本文介绍了AWS VPC - 互联网网关与 NAT的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

什么是互联网网关?什么是 NAT 实例?他们提供什么服务?

What is an Internet Gateway? What is a NAT Instance? What services do they offer?

阅读 AWS VPC 文档后,我发现它们都将私有 IP 地址映射到用于传出请求的 Internet 可路由地址,并将传入响应从 Internet 路由到子网上的请求者.

Reading AWS VPC documentation, I gather they both map private IP addresses to internet route-able addresses for the outgoing requests and route the incoming responses from the internet to the requester on the subnet.

那么它们之间有什么区别呢?我在什么情况下使用 NAT 实例而不是(或除了)互联网网关?它们本质上是运行某些网络应用程序的 EC2 实例,还是像路由器这样的特殊硬件?

So what are the differences between them? What scenarios do I use a NAT Instance instead of (or besides) an Internet Gateway?Are they essentially EC2 instances running some network applications or are they special hardware like a router?

除了简单地指向 AWS 文档链接之外,您能否通过添加一些关于什么是公共和私有子网的背景知识来解释这些链接,以便任何网络知识有限的初学者都能轻松理解这些内容?另外我什么时候应该使用 NAT 网关而不是 NAT 实例?

Instead of simply pointing to AWS documentation links, can you please explain these with adding some background on what is public and private subnets so any beginner with limited knowledge of networking can understand these easily?Also when should I use a NAT Gateway instead of a NAT instance?

附言我是 AWS VPC 的新手,所以我可能会在这里比较苹果和橙子.

P.S. I am new to AWS VPC, so I might be comparing apples to oranges here.

推荐答案

互联网网关

互联网网关是Amazon VPC 和互联网之间的逻辑连接.它不是一个物理设备.每个 VPC 只能关联一个.它限制互联网连接的带宽.(带宽的唯一限制是 Amazon EC2 实例的大小,它适用于所有流量——VPC 内部和 Internet 外部.)

An Internet Gateway is a logical connection between an Amazon VPC and the Internet. It is not a physical device. Only one can be associated with each VPC. It does not limit the bandwidth of Internet connectivity. (The only limitation on bandwidth is the size of the Amazon EC2 instance, and it applies to all traffic -- internal to the VPC and out to the Internet.)

如果 VPC 没有互联网网关,则 VPC 中的资源无法从互联网访问(除非流量通过企业网络和 VPN/直接连接).

If a VPC does not have an Internet Gateway, then the resources in the VPC cannot be accessed from the Internet (unless the traffic flows via a corporate network and VPN/Direct Connect).

如果子网具有将流量定向到 Internet 网关的路由表,则该子网被视为公共子网.

A subnet is deemed to be a Public Subnet if it has a Route Table that directs traffic to the Internet Gateway.

NAT 实例

NAT 实例是配置为将流量转发到 Internet 的 Amazon EC2 实例.它可以从现有的 AMI 启动,也可以通过用户数据进行配置,如下所示:

A NAT Instance is an Amazon EC2 instance configured to forward traffic to the Internet. It can be launched from an existing AMI, or can be configured via User Data like this:

#!/bin/sh
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects
/sbin/iptables -t nat -A POSTROUTING -o eth0 -s 0.0.0.0/0 -j MASQUERADE
/sbin/iptables-save > /etc/sysconfig/iptables
mkdir -p /etc/sysctl.d/
cat <<EOF > /etc/sysctl.d/nat.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.eth0.send_redirects = 0
EOF

私有子网中想要访问 Internet 的实例可以通过路由表配置将其 Internet 绑定流量转发到 NAT 实例.然后 NAT 实例将向 Internet 发出请求(因为它位于公共子网中),响应将转发回私有实例.

Instances in a private subnet that want to access the Internet can have their Internet-bound traffic forwarded to the NAT Instance via a Route Table configuration. The NAT Instance will then make the request to the Internet (since it is in a Public Subnet) and the response will be forwarded back to the private instance.

发送到 NAT 实例的流量通常会发送到与 NAT 实例本身无关的 IP 地址(它将发往 Internet 上的服务器).因此,关闭 NAT 实例上的源/目标检查选项很重要,否则流量将被阻止.

Traffic sent to a NAT Instance will typically be sent to an IP address that is not associated with the NAT Instance itself (it will be destined for a server on the Internet). Therefore, it is important to turn off the Source/Destination Check option on the NAT Instance otherwise the traffic will be blocked.

NAT 网关

AWS 推出了可以代替 NAT 实例的 NAT 网关服务.使用 NAT 网关服务的好处是:

AWS introduced a NAT Gateway Service that can take the place of a NAT Instance. The benefits of using a NAT Gateway service are:

  • 这是一项完全托管的服务——只需创建它即可自动运行,包括故障转移
  • 最高可达 10 Gbps(NAT 实例受限于与 EC2 实例类型关联的带宽)

然而:

  • 安全组不能与 NAT 网关相关联
  • 每个可用区都需要一个,因为它们只在一个可用区中运行
  • Security Groups cannot be associated with a NAT Gateway
  • You'll need one in each AZ since they only operate in a single AZ

这篇关于AWS VPC - 互联网网关与 NAT的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

09-05 16:32
查看更多