AWS small setup, secured public access idea.. do away with NAT gateway


Question

Seeking review, comments, point out issues, link to available tested, better solution…

This idea is to provide secure remote access into EC2 instances and allow backend instances to reach the internet when required for updates, installing packages, etc. I just started to pick up AWS on my own and had no prior experience with AWS. I learned that the method to secure remote access (like SSH) is to restrict the SSH source IP, create jump/bastion hosts, and then internet access for the backend/private subnet would be a NAT instance/gateway or proxy. For a small setup of <20 servers and 1 to 2 admins.. it looked like overkill.

I think of using the AWS CLI, security groups and network ACLs to provide "just enough" protection for a small setup. No need to open SSH to the public when not required, or to restrict it to only specific IPs, run extra instances or pay for a NAT Gateway per AZ. I searched a little but can't seem to find what I have in mind, and so I wrote a few little scripts to test. My scripting experience is extremely low, I am more of a GUI guy.. so please bear with me.

Test setup: 1 public subnet, security group allows http, https & ssh from all IPs. ACL allows ingress of http/https & ephemeral ports, and outbound to all. Auto-assign public IP.

1 private/backend subnet, security group allows required ports from the public subnet and ssh from all IPs. ACL allows traffic from the VPC's CIDR, ephemeral ports, and outbound to all. Don't assign a public IP. Routing table allows both subnets to reach the internet.

Laptop configured with the AWS CLI and access keys. Predefined script to add an SSH rule in the ACL to allow the current public IP to access a specific subnet:

# acl-public/backend stands for the ACL id of the public or the backend subnet
aws ec2 create-network-acl-entry --network-acl-id acl-public/backend --ingress --rule-number 801 --protocol tcp --port-range From=22,To=22 --cidr-block "$(curl -s http://checkip.amazonaws.com)/32" --rule-action allow

To list current instances and IPs:

aws ec2 describe-instances --output text --query 'Reservations[*].Instances[*].[InstanceId,NetworkInterfaces[*].Association.PublicIp,Tags[?Key==`Name`].Value]' --filters "Name=network-interface.subnet-id,Values=subnet-backend"

To access a backend instance and allow it internet access; I copy and paste the InstanceId from above as the script parameter.

#!/bin/bash
# Usage: ./access-backend.sh <InstanceId>
# Deliberately no 'set -e': the EIP must still be released if ssh fails.
if [ -z "$1" ]; then
    echo "need InstanceID"
    exit 1
fi
#Get an EIP; --query pins the text columns to AllocationId then PublicIp
aws ec2 allocate-address --domain vpc --output text \
    --query '[AllocationId,PublicIp]' > "$1.txt"
#read variables
read -r eip ip < "$1.txt"
#Associate IP to instance
echo "issuing instance $1 with ip $ip"
aws ec2 associate-address --output text --query 'AssociationId' \
    --instance-id "$1" --allocation-id "$eip" > "$1EIP.txt"
#ssh to instance
echo "ssh to $ip"
ssh ec2-user@"$ip" -i Vrigina-private-key.pem
#remove EIP
read -r asid < "$1EIP.txt"
aws ec2 disassociate-address --association-id "$asid"
aws ec2 release-address --allocation-id "$eip"
echo "removed eip"
#keep a timestamped record of what was allocated and associated
cat "$1.txt" "$1EIP.txt" > "$1-$(date +"%Hh-%Mm-%d-%b-%y").txt"
rm "$1.txt" "$1EIP.txt"

Then another script removes the SSH allow rule in the ACL. For public subnet instances, just adding the SSH rule and removing it afterwards will do.

There is room for improvement; like automating the selection of instances, an automatic daily check (maybe using AWS Config/Lambda) that alerts if there is still a backend instance public IP and ACL SSH rule not removed. The script lacks error checking, has no MFA (no idea how), etc..

I did not test with a webserver and DB setup, not sure whether there will be service interruption.

Issue? Too much effort? During the time when the backend instance has access to the internet, the SG and ACL do block incoming traffic. The private network ACL can be configured to deny SSH from public subnet instances. So it looks OK..

Thanks.

Recommended answer

Too much effort for a trivial setup. What you need is something like: VPC with Public and Private Subnets (NAT)

Why do you think a NAT is overkill for your setup? It is perfect for your setup. If cost is an issue, go with a t2.nano which costs $5/month. Do not mess with ACLs unless you know exactly what you are doing. A NAT and a bastion (both t2.nano) along with security groups can solve your problem. Don't overcomplicate and reinvent something that AWS already provides.
