Problem description
I'm having a hard time figuring out how to set the correct SecurityGroup rules for my LoadBalancer. I have made a diagram to try and illustrate this problem, please take a look at the image below:
I have an internet-facing LoadBalancer ("Service A LoadBalancer" in the diagram) that is requested from "inhouse" and from one of our ECS services ("Task B" in the diagram). For the inhouse requests, I can configure a SecurityGroup rule for "Service A LoadBalancer" that allows incoming requests to the LoadBalancer on port 80 from the CIDR for our inhouse IPs. No problem there. But for the other ECS service, Task B, how would I go about adding a rule (for "Service A SecurityGroup" in the diagram) that only allows requests from Task B? (Or only from tasks in the ECS cluster.) Since it is an internet-facing LoadBalancer, requests are made from the public IP of the EC2 machine, not the private one (as far as I can tell?).
I can obviously make a rule that allows requests on port 80 from 0.0.0.0/0, and that would work, but that's far from being restrictive enough. And since it is an internet-facing LoadBalancer, adding a rule that allows requests from the "Cluster SecurityGroup" (in the diagram) will not cut it. I assume it is because the LB cannot infer from which SecurityGroup the request originated, as it is internet-facing, and that this would work if it was an internal LoadBalancer. But I cannot use an internal LoadBalancer, as it is also requested from outside AWS (inhouse).
Would appreciate any help.
Thanks, Frederik
Recommended answer
We solve this by running separate internet-facing and internal Load Balancers. You can have multiple ELBs or ALBs (ELBv2) for the same cluster. Assuming your ECS cluster runs on an IP range such as 10.X.X.X, you can open 10.X.0.0/16 for internal access on the internal ELB. Just make sure the ECS cluster SG is also open to the ELB. Task B can reach Task A over the internal ELB address, assuming you use the DNS name of the internal ELB when making the request. If you hit the IP of a public DNS name it will always be a public request.
However, you may want to think long term about whether you really need a public ELB at all. Instead of IP restrictions, the next step is usually to run a VPN such as OpenVPN so you can connect into the VPC and access everything on the private network. We generally only ever run internet-facing ELBs if we truly want something on the internet, such as for external customers.
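Terraform sketch of the layout the answer describes: two ALBs for the same service, the internal one reachable only from the VPC range, the internet-facing one only from the inhouse CIDR, and the ECS cluster SG opened only to the two LB security groups. This is an added example, not code from the answer; the VPC CIDR 10.0.0.0/16 (standing in for the answer's 10.X.0.0/16), the variable names and all resource names are assumptions.

```hcl
# Added example, not the answer's own code. Assumes a VPC of 10.0.0.0/16 with public and
# private subnets and an existing ECS cluster security group; every name here is hypothetical.
variable "vpc_id"          { type = string }
variable "public_subnets"  { type = list(string) }
variable "private_subnets" { type = list(string) }
variable "cluster_sg_id"   { type = string } # the "Cluster SecurityGroup" in the diagram
variable "inhouse_cidr"    { type = string } # office egress range, supplied via tfvars
locals {
  lbs = {
    public   = { internal = false, subnets = var.public_subnets,  source = var.inhouse_cidr }
    internal = { internal = true,  subnets = var.private_subnets, source = "10.0.0.0/16" } # answer's 10.X.0.0/16
  }
}
resource "aws_security_group" "service_a_lb" {
  for_each = local.lbs
  name     = "service-a-${each.key}-lb"
  vpc_id   = var.vpc_id
}
# Port 80 on each LB is open only to its own source range (office CIDR or VPC CIDR).
resource "aws_vpc_security_group_ingress_rule" "lb_http" {
  for_each          = local.lbs
  security_group_id = aws_security_group.service_a_lb[each.key].id
  cidr_ipv4         = each.value.source
  from_port         = 80
  to_port           = 80
  ip_protocol       = "tcp"
}
resource "aws_vpc_security_group_egress_rule" "lb_out" {
  for_each          = local.lbs
  security_group_id = aws_security_group.service_a_lb[each.key].id
  cidr_ipv4         = "0.0.0.0/0"
  ip_protocol       = "-1"
}
# The cluster SG admits traffic only from the two LB security groups, never from a raw CIDR.
resource "aws_vpc_security_group_ingress_rule" "cluster_from_lb" {
  for_each                     = local.lbs
  security_group_id            = var.cluster_sg_id
  referenced_security_group_id = aws_security_group.service_a_lb[each.key].id
  from_port                    = 0
  to_port                      = 65535
  ip_protocol                  = "tcp"
}
resource "aws_lb" "service_a" {
  for_each           = local.lbs
  name               = "service-a-${each.key}"
  internal           = each.value.internal
  load_balancer_type = "application"
  subnets            = each.value.subnets
  security_groups    = [aws_security_group.service_a_lb[each.key].id]
}
```

Task B then calls the internal ALB's DNS name (aws_lb.service_a["internal"].dns_name); a request to the public ALB's name would still arrive from the instance's public IP and be dropped by the inhouse-only rule.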
This concludes the article on how to configure the SecurityGroup of an AWS internet-facing LB for internal and external requests.