AWS Fargate connection to RDS in a different VPC


Question

I have the following setup:

  • ECS (Fargate) cluster in VPC-1
  • RDS in VPC-2

My application running in ECS uses a DNS name to connect to RDS; however, instead of the private IP, DNS resolves to the public IP address.

In RDS I want to configure strict security rules to prevent connections from the outside world - I would like to limit it to only accept connections from VPC-1.

I tried the following:

  • Peering VPC-1 and VPC-2 - did not help, the app running in ECS still resolves the public IP
  • Routing all outbound traffic (0.0.0.0/0) from the ECS cluster to a NAT gateway (instead of the Internet gateway) and configuring the RDS security group to accept connections from the Elastic IP configured for the NAT gateway - in this case my application does not even want to start; I suspect the provisioning process fails because outbound traffic is routed via NAT
  • "DNS resolution" and "DNS hostnames" set to "Yes" for all VPCs

I'm running out of ideas on how to configure it correctly. As soon as I allow all inbound traffic (0.0.0.0/0) for my RDS everything starts to work fine, but I don't want that.

What am I missing here? Maybe I should use an entirely different approach to secure access to my RDS?

Accepted answer

I managed to solve the problem by using the approach with a NAT gateway - I'm not sure why it did not work earlier. I changed the approach to first create the VPC and then create the ECS cluster and associate it with the previously created VPC.

  1. Created Elastic IP, NAT gateway, and VPC with private and public subnets as described in this article. The NAT gateway is associated with the private subnet.
  2. Created ECS cluster in the private subnet.
  3. Created load balancer and associated it with the public network.
  4. Modified the security group for RDS to allow traffic from the Elastic IP configured on the previously created NAT gateway.

With this setup any traffic from the application to RDS goes via NAT, so I can set up security group rules to allow for this traffic. On the other hand, the load balancer in the public subnet is able to communicate with the cluster that sits in the private network.
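An added example, not from the original question or answer, that audits the two settings the accepted answer relies on: the RDS security group must allow the database port only from the NAT gateway's Elastic IP (/32) rather than 0.0.0.0/0, and the private subnet's default route must point at a NAT gateway rather than the Internet gateway. It assumes PostgreSQL on port 5432, inputs shaped like the output of `aws ec2 describe-security-groups` and `describe-route-tables`, and constructed sample data (the EIP is from the documentation range, not a real address).

```python
"""Audit an RDS security group and a private-subnet route table against the
NAT-gateway design from the answer. Input dicts mirror the shape of
`aws ec2 describe-security-groups` / `describe-route-tables` JSON output."""
from ipaddress import ip_network

DB_PORT = 5432  # assumed PostgreSQL; use 3306 for MySQL/MariaDB


def audit_rds_sg(sg: dict, nat_eip: str, db_port: int = DB_PORT) -> list[str]:
    """Return findings for rules covering db_port; empty list == matches design."""
    findings = []
    wanted = ip_network(f"{nat_eip}/32")
    allows_nat = False
    for perm in sg.get("IpPermissions", []):
        proto, lo, hi = perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort")
        covers_db = proto == "-1" or (proto == "tcp" and lo is not None and lo <= db_port <= hi)
        if not covers_db:
            continue
        for rng in perm.get("IpRanges", []):
            cidr = ip_network(rng["CidrIp"])
            if cidr == wanted:
                allows_nat = True
            elif cidr.prefixlen == 0:  # 0.0.0.0/0: the rule the question wants to avoid
                findings.append(f"ingress {cidr} on port {db_port}: open to the whole Internet")
            else:
                findings.append(f"ingress {cidr} on port {db_port}: wider than the NAT gateway EIP /32")
    if not allows_nat:
        findings.append(f"no ingress rule for NAT EIP {nat_eip}/32 on port {db_port}")
    return findings


def audit_private_route_table(rt: dict) -> list[str]:
    """The private subnet's 0.0.0.0/0 route must target a nat-* gateway, not igw-*."""
    for route in rt.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            if route.get("NatGatewayId"):
                return []
            if route.get("GatewayId", "").startswith("igw-"):
                return ["default route via Internet gateway: tasks egress with their own public IPs"]
            return ["default route present but not via a NAT gateway"]
    return ["no default route: tasks cannot reach RDS in the other VPC"]


# Constructed sample data (not from the original post).
NAT_EIP = "203.0.113.10"  # documentation range, stands in for the real Elastic IP
OPEN_SG = {"GroupId": "sg-open", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432,
           "ToPort": 5432, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
LOCKED_SG = {"GroupId": "sg-locked", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432,
             "ToPort": 5432, "IpRanges": [{"CidrIp": f"{NAT_EIP}/32"}]}]}
PRIVATE_RT = {"Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
              {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123"}]}

if __name__ == "__main__":
    for sg in (OPEN_SG, LOCKED_SG):
        print(sg["GroupId"], audit_rds_sg(sg, NAT_EIP) or "OK")
    print("private route table", audit_private_route_table(PRIVATE_RT) or "OK")
```

Because the RDS instance is reached through its public endpoint, the /32 rule still relies on RDS being exposed publicly; the audit flags any rule wider than that single address.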

