我正在尝试使用 terraform 来描述 VPC,例如这篇文章 https://networkfirewall.workshop.aws/setup/distributedmodel.html
# VPC
resource "aws_vpc" "eu-central-1" {
cidr_block = "10.11.0.0/16"
}
resource "aws_subnet" "private_a" {
vpc_id = aws_vpc.eu-central-1.id
cidr_block = "10.11.0.0/20"
availability_zone = "eu-central-1a"
tags = {
Name = "Private A"
}
}
resource "aws_subnet" "private_b" {
vpc_id = aws_vpc.eu-central-1.id
cidr_block = "10.11.16.0/20"
availability_zone = "eu-central-1b"
tags = {
Name = "Private B"
}
}
resource "aws_subnet" "public_a" {
vpc_id = aws_vpc.eu-central-1.id
cidr_block = "10.11.64.0/20"
availability_zone = "eu-central-1a"
map_public_ip_on_launch = true
tags = {
Name = "Public A"
}
}
resource "aws_subnet" "public_b" {
vpc_id = aws_vpc.eu-central-1.id
cidr_block = "10.11.80.0/20"
availability_zone = "eu-central-1b"
map_public_ip_on_launch = true
tags = {
Name = "Public B"
}
}
resource "aws_subnet" "firewall_a" {
vpc_id = aws_vpc.eu-central-1.id
cidr_block = "10.11.255.16/28"
availability_zone = "eu-central-1a"
map_public_ip_on_launch = true
tags = {
Name = "Firewall A"
}
}
resource "aws_subnet" "firewall_b" {
vpc_id = aws_vpc.eu-central-1.id
cidr_block = "10.11.255.32/28"
availability_zone = "eu-central-1b"
map_public_ip_on_launch = true
tags = {
Name = "Firewall B"
}
}
# Routes
resource "aws_route_table" "private_a" {
vpc_id = aws_vpc.eu-central-1.id
route {
cidr_block = "0.0.0.0/0"
nat_gateway_id = aws_nat_gateway.nat_gw_a.id
}
}
resource "aws_route_table" "private_b" {
vpc_id = aws_vpc.eu-central-1.id
route {
cidr_block = "0.0.0.0/0"
nat_gateway_id = aws_nat_gateway.nat_gw_b.id
}
}
resource "aws_route_table" "public_a" {
vpc_id = aws_vpc.eu-central-1.id
route {
cidr_block = "0.0.0.0/0"
vpc_endpoint_id = tolist(aws_networkfirewall_firewall.firewall_a.firewall_status[0].sync_states)[0].attachment[0].endpoint_id
}
}
resource "aws_route_table" "public_b" {
vpc_id = aws_vpc.eu-central-1.id
route {
cidr_block = "0.0.0.0/0"
vpc_endpoint_id = tolist(aws_networkfirewall_firewall.firewall_b.firewall_status[0].sync_states)[0].attachment[0].endpoint_id
}
}
resource "aws_route_table" "firewall_all" {
vpc_id = aws_vpc.eu-central-1.id
route {
cidr_block = "0.0.0.0/0"
gateway_id = aws_internet_gateway.gw.id
}
}
resource "aws_route_table" "igw" {
vpc_id = aws_vpc.eu-central-1.id
route {
cidr_block = "10.11.80.0/20"
vpc_endpoint_id = tolist(aws_networkfirewall_firewall.firewall_b.firewall_status[0].sync_states)[0].attachment[0].endpoint_id
}
route {
cidr_block = "10.11.64.0/20"
vpc_endpoint_id = tolist(aws_networkfirewall_firewall.firewall_a.firewall_status[0].sync_states)[0].attachment[0].endpoint_id
}
}
resource "aws_route_table_association" "igw" {
gateway_id = aws_internet_gateway.gw.id
route_table_id = aws_route_table.igw.id
}
resource "aws_route_table_association" "private_a" {
subnet_id = aws_subnet.private_a.id
route_table_id = aws_route_table.private_a.id
}
resource "aws_route_table_association" "private_b" {
subnet_id = aws_subnet.private_b.id
