Main Route Table add NATGW as Target
resource "aws_default_route_table" "DefaultRouteTable" {
default_route_table_id = aws_vpc.MyVPC.default_route_table_id
route {
cidr_block = "0.0.0.0/0" # IPV4 Route Out for all
nat_gateway_id = aws_nat_gateway.NATGW.id # Target : NAT Gateway created above
}
tags = {
Name = "DefaultRouteTable"
}
}
#定制专有网络
资源“aws_vpc”“MyVPC”{
cidr_block=“10.0.0.0/16”
实例_tenancy=“default”#对于产品,使用“专用”
标签={
Name=“MyVPC”
}
}
#创建“主路由表”、“NACL”和“默认安全组”
#创建公共子网,与我们的VPC关联,自动分配公共IP
资源“aws_子网”“公共子网”{
vpc_id=aws_vpc.MyVPC.id#我们的vpc
可用性_zone=“eu-west-2a”#伦敦境内的AZ,1个子网=1 AZ
cidr_block=“10.0.1.0/24”#稍后使用“${cidrsubnet(data.aws_vpc.MyVPC.cidr_block,4,1)}检查”
将公共ip映射到\u launch=“true”#为公共子网自动分配公共ip
标签={
Name=“PublicSubNet”
}
}
#创建专用子网,与我们的VPC关联
资源“aws_子网”“私有子网”{
vpc_id=aws_vpc.MyVPC.id#我们的vpc
可用性_zone=“eu-west-2b”#伦敦地区内的AZ,1个子网=1 AZ
cidr_block=“10.0.2.0/24”#稍后使用“${cidrsubnet(data.aws_vpc.MyVPC.cidr_block,4,1)}检查”
标签={
Name=“私有子网”
}
}
#每个VPC仅1 IGW
资源“aws\U internet\U网关”“MyIGW”{
vpc_id=aws_vpc.MyVPC.id
标签={
Name=“MyIGW”
}
}
#新的公共路由表,因此我们可以将“默认主”路由表保留为私有。前往MyIGW的路线
资源“aws\U路由表”“MyPublicRouteTable”{
vpc_id=aws_vpc.MyVPC.id#我们的vpc
路由{#路由出IPV4
cidr_block=“0.0.0.0/0”#所有用户的IPV4路由输出
#ipv6_cidr_block=“::/0”参数destinationCidrBlock不能与参数destinationIpv6CidrBlock#ipv6 Route Out for all一起使用
gateway_id=aws_internet_gateway.MyIGW.id#目标:先前创建的internet网关
}
路由{#路由出IPV6
ipv6_cidr_block=“::/0”#所有用户的ipv6路由输出
gateway_id=aws_internet_gateway.MyIGW.id#目标:先前创建的internet网关
}
标签={
Name=“MyPublicRouteTable”
}
}
#将“PublicSubNet”与上面创建的公共路由表关联,将其从默认主路由表中删除
资源“aws路由表”关联“PublicSubNetnPublicRouteTable”{
子网\u id=aws\u subnet.PublicSubNet.id
route_table_id=aws_route_table.MyPublicRouteTable.id
}
#为Web服务器创建新的安全组“WebDMZ”
资源“aws\U安全组”“WebDMZ”{
name=“WebDMZ”
description=“允许SSH和HTTP请求”
vpc_id=aws_vpc.MyVPC.id#我们的vpc:SGs无法跨越vpc
入口{
description=“允许VPC:IPV4的SSH请求”
从_端口=22
至_端口=22
协议=“tcp”
cidr_blocks=[“0.0.0.0/0”]#SSH仅限于我的笔记本电脑公共IP/32
}
入口{
description=“允许VPC:IPV4的HTTP请求”
从_端口=80
至_端口=80
协议=“tcp”
cidr_块=[“0.0.0.0/0”]#您可以使用负载平衡器
}
入口{
description=“允许VPC:IPV6的HTTP请求”
从_端口=80
至_端口=80
协议=“tcp”
ipv6_cidr_块=[“::/0”]
}
出口{
description=“允许VPC:IPV4的SSH请求”
从_端口=22
至_端口=22
协议=“tcp”
cidr_blocks=[“0.0.0.0/0”]#SSH仅限于我的笔记本电脑公共IP/32
}
出口{
description=“允许VPC:IPV4的HTTP请求”
从_端口=80
至_端口=80
协议=“tcp”
cidr_块=[“0.0.0.0/0”]
}
出口{
description=“允许VPC:IPV6的HTTP请求”
从_端口=80
至_端口=80
协议=“tcp”
ipv6_cidr_块=[“::/0”]
}
}
#在公共子网中创建新的EC2实例(WebServer01)
#从控制台获取ami id
资源“aws_实例”“WebServer01”{
ami=“ami-01a6e31ac994bbc09”
实例_type=“t2.micro”
子网\u id=aws\u subnet.PublicSubNet.id
key_name=“MyEC2KeyPair”#使用密钥对进行连接
security_groups=[aws_security_group.WebDMZ.id]#分配上面创建的WebDMZ安全组
#vpc_security_group_id=[aws_security_group.WebDMZ.id]
标签={
Name=“WebServer01”
}
}
#为Web服务器创建新的安全组“MyDBSG”
资源“aws\U安全组”“MyDBSG”{
name=“MyDBSG”
description=“允许公共Web服务器与私有DB服务器通信”
vpc_id=aws_vpc.MyVPC.id#我们的vpc:SGs无法跨越vpc
入口{
description=“允许ICMP请求:IPV4”#用于ping、通信、错误报告等
from_port=-1
到_端口=-1
协议=“icmp”
cidr_块=[“10.0.1.0/24”]#公共子网cidr块,也可以是“WebDMZ”安全组id,如下所示
security_groups=[aws_security_group.WebDMZ.id]#尝试了上述方法,但仍然无效
}
入口{
description=“允许SSH请求:IPV4”#您可以使用DBServer专用ip地址并将私钥复制到WebServer,从WebServer 01通过SSH连接到DBServer
from_port=22#ssh ec2-user@PrivateIp地址-粘贴在MyPvKey.pem中的i MyPvKey.pem私钥
