Amazon Web Services: after logging into the bastion host, cannot ping or SSH into EC2 instances
I configured a VPC and EC2 instances using the modules "terraform-aws-modules/vpc/aws" and "terraform-aws-modules/ec2-instance/aws". See the code below. I am able to SSH into the bastion host via its public IP. From inside the bastion host, I cannot ping or SSH to the other EC2 instances on their private IPs. I added the security group sg_ssh to the EC2 instances. However, I still cannot log in from the bastion host to the EC2 instances. Is sg_ssh correct?
main.tf

# Terraform configuration
provider "aws" {
  region = "us-west-2"
}

resource "aws_security_group" "sg_ssh" {
  vpc_id = module.vpc.vpc_id
  name   = "sg_ssh"
  ingress {
    from_port   = "22"
    to_port     = "22"
    protocol    = "tcp"
    cidr_blocks = ["30.0.0.0/16"]
  }
  tags = {
    Name = "sg_ssh"
  }
}

module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "2.21.0"

  name               = var.vpc_name
  cidr               = var.vpc_cidr
  azs                = var.vpc_azs
  private_subnets    = var.vpc_private_subnets
  public_subnets     = var.vpc_public_subnets
  enable_nat_gateway = var.vpc_enable_nat_gateway
  tags               = var.vpc_tags
}

module "ec2_instances" {
  source  = "terraform-aws-modules/ec2-instance/aws"
  version = "2.12.0"

  name                   = "my-ec2-cluster"
  instance_count         = 2
  ami                    = "ami-0c5204531f799e0c6"
  instance_type          = "t2.micro"
  vpc_security_group_ids = [module.vpc.default_security_group_id, aws_security_group.sg_ssh.id]
  subnet_id              = module.vpc.public_subnets[0]
  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}

# Bastion
resource "aws_security_group" "allow-ssh" {
  vpc_id      = module.vpc.vpc_id
  name        = "allow-ssh"
  description = "security group that allows ssh and all egress traffic"
  egress {
    from_port   = "0"
    to_port     = "0"
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    from_port   = "22"
    to_port     = "22"
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  tags = {
    Name = "allow-ssh"
  }
}

resource "aws_instance" "bastion_instance" {
  ami                    = "ami-0c5204531f799e0c6"
  instance_type          = "t2.micro"
  subnet_id              = module.vpc.public_subnets[0]
  vpc_security_group_ids = [aws_security_group.allow-ssh.id]
  key_name               = var.key_name
  tags = {
    Name = "bastion_instance"
  }
}
Answer:
You haven't added an SSH ingress rule for the EC2 instances. In the ec2 module:

    vpc_security_group_ids = [module.vpc.default_security_group_id]

you only register them in the default VPC security group, which is probably not configured to allow SSH.
You need to create a security group that allows SSH from the bastion and attach it to your EC2 instances.

Comments:
- Thank you for your answer. I added the security group sg_ssh and attached it to the EC2 instances. However, I still cannot log in from the bastion host to the EC2 instances. Any idea?
- I assume your VPC is in the 30.0.0.0/16 range?
- Yes. I use "30.0.0.0/16", private_subnets = ["30.0.1.0/24", "30.0.2.0/24"], public_subnets = ["30.0.101.0/24", "30.0.102.0/24"].
- When you say you can't log in, do you mean you can't connect, or that you can connect but can't authenticate?
- Inside the bastion host, ssh 30.0.101.231 gives: Permission denied (publickey,gssapi-keyex,gssapi-with-mic). When I ping 30.0.101.231 there is no response.
- Did you copy the private SSH key to your bastion? How do you SSH to the other instances?
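A worked form of the answer's suggestion, added here as an example and not taken from the question or the answer: a security group that admits SSH (and ICMP echo, so ping gets a reply) only from members of the bastion's security group, referenced by ID rather than by the VPC CIDR, plus the instance module carrying the same key pair as the bastion. It assumes the names from the question (module.vpc, aws_security_group.allow-ssh, var.key_name) and that the same key pair should be used on both tiers.

```hcl
# Added example (not the asker's or answerer's code). Assumes the resources
# named in the question: module.vpc, aws_security_group.allow-ssh, var.key_name.
resource "aws_security_group" "sg_ssh_from_bastion" {
  vpc_id      = module.vpc.vpc_id
  name        = "sg_ssh_from_bastion"
  description = "SSH and ping from the bastion security group only"

  # TCP/22 from instances that carry the bastion SG; narrower than a /16,
  # and it keeps working if the bastion's private IP changes
  ingress {
    from_port       = 22
    to_port         = 22
    protocol        = "tcp"
    security_groups = [aws_security_group.allow-ssh.id]
  }

  # ICMP type 8, code 0 (echo request). A tcp/22 rule never admits ICMP,
  # which is why ping from the bastion gets no reply in the question
  ingress {
    from_port       = 8
    to_port         = 0
    protocol        = "icmp"
    security_groups = [aws_security_group.allow-ssh.id]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

module "ec2_instances" {
  source  = "terraform-aws-modules/ec2-instance/aws"
  version = "2.12.0"

  name           = "my-ec2-cluster"
  instance_count = 2
  ami            = "ami-0c5204531f799e0c6"
  instance_type  = "t2.micro"
  # Without a key_name the instance has no authorized key at all, so sshd
  # answers "Permission denied (publickey,...)" even when port 22 is open.
  # Assumption: the bastion's key pair is acceptable for these instances.
  key_name               = var.key_name
  vpc_security_group_ids = [aws_security_group.sg_ssh_from_bastion.id]
  # Private subnet: reachable through the bastion only, not from the internet
  subnet_id = module.vpc.private_subnets[0]
}
```

The bastion still needs access to the private half of var.key_name to authenticate; SSH agent forwarding (ssh -A) avoids copying the private key onto the bastion itself.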