Can't connect out from my EC2 instance unless allow all traffic inbound


Problem description

I have an issue where my linux EC2 instance can't do anything outbound (ping, curl, yum update, wget, traceroute, etc.) unless I have a rule in my VPC ACL inbound rule set that allows all traffic.

My security group and VPC both have outbound rules that allow all traffic to everything.

The security group inbound list attached to the instance looks like this:

And the VPC inbound list looks like this (rule 200 is the one I'm talking about):

If I delete the inbound rule that allows all traffic (rule 200), then I can't do anything outbound.

Could there be anything that I'm missing? Thanks!

Recommended answer

ACL rules are stateless, which means they don't keep track of your outbound connections when evaluating inbound connections. So if you make an outbound connection to a server, the ACL rule will block that server's response unless you have explicitly allowed inbound connections from that server in the ACL.

This is one of the primary reasons that most people only use Security Groups (which are stateful) instead of ACL rules. Looking at your network ACL rules, there is nothing happening there that isn't already covered by your Security Group rules, so why use ACLs?
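The stateless-versus-stateful distinction in the answer above is easy to see in a small model, so here is an added example (not part of the question or answer, and not AWS code) that evaluates a packet and its reply against a numbered, first-match, default-deny network ACL and against a security group that remembers outbound flows. The addresses, ports, rule numbers and rule sets are constructed for the illustration; the 1024-65535 ephemeral range in `EPHEMERAL_IN` is the range AWS documents for return traffic.

```python
"""Model of stateless network ACL vs. stateful security group evaluation (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

    def reply(self):
        """The server's response: addresses and ports swapped."""
        return Packet(self.dst_ip, self.dst_port, self.src_ip, self.src_port, self.proto)


@dataclass(frozen=True)
class Rule:
    number: int     # NACL rules are evaluated in ascending number order
    proto: str      # "tcp", "udp", "icmp" or "all"
    cidr: str       # peer range: source for inbound rules, destination for outbound rules
    port_from: int  # destination port range (ignored for icmp/all)
    port_to: int
    action: str     # "allow" or "deny" (security group rules are allow-only)


def rule_matches(rule, pkt, direction):
    peer = pkt.src_ip if direction == "inbound" else pkt.dst_ip
    if rule.proto not in ("all", pkt.proto):
        return False
    if ip_address(peer) not in ip_network(rule.cidr):
        return False
    if rule.proto in ("tcp", "udp") and not (rule.port_from <= pkt.dst_port <= rule.port_to):
        return False
    return True


def nacl_allows(rules, pkt, direction):
    """Stateless: the first matching rule by number decides; the implicit '*' rule denies."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, pkt, direction):
            return rule.action == "allow"
    return False


class SecurityGroup:
    """Stateful: a reply to a tracked outbound flow is admitted regardless of inbound rules."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound
        self.tracked = set()

    def allows(self, pkt, direction):
        if direction == "outbound":
            ok = any(rule_matches(r, pkt, "outbound") for r in self.outbound)
            if ok:
                self.tracked.add(pkt.reply())  # remember the expected reply 5-tuple
            return ok
        if pkt in self.tracked:
            return True
        return any(rule_matches(r, pkt, "inbound") for r in self.inbound)


def round_trip(request, nacl_in, nacl_out, sg):
    """Return (request left the instance, reply reached the instance)."""
    if not (nacl_allows(nacl_out, request, "outbound") and sg.allows(request, "outbound")):
        return (False, False)
    reply = request.reply()
    return (True, nacl_allows(nacl_in, reply, "inbound") and sg.allows(reply, "inbound"))


# Constructed rule sets mirroring the question: outbound is wide open everywhere.
ALLOW_ALL = Rule(100, "all", "0.0.0.0/0", 0, 65535, "allow")
SSH_ONLY_IN = [Rule(100, "tcp", "0.0.0.0/0", 22, 22, "allow")]
EPHEMERAL_IN = SSH_ONLY_IN + [Rule(110, "tcp", "0.0.0.0/0", 1024, 65535, "allow")]
WITH_RULE_200 = SSH_ONLY_IN + [Rule(200, "all", "0.0.0.0/0", 0, 65535, "allow")]

# Constructed sample flow: the instance (10.0.1.25) opens HTTPS to a documentation address.
REQUEST = Packet("10.0.1.25", 40000, "203.0.113.10", 443)


def scenario(nacl_in):
    """Run REQUEST through a given NACL inbound set; the SG admits SSH in and everything out."""
    sg = SecurityGroup(inbound=[Rule(0, "tcp", "0.0.0.0/0", 22, 22, "allow")], outbound=[ALLOW_ALL])
    return round_trip(REQUEST, nacl_in, [ALLOW_ALL], sg)


def nacl_admits_new_connection(nacl_in, dst_port):
    """Whether the NACL alone passes a fresh inbound connection to dst_port (the SG still decides)."""
    probe = Packet("198.51.100.7", 51515, "10.0.1.25", dst_port)
    return nacl_allows(nacl_in, probe, "inbound")


if __name__ == "__main__":
    for name, rules in (("ssh only", SSH_ONLY_IN), ("ephemeral", EPHEMERAL_IN), ("rule 200", WITH_RULE_200)):
        print(f"NACL inbound {name!r}: request/reply = {scenario(rules)}")
```

With only an SSH rule inbound, the outbound HTTPS request leaves but the reply to port 40000 is dropped by the NACL, which is exactly the symptom in the question; rule 200 fixes it by admitting everything. The narrower fix is rule 110, which admits TCP return traffic on the ephemeral range while the stateful security group (the only place a flow table exists) still rejects new inbound connections on those ports.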

