AWS - Accessing instances in private subnet using EIP


Question

I want to access a few instances in my private subnet using EIPs. Is there a way? I know it doesn't make much sense. But let me explain in detail.

I have a VPC with 2 subnets.

1) 192.168.0.0/24 (public subnet) has EIPs attached to it

2) 192.168.1.0/24 (private subnet)

There is a NAT instance between these to allow the private instances to have outbound access to the internet. Everything works fine as mentioned here: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html

But now, for a temporary time I need to address the instances on the private subnet directly from the internet using an EIP. Is this possible by setting up new route tables for that particular instance alone? Or anything else? Here are the limitations:

1) There can't be any downtime on any instances on the private subnet

2) Hence it goes without saying, I can't create a new subnet and move these instances there.

It should be as simple as attach -> use -> remove. The only other way I have right now is some kind of port forwarding on iptables from instances on the public subnet (which have EIPs) to any instance on the private subnet... But this looks messy.

Is there any other way?

Answer

Of course, the stuff in the private subnet is in the private subnet because it shouldn't be accessible from the Internet. :)

But... I'm sure you have your reasons, so here goes:

First, no, you can't do this in a straightforward attach → use → remove way, because each subnet has exactly one default route, and that either points to the igw object (public subnet) or the NAT instance (private subnet). If you bind an elastic IP to a machine in the private subnet, the inbound traffic would arrive at the instance, but the outbound reply traffic would be routed back through the NAT instance, which would either discard or mangle it, since you can't route asymmetrically through NAT, and that's what would happen here.

If your services are TCP services (http, remote desktop, yadda yadda) then here's a piece of short term hackery that would work very nicely and avoid the hassles of iptables and expose only the specific service you need:

Fire up a new micro instance with ubuntu 12.04 LTS in the public subnet, with an EIP and appropriate security group to allow the inbound Internet traffic to the desired ports. Allow yourself ssh access to the new instance. Allow access from that machine to the inside machine. Then:

$ sudo apt-get update
$ sudo apt-get upgrade 
$ sudo apt-get install redir

Assuming you want to send incoming port 80 traffic to port 80 on a private instance:

$ sudo redir --lport=80 --cport=80 --caddr=[private instance ip] --syslog &

Done. You'll have a log of every connect and disconnect with port numbers and bytes transferred in your syslogs. The disadvantage is that if your private host is looking at the IP of the connecting machine it will always see the internal IP of the private network instance.

You only have to run it with sudo if you're binding to a port below 1024 since only root can bind to the lower port numbers. To stop it, find the pid and kill it, or sudo killall redir.

The spiffy little redir utility does its magic in user space, making it simpler (imho) than iptables. It sets up a listen socket on the designated --lport port. For each inbound connection, it forks itself, establishes an outbound connection to the --caddr on --cport and ties the two data streams together. It has no awareness of what's going on inside the stream, so it should work for just about anything TCP. This also means you should be able to pass quite a lot of traffic through, in spite of using a Micro.

When you're done, throw away the micro instance and your network is back to normal.
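The relay mechanism the answer describes (listen on --lport, open an outbound leg to --caddr:--cport per inbound connection, tie the two streams together) as an added Python example; this is not redir's code, it uses a thread per connection where redir forks, and demo() is a constructed loopback run that shows the caveat from the answer: the stand-in "private instance" sees the relay's own address and port, never the original client's.

```python
import socket
import threading

def _pump(src, dst, counter, key):
    # Copy one direction until EOF, counting bytes (redir logs these), then pass the EOF on.
    while data := src.recv(4096):
        dst.sendall(data)
        counter[key] += len(data)
    dst.shutdown(socket.SHUT_WR)

def relay(client, peer, caddr, cport):
    # One forwarded connection: open the outbound leg and tie both streams together.
    counter = {"in": 0, "out": 0}
    with client, socket.create_connection((caddr, cport)) as backend:
        back = threading.Thread(target=_pump, args=(backend, client, counter, "out"))
        back.start()
        _pump(client, backend, counter, "in")
        back.join()
    return counter

def serve(lport, caddr, cport, lhost="0.0.0.0"):
    # Listen on lport; each accepted connection is relayed in its own thread.
    srv = socket.create_server((lhost, lport))
    def accept_loop():
        try:
            while True:
                client, peer = srv.accept()
                threading.Thread(target=relay, args=(client, peer, caddr, cport), daemon=True).start()
        except OSError:
            pass  # listening socket was closed: stop accepting
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv

def demo():
    # Constructed stand-in for the private instance: an echo server that records the peer it sees.
    seen, backend = [], socket.create_server(("127.0.0.1", 0))
    def echo_once():
        conn, peer = backend.accept()
        seen.append(peer)
        with conn:
            while data := conn.recv(4096):
                conn.sendall(data)
    threading.Thread(target=echo_once, daemon=True).start()
    fwd = serve(0, "127.0.0.1", backend.getsockname()[1], lhost="127.0.0.1")
    with socket.create_connection(fwd.getsockname()) as cli:
        cli.sendall(b"GET / HTTP/1.0\r\n\r\n")
        cli.shutdown(socket.SHUT_WR)
        reply = b"".join(iter(lambda: cli.recv(4096), b""))
        fwd.close(); backend.close()
        return reply, seen[0], cli.getsockname()[1]
```

demo() returns the echoed bytes, the (ip, port) the backend saw, and the real client's port; the two ports differ because the backend only ever talks to the relay.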
