AWS: Security Group to allow an internet-facing Load Balancer to be accessed from private instances


Question

My question is:

In my case the security group has to restrict the access to Load Balancer 1. It has to have some whitelisted IPs. So, which IPs can I put here that can allow access to Load Balancer 1 from the Auto Scaling Group 2 private instances?

I have tried putting the Elastic IP of the NAT Gateway as a whitelisted IP and it works. I want to understand why it is absolutely necessary to put this IP in the Security Group to access the internet-facing ALB from the private subnet instance of the same VPC.

Recommended answer

"I have tried putting the Elastic IP of the NAT Gateway as a whitelisted IP and it works. I want to understand why it is absolutely necessary to put this IP in the Security Group to access the internet-facing ALB from the private subnet instance of the same VPC."


Because the instances in the private subnet look up the DNS of the public load balancer, resolve it to its public internet IP, and then attempt to connect to that IP, which gets routed through the NAT gateway.


As far as I know there is no way to have a public Elastic Load Balancer that can also be resolved to a private IP inside your VPC. So you will have to go through the NAT gateway to access the public load balancer from inside your private IP.


An alternative setup would be to create a third load balancer, that is private, that also points to the instances in Auto-Scale Group #1, and have your private subnet instances communicate with that load balancer.


If you go with the third load balancer approach, you would create a new target group, assign that group to your existing auto-scaling group, and point the new load balancer to the new target group. The key point is that a target group can only be used by one Application Load Balancer, but instances can belong to multiple target groups and auto-scaling groups can have multiple target groups.
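The third-load-balancer setup described in the answer, written out as a Terraform configuration (an added example, not the answerer's code). The variable names, the AWS provider v5 argument names and port 80 are assumptions; the point it shows is that the internal ALB's security group can admit the ASG #2 instances by security-group reference, so no NAT gateway Elastic IP needs to be whitelisted and the traffic never leaves the VPC.

```hcl
# Added example, not from the original answer. Assumed inputs: var.vpc_id,
# var.private_subnet_ids, var.asg1_name (existing ASG #1) and
# var.asg2_instance_sg_id (security group on the ASG #2 instances).
# Internal ALB security group: admit only ASG #2 instances, by SG reference
# rather than by IP, so no NAT gateway Elastic IP has to be whitelisted.
resource "aws_security_group" "internal_alb" {
  name   = "internal-alb-sg"
  vpc_id = var.vpc_id
  ingress {
    from_port       = 80
    to_port         = 80
    protocol        = "tcp"
    security_groups = [var.asg2_instance_sg_id]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
resource "aws_lb_target_group" "internal" {
  name     = "asg1-internal-tg"
  port     = 80
  protocol = "HTTP"
  vpc_id   = var.vpc_id
  health_check { path = "/" }
}
# Register ASG #1 instances in the new group as they scale in and out;
# the existing public ALB keeps its own target group.
resource "aws_autoscaling_attachment" "internal" {
  autoscaling_group_name = var.asg1_name
  lb_target_group_arn    = aws_lb_target_group.internal.arn
}
# Internal ALB: its DNS name resolves to private IPs inside the VPC.
resource "aws_lb" "internal" {
  name               = "asg1-internal-alb"
  internal           = true
  load_balancer_type = "application"
  security_groups    = [aws_security_group.internal_alb.id]
  subnets            = var.private_subnet_ids
}
resource "aws_lb_listener" "internal_http" {
  load_balancer_arn = aws_lb.internal.arn
  port              = 80
  protocol          = "HTTP"
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.internal.arn
  }
}
```

Point the ASG #2 instances at `aws_lb.internal.dns_name` instead of the public ALB's name; the public ALB's security group can then stay closed to the NAT gateway address.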
