AWS Application in Private EC2 and HTTP traffic


Question

I have an application running in an EC2 instance in a private subnet (to add extra security), receiving traffic directly from an internet-facing NLB that is associated with the public subnet.

I have also configured a NAT Gateway in the public subnet so that the private EC2 instance can download whatever is needed from the Internet.

I have just come to the following conclusion:

The private EC2 instance uses the NAT Gateway to send back the HTTP response, and therefore you are charged for that NAT processing.

https://aws.amazon.com/vpc/pricing/

"Data processing charges apply for each Gigabyte processed through the NAT gateway regardless of the traffic's source or destination"

The route table associated with the private subnet (where the web/app server is located) has { - local ; 0.0.0.0/0 - NATGateway }. If I remove the 0.0.0.0/0 entry, then the HTTP requests to the server do not work. And if I remove the NAT Gateway I get the same issue. Additionally, when I have the NAT Gateway and the route table to use it from the private subnet, I can also see traffic in the monitoring tab of the NAT Gateway when I do a simple HTTP request from the Internet - http:///index.html

Has someone faced the same issue? Is my understanding correct?

Is there any workaround to avoid this? I can only think of the following:

  • Move the application to a Web Tier (in a public subnet) so that the EC2 instance has a public IP and therefore does not need the NAT Gateway to respond to every HTTP request
  • Create a Web Tier in addition to the Application Tier, so that all traffic goes NLB <-> Web Tier <-> App Tier
  • Create a NAT Instance instead of a NAT Gateway so that you are not charged for that NAT processing

Thanks!

Answer

So, it turns out there is a strange behaviour (bug?) in NLB that requires a default route to something for return traffic to work.

Scenario:

  • NLB in a public subnet
  • NLB target group pointing to an instance in a private subnet

Sending traffic to the NLB will not give a response.

Add:

  • A NAT Gateway
  • A route in the private route table pointing to the NAT Gateway

This works.

However, it doesn't actually use the NAT Gateway!

Instead of adding a NAT Gateway, you can instead create a default route to another instance, for example:

0.0.0.0/0 -> another instance

Then, connecting to the NLB works!

Behind the scenes, the VPC network detects that traffic coming out of the instance is in response to a request that came via the NLB, and the traffic is routed back out via the NLB.

HOWEVER, it only works if there is a valid default route in the route table. The route isn't used -- the network overrides it, so it doesn't matter what it points to. However, it must point to a valid resource. It doesn't work if it points to an ENI that isn't attached to anything. In my tests, it also doesn't seem to work if you point it back to the same instance. But I pointed it to another instance and it worked just fine.

AWS Support agrees that this is not the best behaviour, but it's how things have to be configured for the moment.

Bottom line: It does not require a NAT Gateway. It just needs a valid default route, which will be ignored when routing return traffic.
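The answer's condition ("a default route exists, is active, and points at something real; not a detached ENI and not the app instance itself") is easy to get wrong silently, because nothing in the console flags a route whose target satisfies "valid" on paper but not in practice. The following is an added example, not code from the original question or answer: it encodes those observations as an offline check over the JSON that `aws ec2 describe-route-tables` and `aws ec2 describe-network-interfaces` print. The field names (`RouteTableId`, `Routes`, `DestinationCidrBlock`, `NatGatewayId`, `NetworkInterfaceId`, `GatewayId`, `State`, `NetworkInterfaces`, `Attachment`) are the EC2 API's; the resource IDs, the sample route table and the scenario list are constructed for the example, and the verdict rules reflect what the answerer reported from testing rather than documented AWS behaviour.

```python
"""Offline check of the condition described in the answer: the private subnet's
route table needs a 0.0.0.0/0 route to a valid, attached target, even though that
route is never used for NLB return traffic. Documents follow the JSON shape of
`aws ec2 describe-route-tables` / `describe-network-interfaces` (assumed field
names, constructed sample data; nothing here calls AWS). The verdict rules encode
the answer's test observations, not documented AWS behaviour.
"""
import copy

# Constructed sample: a private route table with only its local route, plus the
# ENIs in the VPC. All IDs are made up.
BASE_ROUTE_TABLES = {"RouteTables": [{"RouteTableId": "rtb-private", "Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]}]}

SAMPLE_ENIS = {"NetworkInterfaces": [
    {"NetworkInterfaceId": "eni-helper", "Attachment": {"InstanceId": "i-helper", "Status": "attached"}},
    {"NetworkInterfaceId": "eni-app", "Attachment": {"InstanceId": "i-app", "Status": "attached"}},
    {"NetworkInterfaceId": "eni-orphan"},  # created but never attached to anything
]}

# Candidate 0.0.0.0/0 routes to try in that table (constructed; None = no default route).
SCENARIO_DEFAULT_ROUTES = {
    "eni-on-helper-instance": {"InstanceId": "i-helper", "NetworkInterfaceId": "eni-helper", "State": "active"},
    "eni-never-attached": {"NetworkInterfaceId": "eni-orphan", "State": "active"},
    "eni-on-app-instance": {"InstanceId": "i-app", "NetworkInterfaceId": "eni-app", "State": "active"},
    "nat-gateway": {"NatGatewayId": "nat-example", "State": "active"},
    "blackhole": {"NatGatewayId": "nat-deleted", "State": "blackhole"},
    "no-default-route": None,
}

def find_route_table(doc, route_table_id):
    for rt in doc.get("RouteTables", []):
        if rt.get("RouteTableId") == route_table_id:
            return rt
    raise KeyError(route_table_id)

def default_route(route_table):
    """Return the 0.0.0.0/0 entry of a route table, or None if absent."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route
    return None

def route_target(route):
    """Classify a route's target as (kind, id) from the fields EC2 sets on it."""
    if "NatGatewayId" in route:
        return "nat-gateway", route["NatGatewayId"]
    if "NetworkInterfaceId" in route:  # instance targets carry the ENI id as well
        return "eni", route["NetworkInterfaceId"]
    gw = route.get("GatewayId", "")
    return ("internet-gateway" if gw.startswith("igw-") else "other"), gw

def eni_attachment(enis_doc, eni_id):
    """Return (is_attached, owning_instance_id) for an ENI id."""
    for eni in enis_doc.get("NetworkInterfaces", []):
        if eni.get("NetworkInterfaceId") == eni_id:
            att = eni.get("Attachment") or {}
            return att.get("Status") == "attached", att.get("InstanceId")
    return False, None

def check_default_route(rt_doc, enis_doc, route_table_id, app_instance_id):
    """Return (ok, reason); ok means NLB return traffic should work per the answer."""
    route = default_route(find_route_table(rt_doc, route_table_id))
    if route is None:
        return False, "no 0.0.0.0/0 route: NLB return traffic will not work"
    if route.get("State") != "active":
        return False, f"default route state is {route.get('State')!r}, not a valid target"
    kind, target = route_target(route)
    if kind == "eni":
        attached, owner = eni_attachment(enis_doc, target)
        if not attached:
            return False, f"default route -> {target}, which is not attached to anything"
        if owner == app_instance_id:
            return False, f"default route -> {target} points back at the app instance"
        return True, f"default route -> {target} on {owner}; ignored for return traffic"
    return True, f"default route -> {kind} {target}; ignored for return traffic"

def with_default_route(rt_doc, route_table_id, target_fields):
    """Deep-copy the document and install (or omit) a 0.0.0.0/0 route."""
    doc = copy.deepcopy(rt_doc)
    rt = find_route_table(doc, route_table_id)
    rt["Routes"] = [r for r in rt["Routes"] if r.get("DestinationCidrBlock") != "0.0.0.0/0"]
    if target_fields is not None:
        rt["Routes"].append({"DestinationCidrBlock": "0.0.0.0/0", **target_fields})
    return doc

def run_scenarios(app_instance_id="i-app"):
    """Evaluate every constructed scenario against the sample table: {name: (ok, reason)}."""
    return {name: check_default_route(with_default_route(BASE_ROUTE_TABLES, "rtb-private", fields),
                                      SAMPLE_ENIS, "rtb-private", app_instance_id)
            for name, fields in SCENARIO_DEFAULT_ROUTES.items()}

if __name__ == "__main__":
    for name, (ok, reason) in run_scenarios().items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}: {reason}")
```

Run as-is it walks the six constructed scenarios and prints OK for the two the answer says work (an ENI attached to a different instance, a NAT gateway) and FAIL for the rest (detached ENI, the app instance's own ENI, a blackhole route, no default route). Against a real account, `json.load` the two CLI outputs and call `check_default_route` with your private route table ID and the app instance ID; a blackhole state is what you get after deleting the NAT gateway without touching the route, which is one of the cases the question describes as breaking HTTP.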
