Amazon web services Terraform项目将使用NATGW创建VPC/IGW、VPN和专用子网-Connectivity Analyzer表示没有从NATGW到IGW的路由
我花了很长时间试图弄明白这一点,我真的很难理解为什么这些组件不能相互通信。VPC有一个IGW,这是NATGW的EIP所必需的,但是,该子网上的任何内容都无法进入公共互联网。在VPN链路上一切正常,但连接性分析器指出NATGW和IGW之间没有连接,因为没有路由-如果没有0.0.0.0/0路由(已分配给该子网的NATGW),我如何将NATGW流量路由到IGW 我知道我只是错过了一些愚蠢的事情。看看回购协议,了解整个过程是如何进行的,但这里是VPC模块:Amazon web services Terraform项目将使用NATGW创建VPC/IGW、VPN和专用子网-Connectivity Analyzer表示没有从NATGW到IGW的路由,amazon-web-services,terraform,amazon-vpc,terraform-provider-aws,Amazon Web Services,Terraform,Amazon Vpc,Terraform Provider Aws,我花了很长时间试图弄明白这一点,我真的很难理解为什么这些组件不能相互通信。VPC有一个IGW,这是NATGW的EIP所必需的,但是,该子网上的任何内容都无法进入公共互联网。在VPN链路上一切正常,但连接性分析器指出NATGW和IGW之间没有连接,因为没有路由-如果没有0.0.0.0/0路由(已分配给该子网的NATGW),我如何将NATGW流量路由到IGW 我知道我只是错过了一些愚蠢的事情。看看回购协议,了解整个过程是如何进行的,但这里是VPC模块: data "aws_availab
data "aws_availability_zones" "available" {
state = "available"
}
resource "aws_vpc" "main" {
cidr_block = var.cidr_block
enable_dns_hostnames = true
enable_dns_support = true
tags = {
Name = var.vpc_name
}
}
resource "aws_subnet" "dev" {
count = var.subnet_count
# This line is necessary to ensure that we pick availabiltiy zones that can launch any size ec2 instance
availability_zone = data.aws_availability_zones.available.names[0]
vpc_id = aws_vpc.main.id
cidr_block = cidrsubnet(var.cidr_block, 6, count.index * 2 + 1)
tags = {
Name = "dev-subnet-${count.index}"
}
}
resource "aws_network_acl" "dev" {
vpc_id = aws_vpc.main.id
subnet_ids = aws_subnet.dev[*].id
ingress {
protocol = -1
rule_no = 1000
action = "allow"
#cidr_block = var.prem_network_address_space
cidr_block = "0.0.0.0/0"
from_port = 0
to_port = 0
}
egress {
protocol = -1
rule_no = 100
action = "allow"
cidr_block = "0.0.0.0/0"
from_port = 0
to_port = 0
}
tags = {
Name = "dev-acl"
}
}
# Gateways
resource "aws_internet_gateway" "gw" {
vpc_id = aws_vpc.main.id
tags = {
Name = "${var.vpc_name}-internet-gateway"
}
}
resource "aws_eip" "nat-gw" {
vpc = true
tags = {
Name = "nat-elastic-ip"
}
depends_on = [aws_internet_gateway.gw]
}
resource "aws_nat_gateway" "gw" {
allocation_id = aws_eip.nat-gw.id
subnet_id = aws_subnet.dev[0].id
tags = {
Name = "${var.vpc_name}-nat-gateway-dev"
}
depends_on = [aws_internet_gateway.gw]
}
# VPC Route Table
resource "aws_default_route_table" "default" {
default_route_table_id = aws_vpc.main.main_route_table_id
route {
cidr_block = "0.0.0.0/0"
gateway_id = aws_internet_gateway.gw.id
}
tags = {
Name = "${var.vpc_name}-public"
}
depends_on = [aws_internet_gateway.gw]
}
# dev Subnet Route Table
resource "aws_route_table" "dev" {
vpc_id = aws_vpc.main.id
tags = {
Name = "dev-route-table"
}
}
resource "aws_route_table_association" "dev_routes" {
subnet_id = aws_subnet.dev[0].id
route_table_id = aws_route_table.dev.id
depends_on = [aws_nat_gateway.gw]
}
resource "aws_route" "dev_nat" {
route_table_id = aws_route_table.dev.id
destination_cidr_block = "0.0.0.0/0"
nat_gateway_id = aws_nat_gateway.gw.id
depends_on = [aws_nat_gateway.gw]
您将NAT放置在
aws\u subnet.dev[0]
中,然后创建附加到子网的aws\u route\u table.dev
。更重要的是,aws\u route\u表.dev
有一个指向nat的路由aws\u route.dev\u nat
因此,基本上您正在执行一些循环路由。aws\u子网中的所有通信量。dev[0]
直接指向同一子网中的NAT,而NAT又反过来指向同一NAT
正如您在评论中指出的,NAT应该位于公共子网,而将流量定向到NAT的子网应该是私有子网。看起来我犯的错误是,我没有启动NAT网关的“公共”子网。如果谁否决了我,就让我知道,那当然好了,哈哈。