问题描述

我们正在设置一个Amazon VPC，在其中我们将（现在）配置一个EC2实例和一个RDS实例。这是为了扩展我们的数据中心，并且只能使用私有子网。

We're setting up an Amazon VPC in which we will provision (for now) a single EC2 instance and one RDS instance. This is to 'extend our data center', and should only be using private subnet(s).

实际上，我们已经进行了此设置，并且运行良好（插入笑脸图标）。出于所有目的和目的，我们在此处镜像了Amazon概述的VPC场景4：

So actually, we have this setup, and it is working well (insert smiley face icon). For all intents and purposes, we're mirroring the VPC scenario 4 outlined by Amazon here: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario4.html

tl; dr：A单个VCP，VPN连接到我们的公司网络。 VPN使用虚拟专用网关（VPC端）和客户网关（我们的端）来允许我们根据需要访问EC2，其中EC2包含根据需要连接到RDS实例的Web服务器。我们网络上的任何人都可以通过URL访问EC2上运行的Web服务器。所有这一切都按预期工作。

问题出在EC2实例需要访问Internet上的资源时-这个想法是让我们没有任何公共子网，但将来自EC2实例的所有流量都通过我们的VPN路由到公司Internet访问的标准路径之外。但是，我们在设置时遇到了麻烦。

The problem comes when the EC2 instance needs to access a resource on the Internet - The idea is for us to NOT have any public subnets, but to route all traffic from the EC2 instance through our VPN and out the 'standard' path of our corporate Internet access. However we're having trouble setting this up.

可以做到这一点的事实在以下Amazon常见问题解答中得到了强调：

The fact that it can be done is hightlighted in Amazon's FAQ here:https://aws.amazon.com/vpc/faqs/

没有公共IP地址的实例可以通过以下两种方式之一访问Internet：

Instances without public IP addresses can access the Internet in one of two ways:

1. 没有公共IP地址的实例可以通过NAT网关或NAT实例路由其流量，以访问Internet。这些实例使用NAT网关或NAT实例的公共IP地址遍历Internet。 NAT网关或NAT实例允许进行出站通信，但不允许Internet上的计算机启动与私有寻址实例的连接。

1. Instances without public IP addresses can route their traffic through a NAT gateway or a NAT instance to access the Internet. These instances use the public IP address of the NAT gateway or NAT instance to traverse the Internet. The NAT gateway or NAT instance allows outbound communication but doesn’t allow machines on the Internet to initiate a connection to the privately addressed instances.

对于具有以下功能的VPC：硬件VPN连接或直接连接连接，实例可以将其Internet流量通过虚拟专用网关路由到您现有的数据中心。从那里，它可以通过您现有的出口点和网络安全/监视设备访问Internet。

For VPCs with a hardware VPN connection or Direct Connect connection, instances can route their Internet traffic down the virtual private gateway to your existing datacenter. From there, it can access the Internet via your existing egress points and network security/monitoring devices.

我们试图避免选择＃1，因为这涉及成本（以及复杂性和安全性问题）。 ＃2对我们来说是完美的解决方案，但是了解设置它的过程已经使我们望而却步了。

We are trying to avoid option #1 as there is a cost involved (along with complexity and security issues). #2 is the perfect resolution for us, but understanding the process to set it up has been eluding us for a while.

任何人都可以引导我们完成我们需要做的事情（或将我们指向正确的资源），以确保EC2实例*可以通过将流量路由到Internet来访问Internet。通过我们公司的数据中心和我们现有的Internet访问点访问VPN？

Can anyone walk us through what we need to do (or point us to the correct resources) to ensure the EC2 instance* can access the Internet by routing the traffic down the VPN, through our corporate datacenter, and our our existing Internet access point?

*

推荐答案

如果您使用的是方案2，则AWS端要做的就是确保流向互联网的流量， 0.0.0.0/0 被路由到您的虚拟专用网关。

If you are using scenario #2, then all there is to do on the AWS end is to ensure that traffic destined for the internet, 0.0.0.0/0 is routed to your Virtual Private Gateway.

一旦流量驶向那里，它将进入您的客户网关，并进入您的公司数据中心。如果可能的话，最终由本地IT人员来决定是否可以访问互联网流量。但是到那时，它不再是AWS问题。

Once traffic heads there, it will go to your Customer Gateway, and into your corporate datacenter. It's up to your local IT guys on that end to get Internet-destined traffic heading out, if it's even possible. But at that point, it's no longer an AWS issue.

这篇关于在没有公共IP地址的情况下从AWS VPC实例访问Internet的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！