How should I restrict load balanced Web traffic to my Elastic Beanstalk environments?


Question

I'm trying to configure access to my EB environments, and would like to restrict HTTP access (through the ELB) to certain IP addresses.

I have an out of the box EB app (a bunch, actually, with a few environments each) and would like to be able to (a) restrict access to specific sets of IPs while (b) having all traffic come through the ELBs. Critically, I'd like to do this by (c) creating a few groups (e.g. an admin SG that allows my IP, and a dev SG that allows a team's IPs, and a public SG that allows all IPs) and applying the groups as needed to each EB environment (often in different combinations to different environments) rather than having to update sources in every environment whenever a team member's IP changes or team membership changes. I'd like to do this without digging around in the network structure and just use the default EB structure.

The default ELB security group allows access from all IPs and is not meant to be edited ("Modifications could impact traffic to future ELBs"), so it seems (naively) there are three approaches I could take:

  1. Create a new security group with restricted IP sources for HTTP, and assign it to the ELB instead of the default ELB SG.

  2. Create a new security group with restricted IP sources for HTTP, and set it as the source for HTTP in my environment's security group.

  3. Leave the default ELB in as is, but restrict the range of allowed source IPs in my EB environment's security group (instead of specifying the ELB's SG as a source).

But (1) seems to require that I also specify the new SG, instead of the default ELB SG, as a source in each of my environments, and (2) seems to require that I assign the new SG to the environment's ELB; while it's not clear in (3) whether traffic goes through or is filtered by the ELB at all.

The ideal solution for my purposes (at least in theory) would be to have a small number of security groups for controlling Web access (e.g. one for admin users that lists specific IPs as sources, another for testers that lists a broader range of IPs, and another for public access), and to assign these to environments (as sources for their SG's rules) as appropriate. But this approach (basically 2, above) seems to require that I also assign the groups to each environment's ELB (i.e. I need to combine 1 and 2). (This wouldn't be quite so awkward except that cloned environments seem to always have default rules for their SGs and default to the default SG for their ELBs.)

All this seems too cumbersome and suggests that I'm missing some simpler approach. How should I restrict load balanced Web traffic to my Elastic Beanstalk environments?

Recommended answer

What you'd need to do is go to the EC2 Security Groups and create your security groups and access permissions.

Once you have set up those security groups, head on over to your Elastic Beanstalk Environment and select Configuration and then Instances. You will see a field called EC2 Security Groups under the Server section; and the names of the security groups (comma separated) that you created previously.

Note: Leave the security group that has already been defined.
Note: The default security group allows all traffic from the ELB
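
One way to check what a given combination of groups actually permits, added here as an example that is not part of the original question or answer: it evaluates rules in the `IpPermissions` shape returned by EC2 DescribeSecurityGroups, treating the groups attached to a resource as the union of their allow rules. The group IDs, CIDRs and the `rule`/`audit` helpers are constructed for illustration.

```python
import ipaddress


def rule(cidrs=(), sgs=()):
    """Build one TCP/80 ingress rule in the IpPermissions shape (sample-data helper)."""
    return {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
            "IpRanges": [{"CidrIp": c} for c in cidrs],
            "UserIdGroupPairs": [{"GroupId": g} for g in sgs]}


# Constructed sample data; group IDs and CIDRs are placeholders, not from the page.
GROUPS = {
    "sg-admin": [rule(cidrs=["203.0.113.10/32"])],
    "sg-dev": [rule(cidrs=["198.51.100.0/24"])],
    "sg-elb-default": [rule(cidrs=["0.0.0.0/0"])],
    "sg-instances": [rule(sgs=["sg-elb-default"])],  # only the ELB's group as source
}


def _covers(perm, port):
    """True if the rule applies to TCP traffic on `port`."""
    if perm["IpProtocol"] == "-1":  # "-1" means all protocols and ports
        return True
    return perm["IpProtocol"] == "tcp" and perm["FromPort"] <= port <= perm["ToPort"]


def allowed_sources(attached, port=80, groups=GROUPS):
    """Union of the allow rules of every attached group (rules are allow-only)."""
    cidrs, sgs = set(), set()
    for gid in attached:
        for perm in groups[gid]:
            if _covers(perm, port):
                cidrs |= {r["CidrIp"] for r in perm["IpRanges"]}
                sgs |= {p["GroupId"] for p in perm["UserIdGroupPairs"]}
    return cidrs, sgs


def audit(elb_sgs, instance_sgs, client_ip, port=80, groups=GROUPS):
    """Report whether client_ip reaches the ELB and whether instances are exposed directly."""
    elb_cidrs, _ = allowed_sources(elb_sgs, port, groups)
    inst_cidrs, inst_src_sgs = allowed_sources(instance_sgs, port, groups)
    ip = ipaddress.ip_address(client_ip)
    return {
        "client_reaches_elb": any(ip in ipaddress.ip_network(c) for c in elb_cidrs),
        "elb_reaches_instances": bool(inst_src_sgs & set(elb_sgs)),
        # Non-empty: these CIDRs can reach the instances without passing the ELB's rules.
        "instances_open_to_cidrs": sorted(inst_cidrs),
    }
```

Because attached groups combine as a union, keeping an open `0.0.0.0/0` group on the ELB alongside a restricted one leaves `client_reaches_elb` true for every address.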
