Question
I want to access a few instances in my private subnet using EIPs. Is there a way? I know it doesn't make much sense, but let me explain in detail.
I have a VPC with 2 subnets.
1) 192.168.0.0/24 (public subnet) has EIPs attached to it
2) 192.168.1.0/24 (private subnet)
There is a NAT instance between these to allow the private instances to have outbound access to the internet. Everything works fine as described here: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html
But now, for a temporary period, I need to address the instances on the private subnet directly from the internet using an EIP. Is this possible by setting up new route tables for that particular instance alone? Or anything else? Here are the limitations:
1) There can't be any downtime on any instances on the private subnet
2) Hence it goes without saying, I can't create a new subnet and move these instances there.
It should be as simple as -> Attach. Use. Remove. The only other way I have right now is some kind of port forwarding on iptables from instances on the public subnet (which have EIPs) to any instance on the private subnet... But this looks messy.
Is there any other way?
Recommended answer
Of course, the stuff in the private subnet is in the private subnet because it shouldn't be accessible from the Internet. :)
But... I'm sure you have your reasons, so here goes:
First, no, you can't do this in a straightforward attach → use → remove way, because each subnet has exactly one default route, and that either points to the igw object (public subnet) or the NAT instance (private subnet). If you bind an elastic IP to a machine in the private subnet, the inbound traffic would arrive at the instance, but the outbound reply traffic would be routed back through the NAT instance, which would either discard or mangle it, since you can't route asymmetrically through NAT, and that's what would happen here.
If your services are TCP services (http, remote desktop, yadda yadda) then here's a piece of short-term hackery that would work very nicely, avoid the hassles of iptables, and expose only the specific service you need:
Fire up a new micro instance with Ubuntu 12.04 LTS in the public subnet, with an EIP and an appropriate security group to allow the inbound Internet traffic to the desired ports. Allow yourself ssh access to the new instance. Allow access from that machine to the inside machine. Then:
$ sudo apt-get update
$ sudo apt-get upgrade
$ sudo apt-get install redir
Assuming you want to send incoming port 80 traffic to port 80 on a private instance:
$ sudo redir --lport=80 --cport=80 --caddr=[private instance ip] --syslog &
Done. You'll have a log of every connect and disconnect, with port numbers and bytes transferred, in your syslogs. The disadvantage is that if your private host is looking at the IP of the connecting machine, it will always see the internal IP of the public-subnet relay instance.
You only have to run it with sudo if you're binding to a port below 1024, since only root can bind to the lower port numbers. To stop it, find the pid and kill it, or sudo killall redir.
The spiffy little redir utility does its magic in user space, making it simpler (imho) than iptables. It sets up a listen socket on the designated --lport port. For each inbound connection, it forks itself, establishes an outbound connection to the --caddr on --cport, and ties the two data streams together. It has no awareness of what's going on inside the stream, so it should work for just about anything TCP. This also means you should be able to pass quite a lot of traffic through, in spite of using a Micro.
When you're done, throw away the micro instance and your network is back to normal.