Static IP for Auto Scale in AWS


Problem description


I need all of my instances in an AWS auto scaling group to be configured with (known) static IPs. I will be whitelisting all of these IPs in a mail server later (that's why I need all of them to be static). Is it possible using the regular CloudFormation approach? Maybe assigning a second NIC and assigning it an IP from a static IP range? Any ideas?

Solution

Unfortunately, you can't gain access to any custom IP range for your autoscaling group.

You could get the IP range for the region you are working in, and whitelist all IPs from that region, but this wouldn't blacklist an instance from another AWS account. You can get these ranges here.

You can configure static IPs in AWS - they're called Elastic IPs. An Elastic IP address will persist with an instance between a stop/start. Elastic IPs are also "elastic" in that they can be detached from one network interface or instance and attached to another.

Unfortunately, there is no way to make autoscaling automatically assign an Elastic IP address to newly launched instances. You'd need to write a script that runs when a new instance is launched. You could run this script using EC2 user data.

You could then use the CLI or an SDK. The script would need to allocate a new Elastic IP address to your account, and then associate that Elastic IP with the instance.

Alternatively, you could use Lambda to run a script to do the same thing, but in response to an autoscaling event.

Other problems you might have:

  1. By default, you can only have 5 Elastic IPs in your account per region. You'll need to submit a limit increase to get more - and this could end up being an ongoing problem.
  2. What happens when an instance is terminated in the ASG? That Elastic IP will become disassociated - you get charged for disassociated Elastic IPs. You could always write a Lambda function that runs in response to an autoscaling event that releases any disassociated Elastic IPs - but that's even more overhead.

Unfortunately, there is no nice solution to this problem. The easiest method would be to whitelist all Amazon IPs for that region, but you will still have potential security issues.

EDIT: You could also just create a proxy instance. You could configure all the instances in your ASG to direct traffic through the proxy instance. Then you could give the proxy instance an Elastic IP and allow it in your firewalls.

The only potential problem is your proxy server getting overloaded. You'd need to make sure the instance type you used for it could handle the max number of instances allowed in your ASG at full capacity.
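As an added example (not part of the answer above), here is the user-data script the answer describes, written against the boto3 EC2 client: it associates an Elastic IP with the instance that runs it. It departs from the answer in one respect: rather than allocating a brand-new EIP on every launch, it draws from a pool of pre-allocated EIPs tagged `Pool=asg-mail` (a constructed tag), because only addresses allocated in advance can be whitelisted on the mail server in advance; allocating a new one is an explicit opt-in. The client is passed in as a parameter so the selection logic can be exercised with a fake client, and the instance profile and tag name are assumptions.

```python
"""User-data script: attach a pooled Elastic IP to the instance running it.
Added example, not from the original answer. Assumes boto3 on the instance, an
instance profile allowing ec2:DescribeAddresses/AssociateAddress (and AllocateAddress
if allow_new), and pre-allocated EIPs tagged Pool=asg-mail (a constructed tag)."""
import urllib.request

POOL_TAG = ("Pool", "asg-mail")  # constructed tag marking EIPs this ASG may use
IMDS = "http://169.254.169.254/latest"


def choose_free_eip(addresses):
    """Return the AllocationId of an unassociated pooled EIP, or None. Only tagged
    EIPs qualify, so the script never grabs an address reserved for something else."""
    for addr in addresses:
        tags = {t["Key"]: t["Value"] for t in addr.get("Tags", [])}
        # No AssociationId means the EIP is not attached to anything right now.
        if tags.get(POOL_TAG[0]) == POOL_TAG[1] and "AssociationId" not in addr:
            return addr["AllocationId"]
    return None


def instance_id_from_metadata():
    """Read this instance's id via IMDSv2 (session token, then the metadata path)."""
    req = urllib.request.Request(f"{IMDS}/api/token", method="PUT",
                                 headers={"X-aws-ec2-metadata-token-ttl-seconds": "60"})
    token = urllib.request.urlopen(req, timeout=2).read().decode()
    req = urllib.request.Request(f"{IMDS}/meta-data/instance-id",
                                 headers={"X-aws-ec2-metadata-token": token})
    return urllib.request.urlopen(req, timeout=2).read().decode()


def attach_eip(ec2, instance_id, allow_new=False):
    """Associate a free pooled EIP with `instance_id` via the boto3 client `ec2`.
    allow_new=True falls back to allocating a fresh EIP (the answer's approach), but that
    address is not in the mail whitelist and counts against the 5-per-region limit."""
    resp = ec2.describe_addresses(Filters=[{"Name": "domain", "Values": ["vpc"]}])
    alloc_id = choose_free_eip(resp["Addresses"])
    if alloc_id is None:
        if not allow_new:
            raise RuntimeError("EIP pool exhausted; refusing to allocate a new address")
        alloc_id = ec2.allocate_address(Domain="vpc")["AllocationId"]
    # AllowReassociation=False: never steal an EIP another instance already holds.
    ec2.associate_address(AllocationId=alloc_id, InstanceId=instance_id,
                          AllowReassociation=False)
    return alloc_id


if __name__ == "__main__":
    import boto3  # imported here so the helpers above work without the SDK installed
    print(attach_eip(boto3.client("ec2"), instance_id_from_metadata()))
```

Size the pool to the ASG's maximum capacity (which is where the 5-per-region limit from point 1 bites), otherwise launches beyond the pool fail on the RuntimeError rather than silently coming up with an unlisted address.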
