EC2 security groups cannot communicate with each other


Problem description

I have two AWS EC2 instances that are trying to talk to each other over a custom TCP port. Each instance has its own security group, but neither can talk to the other.

Here is my setup:

EC2 instance 1

  • Name: instance-1
  • Public IP address: aaa.bbb.ccc.ddd
  • Security group ID: sg-xxxxxxxxxx1
  • SG inbound rules: none
  • SG outbound rules:
    • Type: All traffic, Protocol: All, Port Range: All, Destination: 0.0.0.0/0

EC2 instance 2

  • Name: instance-2
  • Public IP address: www.xxx.yyy.zzz
  • Security group ID: sg-xxxxxxxxxx2
  • SG inbound rules:
    • Type: Custom TCP Rule, Protocol: TCP, Port Range: 12345, Source: sg-xxxxxxxxxx1
  • SG outbound rules:
    • Type: All traffic, Protocol: All, Port Range: All, Destination: 0.0.0.0/0

Problem

Whenever instance-1 tries to initiate a TCP request to www.xxx.yyy.zzz:12345, the connection times out.

If I add the following inbound rule to instance-2's SG, it works just fine:

  • Type: All traffic, Protocol: All, Port Range: 12345, Source: 0.0.0.0/0

Summary

I need instance-1 to talk to instance-2 without allowing traffic from anywhere to access port 12345. Is there a way to do this?

Answer

You cannot access a public IP using a security group as the incoming source.

When you specify a security group as the source or destination for a rule, the rule affects all instances associated with the security group. Incoming traffic is allowed based on the private IP addresses of the instances that are associated with the source security group (and not the public IP or Elastic IP addresses). For more information about IP addresses, see Amazon EC2 Instance IP Addressing.

Use the private IP address, or use the public IP as the source.

Reference

          安全性组连接跟踪
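The following is an added example, not code from the original post or from AWS. It models the rule evaluation the answer describes: a rule whose source is a security group matches only the private IPs of that group's members, and a packet addressed to an instance's public IP arrives carrying the sender's public (NATed) address because it leaves the VPC through the internet gateway. That routing behaviour is an assumption of the model, as are the private addresses (10.0.0.x) and the documentation-range public addresses (203.0.113.x) standing in for the question's aaa.bbb.ccc.ddd / www.xxx.yyy.zzz placeholders. Everything else (instance names, group IDs, port 12345, the 0.0.0.0/0 workaround) comes from the question.

```python
"""Model of EC2 security-group inbound evaluation (added example, not AWS code).
Addresses are constructed stand-ins for the placeholders in the question."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Instance:
    name: str
    private_ip: str
    public_ip: str
    security_groups: set = field(default_factory=set)


@dataclass
class InboundRule:
    protocol: str        # "tcp", "udp" or "all"
    port_range: tuple    # (from_port, to_port); (0, 65535) means all ports
    source: str          # a CIDR such as "0.0.0.0/0" or a group ID such as "sg-..."


def private_ips_of_group(sg_id, instances):
    """Members of a referenced group are matched by their private IPs only."""
    return {i.private_ip for i in instances if sg_id in i.security_groups}


def rule_matches(rule, src_ip, protocol, port, instances):
    """Does one inbound rule admit a packet from src_ip to protocol/port?"""
    if rule.protocol not in ("all", protocol):
        return False
    lo, hi = rule.port_range
    if not lo <= port <= hi:
        return False
    if rule.source.startswith("sg-"):
        return src_ip in private_ips_of_group(rule.source, instances)
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source)


def source_ip_seen_by(dst, src, dst_ip):
    """Assumption of the model: a packet sent to an instance's public IP goes out
    through the internet gateway, so the receiver sees the sender's public
    address; a packet sent to the private IP keeps the sender's private address."""
    if dst_ip == dst.public_ip:
        return src.public_ip
    if dst_ip == dst.private_ip:
        return src.private_ip
    raise ValueError(f"{dst_ip} is not an address of {dst.name}")


def inbound_allowed(src, dst, dst_ip, port, rules_by_sg, instances, protocol="tcp"):
    """True if any inbound rule on any of dst's groups admits the connection."""
    seen = source_ip_seen_by(dst, src, dst_ip)
    return any(
        rule_matches(r, seen, protocol, port, instances)
        for sg in dst.security_groups
        for r in rules_by_sg.get(sg, [])
    )


# Constructed fixture mirroring the question's setup.
INSTANCE_1 = Instance("instance-1", "10.0.0.11", "203.0.113.10", {"sg-xxxxxxxxxx1"})
INSTANCE_2 = Instance("instance-2", "10.0.0.22", "203.0.113.20", {"sg-xxxxxxxxxx2"})
# A third host in the same VPC that is NOT in sg-xxxxxxxxxx1 (hypothetical).
OUTSIDER = Instance("outsider", "10.0.0.33", "203.0.113.30", {"sg-xxxxxxxxxx3"})
INSTANCES = [INSTANCE_1, INSTANCE_2, OUTSIDER]

RULES = {
    "sg-xxxxxxxxxx1": [],
    "sg-xxxxxxxxxx2": [InboundRule("tcp", (12345, 12345), "sg-xxxxxxxxxx1")],
}
# The questioner's workaround: port 12345 open to the whole internet.
RULES_OPEN = {
    **RULES,
    "sg-xxxxxxxxxx2": RULES["sg-xxxxxxxxxx2"]
    + [InboundRule("tcp", (12345, 12345), "0.0.0.0/0")],
}


def demo():
    """(via public IP, via private IP, via public IP with 0.0.0.0/0 rule)."""
    via_public = inbound_allowed(INSTANCE_1, INSTANCE_2, INSTANCE_2.public_ip, 12345, RULES, INSTANCES)
    via_private = inbound_allowed(INSTANCE_1, INSTANCE_2, INSTANCE_2.private_ip, 12345, RULES, INSTANCES)
    via_public_open = inbound_allowed(INSTANCE_1, INSTANCE_2, INSTANCE_2.public_ip, 12345, RULES_OPEN, INSTANCES)
    return via_public, via_private, via_public_open


if __name__ == "__main__":
    print(demo())
```

The model reproduces the symptom: instance-1 connecting to instance-2's public address is refused by the SG-sourced rule and times out, the same connection to the private address is admitted, and the 0.0.0.0/0 rule "fixes" it only by admitting everyone. The outsider fixture shows the SG-sourced rule is still selective on the private path: another host in the VPC that is not a member of sg-xxxxxxxxxx1 is refused. In practice, look up instance-2's private address (for example with `aws ec2 describe-instances --query 'Reservations[].Instances[].PrivateIpAddress'`) and point instance-1 at that instead of the public IP.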
