How to set up EC2 with public IP for connections from itself?


Problem description

I have an EC2 instance (running kafka) which needs to access itself via public IPs, but I would like to not open the network ACLs to the whole world.

The rationale is that when a connection is made to a kafka broker, the broker advertises which kafka nodes are available. As kafka will be used inside and outside EC2, the only common option is for the broker to advertise its public IP.

My setup:

  • an instance, with public IP (not an elastic IP)
  • a vpc
  • a security group, allowing access to the kafka ports from my work network
  • an internet gateway
  • a route allowing external access via the gateway

The security group is as follows:

Custom TCP Rule, proto=TCP, port=9092, src=<my office network>
Custom TCP Rule, proto=TCP, port=2181, src=<my office network>

In short, all works fine inside the instance if I use localhost. All works fine outside the instance if I use the public IP.

What I now want is to use kafka from inside the instance with the public IP.

If I open the kafka ports to the whole world:

Custom TCP Rule, proto=TCP, port=9092, src=0.0.0.0/0
Custom TCP Rule, proto=TCP, port=2181, src=0.0.0.0/0

It works, as expected, but it does not feel safe.

How could I set up the network ACL to accept inbound traffic from my local instance/subnet/vpc (does not matter which) without opening too much?

Recommended answer

Well, this is not clean, but it has the added advantage of not having to pay for external bandwidth.

I did not find a way as I expected (via the security groups), but just by updating the /etc/hosts on my ec2 instance, and actually using a hostname instead of an IP, all works as expected.

For instance, if I give the instance the hostname kafka.example.com, then by having the following line in /etc/hosts:

127.0.0.1 kafka.example.com

I can use the name kafka.example.com everywhere, even if it actually points to a different IP depending on where the call is made.
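As an added example (not part of the original answer), a small POSIX shell script that applies the hosts-file pin described above idempotently and reads it back, so the same advertised name resolves to loopback on the instance while the security group stays restricted to the office network. The hosts file path, the name kafka.example.com and the sample public IP 203.0.113.10 are constructed for the demo; on the real instance the file would be /etc/hosts.

```shell
#!/bin/sh
# Added example, not part of the original answer: pin the broker's advertised
# hostname to 127.0.0.1 in a hosts file so it resolves to loopback on the
# instance and to the public IP everywhere else. Re-running it leaves exactly
# one mapping; comments, blank lines and unrelated entries are kept intact.

# upsert_host_entry FILE NAME IP
# Strips NAME from every existing non-comment line (dropping a line that then
# has no hostnames left), then appends a single "IP NAME" line.
upsert_host_entry() {
    file="$1"; name="$2"; ip="$3"
    tmp="$file.tmp.$$"
    awk -v n="$name" '
        NF == 0 || /^[ \t]*#/ { print; next }   # keep blanks and comments as-is
        { out = $1; left = 0
          for (i = 2; i <= NF; i++) if ($i != n) { out = out " " $i; left++ }
          if (left > 0) print out }' "$file" > "$tmp" \
      && printf '%s %s\n' "$ip" "$name" >> "$tmp" \
      && mv "$tmp" "$file"
}

# resolve_host_entry FILE NAME
# Prints the address of the first non-comment line mapping NAME (empty if none),
# mirroring the first-match behaviour of the hosts resolver.
resolve_host_entry() {
    awk -v n="$2" '
        /^[ \t]*#/ { next }
        { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }' "$1"
}

# Demo on a constructed hosts file: the name initially points at a sample
# public IP (203.0.113.10, a documentation address) and gets pinned to loopback.
demo_hosts="${TMPDIR:-/tmp}/hosts.demo.$$"
printf '127.0.0.1 localhost\n203.0.113.10 kafka.example.com\n' > "$demo_hosts"
upsert_host_entry "$demo_hosts" kafka.example.com 127.0.0.1
echo "kafka.example.com -> $(resolve_host_entry "$demo_hosts" kafka.example.com)"
rm -f "$demo_hosts"
```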
