Fatal编程技术网
  • amazon-web-services/
  • Amazon web services Terraform项目将使用NATGW创建VPC/IGW、VPN和专用子网-Connectivity Analyzer表示没有从NATGW到IGW的路由

Amazon web services Terraform项目将使用NATGW创建VPC/IGW、VPN和专用子网-Connectivity Analyzer表示没有从NATGW到IGW的路由

amazon-web-services terraform

Amazon web services Terraform项目将使用NATGW创建VPC/IGW、VPN和专用子网-Connectivity Analyzer表示没有从NATGW到IGW的路由,amazon-web-services,terraform,amazon-vpc,terraform-provider-aws,Amazon Web Services,Terraform,Amazon Vpc,Terraform Provider Aws,我花了很长时间试图弄明白这一点,我真的很难理解为什么这些组件不能相互通信。VPC有一个IGW,这是NATGW的EIP所必需的,但是,该子网上的任何内容都无法进入公共互联网。在VPN链路上一切正常,但连接性分析器指出NATGW和IGW之间没有连接,因为没有路由-如果没有0.0.0.0/0路由(已分配给该子网的NATGW),我如何将NATGW流量路由到IGW 我知道我只是错过了一些愚蠢的事情。看看回购协议,了解整个过程是如何进行的,但这里是VPC模块: data "aws_availab

我花了很长时间试图弄明白这一点,我真的很难理解为什么这些组件不能相互通信。VPC有一个IGW,这是NATGW的EIP所必需的,但是,该子网上的任何内容都无法进入公共互联网。在VPN链路上一切正常,但连接性分析器指出NATGW和IGW之间没有连接,因为没有路由-如果没有0.0.0.0/0路由(已分配给该子网的NATGW),我如何将NATGW流量路由到IGW

我知道我只是错过了一些愚蠢的事情。看看回购协议,了解整个过程是如何进行的,但这里是VPC模块:

data "aws_availability_zones" "available" {
  state = "available"
}

resource "aws_vpc" "main" {
  cidr_block            = var.cidr_block
  enable_dns_hostnames  = true
  enable_dns_support    = true

  tags = {
    Name = var.vpc_name
  }
}

resource "aws_subnet" "dev" {
  count = var.subnet_count
  # This line is necessary to ensure that we pick availabiltiy zones that can launch any size ec2 instance
  availability_zone = data.aws_availability_zones.available.names[0]

  vpc_id            = aws_vpc.main.id
  cidr_block        = cidrsubnet(var.cidr_block, 6, count.index * 2 + 1)


  tags = {
    Name = "dev-subnet-${count.index}"
  }
}

resource "aws_network_acl" "dev" {
  vpc_id     = aws_vpc.main.id
  subnet_ids = aws_subnet.dev[*].id

  ingress {
    protocol   = -1
    rule_no    = 1000
    action     = "allow"
    #cidr_block = var.prem_network_address_space
    cidr_block = "0.0.0.0/0"
    from_port  = 0
    to_port    = 0
  }

  egress {
    protocol   = -1
    rule_no    = 100
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 0
    to_port    = 0
  }

  tags = {
    Name = "dev-acl"
  }
}

# Gateways

resource "aws_internet_gateway" "gw" {
  vpc_id = aws_vpc.main.id

  tags = {
    Name = "${var.vpc_name}-internet-gateway"
  }
}

resource "aws_eip" "nat-gw" {
  vpc = true

  tags = {
    Name = "nat-elastic-ip"
  }

  depends_on = [aws_internet_gateway.gw]
}

resource "aws_nat_gateway" "gw" {
  allocation_id = aws_eip.nat-gw.id
  subnet_id     = aws_subnet.dev[0].id

  tags = {
    Name = "${var.vpc_name}-nat-gateway-dev"
  }

  depends_on = [aws_internet_gateway.gw]
}

# VPC Route Table

resource "aws_default_route_table" "default" {
  default_route_table_id = aws_vpc.main.main_route_table_id

    route {
      cidr_block    = "0.0.0.0/0"
      gateway_id    = aws_internet_gateway.gw.id
    }

  tags = {
    Name = "${var.vpc_name}-public"
  }
  depends_on = [aws_internet_gateway.gw]
}

# dev Subnet Route Table

resource "aws_route_table" "dev" {
  vpc_id = aws_vpc.main.id

  tags = {
    Name = "dev-route-table"
  }
}

resource "aws_route_table_association" "dev_routes" {
  subnet_id      = aws_subnet.dev[0].id
  route_table_id = aws_route_table.dev.id

  depends_on = [aws_nat_gateway.gw]
}

resource "aws_route" "dev_nat" {
  route_table_id            = aws_route_table.dev.id
  destination_cidr_block    = "0.0.0.0/0"
  nat_gateway_id = aws_nat_gateway.gw.id

  depends_on = [aws_nat_gateway.gw]
您将NAT放置在
aws\u subnet.dev[0]
中,然后创建附加到子网的
aws\u route\u table.dev
。更重要的是,
aws\u route\u表.dev
有一个指向nat的路由
aws\u route.dev\u nat

因此,基本上您正在执行一些循环路由
aws\u子网中的所有通信量。dev[0]
直接指向同一子网中的NAT,而NAT又反过来指向同一NAT

正如您在评论中指出的,NAT应该位于公共子网,而将流量定向到NAT的子网应该是私有子网。

看起来我犯的错误是,我没有启动NAT网关的“公共”子网。如果谁否决了我,就让我知道,那当然好了,哈哈。