SSH'ing into AWS EC2 Instance located in Private Subnet in a VPC


Question

I've been going at this problem for a couple of hours and maybe it's not possible, maybe it is.

I have a VPC in AWS, with a couple of EC2 instances and Lambda instances.

As of right now, the Lambda can invoke, SSH and so on to the EC2 server without a problem.

My Lambdas are using a security group with only HTTP, HTTPS and SSH in "Outbound".

My EC2 default security group only accepts 22 inbound (from my Lambda security group, and my office IP).

If I create an EC2 instance on my public subnet, both me and my Lambda functions can access it through SSH.

If I create it on my PRIVATE subnet, my Lambdas can SSH but I CAN'T...

Do I really have to have a NAT SERVER in order to achieve this?

TL;DR: Only my office and my Lambdas should have access to my EC2 instances.

Recommended answer

The first option to consider for SSH access to EC2 instances should be AWS Systems Manager Session Manager for Shell Access to EC2 Instances. It's potentially a big deal. No more bastions, no more firewall rules allowing inbound port 22. You basically run an SSH session in your browser and it can target all EC2 instances, regardless of public/private IP or subnet. EC2 instances have to be running an up-to-date version of the SSM Agent and must have been launched with an appropriate IAM role (including the key policies from AmazonEC2RoleForSSM).

The second option to consider is AWS Systems Manager Run Command, which allows you to run commands remotely on your EC2 instances. It's not interactive like SSH, but if you simply want to run a sequence of scripts then it's very good. Again, the instance has to be running the SSM Agent and have an appropriate IAM policy, and this option avoids the need to tunnel through bastion hosts.

Finally, if you really must SSH from your office laptop to an EC2 instance in a private subnet, you need a few things:

  1. IGW and NAT in the VPC
  2. bastion host with public IP in the VPC's public subnet
  3. security group on the bastion allowing inbound SSH from your laptop
  4. a default route from the private subnet to the NAT
  5. security group on the private EC2 instance that allows inbound SSH from the bastion

Then you have to tunnel through the bastion host. See Securely Connect to Linux Instances Running in a Private Amazon VPC for more.
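Added example, not part of the question or the answer above: a shell script that produces the client-side pieces for the two terminal routes the answer describes, the ProxyJump hop through a bastion (the third option) and SSH carried over a Session Manager channel (the first option, done from a terminal rather than the browser), plus a small audit of the private instance's port-22 ingress against the TL;DR requirement. Every IP, instance ID, key path, host alias (`bastion`, `private-ec2`) and security-group ID is a placeholder, and the rule list is constructed in a simple `group-id from-port to-port source` shape that you would produce yourself from `aws ec2 describe-security-groups`; running the script never contacts AWS.

```shell
#!/usr/bin/env bash
# Added example, not code from the original answer. Every hostname, IP,
# instance ID, key path and security-group ID below is a placeholder.
set -eu

# Third option of the answer: hop through a bastion in the public subnet.
# Emits an ssh_config stanza so that `ssh private-ec2` goes via the bastion;
# the private instance needs no public IP and no inbound rule from the laptop,
# only an inbound port-22 rule from the bastion's security group.
bastion_ssh_config() {
  local bastion_ip="$1" private_ip="$2" key="$3" user="${4:-ec2-user}"
  cat <<EOF
Host bastion
    HostName ${bastion_ip}
    User ${user}
    IdentityFile ${key}
    # The key stays on the laptop: ProxyJump does not need agent forwarding.
    ForwardAgent no

Host private-ec2
    HostName ${private_ip}
    User ${user}
    IdentityFile ${key}
    ProxyJump bastion
EOF
}

# First option of the answer from a terminal: SSH carried over a Session Manager
# channel. The SSM Agent on the instance dials out to the service, so no inbound
# port-22 rule exists anywhere; IAM authorizes opening the channel and the SSH
# key still authenticates you to sshd on the instance.
ssm_ssh_config() {
  local instance_id="$1" key="$2" user="${3:-ec2-user}"
  cat <<EOF
Host ${instance_id}
    User ${user}
    IdentityFile ${key}
    ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"
EOF
}

# TL;DR check: read ingress rules, one per line as "group-id from-port to-port source"
# (source is a CIDR or an sg- id), and print every rule that reaches port 22 from
# a source outside the space-separated allow list in $1. "All traffic" rules,
# which carry -1 or None as ports, are treated as covering port 22.
audit_ssh_ingress() {
  local allowed=" $1 "
  local group from to src
  while read -r group from to src; do
    [ -z "$group" ] && continue
    case "$from" in -1|None) from=0; to=65535 ;; esac
    if [ "$from" -le 22 ] && [ "$to" -ge 22 ]; then
      case "$allowed" in
        *" ${src} "*) ;;                        # expected source, fine
        *) printf '%s\t%s\n' "$group" "$src" ;; # anything else is a finding
      esac
    fi
  done
}

# Constructed sample: the private instance's group as the question describes it
# (Lambda group plus office CIDR), with one world-open rule added so the audit
# has something to catch.
SAMPLE_RULES='sg-0private 22 22 sg-0lambda
sg-0private 22 22 198.51.100.0/24
sg-0private 22 22 0.0.0.0/0
sg-0private 443 443 0.0.0.0/0'

# Demo run with placeholder values; nothing here contacts AWS.
bastion_ssh_config 203.0.113.10 10.0.2.15 ~/.ssh/ec2-key.pem
ssm_ssh_config i-0123456789abcdef0 ~/.ssh/ec2-key.pem
printf '%s\n' "$SAMPLE_RULES" | audit_ssh_ingress "sg-0lambda sg-0bastion 198.51.100.0/24"
```

The SSM route needs the Session Manager plugin installed next to the AWS CLI, and the instance role needs AmazonSSMManagedInstanceCore, the managed policy that replaced the AmazonEC2RoleForSSM policy the answer names. The bastion stanza works without the NAT from the answer's list; the NAT serves the private instance's own outbound traffic, not your inbound hop. When you run the audit against the real group of a private instance, expect only the Lambda and bastion security groups to pass: once the instance has only a private IP, the office-IP rule from the question can no longer be reached and the bastion's group should take its place.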

