如何使用公共 IP 设置 EC2 以进行来自自身的连接? [英] How to set up EC2 with public IP for connections from itself?

问题描述

我有一个需要通过公共 IP 访问自身的 EC2 实例(运行 kafka)，但我不想向全世界开放网络 ACL.

基本原理是，当与 kafka 代理建立连接时，代理会通告哪些 kafka 节点可用.由于 kafka 将在 EC2 内部和外部使用，唯一常见的选择是代理公布其公共 IP.

我的设置:

• 一个实例，具有公共 IP(不是弹性 IP)
• 一个 vpc
• 一个安全组，允许从我的工作网络访问 kafka 端口
• 互联网网关
• 允许通过网关进行外部访问的路由

安全组如下:

自定义 TCP 规则，proto=TCP，端口=9092，src=<我的办公网络>自定义TCP规则，prtot=TCP，端口=2181，src=<我的办公网络>

简而言之，如果我使用 localhost，则在实例内一切正常.如果我使用公共 IP，则在实例外一切正常.

我现在想要的是从具有公共 IP 的实例内部使用 kafka.

如果我向全世界开放 kafka 端口:

自定义 TCP 规则，proto=TCP，端口=9092，src=0.0.0.0/0自定义 TCP 规则，prtot=TCP，端口=2181，src=0.0.0.0/0

它按预期工作，但感觉不安全.

如何设置网络 ACL 以接受来自我的本地实例/子网/vpv(不管哪个)的入站流量，而不会打开太多?

解决方案

嗯，这并不干净，但它有一个额外的好处，即不必为外部带宽付费.

我没有找到我预期的方法(通过安全组)，但只​​是通过更新我的 ec2 实例上的/etc/hosts 并实际使用主机名而不是 IP，一切都按预期工作.

例如，如果我为实例提供主机名 kafka.example.com，则在/etc/hosts 中包含以下行:

<块引用>

127.0.0.1 kafka.example.com

我可以在任何地方使用名称 kafka.example.com，即使它实际上指向不同的 IP，具体取决于调用的位置.

I have an EC2 instance (running kafka) which needs to access itself via public IPs, but I would like to not open the network ACLs to the whole world.

The rationale is that when a connection is made to a kafka broker, the broker advertises which kafka nodes are available. As kafka will be used inside and outside EC2, the only common option is for the broker to advertise its public IP.

My setup:

• an instance, with public IP (not an elastic IP)
• a vpc
• a security group, allowing access to the kafka ports from my work network
• an internet gateway
• a route allowing external access via the gateway

The security group is as follow:

Custom TCP Rule, proto=TCP, port=9092, src=<my office network>
Custom TCP Rule, prtot=TCP, port=2181, src=<my office network>

In short, all works fine inside the instance if I use localhost. All works fine outside the instance if I use the public IP.

What I now want is to use kafka from inside the instance with the public IP.

If I open the kafka ports to the whole world:

Custom TCP Rule, proto=TCP, port=9092, src=0.0.0.0/0
Custom TCP Rule, prtot=TCP, port=2181, src=0.0.0.0/0

It works, as expected, but it does not feel safe.

How could I setup the network ACL to accept inbound traffic from my local instance/subnet/vpv (does not matter which) without opening too much?

解决方案

Well, this is not clean, but it has the added advantage of not having to pay for external bandwidth.

I did not find a way as I expected (via the security groups), but just by updating the /etc/hosts on my ec2 instance, and actually using a hostname instead of an IP, all works as expected.

For instance, if I give the instance the hostname kafka.example.com, then by having the following line in /etc/hosts:

127.0.0.1 kafka.example.com

I can use the name kafka.example.com everywhere, even if it actually points to a different IP depending on where the call is made.

这篇关于如何使用公共 IP 设置 EC2 以进行来自自身的连接?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！