Creating a NAT Instance in AWS


NAT (Network Address Translation) rewrites the addresses in IP packets as they cross a gateway. When hosts on an internal network need to reach the Internet but must not be exposed to it directly, they can send their traffic out through a NAT instance. This has two benefits. First, internal hosts can reach the Internet without owning a public IP address (only the NAT instance needs one), which conserves public addresses. Second, because the internal hosts have no public IP and no route from the Internet leads to them, machines on the Internet cannot initiate connections to them; the NAT only translates inbound packets that belong to a connection an internal host opened. A classic example: a database server sits in the private network and serves a web server in the same network. For security reasons you would never expose the database server directly to the Internet, yet it occasionally needs outbound access of its own, for example to download package updates. NAT solves this cleanly. Note that NAT hides hosts from the Internet only: anything else inside the same network can still reach them, so the security groups on the private hosts remain the real access control.
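To make the two properties above concrete, here is a toy stateful NAT written for this article (an added example, not code from the original post and not what runs on the AWS NAT AMI). It models port address translation: an outbound packet from a private host gets a mapping and leaves with the NAT's public address; a reply is translated back using that mapping; an inbound packet with no mapping is dropped, which is why Internet hosts cannot reach the private subnet. The addresses are constructed: 10.2.2.0/24 stands for the private subnet and 203.0.113.10 for the NAT instance's Elastic IP.

```python
"""Toy port-address-translation NAT: illustrates stateful mapping and why
unsolicited inbound traffic never reaches a private host (added example)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


class Nat:
    """Many private hosts share one public IP; flows are told apart by port."""

    def __init__(self, public_ip: str, first_port: int = 1024, last_port: int = 65535):
        self.public_ip = public_ip
        self._next_port = first_port
        self._last_port = last_port
        # (private_ip, private_port, remote_ip, remote_port) -> public_port
        self._out: Dict[Tuple[str, int, str, int], int] = {}
        # (public_port, remote_ip, remote_port) -> (private_ip, private_port)
        self._in: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a packet leaving the private subnet; create a mapping if new."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self._out.get(key)
        if port is None:
            if self._next_port > self._last_port:
                raise RuntimeError("NAT port pool exhausted")
            port = self._next_port
            self._next_port += 1
            self._out[key] = port
            self._in[(port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet arriving at the public IP; None means dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        target = self._in.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if target is None:
            return None  # unsolicited: no private host ever opened this flow
        priv_ip, priv_port = target
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port, pkt.payload)


def demo() -> Dict[str, Optional[Packet]]:
    """Constructed scenario: a private DB server fetches an update, then a
    scanner on the Internet probes the NAT's public IP on the MySQL port."""
    nat = Nat("203.0.113.10")
    req = Packet("10.2.2.20", 40000, "198.51.100.5", 443, "GET /update")
    on_wire = nat.outbound(req)
    reply = nat.inbound(Packet("198.51.100.5", 443, "203.0.113.10", on_wire.src_port, "200 OK"))
    probe = nat.inbound(Packet("192.0.2.77", 5555, "203.0.113.10", 3306, "SYN"))
    return {"on_wire": on_wire, "reply": reply, "probe": probe}


if __name__ == "__main__":
    r = demo()
    print("outbound as seen from the Internet:", r["on_wire"])
    print("reply delivered to private host:   ", r["reply"])
    print("unsolicited probe:                 ", r["probe"])
```

The mapping is keyed on the remote endpoint as well as the allocated port, so even a packet aimed at an allocated public port is dropped unless it comes from the peer the private host talked to; a real NAT also expires idle mappings, which this model omits.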

The figure below is a functional diagram of a NAT instance.

Any router, or any host running suitable software, can act as a NAT device. Creating one in AWS is straightforward because AWS publishes AMIs with NAT software preinstalled: launch an instance from that AMI in your public subnet and apply a small amount of configuration. The one non-obvious setting is the instance's source/destination check, which must be disabled: a NAT instance forwards packets whose source or destination address is not its own, and EC2 silently drops such packets while the check is on.

The figure below shows a classic VPC layout in AWS. The VPC contains two subnets: a public subnet, connected to the Internet through an Internet Gateway, and a private subnet with no direct path to the Internet. In the public subnet an EC2 instance is launched from the AWS-provided NAT AMI and assigned an Elastic IP; that instance is the NAT instance. Every machine in the private subnet can then reach the Internet through it, because the private subnet's route table sends 0.0.0.0/0 to the NAT instance rather than to the Internet Gateway.

The simplest way to create this network and the instance in one step is AWS CloudFormation. If you are not familiar with CloudFormation, see my earlier article 《亞馬遜雲服務之CloudFormation》. The CloudFormation template that builds the whole VPC follows.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Setup a vpc, which contains two subnets and one NAT machine",
  "Parameters": {
    "KeyName": {
      "Description": "Name of an existing EC2 KeyPair to enable SSH access to the instance",
      "Type": "String"
    },
    "VpcCidr": {
      "Description": "CIDR address for the VPC to be created.",
      "Type": "String",
      "Default": "10.2.0.0/16"
    },
    "AnyCidr": {
      "Description": "CIDR address for anywhere.",
      "Type": "String",
      "Default": "0.0.0.0/0"
    },
    "AvailabilityZone1": {
      "Description": "First AZ.",
      "Type": "String",
      "Default": "cn-north-1a"
    },
    "PublicSubnetCidr": {
      "Description": "Address range for a public subnet to be created in AZ1.",
      "Type": "String",
      "Default": "10.2.1.0/24"
    },
    "PrivateSubnetCidr": {
      "Description": "Address range for private subnet.",
      "Type": "String",
      "Default": "10.2.2.0/24"
    },
    "NATInstanceType": {
      "Description": "Instance type for NAT",
      "Type": "String",
      "Default": "t1.micro"
    }
  },
  "Mappings": {
    "AWSNATAMI": {
      "cn-north-1": { "AMI": "ami-eab220d3" }
    }
  },
  "Resources": {
    "VPC": {
      "Type": "AWS::EC2::VPC",
      "Properties": {
        "CidrBlock": { "Ref": "VpcCidr" },
        "Tags": [ { "Key": "Name", "Value": "VPC" } ]
      }
    },
    "InternetGateWay": {
      "Type": "AWS::EC2::InternetGateway",
      "Properties": {
        "Tags": [ { "Key": "Name", "Value": "INTERNET_GATEWAY" } ]
      }
    },
    "GatewayToInternet": {
      "Type": "AWS::EC2::VPCGatewayAttachment",
      "Properties": {
        "InternetGatewayId": { "Ref": "InternetGateWay" },
        "VpcId": { "Ref": "VPC" }
      }
    },
    "PublicSubnet": {
      "Type": "AWS::EC2::Subnet",
      "Properties": {
        "CidrBlock": { "Ref": "PublicSubnetCidr" },
        "AvailabilityZone": { "Ref": "AvailabilityZone1" },
        "Tags": [ { "Key": "Name", "Value": "PUBLIC_SUBNET" } ],
        "VpcId": { "Ref": "VPC" }
      }
    },
    "PrivateSubnet": {
      "Type": "AWS::EC2::Subnet",
      "Properties": {
        "CidrBlock": { "Ref": "PrivateSubnetCidr" },
        "AvailabilityZone": { "Ref": "AvailabilityZone1" },
        "Tags": [ { "Key": "Name", "Value": "PRIVATE_SUBNET" } ],
        "VpcId": { "Ref": "VPC" }
      }
    },
    "DefaultSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Default Instance SecurityGroup",
        "SecurityGroupIngress": [
          { "IpProtocol": "-1", "CidrIp": { "Ref": "VpcCidr" } }
        ],
        "Tags": [ { "Key": "Name", "Value": "DEFAULT_SECURITY_GROUP" } ],
        "VpcId": { "Ref": "VPC" }
      }
    },
    "PublicRouteTable": {
      "Type": "AWS::EC2::RouteTable",
      "Properties": {
        "VpcId": { "Ref": "VPC" },
        "Tags": [ { "Key": "Name", "Value": "PUBLIC_ROUTE_TABLE" } ]
      }
    },
    "PublicRoute": {
      "Type": "AWS::EC2::Route",
      "DependsOn": "GatewayToInternet",
      "Properties": {
        "DestinationCidrBlock": { "Ref": "AnyCidr" },
        "GatewayId": { "Ref": "InternetGateWay" },
        "RouteTableId": { "Ref": "PublicRouteTable" }
      }
    },
    "PublicSubnetRouteTableAssociation": {
      "Type": "AWS::EC2::SubnetRouteTableAssociation",
      "Properties": {
        "RouteTableId": { "Ref": "PublicRouteTable" },
        "SubnetId": { "Ref": "PublicSubnet" }
      }
    },
    "NATEIP": {
      "Type": "AWS::EC2::EIP",
      "Properties": {
        "InstanceId": { "Ref": "NATInstance" }
      }
    },
    "NATInstance": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "InstanceType": { "Ref": "NATInstanceType" },
        "KeyName": { "Ref": "KeyName" },
        "SubnetId": { "Ref": "PublicSubnet" },
        "SourceDestCheck": false,
        "ImageId": { "Fn::FindInMap": [ "AWSNATAMI", { "Ref": "AWS::Region" }, "AMI" ] },
        "Tags": [ { "Key": "Name", "Value": "NAT" } ],
        "SecurityGroupIds": [ { "Ref": "NATSecurityGroup" } ]
      }
    },
    "PrivateSubnetRouteTable": {
      "Type": "AWS::EC2::RouteTable",
      "Properties": {
        "VpcId": { "Ref": "VPC" },
        "Tags": [ { "Key": "Name", "Value": "PRIVATE_SUBNET_ROUTE_TABLE" } ]
      }
    },
    "PrivateSubnetRoute": {
      "Type": "AWS::EC2::Route",
      "Properties": {
        "DestinationCidrBlock": { "Ref": "AnyCidr" },
        "InstanceId": { "Ref": "NATInstance" },
        "RouteTableId": { "Ref": "PrivateSubnetRouteTable" }
      }
    },
    "PrivateSubnetRouteTableAssociation": {
      "Type": "AWS::EC2::SubnetRouteTableAssociation",
      "Properties": {
        "RouteTableId": { "Ref": "PrivateSubnetRouteTable" },
        "SubnetId": { "Ref": "PrivateSubnet" }
      }
    },
    "NATSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "NAT Instance SecurityGroup",
        "SecurityGroupIngress": [
          { "IpProtocol": "-1", "CidrIp": { "Ref": "VpcCidr" } }
        ],
        "Tags": [ { "Key": "Name", "Value": "NAT_SECURITY_GROUP" } ],
        "VpcId": { "Ref": "VPC" }
      }
    }
  },
  "Outputs": {
    "VPCId": {
      "Description": "VPC id",
      "Value": { "Ref": "VPC" }
    },
    "PublicSubnetId": {
      "Description": "public subnet id",
      "Value": { "Ref": "PublicSubnet" }
    },
    "PrivateSubnetId": {
      "Description": "private subnet id",
      "Value": { "Ref": "PrivateSubnet" }
    },
    "NATSecurityGroupId": {
      "Description": "NAT SG id",
      "Value": { "Ref": "NATSecurityGroup" }
    },
    "NATEIP": {
      "Description": "NAT Server EIP.",
      "Value": { "Ref": "NATEIP" }
    }
  }
}
```

You can deploy this template from the AWS Management Console or with the AWS CLI. The resulting stack gives you the basic network layout for your AWS account in one step, so the network no longer has to be configured by hand.

A few things are worth checking before relying on it beyond a test environment. The NAT security group accepts every protocol from the whole VPC CIDR, which is what a NAT needs in order to forward traffic, but it also means any host in the VPC can reach SSH on the NAT instance; nothing from the Internet is accepted, because no ingress rule names 0.0.0.0/0, while the group's default egress rule lets everything out. DefaultSecurityGroup is created but attached to nothing, so either attach it to the private-subnet instances or drop it. A single NAT instance in one Availability Zone is both a single point of failure and a bandwidth bottleneck (a t1.micro especially): every private host loses Internet access when it is stopped or fails its health check. For production use, prefer AWS's managed NAT Gateway or run one NAT instance per Availability Zone with route failover.
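The properties that make this layout safe (source/destination check off on the NAT instance, the NAT's subnet routed to the Internet Gateway, the private subnet routed only through the NAT, no security group open to 0.0.0.0/0) are all visible in the template and can be checked before a stack is ever created. The script below is an added example written for this article, not part of the original post and not an AWS tool: it walks a CloudFormation template loaded with json.load and reports findings. The embedded TEMPLATE is a constructed, trimmed copy of the template above, and weakened_template() is a constructed misconfiguration used to show what a finding looks like.

```python
"""Offline policy checks for a NAT-instance VPC template (added example)."""
import copy
import json
from typing import Any, Dict, List, Optional

# Constructed: trimmed copy of the article's template, keeping only the
# parameters and resources the checks below look at.
TEMPLATE: Dict[str, Any] = json.loads("""
{
  "Parameters": {
    "VpcCidr": {"Type": "String", "Default": "10.2.0.0/16"},
    "AnyCidr": {"Type": "String", "Default": "0.0.0.0/0"}
  },
  "Resources": {
    "VPC": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": {"Ref": "VpcCidr"}}},
    "InternetGateWay": {"Type": "AWS::EC2::InternetGateway"},
    "PublicSubnet": {"Type": "AWS::EC2::Subnet", "Properties": {"VpcId": {"Ref": "VPC"}}},
    "PrivateSubnet": {"Type": "AWS::EC2::Subnet", "Properties": {"VpcId": {"Ref": "VPC"}}},
    "PublicRouteTable": {"Type": "AWS::EC2::RouteTable", "Properties": {"VpcId": {"Ref": "VPC"}}},
    "PublicRoute": {"Type": "AWS::EC2::Route", "Properties": {
      "DestinationCidrBlock": {"Ref": "AnyCidr"}, "GatewayId": {"Ref": "InternetGateWay"},
      "RouteTableId": {"Ref": "PublicRouteTable"}}},
    "PublicSubnetRouteTableAssociation": {"Type": "AWS::EC2::SubnetRouteTableAssociation",
      "Properties": {"RouteTableId": {"Ref": "PublicRouteTable"}, "SubnetId": {"Ref": "PublicSubnet"}}},
    "NATInstance": {"Type": "AWS::EC2::Instance", "Properties": {
      "SubnetId": {"Ref": "PublicSubnet"}, "SourceDestCheck": false,
      "SecurityGroupIds": [{"Ref": "NATSecurityGroup"}]}},
    "PrivateSubnetRouteTable": {"Type": "AWS::EC2::RouteTable", "Properties": {"VpcId": {"Ref": "VPC"}}},
    "PrivateSubnetRoute": {"Type": "AWS::EC2::Route", "Properties": {
      "DestinationCidrBlock": {"Ref": "AnyCidr"}, "InstanceId": {"Ref": "NATInstance"},
      "RouteTableId": {"Ref": "PrivateSubnetRouteTable"}}},
    "PrivateSubnetRouteTableAssociation": {"Type": "AWS::EC2::SubnetRouteTableAssociation",
      "Properties": {"RouteTableId": {"Ref": "PrivateSubnetRouteTable"}, "SubnetId": {"Ref": "PrivateSubnet"}}},
    "NATSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
      "SecurityGroupIngress": [{"IpProtocol": "-1", "CidrIp": {"Ref": "VpcCidr"}}]}}
  }
}
""")


def resolve(value: Any, tpl: Dict[str, Any]) -> Any:
    """Resolve {"Ref": X}: a parameter becomes its Default, a resource its logical id."""
    if isinstance(value, dict) and list(value) == ["Ref"]:
        name = value["Ref"]
        if name in tpl.get("Parameters", {}):
            return tpl["Parameters"][name].get("Default")
        return name
    return value


def by_type(tpl: Dict[str, Any], rtype: str) -> Dict[str, Any]:
    return {k: v for k, v in tpl["Resources"].items() if v.get("Type") == rtype}


def route_table_of(tpl: Dict[str, Any], subnet: str) -> Optional[str]:
    """Logical id of the route table associated with a subnet, if any."""
    for assoc in by_type(tpl, "AWS::EC2::SubnetRouteTableAssociation").values():
        props = assoc["Properties"]
        if resolve(props["SubnetId"], tpl) == subnet:
            return resolve(props["RouteTableId"], tpl)
    return None


def default_routes(tpl: Dict[str, Any], rt: Optional[str]) -> List[Dict[str, Any]]:
    """All 0.0.0.0/0 routes attached to the given route table."""
    return [r["Properties"] for r in by_type(tpl, "AWS::EC2::Route").values()
            if resolve(r["Properties"]["RouteTableId"], tpl) == rt
            and resolve(r["Properties"].get("DestinationCidrBlock"), tpl) == "0.0.0.0/0"]


def check_nat_template(tpl: Dict[str, Any], nat: str = "NATInstance",
                       private_subnet: str = "PrivateSubnet") -> List[str]:
    """Return a list of findings; an empty list means the layout passes."""
    findings: List[str] = []
    nat_props = tpl["Resources"][nat]["Properties"]
    if nat_props.get("SourceDestCheck") not in (False, "false"):
        findings.append(f"{nat}: SourceDestCheck must be false or EC2 drops forwarded packets")
    igws = set(by_type(tpl, "AWS::EC2::InternetGateway"))
    nat_subnet = resolve(nat_props["SubnetId"], tpl)
    pub = default_routes(tpl, route_table_of(tpl, nat_subnet))
    if not any(resolve(r.get("GatewayId"), tpl) in igws for r in pub):
        findings.append(f"{nat}: subnet {nat_subnet} has no 0.0.0.0/0 route to an Internet Gateway")
    priv = default_routes(tpl, route_table_of(tpl, private_subnet))
    if not any(resolve(r.get("InstanceId"), tpl) == nat for r in priv):
        findings.append(f"{private_subnet}: no 0.0.0.0/0 route via {nat}")
    if any(resolve(r.get("GatewayId"), tpl) in igws for r in priv):
        findings.append(f"{private_subnet}: default route via Internet Gateway makes the subnet public")
    for name, sg in by_type(tpl, "AWS::EC2::SecurityGroup").items():
        for rule in sg["Properties"].get("SecurityGroupIngress", []):
            if resolve(rule.get("CidrIp"), tpl) == "0.0.0.0/0":
                findings.append(f"{name}: ingress {rule.get('IpProtocol')} open to 0.0.0.0/0")
    return findings


def weakened_template() -> Dict[str, Any]:
    """Constructed misconfiguration: check left on, NAT group opened to the world on 22."""
    bad = copy.deepcopy(TEMPLATE)
    bad["Resources"]["NATInstance"]["Properties"]["SourceDestCheck"] = True
    bad["Resources"]["NATSecurityGroup"]["Properties"]["SecurityGroupIngress"].append(
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": {"Ref": "AnyCidr"}})
    return bad


if __name__ == "__main__":
    import sys
    tpl = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else weakened_template()
    for line in check_nat_template(tpl) or ["no findings"]:
        print(line)
```

Run it with the path of a template file to check that file; with no argument it checks the constructed weak variant and prints two findings. The resolver only follows plain Ref values, which is all this template uses for the checked properties; a template that builds CIDRs with Fn::Sub or Fn::Join would need those intrinsics handled too.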

