AWS EC2 security groups don't seem to apply for Public IPs


Question

I have the following setup:

  • An EC2 instance hosting both an application server and a database (mysql), belonging to a security group: let's call it "AppServerSG", and assigned an elastic Public IP (AWS also assigns it a private IP).

  • Various EC2 worker instances which need to connect to the application server's database when booting up. These worker instances belong to another security group: let's call it "WorkerSG".


The inbound rules for the Security Groups look as follows.

For AppServerSG:

80 (HTTP)        0.0.0.0/0
3306 (MYSQL)     WorkerSG

For WorkerSG:

80 (HTTP)        AppServerSG


So essentially only the application server should be reachable from outside, and the workers and application should be able to communicate with each other.

However, connecting to the database from a worker instance only succeeds when the database host is set to the application server's private IP, not the public elastic IP.


The only way to connect to the database from a worker instance using the application server's public IP seems to require changing the MYSQL rule to allow all connections (0.0.0.0/0) on the AppServerSG, which is something I'm very reluctant to do out of security concerns.


Hard-coding the private IP into the worker instances is also not such a good idea, since every time the app server instance is stopped/restarted, it is assigned a new private IP, which would then require manually changing the database address that each worker instance needs to connect to.


I'm basically wondering if someone has run into similar trouble because this doesn't seem like the way things should work, so either I'm doing something wrong in my setup, or there's a workaround somehow.

Thanks a lot for your help!


The motivation behind this setup is that in the event that I want to take the whole thing offline, I can safely bring it back online without having to change the configurations of the application server and the workers.


Had I used RDS, when taking the application offline/online again I would have to take a snapshot of the DB and stop it, then create a new DB based on the snapshot, which would have a different address, which would then bring me back to the problem of changing the configuration.


Honestly if I'm going to have to edit the configuration every time I restart the application anyway, I'd rather have the database on the application server and save myself the costs associated with RDS.


The main issue here is that I don't understand why the security groups don't seem to apply when I'm using the public elastic IP for the database address, is it by design on the AWS side, or a mistake in the configuration somewhere on my part?

Recommended answer


Really the recommended configuration would have you using an RDS DB instance, setting your DB security group to accept connections from the appropriate EC2 security groups only. In this configuration, you CAN set up your DB user like user@% and still enforce access to the DB only to the specified EC2 security groups.


In this way, you shift the burden of DB access control to the AWS security model, rather than MySQL user configuration. Of course, you would still need to configure DB users to have access only to those appropriate resources within the DB.
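The behaviour the question describes and the configuration the answer recommends can both be reproduced with a small model of how a security group evaluates its inbound rules. The example below is added here and is not code from the question, the answer, or AWS; the IP addresses, group memberships and the NAT mapping are constructed, and the rule that traffic sent to a public (elastic) IP leaves through the Internet gateway and arrives with the sender's public address as its source is modelled rather than taken from the page. A rule whose source is another security group only matches the private addresses of that group's members, which is why the worker's connection to the elastic IP falls through, why opening 3306 to 0.0.0.0/0 "fixes" it at the cost of exposing the database to any outside host, and why the RDS layout with group-sourced rules keeps working as long as the clients reach the database by its in-VPC address.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample topology, not from the question's account. Private IPs
# are the addresses AWS assigns inside the VPC; the elastic IP and the worker's
# public IP are NATed to those private addresses at the Internet gateway.
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")
APP_PRIVATE, APP_ELASTIC = "10.0.1.10", "203.0.113.10"
WORKER_PRIVATE, WORKER_PUBLIC = "10.0.2.20", "203.0.113.20"
RDS_PRIVATE = "10.0.3.30"        # what an RDS endpoint resolves to from inside the VPC
INTERNET_HOST = "198.51.100.7"   # an arbitrary outside host (constructed)

SG_MEMBERS = {                   # private IPs of each group's instances
    "AppServerSG": {APP_PRIVATE},
    "WorkerSG": {WORKER_PRIVATE},
}
NAT = {WORKER_PRIVATE: WORKER_PUBLIC}   # source NAT applied when leaving via the IGW


@dataclass
class Rule:
    port: int
    source: str                  # a CIDR string or the name of a security group


@dataclass
class SecurityGroup:
    name: str
    inbound: list = field(default_factory=list)


def permits(sg, src_ip, port):
    """Evaluate the inbound rules against the source address as the group sees it."""
    for rule in sg.inbound:
        if rule.port != port:
            continue
        if rule.source in SG_MEMBERS:
            # A group reference matches only the members' private addresses.
            if src_ip in SG_MEMBERS[rule.source]:
                return True
        elif ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source):
            return True
    return False


def source_seen_by_target(sender_private_ip, dest_ip):
    """Traffic to an in-VPC address keeps its private source. Traffic to a public
    address hairpins through the Internet gateway and is source-NATed, so the
    target sees the sender's public IP (modelled behaviour, assumed here)."""
    if ipaddress.ip_address(dest_ip) in VPC_CIDR:
        return sender_private_ip
    return NAT[sender_private_ip]


def worker_connects(sg, dest_ip, port=3306):
    return permits(sg, source_seen_by_target(WORKER_PRIVATE, dest_ip), port)


def question_setup():
    """The rules from the question: 3306 open only to WorkerSG."""
    app = SecurityGroup("AppServerSG", [Rule(80, "0.0.0.0/0"), Rule(3306, "WorkerSG")])
    return {
        "worker_to_private_ip": worker_connects(app, APP_PRIVATE),     # True
        "worker_to_elastic_ip": worker_connects(app, APP_ELASTIC),     # False
        "internet_to_elastic_ip": permits(app, INTERNET_HOST, 3306),   # False
    }


def opened_to_world():
    """The workaround the asker is reluctant to use: 3306 from 0.0.0.0/0."""
    app = SecurityGroup("AppServerSG", [Rule(80, "0.0.0.0/0"), Rule(3306, "0.0.0.0/0")])
    return {
        "worker_to_elastic_ip": worker_connects(app, APP_ELASTIC),     # True
        "internet_to_elastic_ip": permits(app, INTERNET_HOST, 3306),   # True: the exposure
    }


def recommended_rds():
    """The answer's layout: a DB security group sourced from the EC2 groups."""
    db = SecurityGroup("DbSG", [Rule(3306, "WorkerSG"), Rule(3306, "AppServerSG")])
    return {
        "worker_to_rds": worker_connects(db, RDS_PRIVATE),             # True
        "internet_to_rds": permits(db, INTERNET_HOST, 3306),           # False
    }


if __name__ == "__main__":
    for scenario in (question_setup, opened_to_world, recommended_rds):
        print(scenario.__name__, scenario())
```

The model deliberately keeps the group-to-member lookup separate from the NAT step, because that separation is the whole point: the security group never sees the elastic IP at all, only whatever source address the packet carries when it reaches the instance, and a group-sourced rule has nothing to match against once that source has been rewritten to a public address.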