route_table_id = aws_route_table.private_b.id
}
resource "aws_route_table_association" "public_a" {
subnet_id = aws_subnet.public_a.id
route_table_id = aws_route_table.public_a.id
}
resource "aws_route_table_association" "public_b" {
subnet_id = aws_subnet.public_b.id
route_table_id = aws_route_table.public_b.id
}
resource "aws_route_table_association" "firewall_a" {
subnet_id = aws_subnet.firewall_a.id
route_table_id = aws_route_table.firewall_all.id
}
resource "aws_route_table_association" "firewall_b" {
subnet_id = aws_subnet.firewall_b.id
route_table_id = aws_route_table.firewall_all.id
}
# Net instances
resource "aws_internet_gateway" "gw" {
vpc_id = aws_vpc.eu-central-1.id
}
resource "aws_nat_gateway" "nat_gw_a" {
allocation_id = aws_eip.nat_gw_a.id
subnet_id = aws_subnet.public_a.id
tags = {
Name = "NAT gw A"
}
}
resource "aws_nat_gateway" "nat_gw_b" {
allocation_id = aws_eip.nat_gw_b.id
subnet_id = aws_subnet.public_b.id
tags = {
Name = "NAT gw B"
}
}
# firewall
resource "aws_networkfirewall_firewall_policy" "test" {
name = "test"
firewall_policy {
stateless_default_actions = ["aws:pass"]
stateless_fragment_default_actions = ["aws:drop"]
}
}
resource "aws_networkfirewall_firewall" "firewall_a" {
name = "firewall-a"
firewall_policy_arn = aws_networkfirewall_firewall_policy.test.arn
vpc_id = aws_vpc.eu-central-1.id
subnet_mapping {
subnet_id = aws_subnet.firewall_a.id
}
}
resource "aws_networkfirewall_firewall" "firewall_b" {
name = "firewall-b"
firewall_policy_arn = aws_networkfirewall_firewall_policy.test.arn
vpc_id = aws_vpc.eu-central-1.id
subnet_mapping {
subnet_id = aws_subnet.firewall_b.id
}
}
但是,当我分析从“Internet 网关”到子网“public_b”中的 EC2 实例的包路径时,我看到一个错误:“Route from 10.11.80.0/20 to gatewayId, in route table rtb-0b6f63fddc7b98f40, cannot transfer the packet因为数据包的目标地址匹配更具体的路由。”
{
"explanationCode": "MORE_SPECIFIC_ROUTE",
"routeTable": {
"arn": "arn:aws:ec2:eu-central-1:107128487986:route-table/rtb-0b6f63fddc7b98f40",
"id": "rtb-0b6f63fddc7b98f40"
},
"routeTableRoute": {
"destinationCidr": "10.11.80.0/20",
"gatewayId": "vpce-008edd7f85458d8b7",
"origin": "createroute"
},
"vpc": {
"arn": "arn:aws:ec2:eu-central-1:107128487986:vpc/vpc-04a2b379c648fedb0",
"id": "vpc-04a2b379c648fedb0"
}
}
如果我删除路线:
route {
cidr_block = "10.11.80.0/20"
vpc_endpoint_id = tolist(aws_networkfirewall_firewall.firewall_b.firewall_status[0].sync_states)[0].attachment[0].endpoint_id
}
route {
cidr_block = "10.11.64.0/20"
vpc_endpoint_id = tolist(aws_networkfirewall_firewall.firewall_a.firewall_status[0].sync_states)[0].attachment[0].endpoint_id
}
我看到另一个错误:
{
"destination": {
"arn": "arn:aws:ec2:eu-central-1:107128487986:internet-gateway/igw-0a78290a9915b1562",
"id": "igw-0a78290a9915b1562"
},
"explanationCode": "NO_ROUTE_TO_DESTINATION",
"routeTable": {
"arn": "arn:aws:ec2:eu-central-1:107128487986:route-table/rtb-05eac5e7d51bb9b98",
"id": "rtb-05eac5e7d51bb9b98"
},
"vpc": {
"arn": "arn:aws:ec2:eu-central-1:107128487986:vpc/vpc-04a2b379c648fedb0",
"id": "vpc-04a2b379c648fedb0"
}
}