How should I restrict load balanced Web traffic to my Elastic Beanstalk environments?

Problem description

I'm trying to configure access to my EB environments, and would like to restrict HTTP access (through the ELB) to certain IP addresses.

I have an out of the box EB app (a bunch, actually, with a few environments each) and would like to be able to (a) restrict access to specific sets of IPs while (b) having all traffic come through the ELBs. Critically, I'd like to do this by (c) creating a few groups (e.g. an admin SG that allows my IP, and a dev SG that allows a team's IPs, and a public SG that allows all IPs) and applying the groups as needed to each EB environment (often in different combinations to different environments) rather than having to update sources in every environment whenever a team member's IP changes or team membership changes. I'd like to do this without digging around in the network structure and just use the default EB structure.

The default ELB security group allows access from all IPs and is not meant to be edited ("Modifications could impact traffic to future ELBs"), so it seems (naively) there are three approaches I could take:

  1. Create a new security group with restricted IP sources for HTTP, and assign it to the ELB instead of the default ELB SG.

  2. Create a new security group with restricted IP sources for HTTP, and set it as the source for HTTP in my environment's security group.

  3. Leave the default ELB in as is, but restrict the range of allowed source IPs in my EB environment's security group (instead of specifying the ELB's SG as a source).

But (1) seems to require that I also specify the new SG, instead of the default ELB SG, as a source in each of my environments, and (2) seems to require that I assign the new SG to the environment's ELB; while it's not clear in (3) whether traffic goes through or is filtered by the ELB at all.

The ideal solution for my purposes (at least in theory) would be to have a small number of security groups for controlling Web access (e.g. one for admin users that lists specific IPs as sources, another for testers that lists a broader range of IPs, and another for public access), and to assign these to environments (as sources for their SG's rules) as appropriate. But this approach (basically 2, above) seems to require that I also assign the groups to each environment's ELB (i.e. I need to combine 1 and 2). (This wouldn't be quite so awkward except that cloned environments seem to always have default rules for their SGs and default the default SG for their ELBs.)

All this seems too cumbersome and suggests that I'm missing some simpler approach. How should I restrict load balanced Web traffic to my Elastic Beanstalk environments?

Recommended answer

What you'd need to do is go to the EC2 Security Groups and create your security groups and access permissions.

Once you have set up those security groups, head on over to your Elastic Beanstalk Environment and select Configuration and then Instances. You will see a field called EC2 Security Groups under the Server section; and the names of the security groups (comma separated) that you created previously.

Note: Leave the security group that has already been defined.
Note: The default security group allows all traffic from the ELB
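
An added example, not part of the original question or answer: a Python check over security-group rules for the layout the question describes (reusable admin/dev/public groups attached to the ELB, with the instance group trusting an ELB group as its HTTP source). The group IDs, CIDRs and finding names are constructed placeholders; the rule fields follow the `IpPermissions` shape of `aws ec2 describe-security-groups` output, IPv4 only.

```python
import ipaddress

# Constructed sample rules; IDs and CIDRs are placeholders, not from the page.
def _rule(cidrs=(), groups=(), proto="tcp", lo=80, hi=80):
    return {"IpProtocol": proto, "FromPort": lo, "ToPort": hi,
            "IpRanges": [{"CidrIp": c} for c in cidrs],
            "UserIdGroupPairs": [{"GroupId": g} for g in groups]}

GROUPS = {  # group ID -> its IpPermissions list
    "sg-admin": [_rule(cidrs=["203.0.113.10/32"])],
    "sg-dev": [_rule(cidrs=["198.51.100.0/24"])],
    "sg-public": [_rule(cidrs=["0.0.0.0/0"])],
    "sg-elb-default": [_rule(cidrs=["0.0.0.0/0"])],
    "sg-env-ok": [_rule(groups=["sg-admin"])],            # trusts an ELB group
    "sg-env-cidr": [_rule(cidrs=["203.0.113.10/32"])],    # approach 3 in the question
}

def http_sources(group_ids, groups, port=80):
    """Union of CIDRs and source-SG IDs allowed to reach `port`.

    Security group rules are additive, so attaching several groups
    grants the union of everything each one allows.
    """
    cidrs, sgs = set(), set()
    for gid in group_ids:
        for perm in groups[gid]:
            all_proto = perm["IpProtocol"] == "-1"  # such rules carry no port range
            if all_proto or (perm["IpProtocol"] == "tcp"
                             and perm["FromPort"] <= port <= perm["ToPort"]):
                cidrs |= {ipaddress.ip_network(r["CidrIp"]) for r in perm["IpRanges"]}
                sgs |= {p["GroupId"] for p in perm["UserIdGroupPairs"]}
    return cidrs, sgs

def audit_environment(elb_sgs, instance_sgs, groups):
    """Return findings for one environment's ELB and instance security groups."""
    findings = []
    elb_cidrs, _ = http_sources(elb_sgs, groups)
    if any(n.prefixlen == 0 for n in elb_cidrs):
        findings.append("elb-open-to-world")
    inst_cidrs, inst_sgs = http_sources(instance_sgs, groups)
    if inst_cidrs:  # HTTP admitted by address rather than via an ELB group
        findings.append("instance-allows-cidr-directly")
    if not inst_sgs & set(elb_sgs):  # no group attached to the ELB is trusted
        findings.append("instance-does-not-trust-elb-sg")
    return findings
```

Feeding it each environment's real group lists shows at a glance where a public group has been combined with a restricted one, since the union then admits every address.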
