AWS - Configuring access to EC2 instance from Beanstalk App

Question

So for reasons I'd rather not go into, my DB is on an EC2 instance in eu-west-1 and I have created a beanstalk app on us-east-1. I'd like my app to talk to that EC2 instance on a MySQL port (3306).

Can anyone assist with how I'd set this up, what ingress rules I need to set up on the EC2 security group? Given that I will have multiple versions of the app in beanstalk, the IP address may change regularly (after environment rebuilds etc).

Any help greatly appreciated.

Recommended answer

The important concept regarding Security Group Rules (http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/using-network-security.html#concepts-security) you might be missing is that you do not necessarily specify IP addresses as traffic sources alone, rather regularly will refer to other security groups as well:

The source can be an individual IP address (203.0.113.1), a range of addresses (e.g., 203.0.113.0/24), or an EC2 security group. The security group can be another group in your AWS account, a group in another AWS account, or the security group itself.

By specifying a security group as the source, you allow incoming traffic from all instances that belong to the source security group. [...] You might specify another security group in your account if you're creating a three-tier web service (see Creating a Three-Tier Web Service).

[emphasis mine]

Consequently, you'll simply need to add the Beanstalk app instances' security group as a traffic source for TCP port 3306 within the MySQL instance security group.

An additional concept to make oneself familiar with is that you can have multiple security groups assigned to an instance, thus enabling (possibly dynamic) composition of the resulting firewall.

For example, a recommended practice for larger architectures suggests specifying a dedicated security group per 'role' your instances have (rather than accumulating several rules within one security group as usual), e.g. we have security groups like 'role-ssh' (TCP port 22) and 'role-mysql' (TCP port 3306), which are assigned to EC2 instances as needed in turn. You can read more about this concept in e.g. Security Groups - Most Underappreciated Feature of Amazon EC2 (http://www.somic.org/2009/09/21/security-groups-most-underappreciated-feature-of-amazon-ec2/).
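
The rule described in the answer, together with an audit of what can actually reach TCP 3306 on the database group, as an added example that is not part of the original answer. The group IDs and the sample rule set are constructed, and the example assumes both security groups are in the same region and VPC, which is where one group can be named as the source in another group's rule.

```python
import ipaddress

MYSQL_PORT = 3306
# Constructed IDs for illustration only.
APP_GROUP_ID = "sg-0aaa1111bbbb2222c"   # Beanstalk app instances' group
DB_GROUP_ID = "sg-0ddd3333eeee4444f"    # MySQL instance's group

def mysql_ingress_from_group(db_group_id, app_group_id):
    """kwargs for boto3 ec2.authorize_security_group_ingress(): allow TCP 3306
    into db_group_id from members of app_group_id, with no IP addresses."""
    return {"GroupId": db_group_id,
            "IpPermissions": [{"IpProtocol": "tcp",
                               "FromPort": MYSQL_PORT, "ToPort": MYSQL_PORT,
                               "UserIdGroupPairs": [{"GroupId": app_group_id}]}]}

def covers_port(perm, port):
    """True if one IpPermissions entry applies to the given TCP port."""
    if perm["IpProtocol"] == "-1":   # all protocols and ports; no port keys present
        return True
    return perm["IpProtocol"] == "tcp" and perm["FromPort"] <= port <= perm["ToPort"]

def audit_mysql_ingress(group, app_group_id):
    """List (level, source) for every source that can reach TCP 3306 on `group`,
    one element of the SecurityGroups list from describe-security-groups."""
    findings = []
    for perm in group["IpPermissions"]:
        if not covers_port(perm, MYSQL_PORT):
            continue
        for pair in perm.get("UserIdGroupPairs", []):
            level = "ok" if pair["GroupId"] == app_group_id else "review"
            findings.append((level, "group " + pair["GroupId"]))
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            # A /0 prefix exposes MySQL to every address: always a failure.
            open_to_all = ipaddress.ip_network(cidr, strict=False).prefixlen == 0
            findings.append(("fail" if open_to_all else "review", "cidr " + cidr))
    return findings

# Constructed sample in the shape of describe-security-groups output.
SAMPLE_DB_GROUP = {"GroupId": DB_GROUP_ID, "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "UserIdGroupPairs": [{"GroupId": APP_GROUP_ID}],
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
     "IpRanges": [{"CidrIp": "203.0.113.1/32"}]},
]}

if __name__ == "__main__":
    for level, source in audit_mysql_ingress(SAMPLE_DB_GROUP, APP_GROUP_ID):
        print(level, source)
```

Because the rule names the app group rather than an address, instances launched by an environment rebuild are covered as soon as they join that group; the audit flags any CIDR source that was left open to port 3306 alongside it, including port ranges that merely contain 3306.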
