AWS Application in Private EC2 and HTTP traffic


Question

I have an application running in an EC2 instance in a private subnet (to add extra security), receiving traffic directly from an internet-facing NLB that is associated with the public subnet.

I have also configured a NAT Gateway in the public subnet so that the private EC2 instance can download whatever needed from the Internet.

I have just come to the following conclusion:

The private EC2 Instance uses the NAT Gateway to send back the HTTP response, and therefore you are charged for that NAT processing.

https://aws.amazon.com/vpc/pricing/

"Data processing charges apply for each Gigabyte processed through the NAT gateway regardless of the traffic’s source or destination"

The route table associated with the private subnet (where the web/app server is located) has { - local ; 0.0.0.0/0 - NATGateway }. If I remove the 0.0.0.0/0 entry, then the HTTP requests to the server do not work. And if I remove the NAT Gateway I get the same issue. Additionally, when I have the NAT Gateway and the route table to use it from the private subnet, I can also see traffic in the monitoring tab of the NAT Gateway when I do a simple HTTP request from the Internet - http:///index.html

Has someone faced the same issue? Is my understanding correct?

Is there any workaround to avoid this? I can just think of the following:

  • Move the application to a Web Tier (in a public subnet) so that the EC2 Instance has a public IP and therefore it does not need the NAT Gateway to respond to every HTTP request

  • Create a Web Tier in addition to the Application Tier, so that all traffic goes NLB <-> Web Tier <-> App Tier

  • Create a NAT Instance instead of a NAT Gateway so that you are not charged for that NAT processing.

Thanks!

Recommended answer

So, it turns out there is a strange behaviour (bug?) in NLB that requires a default route to something for return traffic to work.

Scenario:

  • NLB in a public subnet
  • NLB target group pointing to an instance in the private subnet

Sending traffic to the NLB will not give a response.

Add:

  • A NAT Gateway
  • A route in the private route table pointing to the NAT Gateway

This works.

However, it doesn't actually use the NAT Gateway!

Instead of adding a NAT Gateway, you can create a default route to another instance, for example:

0.0.0.0/0 -> another instance

Then, connecting to the NLB works!

Behind the scenes, the VPC network detects that traffic coming out of the instance is in response to a request that came via the NLB, and traffic will be routed out the NLB.

HOWEVER, it only works if there is a valid default route in the route table. The route isn't used -- the network overrides it, so it doesn't matter what it points to. However, it must point to a valid resource. It doesn't work if it points to an ENI that isn't attached to anything. In my tests, it also doesn't seem to work if you point it back to the same instance. But, I pointed it to another instance and it worked just fine.

AWS Support agrees that this is not the best behaviour, but it's how things have to be configured for the moment.

Bottom line: It does not require a NAT Gateway. It just needs a valid default route that will be ignored when routing return traffic.
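An added check, written for this page rather than taken from the question or the answer above: a Python audit of the private subnet's route table against the rule the answer arrives at (a 0.0.0.0/0 route that exists, is still active, and points at a real resource other than the web instance itself), run over constructed route tables that reproduce the variants the question and the answer tried (local only, NAT gateway, NAT gateway deleted, unattached ENI, another instance, the same instance). All IDs are hypothetical and the dictionaries only mimic the shape of `aws ec2 describe-route-tables`, `describe-nat-gateways`, `describe-network-interfaces` and `describe-instances` output; a real audit would feed it the live responses instead. It goes one step beyond the page by also reporting whether the target gives the instance real egress: a placeholder instance or ENI satisfies the return-traffic rule, but leaves the web instance unable to reach the Internet for the downloads the question used the NAT gateway for. Treating an ENI that is attached to the web instance like the same-instance case is an assumption extended from the answer's result, not something the answer tested.

```python
"""Audit a private subnet's default route for the NLB return-traffic rule.

Example written for this page, not code from the question or answer author.
All data below is constructed and every ID is hypothetical; the dictionaries
mimic the shape of `aws ec2 describe-*` responses so the check can be run
against real output by swapping them in.
"""
from dataclasses import dataclass
from typing import Optional

WEB_INSTANCE_ID = "i-0aaaa000000000001"    # hypothetical: the private web/app server behind the NLB
OTHER_INSTANCE_ID = "i-0bbbb000000000002"  # hypothetical: unrelated instance used as a route target
DEFAULT = "0.0.0.0/0"

NAT_GATEWAYS = {  # constructed
    "nat-0ccc000000000001": {"State": "available"},
}
NETWORK_INTERFACES = {  # constructed
    "eni-0ddd000000000001": {"Status": "in-use", "Attachment": {"InstanceId": OTHER_INSTANCE_ID}},
    "eni-0ddd000000000002": {"Status": "available"},  # created, but attached to nothing
    "eni-0ddd000000000003": {"Status": "in-use", "Attachment": {"InstanceId": WEB_INSTANCE_ID}},
}
INSTANCES = {  # constructed
    WEB_INSTANCE_ID: {"State": {"Name": "running"}},
    OTHER_INSTANCE_ID: {"State": {"Name": "running"}},
}


def _table(*extra_routes: dict) -> dict:
    """A route table holding the implicit 'local' route plus the given routes."""
    local = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}
    return {"Routes": [local, *extra_routes]}


ROUTE_TABLES = {  # constructed: one entry per variant the question and answer tried
    "only-local": _table(),
    "nat-gateway": _table({"DestinationCidrBlock": DEFAULT, "NatGatewayId": "nat-0ccc000000000001", "State": "active"}),
    "nat-deleted": _table({"DestinationCidrBlock": DEFAULT, "NatGatewayId": "nat-0ccc000000000009", "State": "blackhole"}),
    "unattached-eni": _table({"DestinationCidrBlock": DEFAULT, "NetworkInterfaceId": "eni-0ddd000000000002", "State": "active"}),
    "other-instance": _table({"DestinationCidrBlock": DEFAULT, "InstanceId": OTHER_INSTANCE_ID,
                              "NetworkInterfaceId": "eni-0ddd000000000001", "State": "active"}),
    "same-instance": _table({"DestinationCidrBlock": DEFAULT, "InstanceId": WEB_INSTANCE_ID,
                             "NetworkInterfaceId": "eni-0ddd000000000003", "State": "active"}),
}


@dataclass
class DefaultRouteStatus:
    return_ok: bool        # responses to NLB-forwarded requests will be delivered
    egress_ok: bool        # the web instance can also initiate outbound Internet connections
    target: Optional[str]  # what the 0.0.0.0/0 route points at, if anything
    reason: str


def _target(route: dict) -> Optional[str]:
    """Pick the target ID out of a route entry, whichever key type it uses."""
    for key in ("NatGatewayId", "GatewayId", "InstanceId", "NetworkInterfaceId",
                "TransitGatewayId", "VpcPeeringConnectionId"):
        if key in route:
            return route[key]
    return None


def check_default_route(route_table: dict, web_instance_id: str) -> DefaultRouteStatus:
    defaults = [r for r in route_table["Routes"] if r.get("DestinationCidrBlock") == DEFAULT]
    if not defaults:
        return DefaultRouteStatus(False, False, None, "no 0.0.0.0/0 route; NLB responses are dropped")
    route = defaults[0]
    target = _target(route)
    if route.get("State") != "active":  # e.g. 'blackhole' after the NAT gateway was deleted
        return DefaultRouteStatus(False, False, target, f"default route is {route.get('State')}: its target is gone")
    if "NatGatewayId" in route:
        ok = NAT_GATEWAYS.get(target, {}).get("State") == "available"
        return DefaultRouteStatus(ok, ok, target, "NAT gateway available" if ok else "NAT gateway not available")
    if str(route.get("GatewayId", "")).startswith("igw-"):
        return DefaultRouteStatus(True, True, target, "internet gateway: this is a public subnet, not the private design")
    if "InstanceId" in route:
        if target == web_instance_id:
            return DefaultRouteStatus(False, False, target, "route points back at the web instance itself")
        running = INSTANCES.get(target, {}).get("State", {}).get("Name") == "running"
        return DefaultRouteStatus(running, False, target,
                                  "placeholder instance: return traffic works, but no real egress"
                                  if running else "target instance is not running")
    if "NetworkInterfaceId" in route:
        eni = NETWORK_INTERFACES.get(target, {})
        if eni.get("Status") != "in-use":
            return DefaultRouteStatus(False, False, target, "ENI is not attached to anything")
        if eni.get("Attachment", {}).get("InstanceId") == web_instance_id:  # assumption, see lead-in
            return DefaultRouteStatus(False, False, target, "ENI belongs to the web instance itself")
        return DefaultRouteStatus(True, False, target, "placeholder ENI: return traffic works, but no real egress")
    return DefaultRouteStatus(False, False, target, "target type not covered by this check")


def audit(tables: dict = ROUTE_TABLES, web_instance_id: str = WEB_INSTANCE_ID) -> dict:
    """Run the check over every route table and return name -> DefaultRouteStatus."""
    return {name: check_default_route(rt, web_instance_id) for name, rt in tables.items()}


if __name__ == "__main__":
    for name, s in audit().items():
        flag = lambda b: "ok " if b else "NO "
        print(f"{name:15} return={flag(s.return_ok)} egress={flag(s.egress_ok)} target={s.target} ({s.reason})")
```

Only the `nat-gateway` variant comes back with both return traffic and egress working; `other-instance` passes the return-traffic rule but not egress, which is the trade-off the answer's workaround implies, and the `only-local`, `nat-deleted`, `unattached-eni` and `same-instance` variants fail for the reasons the question and answer report.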

