AWS (Study Notes, Lesson 6): AWS private subnets, public subnets and ACLs; defining a public bastion-host subnet and a varnish reverse proxy


Topics covered:

  • AWS private subnets, public subnets and ACLs
  • Defining a public bastion-host subnet, private subnets and public subnets, and a varnish reverse proxy

1. AWS private subnets, public subnets and ACLs

  1. AWS virtual private subnets, public subnets and ACLs
    • AWS virtual private subnets
      Users can define their own private subnets on AWS. Databases, application servers and Apache servers, for example, can be built in the private network and then reached through the public network, which provides the service to the outside world. This is just like private variables and methods in C++ object-oriented code, which must never be declared public and exposed to the end user. Any service that can live in the private network and does not need to be exposed should be defined in the private network.
    • AWS virtual public subnets
      The counterpart of the private subnet above is the public subnet. The public subnet is what ultimately provides the service to users: it opens network ports to end customers and sits between the two layers, serving the public while also being able to reach the application servers, database servers and other services in the private subnets.
    • Differences between an ACL (network access control list) and a Security Group
      • They apply to different objects
        An ACL is applied to a subnet and sets the network access rules for that subnet. Note that by default all networks inside the same VPC can reach each other, but once an ACL is defined, traffic is restricted according to it and anything the ACL does not allow is blocked.
        A Security Group is applied to services such as an EC2 server, not to a subnet.
      • Stateful versus stateless
        • An ACL is stateless: even if an inbound packet is allowed, its reply cannot leave unless an outbound rule also matches it.
        • A Security Group is stateful: if an inbound packet is allowed, its reply is automatically allowed out.

2. Defining the public bastion-host subnet, private subnets and public subnets

  1. Overall network topology (the public subnet on the right uses varnish as a reverse proxy to expose the Apache server in the private subnet)
    [Figure: overall network topology]

  2. Create the VPC and the other services step by step

    • Create the VPC and the IGW (Internet Gateway)

      "VPC": {
        "Type": "AWS::EC2::VPC",
        "Properties": {
          "CidrBlock": "10.0.0.0/16",
          "EnableDnsHostnames": "true"
        }
      },
      "InternetGateway": {
        "Type": "AWS::EC2::InternetGateway",
        "Properties": {}
      },
      "VPCGatewayAttachment": {
        "Type": "AWS::EC2::VPCGatewayAttachment",
        "Properties": {
          "VpcId": { "Ref": "VPC" },
          "InternetGatewayId": { "Ref": "InternetGateway" }
        }
      },
      
    • Create the bastion-host subnet (public subnet) Bastion
      CidrBlock 10.0.1.0/24
      RoutePublicSSHBastionToInternet defines that the bastion subnet can reach the internet.
      NetworkAclEntryInPublicSSHBastionSSH defines that any other host on the internet can reach the subnet on port 22 (inbound rule, Egress = false).
      NetworkAclEntryInPublicSSHBastionEphemeralPorts defines that hosts in the VPC can reach the subnet on the ephemeral ports (inbound rule, Egress = false).
      NetworkAclEntryOutPublicSSHBastionSSH defines that hosts in the bastion subnet can reach other hosts over port 22 (outbound rule, Egress = true).
      NetworkAclEntryOutPublicSSHBastionEphemeralPorts defines that hosts on the internet can be reached on the ephemeral ports (outbound rule, Egress = true).

      "SubnetPublicSSHBastion": {
        "Type": "AWS::EC2::Subnet",
        "Properties": {
          "AvailabilityZone": { "Fn::Select": ["0", { "Fn::GetAZs": "" }] },
          "CidrBlock": "10.0.1.0/24",
          "VpcId": { "Ref": "VPC" }
        }
      },
      "RouteTablePublicSSHBastion": {
        "Type": "AWS::EC2::RouteTable",
        "Properties": {
          "VpcId": { "Ref": "VPC" }
        }
      },
      "RouteTableAssociationPublicSSHBastion": {
        "Type": "AWS::EC2::SubnetRouteTableAssociation",
        "Properties": {
          "SubnetId": { "Ref": "SubnetPublicSSHBastion" },
          "RouteTableId": { "Ref": "RouteTablePublicSSHBastion" }
        }
      },
      "RoutePublicSSHBastionToInternet": {
        "Type": "AWS::EC2::Route",
        "Properties": {
          "RouteTableId": { "Ref": "RouteTablePublicSSHBastion" },
          "DestinationCidrBlock": "0.0.0.0/0",
          "GatewayId": { "Ref": "InternetGateway" }
        },
        "DependsOn": "VPCGatewayAttachment"
      },
      "NetworkAclPublicSSHBastion": {
        "Type": "AWS::EC2::NetworkAcl",
        "Properties": {
          "VpcId": { "Ref": "VPC" }
        }
      },
      "SubnetNetworkAclAssociationPublicSSHBastion": {
        "Type": "AWS::EC2::SubnetNetworkAclAssociation",
        "Properties": {
          "SubnetId": { "Ref": "SubnetPublicSSHBastion" },
          "NetworkAclId": { "Ref": "NetworkAclPublicSSHBastion" }
        }
      },
      "NetworkAclEntryInPublicSSHBastionSSH": {
        "Type": "AWS::EC2::NetworkAclEntry",
        "Properties": {
          "NetworkAclId": { "Ref": "NetworkAclPublicSSHBastion" },
          "RuleNumber": "100",
          "Protocol": "6",
          "PortRange": { "From": "22", "To": "22" },
          "RuleAction": "allow",
          "Egress": "false",
          "CidrBlock": "0.0.0.0/0"
        }
      },
      "NetworkAclEntryInPublicSSHBastionEphemeralPorts": {
        "Type": "AWS::EC2::NetworkAclEntry",
        "Properties": {
          "NetworkAclId": { "Ref": "NetworkAclPublicSSHBastion" },
          "RuleNumber": "200",
          "Protocol": "6",
          "PortRange": { "From": "1024", "To": "65535" },
          "RuleAction": "allow",
          "Egress": "false",
          "CidrBlock": "10.0.0.0/16"
        }
      },
      "NetworkAclEntryOutPublicSSHBastionSSH": {
        "Type": "AWS::EC2::NetworkAclEntry",
        "Properties": {
          "NetworkAclId": { "Ref": "NetworkAclPublicSSHBastion" },
          "RuleNumber": "100",
          "Protocol": "6",
          "PortRange": { "From": "22", "To": "22" },
          "RuleAction": "allow",
          "Egress": "true",
          "CidrBlock": "10.0.0.0/16"
        }
      },
      "NetworkAclEntryOutPublicSSHBastionEphemeralPorts": {
        "Type": "AWS::EC2::NetworkAclEntry",
        "Properties": {
          "NetworkAclId": { "Ref": "NetworkAclPublicSSHBastion" },
          "RuleNumber": "200",
          "Protocol": "6",
          "PortRange": { "From": "1024", "To": "65535" },
          "RuleAction": "allow",
          "Egress": "true",
          "CidrBlock": "0.0.0.0/0"
        }
      },
      
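Added example (not code from the original notes or from AWS): a small Python model of how the stateless bastion-subnet ACL above decides whether a whole TCP session is permitted, which also makes the stateful-versus-stateless difference from section 1 concrete. The template fragment, the helper names and the client addresses (203.0.113.10, 198.51.100.7, 10.0.3.5) are constructed for this example.

```python
# Added example (not from the original notes): evaluates the page's four bastion
# NetworkAclEntry resources the way a stateless NACL does: rules tried in
# ascending RuleNumber order, first match wins, unmatched traffic hits the "*"
# deny. A TCP session needs BOTH legs allowed, unlike a stateful security group.
import ipaddress

def entry(number, egress, low, high, cidr):
    # Builds one NetworkAclEntry in CloudFormation shape (same fields as the page).
    return {"Type": "AWS::EC2::NetworkAclEntry", "Properties": {
        "RuleNumber": str(number), "Protocol": "6", "RuleAction": "allow",
        "Egress": "true" if egress else "false", "CidrBlock": cidr,
        "PortRange": {"From": str(low), "To": str(high)}}}

# Constructed template fragment holding the page's bastion-subnet ACL entries.
TEMPLATE = {"Resources": {
    "NetworkAclEntryInPublicSSHBastionSSH": entry(100, False, 22, 22, "0.0.0.0/0"),
    "NetworkAclEntryInPublicSSHBastionEphemeralPorts": entry(200, False, 1024, 65535, "10.0.0.0/16"),
    "NetworkAclEntryOutPublicSSHBastionSSH": entry(100, True, 22, 22, "10.0.0.0/16"),
    "NetworkAclEntryOutPublicSSHBastionEphemeralPorts": entry(200, True, 1024, 65535, "0.0.0.0/0"),
}}

def load_rules(template):
    # Pulls every NetworkAclEntry out of a template and sorts by RuleNumber.
    rules = []
    for name, res in template["Resources"].items():
        if res["Type"] != "AWS::EC2::NetworkAclEntry":
            continue
        p = res["Properties"]
        rules.append((int(p["RuleNumber"]), name, p["Egress"] == "true",
                      ipaddress.ip_network(p["CidrBlock"]), p["RuleAction"],
                      int(p["PortRange"]["From"]), int(p["PortRange"]["To"])))
    return sorted(rules)

def evaluate(rules, egress, remote_ip, dst_port):
    # One packet: inbound rules match the source CIDR, outbound rules match the
    # destination CIDR; both match the packet's destination port.
    ip = ipaddress.ip_address(remote_ip)
    for _, name, rule_egress, cidr, action, low, high in rules:
        if rule_egress == egress and ip in cidr and low <= dst_port <= high:
            return action, name
    return "deny", "*"

def session_allowed(rules, remote_ip, service_port, ephemeral_port, remote_initiates):
    # Both legs of a TCP session. If the remote host connects in, the forward
    # leg is inbound to service_port and replies go out to its ephemeral port;
    # if the bastion connects out, the two legs are reversed.
    if remote_initiates:
        legs = [(False, service_port), (True, ephemeral_port)]
    else:
        legs = [(True, service_port), (False, ephemeral_port)]
    verdicts = [evaluate(rules, egress, remote_ip, port) for egress, port in legs]
    return all(action == "allow" for action, _ in verdicts), verdicts
```

Running it shows that SSH from the internet into the bastion and SSH from the bastion into the VPC both pass, while HTTP from the internet and SSH from the bastion out to the internet each fail on one leg, which is exactly what the four rules intend.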
    • Create the varnish subnet (public subnet) varnish

      "SubnetPublicVarnish": {
        "Type": "AWS::EC2::Subnet",
        "Properties": {
          "AvailabilityZone": { "Fn::Select": ["0", { "Fn::GetAZs": "" }] },
          "CidrBlock": "10.0.2.0/24",
          "VpcId": { "Ref": "VPC" }
        }
      },
      "RouteTablePublicVarnish": {
        "Type": "AWS::EC2::RouteTable",
        "Properties": {
          "VpcId": { "Ref": "VPC" }
        }
      },
      "RouteTableAssociationPublicVarnish": {
        "Type": "AWS::EC2::SubnetRouteTableAssociation",
        "Properties": {
          "SubnetId": { "Ref": "SubnetPublicVarnish" },
          "RouteTableId": { "Ref": "RouteTablePublicVarnish" }
        }
      },
      "RoutePublicVarnishToInternet": {
        "Type": "AWS::EC2::Route",
        "Properties": {
          "RouteTableId": { "Ref": "RouteTablePublicVarnish" },
          "DestinationCidrBlock": "0.0.0.0/0",
          "GatewayId": { "Ref": "InternetGateway" }
        },
        "DependsOn": "VPCGatewayAttachment"
      },
      "NetworkAclPublicVarnish": {
        "Type": "AWS::EC2::NetworkAcl",
        "Properties": {
          "VpcId": { "Ref": "VPC" }
        }
      },
      "SubnetNetworkAclAssociationPublicVarnish": {
        "Type": "AWS::EC2::SubnetNetworkAclAssociation",
        "Properties": {
          "SubnetId": { "Ref": "SubnetPublicVarnish" },
          "NetworkAclId": { "Ref": "NetworkAclPublicVarnish" }
        }
      },
      "NetworkAclEntryInPublicVarnishSSH": {
        "Type": "AWS::EC2::NetworkAclEntry",
        "Properties": {
          "NetworkAclId": { "Ref": "NetworkAclPublicVarnish" },
          "RuleNumber": "100",
          "Protocol": "6",
          "PortRange": {