Any way to configure AWS security group to allow private instances to access a public-facing Load Balancer?


Question


I have a web application with two different sites. Each can be accessed via HTTP. When you access Site #1, it will serve that site directly. When you access site #2, it will actually connect to site #1 behind the scenes via REST API calls. This architecture is shown in the diagram below.


All instances shown (in blue) have ONLY private IP addresses. Both Load Balancers are internet-facing because people from outside the VPC need to access the application. Each autoscale group has an associated security group which is applied to each of its instances.


How can I configure LoadBalancer #1 to accept HTTP calls from Auto-Scale Group #2 given that those instances don't have public IP addresses? Do I need to have one private-facing Load Balancer and one internet-facing load balancer?


I want all this configuration to be done automatically in my Cloudformation file.

Answer


The AWS Elastic Load Balancing service provides a DNS Name for the load balancer. This name should be used when accessing the load balancer.


The DNS name resolves to one of several public IP addresses. Therefore, instances in Auto Scaling Group #2 require access to the Internet.


If all instances are in a Public subnet, then they should be able to access the Internet and, therefore, Load Balancer #1.


If the instances are in a Private subnet, they will require some means of accessing the Internet. This is typically done by launching a NAT instance in a Public subnet and configuring Route Tables on the Private subnet to route Internet traffic to the NAT server.


The traffic won't actually traverse the Internet. Rather, it will traverse AWS's edge of the Internet by popping out of the VPC and then back in again.


There is no configuration required on Load Balancer #1, since it is already accepting incoming traffic.
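The answer above describes the pieces in words: a NAT in a public subnet, a default route on the private subnet pointing at it, and no change on Load Balancer #1. The following CloudFormation template is an added example (not code from the original question or answer) that wires those pieces together, using a managed NAT Gateway in place of the NAT instance the answer mentions. The VPC and subnet IDs are passed in as parameters; every resource name and the choice of ports 80/443 are assumptions.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >
  Added example, not from the original answer: give a private subnet a route to
  the Internet through a NAT Gateway so that instances in Auto Scaling Group 2
  can resolve and reach the DNS name of internet-facing Load Balancer 1.
  Resource names, ports and parameter choices are assumptions.

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  PublicSubnetId:
    Type: AWS::EC2::Subnet::Id   # a subnet whose route table reaches an Internet Gateway
  PrivateSubnetId:
    Type: AWS::EC2::Subnet::Id   # the subnet where Auto Scaling Group 2 instances run

Resources:
  # Elastic IP used by the NAT Gateway. Load Balancer 1 sees this address as the
  # source of every call made by the private instances.
  NatEip:
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc

  NatGateway:
    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId: !GetAtt NatEip.AllocationId
      SubnetId: !Ref PublicSubnetId

  PrivateRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VpcId

  # Default route for the private subnet: Internet-bound traffic goes to the NAT.
  PrivateDefaultRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: !Ref NatGateway

  PrivateSubnetRouteAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnetId
      RouteTableId: !Ref PrivateRouteTable

  # Security group for the Auto Scaling Group 2 instances. Only outbound HTTP and
  # HTTPS are needed to call Load Balancer 1; declaring SecurityGroupEgress
  # replaces the default allow-all outbound rule, so nothing else can leave.
  Asg2InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Auto Scaling Group 2 instances: outbound web only"
      VpcId: !Ref VpcId
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0

  # Security group for Load Balancer 1. It is internet-facing, so it already
  # accepts HTTP from anywhere; calls arriving from NatEip match this same rule,
  # which is why no extra rule is needed for the private instances.
  LoadBalancer1SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Load Balancer 1: inbound HTTP from the Internet"
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0

Outputs:
  NatPublicIp:
    Description: "Source address Load Balancer 1 will see for calls from the private instances"
    Value: !Ref NatEip
```

Attach `Asg2InstanceSecurityGroup` to the launch configuration or launch template of Auto Scaling Group 2 and `LoadBalancer1SecurityGroup` to Load Balancer 1. The `NatPublicIp` output is worth keeping in the stack: when you later look at Load Balancer 1's access logs, the requests from site #2 all carry that single address, which is the practical consequence of the "out of the VPC and back in again" path the answer describes.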