to_port=22#在Web服务器上使用存储私钥不是一个好的做法,而是使用Bastion主机(加固映像,安全)连接到私钥数据库
协议=“tcp”
cidr_块=[“10.0.1.0/24”]
}
入口{
描述=
egress {
description = "Allows SSH requests for VPC: IPV4"
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"] # SSH restricted to my laptop public IP <My PUBLIC IP>/32
}
egress {
description = "Allows HTTP requests for VPC: IPV4"
from_port = 80
to_port = 80
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
egress {
description = "Allows HTTP requests for VPC: IPV6"
from_port = 80
to_port = 80
protocol = "tcp"
ipv6_cidr_blocks = ["::/0"]
}
egress {
description = "Allows ICMP requests: IPV4" # For ping,communication, error reporting etc
from_port = -1
to_port = -1
protocol = "icmp"
cidr_blocks = ["10.0.2.0/24"]
}
ingress {
description = "Allows ICMP requests: IPV4" # For ping,communication, error reporting etc
from_port = -1
to_port = -1
protocol = "icmp"
cidr_blocks = ["10.0.1.0/24"] # Public Subnet CIDR block, can be "WebDMZ" security group id too as below
security_groups = [aws_security_group.WebDMZ.id] # Tried this as above was not working, but still doesn't work
}
ingress {
description = "Allows SSH requests: IPV4" # You can SSH from WebServer01 to DBServer, using DBServer private ip address and copying private key to WebServer
from_port = 22 # ssh ec2-user@Private Ip Address -i MyPvKey.pem Private Key pasted in MyPvKey.pem
to_port = 22 # Not a good practise to use store private key on WebServer, instead use Bastion Host (Hardened Image, Secure) to connect to Private DB
protocol = "tcp"
cidr_blocks = ["10.0.1.0/24"]
}
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 47: Applying options for *
debug1: Connecting to 10.0.2.123 [10.0.2.123] port 22.
debug1: connect to address 10.0.2.123 port 22: Operation timed out
ssh: connect to host 10.0.2.123 port 22: Operation timed out
fields @timestamp,@message
| sort @timestamp desc
| filter @message like 'eni-0123456789abcdef0'
| filter @message like 'REJECT'
| limit 20
resource "aws_security_group" "WebDMZ" {
name = "WebDMZ"
description = "Allows SSH & HTTP requests"
vpc_id = aws_vpc.MyVPC.id
ingress {
description = "Allows HTTP requests for VPC: IPV4"
from_port = 80
to_port = 80
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"] # You can use Load Balancer
}
egress {
description = "Allows SSH requests for VPC: IPV4"
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
}
resource "aws_security_group" "WebDMZ" {
name = "WebDMZ"
description = "Allows SSH & HTTP requests"
vpc_id = aws_vpc.MyVPC.id
}
resource "aws_security_group_rule" "WebDMZ_HTTP_in" {
security_group_id = aws_security_group.WebDMZ.id
type = "ingress"
description = "Allows HTTP requests for VPC: IPV4"
from_port = 80
to_port = 80
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
resource "aws_security_group_rule" "WebDMZ_SSH_out" {
security_group_id = aws_security_group.WebDMZ.id
type = "egress"
description = "Allows SSH requests for VPC: IPV4"
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
egress { # Allow allow traffic outbound, THIS WAS THE REASON YOU WAS NOT ABLE TO PING FROM WebServer to DBServer
description = "Allows All Traffic Outbound from Web Server"
from_port = 0
to_port = 0
protocol = -1
cidr_blocks = ["0.0.0.0/0"]
}