
I have been trying to port a web application set-up to EC2 using VPC. The application requires an externally accessible web server which is to talk to a number of back end servers managing a database and other data resources within a subnet of the VPC. In addition to this I require a compute head node which should connect to a grid of EC2 worker nodes hosted in another subnet of the VPC accessible only through the head node which should act as a router between the two subnets of the VPC using NAT.

The basic configuration should be something similar to the below schematic:

  External Connection ----------+
                                |
                            Web Server (Externally Facing + VPC Subnet 1)
                                |
          +---------------------+-----------------+
          |                     |                 |
 Data Services Server    Database Server   Compute Headnode
    (VPC Subnet 1)       (VPC Subnet 1)   (VPC Subnet 1 & 2)
                                                  |
                                   +--------------+--------------+
                                   |              |              |
                            Worker Node 01  Worker Node 02  Worker Node 03
                            (VPC Subnet 2)  (VPC Subnet 2)  (VPC Subnet 2)

At the moment I have been able to configure the two subnets and set-up the required EC2 nodes.

I have set up the Network ACL within the two subnets to prevent the EC2 instances in subnet 1 from directly communicating with any IPs within subnet 2 by setting rules within the two subnets as follows:

Subnet 1:

  • 99 ALL Traffic ALL ALL 10.81.82.0/24 DENY
  • 100 ALL Traffic ALL ALL 0.0.0.0/0 ALLOW
  • * ALL Traffic ALL ALL 0.0.0.0/0 DENY

Subnet 2:

  • 80 ALL Traffic ALL ALL 10.81.82.0/24 ALLOW
  • 100 ALL Traffic ALL ALL 0.0.0.0/0 ALLOW
  • * ALL Traffic ALL ALL 0.0.0.0/0 DENY

The issue I seem to be having with this set-up is that I don't see any obvious way of preventing the compute node, which is attached to both subnet 1 and subnet 2, from giving precedence to the 10.81.82.0/24 DENY rule of subnet 1 over the 10.81.82.0/24 ALLOW rule of subnet 2.

I have read most of the pages from Amazon's VPC networking documentation; however, I am still struggling to work out how to achieve this kind of hierarchical setup. Any help or pointers in the right direction would be much appreciated.


2 Answers


Problem solved.

It turns out the precedence issue was not directly down to the Network ACL configuration, but to the network configuration (in terms of subnet arrangement) and the need to set up the web server and compute head node to perform NAT between the different subnets.

Regarding the subnet arrangement, from a careful reading of the AWS documentation it seems that such a network has to be set up as follows:

  • Subnet 1: for the external connection to the web server (10.0.1.0/24 in my case). This subnet is configured to route 0.0.0.0/0 to the Internet gateway.
  • Subnet 2: for machines not directly connected to the external connection, excluding the worker nodes (10.0.2.0/24 in my case). This subnet is configured to route 0.0.0.0/0 to a secondary network interface (within the subnet) on the web server. The web server is then configured to perform NAT between its 10.0.2.0/24 and 10.0.1.0/24 interfaces.
  • Subnet 3: for the worker nodes only (10.0.3.0/24 in my case). This subnet is configured to route 0.0.0.0/0 to a secondary network interface on the compute head node. The compute head node is then configured to perform NAT between its 10.0.3.0/24 and 10.0.2.0/24 interfaces.

I was then able to restrict the traffic between these subnets to enforce the NAT hierarchy, using Network ACLs for both inbound and outbound data, as follows:

Subnet 1:

  • 90 ALL Traffic ALL ALL 10.0.2.0/24 DENY
  • 91 ALL Traffic ALL ALL 10.0.3.0/24 DENY
  • 100 ALL Traffic ALL ALL 0.0.0.0/0

Subnet 2:

  • 90 ALL Traffic ALL ALL 10.0.1.0/24 DENY
  • 91 ALL Traffic ALL ALL 10.0.3.0/24 DENY
  • 100 ALL Traffic ALL ALL 0.0.0.0/0

Subnet 3:

  • 90 ALL Traffic ALL ALL 10.0.1.0/24 DENY
  • 91 ALL Traffic ALL ALL 10.0.2.0/24 DENY
  • 100 ALL Traffic ALL ALL 0.0.0.0/0

Because I wanted to use FreeBSD rather than Linux on my EC2 instances, I ran into a lot of trouble setting up the required NAT instances.

I eventually found a very useful guide in the November 2012 issue of FreeBSD Magazine. Although some of its configuration steps are no longer needed with the latest FreeBSD AMIs detailed on Daemonology.net, the basic configuration steps have not changed since it was published.

I imagine anyone wanting to do something similar using a Linux AMI for NAT would find the process somewhat easier, but as I have not tried it I can't say for certain.

Anyway, I hope this helps anyone with a similar problem.

Answered 2014-05-02T11:25:13.020
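The three-subnet NACL design in the answer above, as an added example that is not part of the original post: a small Python model of how AWS evaluates a Network ACL (lowest-numbered matching rule wins, the implicit `*` rule denies, and checks are stateless) run over the rule sets the answer lists, showing that direct cross-subnet addressing is denied while the NAT chain to the Internet passes because each NAT hop rewrites the source. It assumes rule 100 is an ALLOW of 0.0.0.0/0 as in the question, that the same rules apply inbound and outbound, that a packet is only checked when its source and destination subnets differ, and uses constructed addresses (10.0.3.10 for a worker, 10.0.2.5 and 10.0.1.5 for the NAT instances' upstream interfaces, 203.0.113.5 for an Internet host).

```python
"""Model of AWS Network ACL evaluation for the three-subnet NAT hierarchy.
Added example; rule sets transcribed from the answer, host addresses constructed.
Assumption: rule 100 is an ALLOW of 0.0.0.0/0, and the same rules apply both ways."""
import ipaddress

# (rule number, CIDR, action); the lowest number that matches wins, '*' denies.
NACL = {
    "10.0.1.0/24": [(90, "10.0.2.0/24", "DENY"), (91, "10.0.3.0/24", "DENY"),
                    (100, "0.0.0.0/0", "ALLOW")],
    "10.0.2.0/24": [(90, "10.0.1.0/24", "DENY"), (91, "10.0.3.0/24", "DENY"),
                    (100, "0.0.0.0/0", "ALLOW")],
    "10.0.3.0/24": [(90, "10.0.1.0/24", "DENY"), (91, "10.0.2.0/24", "DENY"),
                    (100, "0.0.0.0/0", "ALLOW")],
}

def evaluate(rules, address):
    """Action of the lowest-numbered rule whose CIDR covers `address`;
    the implicit '*' catch-all denies anything nothing else matched."""
    ip = ipaddress.ip_address(address)
    for _number, cidr, action in sorted(rules):
        if ip in ipaddress.ip_network(cidr):
            return action
    return "DENY"

def subnet_of(address):
    """The VPC subnet containing `address`, or None for an Internet address."""
    ip = ipaddress.ip_address(address)
    return next((s for s in NACL if ip in ipaddress.ip_network(s)), None)

def hop_allowed(src, dst):
    """Stateless check of one packet: the source subnet's outbound ACL looks at
    the destination, the destination subnet's inbound ACL looks at the source.
    Assumption: traffic staying inside one subnet is not checked by the ACL."""
    s, d = subnet_of(src), subnet_of(dst)
    if s == d:
        return True
    if s is not None and evaluate(NACL[s], dst) == "DENY":
        return False
    if d is not None and evaluate(NACL[d], src) == "DENY":
        return False
    return True

def path_allowed(hops):
    """A flow passes only if every (src, dst) hop, as seen after NAT rewriting, passes."""
    return all(hop_allowed(src, dst) for src, dst in hops)

# Worker -> Internet, with the source rewritten by each NAT instance in turn.
WORKER_VIA_NAT = [("10.0.3.10", "203.0.113.5"),   # worker leaves subnet 3
                  ("10.0.2.5", "203.0.113.5"),    # after head node NAT, leaves subnet 2
                  ("10.0.1.5", "203.0.113.5")]    # after web server NAT, leaves subnet 1

if __name__ == "__main__":
    print(path_allowed(WORKER_VIA_NAT))            # True: the NAT chain is permitted
    print(hop_allowed("10.0.3.10", "10.0.1.5"))    # False: worker addressing subnet 1 directly
    print(hop_allowed("10.0.1.5", "10.0.3.10"))    # False: subnet 1 addressing a worker directly
```

Swapping the rule numbers so the DENY sits above 100 makes the ALLOW match first, which is the first-match ordering the question's 99/100 numbering relies on.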

You can use Security Groups here. Associate the instances with security groups and control traffic at the instance level itself; for the compute node you can use NACLs to handle the traffic.

Regards, Dev

Answered 2014-05-01T10:59:00.393