Problem description
I have two AWS EC2 instances that are trying to talk to each other over a custom TCP port. Each instance has its own security group, but neither can talk to the other.
Here is my setup:
EC2 instance 1
- Name: instance-1
- Public IP address: aaa.bbb.ccc.ddd
- Security group ID: sg-xxxxxxxxxx1
- SG inbound rules: none
- SG outbound rules:
- Type: All traffic, Protocol: All, Port Range: All, Destination: 0.0.0.0/0
EC2 instance 2
- Name: instance-2
- Public IP address: www.xxx.yyy.zzz
- Security group ID: sg-xxxxxxxxxx2
- SG inbound rules:
- Type: Custom TCP Rule, Protocol: TCP, Port Range: 12345, Source: sg-xxxxxxxxxx1
- SG outbound rules:
- Type: All traffic, Protocol: All, Port Range: All, Destination: 0.0.0.0/0
Problem
Whenever instance-1 tries to initiate a TCP request to www.xxx.yyy.zzz:12345, the connection times out. If I add the following inbound rule to instance-2's SG, it works just fine:
- Type: All traffic, Protocol: All, Port Range: 12345, Source: 0.0.0.0/0
Summary
I need instance-1 to talk to instance-2 without allowing traffic from anywhere to access port 12345. Is there a way to do this?
Accepted answer
You cannot access a public IP using a security group as the incoming source.
Use the private IP address, or use the public IP as the source.
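The reason the answer above works is that a security-group reference in an inbound rule only matches traffic whose source is the private IP of a network interface in the referenced group. A connection to instance-2's public IP leaves the VPC through the Internet Gateway, which translates the source to instance-1's public IP, so the SG-referenced rule never matches and only a CIDR rule can. The following Python script is an added example (not code from the original post or from AWS) that models that evaluation and shows the correct rule shape for the AWS API. The describe-instances JSON, the instance IDs, the 10.0.0.0/16 VPC range and the 198.51.100.0/24 / 203.0.113.0/24 public addresses are constructed placeholders standing in for the asker's aaa.bbb.ccc.ddd and www.xxx.yyy.zzz; the `UserIdGroupPairs` / `IpRanges` structure is the real `IpPermissions` shape accepted by `authorize_security_group_ingress`.

```python
"""Model of how an EC2 security-group rule with an SG source is evaluated.

Added example, not the original post's or AWS's code.  Sample data below is
constructed; the rule dicts use the real EC2 IpPermissions field names.
"""
import ipaddress
import json

# Constructed sample in the shape of `aws ec2 describe-instances` output
# (only the fields this script reads; IDs and addresses are placeholders).
DESCRIBE_INSTANCES_JSON = json.dumps({
    "Reservations": [{
        "Instances": [
            {
                "InstanceId": "i-0aaaaaaaaaaaaaaa1",
                "PrivateIpAddress": "10.0.1.10",
                "PublicIpAddress": "198.51.100.10",
                "SecurityGroups": [{"GroupId": "sg-xxxxxxxxxx1"}],
                "Tags": [{"Key": "Name", "Value": "instance-1"}],
            },
            {
                "InstanceId": "i-0bbbbbbbbbbbbbbb2",
                "PrivateIpAddress": "10.0.2.20",
                "PublicIpAddress": "203.0.113.20",
                "SecurityGroups": [{"GroupId": "sg-xxxxxxxxxx2"}],
                "Tags": [{"Key": "Name", "Value": "instance-2"}],
            },
        ]
    }]
})

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")  # assumed VPC range


def parse_instances(text):
    """Map Name tag -> {private_ip, public_ip, sg_ids} from describe-instances JSON."""
    out = {}
    for reservation in json.loads(text)["Reservations"]:
        for inst in reservation["Instances"]:
            name = next((t["Value"] for t in inst.get("Tags", []) if t["Key"] == "Name"),
                        inst["InstanceId"])
            out[name] = {
                "private_ip": inst["PrivateIpAddress"],
                "public_ip": inst.get("PublicIpAddress"),
                "sg_ids": [g["GroupId"] for g in inst["SecurityGroups"]],
            }
    return out


def sg_referenced_ingress(port, source_sg_id):
    """IpPermissions entry that allows TCP `port` from members of `source_sg_id`."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "UserIdGroupPairs": [{"GroupId": source_sg_id}]}


def cidr_ingress(port, cidr):
    """IpPermissions entry that allows TCP `port` from an address range."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr}]}


def observed_source(src, dst_ip):
    """Source address the destination's security group actually sees.

    Inside the VPC the packet keeps its private source.  A connection to a
    public IP is routed via the Internet Gateway, which NATs the source to the
    sender's public IP, so the private address (and its SG membership) is gone.
    """
    if ipaddress.ip_address(dst_ip) in VPC_CIDR:
        return src["private_ip"]
    return src["public_ip"]


def ingress_allowed(rules, src, dst_ip, port, instances):
    """Security groups are allow-only: any matching rule permits the flow."""
    seen = ipaddress.ip_address(observed_source(src, dst_ip))
    for rule in rules:
        if rule["IpProtocol"] != "tcp" or not rule["FromPort"] <= port <= rule["ToPort"]:
            continue
        for r in rule.get("IpRanges", []):
            if seen in ipaddress.ip_network(r["CidrIp"]):
                return True
        for pair in rule.get("UserIdGroupPairs", []):
            # An SG reference resolves to the private IPs of ENIs in that group.
            members = {i["private_ip"] for i in instances.values()
                       if pair["GroupId"] in i["sg_ids"]}
            if str(seen) in members:
                return True
    return False


def demo():
    """Evaluate the asker's rule over both paths plus the two CIDR alternatives."""
    inst = parse_instances(DESCRIBE_INSTANCES_JSON)
    i1, i2 = inst["instance-1"], inst["instance-2"]
    sg_rule = [sg_referenced_ingress(12345, "sg-xxxxxxxxxx1")]
    pub32 = [cidr_ingress(12345, i1["public_ip"] + "/32")]
    return {
        "public_ip_with_sg_rule": ingress_allowed(sg_rule, i1, i2["public_ip"], 12345, inst),
        "private_ip_with_sg_rule": ingress_allowed(sg_rule, i1, i2["private_ip"], 12345, inst),
        "public_ip_with_public_slash32": ingress_allowed(pub32, i1, i2["public_ip"], 12345, inst),
        "private_ip_with_public_slash32": ingress_allowed(pub32, i1, i2["private_ip"], 12345, inst),
        "public_ip_with_open_rule": ingress_allowed(
            [cidr_ingress(12345, "0.0.0.0/0")], i1, i2["public_ip"], 12345, inst),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'allowed' if ok else 'times out'}")
```

Of the two fixes the answer offers, connecting to the private IP with the SG-referenced rule is the one to prefer: it keeps the traffic inside the VPC and ties the allow to group membership rather than to an address that changes if instance-1 is stopped and started without an Elastic IP. A `/32` rule on the public IP works, but only for the public-IP path, and it breaks silently when that address changes.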