aws (Study Notes, Lesson 6) AWS virtual private and public subnets and ACLs; defining the public bastion host subnet and a Varnish reverse proxy

Topics covered:

  • AWS virtual private and public subnets and ACLs
  • Defining the public bastion host subnet, the private subnet and the public subnets, and a Varnish reverse proxy

1. AWS virtual private and public subnets and ACLs

  1. AWS virtual private subnets, public cloud and ACLs
    • AWS virtual private subnets
      Users can define their own private subnets on AWS. The database, the application and the Apache server, for example, can be built on the private network and then reached through the public network, which is what provides the service to the outside. It is just like private members in C++ object-oriented design: private variables and methods must never be declared public and exposed to end users. Any service that can live in the private cloud and does not need to be exposed should be defined in the private cloud.
    • AWS virtual public cloud
      The counterpart of the AWS private cloud above is the public cloud. The public cloud is what finally delivers the service to users and opens network ports to end customers. Services on the public network sit in between: they serve the public and at the same time can reach the application services, database services and other services in the private subnets.
    • Differences between an ACL (network access control list) and a Security Group
      • They apply to different objects
        An ACL is applied to a subnet and sets the network access rules for that subnet. Note that by default all networks within the same VPC can reach each other, but once an ACL is defined its rules apply and any traffic it does not allow is blocked.
        A Security Group is applied to services such as EC2 servers, not to subnets.
      • Stateful versus stateless
        • An ACL is stateless: even if an inbound packet is allowed in, the reply cannot leave unless it also matches an outbound rule.
        • A Security Group is stateful: if an inbound packet is allowed, its replies are allowed out automatically.

2. Defining the public bastion host subnet, the private subnet and the public subnets

  1. Overall network topology (the public subnet on the right uses Varnish as a reverse proxy to expose the Apache server in the private subnet)

  2. Create the VPC and the other services step by step

    • Create the VPC and the IGW (Internet Gateway)

      		"VPC": {
      			"Type": "AWS::EC2::VPC",
      			"Properties": {
      				"CidrBlock": "10.0.0.0/16",
      				"EnableDnsHostnames": "true"
      			}
      		},
      		"InternetGateway": {
      			"Type": "AWS::EC2::InternetGateway",
      			"Properties": {
      			}
      		},
      		"VPCGatewayAttachment": {
      			"Type": "AWS::EC2::VPCGatewayAttachment",
      			"Properties": {
      				"VpcId": {"Ref": "VPC"},
      				"InternetGatewayId": {"Ref": "InternetGateway"}
      			}
      		},
      
    • Create the bastion host subnet (public subnet) Bastion
      CidrBlock 10.0.1.0/24
      RoutePublicSSHBastionToInternet: gives the bastion subnet a default route to the Internet Gateway, so it can reach the internet.
      NetworkAclEntryInPublicSSHBastionSSH: allows any host on the internet to reach the subnet on port 22 (inbound rule, Egress = false).
      NetworkAclEntryInPublicSSHBastionEphemeralPorts: allows hosts inside the VPC (10.0.0.0/16) to reach the subnet on the ephemeral ports 1024-65535 (inbound rule, Egress = false); this is what lets the replies to the bastion's own SSH sessions come back.
      NetworkAclEntryOutPublicSSHBastionSSH: allows hosts in the bastion subnet to reach other hosts in the VPC on port 22 (outbound rule, Egress = true).
      NetworkAclEntryOutPublicSSHBastionEphemeralPorts: allows hosts in the bastion subnet to send traffic to internet hosts on the ephemeral ports (outbound rule, Egress = true); because the ACL is stateless, this is what lets the replies to inbound SSH connections leave.

      		"SubnetPublicSSHBastion": {
      			"Type": "AWS::EC2::Subnet",
      			"Properties": {
      				"AvailabilityZone": {"Fn::Select": ["0", {"Fn::GetAZs": ""}]},
      				"CidrBlock": "10.0.1.0/24",
      				"VpcId": {"Ref": "VPC"}
      			}
      		},
      		"RouteTablePublicSSHBastion": {
      			"Type": "AWS::EC2::RouteTable",
      			"Properties": {
      				"VpcId": {"Ref": "VPC"}
      			}
      		},
      		"RouteTableAssociationPublicSSHBastion": {
      			"Type": "AWS::EC2::SubnetRouteTableAssociation",
      			"Properties": {
      				"SubnetId": {"Ref": "SubnetPublicSSHBastion"},
      				"RouteTableId": {"Ref": "RouteTablePublicSSHBastion"}
      			}
      		},
      		"RoutePublicSSHBastionToInternet": {
      			"Type": "AWS::EC2::Route",
      			"Properties": {
      				"RouteTableId": {"Ref": "RouteTablePublicSSHBastion"},
      				"DestinationCidrBlock": "0.0.0.0/0",
      				"GatewayId": {"Ref": "InternetGateway"}
      			},
      			"DependsOn": "VPCGatewayAttachment"
      		},
      		"NetworkAclPublicSSHBastion": {
      			"Type": "AWS::EC2::NetworkAcl",
      			"Properties": {
      				"VpcId": {"Ref": "VPC"}
      			}
      		},
      		"SubnetNetworkAclAssociationPublicSSHBastion": {
      			"Type": "AWS::EC2::SubnetNetworkAclAssociation",
      			"Properties": {
      				"SubnetId": {"Ref": "SubnetPublicSSHBastion"},
      				"NetworkAclId": {"Ref": "NetworkAclPublicSSHBastion"}
      			}
      		},
      		"NetworkAclEntryInPublicSSHBastionSSH": {
      			"Type": "AWS::EC2::NetworkAclEntry",
      			"Properties": {
      				"NetworkAclId": {"Ref": "NetworkAclPublicSSHBastion"},
      				"RuleNumber": "100",
      				"Protocol": "6",
      				"PortRange": {
      					"From": "22",
      					"To": "22"
      				},
      				"RuleAction": "allow",
      				"Egress": "false",
      				"CidrBlock": "0.0.0.0/0"
      			}
      		},
      		"NetworkAclEntryInPublicSSHBastionEphemeralPorts": {
      			"Type": "AWS::EC2::NetworkAclEntry",
      			"Properties": {
      				"NetworkAclId": {"Ref": "NetworkAclPublicSSHBastion"},
      				"RuleNumber": "200",
      				"Protocol": "6",
      				"PortRange": {
      					"From": "1024",
      					"To": "65535"
      				},
      				"RuleAction": "allow",
      				"Egress": "false",
      				"CidrBlock": "10.0.0.0/16"
      			}
      		},
      		"NetworkAclEntryOutPublicSSHBastionSSH": {
      			"Type": "AWS::EC2::NetworkAclEntry",
      			"Properties": {
      				"NetworkAclId": {"Ref": "NetworkAclPublicSSHBastion"},
      				"RuleNumber": "100",
      				"Protocol": "6",
      				"PortRange": {
      					"From": "22",
      					"To": "22"
      				},
      				"RuleAction": "allow",
      				"Egress": "true",
      				"CidrBlock": "10.0.0.0/16"
      			}
      		},
      		"NetworkAclEntryOutPublicSSHBastionEphemeralPorts": {
      			"Type": "AWS::EC2::NetworkAclEntry",
      			"Properties": {
      				"NetworkAclId": {"Ref": "NetworkAclPublicSSHBastion"},
      				"RuleNumber": "200",
      				"Protocol": "6",
      				"PortRange": {
      					"From": "1024",
      					"To": "65535"
      				},
      				"RuleAction": "allow",
      				"Egress": "true",
      				"CidrBlock": "0.0.0.0/0"
      			}
      		},
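
As an added illustration (not part of the original post), the following Python models how the stateless bastion ACL above decides a TCP connection: the request packet and the reply packet are evaluated separately, the lowest matching rule number wins, and anything unmatched is denied. The addresses 203.0.113.5 and 198.51.100.7 and the client port numbers are constructed for the demo.

```python
"""Stateless network-ACL evaluation, using the bastion-subnet ACL entries above.

A NACL has no connection table: the request packet must match an allow rule in
one direction and the reply packet must match an allow rule in the other.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    rule_number: int
    protocol: int      # 6 = TCP, as in the template; -1 would mean all protocols
    port_from: int
    port_to: int       # inclusive destination-port range
    action: str        # "allow" or "deny"
    egress: bool       # False = inbound rule, True = outbound rule
    cidr: str          # source CIDR for inbound rules, destination CIDR for outbound rules


# The four NetworkAclEntry resources of NetworkAclPublicSSHBastion, transcribed from the template.
BASTION_ACL = [
    AclEntry(100, 6, 22, 22, "allow", False, "0.0.0.0/0"),        # NetworkAclEntryInPublicSSHBastionSSH
    AclEntry(200, 6, 1024, 65535, "allow", False, "10.0.0.0/16"),  # NetworkAclEntryInPublicSSHBastionEphemeralPorts
    AclEntry(100, 6, 22, 22, "allow", True, "10.0.0.0/16"),        # NetworkAclEntryOutPublicSSHBastionSSH
    AclEntry(200, 6, 1024, 65535, "allow", True, "0.0.0.0/0"),     # NetworkAclEntryOutPublicSSHBastionEphemeralPorts
]


def evaluate(acl, *, egress, protocol, remote_ip, dst_port):
    """Decide one packet: rules of the given direction are tried in ascending
    RuleNumber order and the first match wins; with no match the implicit '*' rule denies."""
    remote = ipaddress.ip_address(remote_ip)
    for e in sorted((x for x in acl if x.egress == egress), key=lambda x: x.rule_number):
        if e.protocol not in (-1, protocol):
            continue
        if not (e.port_from <= dst_port <= e.port_to):
            continue
        if remote not in ipaddress.ip_network(e.cidr):
            continue
        return e.action == "allow"
    return False


def tcp_connection_allowed(acl, *, client_ip, client_port, server_ip, server_port, inbound):
    """A TCP connection works only if the SYN and the reply both pass the ACL.
    inbound=True : the client is outside the subnet and the server inside it.
    inbound=False: the client (e.g. the bastion host) is inside the subnet."""
    if inbound:
        request = evaluate(acl, egress=False, protocol=6, remote_ip=client_ip, dst_port=server_port)
        reply = evaluate(acl, egress=True, protocol=6, remote_ip=client_ip, dst_port=client_port)
    else:
        request = evaluate(acl, egress=True, protocol=6, remote_ip=server_ip, dst_port=server_port)
        reply = evaluate(acl, egress=False, protocol=6, remote_ip=server_ip, dst_port=client_port)
    return request and reply


def without_rule(acl, rule_number, egress):
    """Copy of the ACL with one entry dropped, to show what breaks when it is missing."""
    return [e for e in acl if not (e.rule_number == rule_number and e.egress == egress)]


if __name__ == "__main__":
    # Constructed addresses: an internet client (TEST-NET-3), the bastion host and the Apache host.
    cases = {
        "internet -> bastion:22 (admin SSH)":
            tcp_connection_allowed(BASTION_ACL, client_ip="203.0.113.5", client_port=51000,
                                   server_ip="10.0.1.10", server_port=22, inbound=True),
        "bastion -> apache:22 (ssh 10.0.3.x from the bastion)":
            tcp_connection_allowed(BASTION_ACL, client_ip="10.0.1.10", client_port=40000,
                                   server_ip="10.0.3.198", server_port=22, inbound=False),
        "bastion -> internet:443 (package download)":
            tcp_connection_allowed(BASTION_ACL, client_ip="10.0.1.10", client_port=40001,
                                   server_ip="198.51.100.7", server_port=443, inbound=False),
        "internet -> bastion:22 without the outbound ephemeral rule":
            tcp_connection_allowed(without_rule(BASTION_ACL, 200, True), client_ip="203.0.113.5",
                                   client_port=51000, server_ip="10.0.1.10", server_port=22, inbound=True),
    }
    for label, ok in cases.items():
        print(f"{'ALLOW' if ok else 'DENY':5} {label}")
```

The third case is worth noticing: the route table sends 0.0.0.0/0 to the Internet Gateway, but the bastion ACL has no outbound rule for ports 80/443, so the bastion host itself cannot download packages; only the Varnish and Apache subnets get HTTP/HTTPS egress rules.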
      
    • Create the Varnish subnet (public subnet) varnish

      		"SubnetPublicVarnish": {
      			"Type": "AWS::EC2::Subnet",
      			"Properties": {
      				"AvailabilityZone": {"Fn::Select": ["0", {"Fn::GetAZs": ""}]},
      				"CidrBlock": "10.0.2.0/24",
      				"VpcId": {"Ref": "VPC"}
      			}
      		},
      		"RouteTablePublicVarnish": {
      			"Type": "AWS::EC2::RouteTable",
      			"Properties": {
      				"VpcId": {"Ref": "VPC"}
      			}
      		},
      		"RouteTableAssociationPublicVarnish": {
      			"Type": "AWS::EC2::SubnetRouteTableAssociation",
      			"Properties": {
      				"SubnetId": {"Ref": "SubnetPublicVarnish"},
      				"RouteTableId": {"Ref": "RouteTablePublicVarnish"}
      			}
      		},
      		"RoutePublicVarnishToInternet": {
      			"Type": "AWS::EC2::Route",
      			"Properties": {
      				"RouteTableId": {"Ref": "RouteTablePublicVarnish"},
      				"DestinationCidrBlock": "0.0.0.0/0",
      				"GatewayId": {"Ref": "InternetGateway"}
      			},
      			"DependsOn": "VPCGatewayAttachment"
      		},
      		"NetworkAclPublicVarnish": {
      			"Type": "AWS::EC2::NetworkAcl",
      			"Properties": {
      				"VpcId": {"Ref": "VPC"}
      			}
      		},
      		"SubnetNetworkAclAssociationPublicVarnish": {
      			"Type": "AWS::EC2::SubnetNetworkAclAssociation",
      			"Properties": {
      				"SubnetId": {"Ref": "SubnetPublicVarnish"},
      				"NetworkAclId": {"Ref": "NetworkAclPublicVarnish"}
      			}
      		},
      		"NetworkAclEntryInPublicVarnishSSH": {
      			"Type": "AWS::EC2::NetworkAclEntry",
      			"Properties": {
      				"NetworkAclId": {"Ref": "NetworkAclPublicVarnish"},
      				"RuleNumber": "100",
      				"Protocol": "6",
      				"PortRange": {
      					"From": "22",
      					"To": "22"
      				},
      				"RuleAction": "allow",
      				"Egress": "false",
      				"CidrBlock": "10.0.1.0/24"
      			}
      		},
      		"NetworkAclEntryInPublicVarnishHTTP": {
      			"Type": "AWS::EC2::NetworkAclEntry",
      			"Properties": {
      				"NetworkAclId": {"Ref": "NetworkAclPublicVarnish"},
      				"RuleNumber": "110",
      				"Protocol": "6",
      				"PortRange": {
      					"From": "80",
      					"To": "80"
      				},
      				"RuleAction": "allow",
      				"Egress": "false",
      				"CidrBlock": "0.0.0.0/0"
      			}
      		},
      		"NetworkAclEntryInPublicVarnishEphemeralPorts": {
      			"Type": "AWS::EC2::NetworkAclEntry",
      			"Properties": {
      				"NetworkAclId": {"Ref": "NetworkAclPublicVarnish"},
      				"RuleNumber": "200",
      				"Protocol": "6",
      				"PortRange": {
      					"From": "1024",
      					"To": "65535"
      				},
      				"RuleAction": "allow",
      				"Egress": "false",
      				"CidrBlock": "0.0.0.0/0"
      			}
      		},
      		"NetworkAclEntryOutPublicVarnishHTTP": {
      			"Type": "AWS::EC2::NetworkAclEntry",
      			"Properties": {
      				"NetworkAclId": {"Ref": "NetworkAclPublicVarnish"},
      				"RuleNumber": "100",
      				"Protocol": "6",
      				"PortRange": {
      					"From": "80",
      					"To": "80"
      				},
      				"RuleAction": "allow",
      				"Egress": "true",
      				"CidrBlock": "0.0.0.0/0"
      			}
      		},
      		"NetworkAclEntryOutPublicVarnishHTTPS": {
      			"Type": "AWS::EC2::NetworkAclEntry",
      			"Properties": {
      				"NetworkAclId": {"Ref": "NetworkAclPublicVarnish"},
      				"RuleNumber": "110",
      				"Protocol": "6",
      				"PortRange": {
      					"From": "443",
      					"To": "443"
      				},
      				"RuleAction": "allow",
      				"Egress": "true",
      				"CidrBlock": "0.0.0.0/0"
      			}
      		},
      		"NetworkAclEntryOutPublicVarnishEphemeralPorts": {
      			"Type": "AWS::EC2::NetworkAclEntry",
      			"Properties": {
      				"NetworkAclId": {"Ref": "NetworkAclPublicVarnish"},
      				"RuleNumber": "200",
      				"Protocol": "6",
      				"PortRange": {
      					"From": "1024",
      					"To": "65535"
      				},
      				"RuleAction": "allow",
      				"Egress": "true",
      				"CidrBlock": "0.0.0.0/0"
      			}
      		},
      
    • Create the private subnet (the RoutePrivateApacheToInternet route in this fragment points at a NatServer instance that is not defined anywhere in this post; the complete stack below leaves that route out, so the private subnet has no route to the internet)

      		"SubnetPrivateApache": {
      			"Type": "AWS::EC2::Subnet",
      			"Properties": {
      				"AvailabilityZone": {"Fn::Select": ["0", {"Fn::GetAZs": ""}]},
      				"CidrBlock": "10.0.3.0/24",
      				"VpcId": {"Ref": "VPC"}
      			}
      		},
      		"RouteTablePrivateApache": {
      			"Type": "AWS::EC2::RouteTable",
      			"Properties": {
      				"VpcId": {"Ref": "VPC"}
      			}
      		},
      		"RouteTableAssociationPrivateApache": {
      			"Type": "AWS::EC2::SubnetRouteTableAssociation",
      			"Properties": {
      				"SubnetId": {"Ref": "SubnetPrivateApache"},
      				"RouteTableId": {"Ref": "RouteTablePrivateApache"}
      			}
      		},
      		"RoutePrivateApacheToInternet": {
      			"Type": "AWS::EC2::Route",
      			"Properties": {
      				"RouteTableId": {"Ref": "RouteTablePrivateApache"},
      				"DestinationCidrBlock": "0.0.0.0/0",
      				"InstanceId": {"Ref": "NatServer"}
      			}
      		},
      		"NetworkAclPrivateApache": {
      			"Type": "AWS::EC2::NetworkAcl",
      			"Properties": {
      				"VpcId": {"Ref": "VPC"}
      			}
      		},
      		"SubnetNetworkAclAssociationPrivateApache": {
      			"Type": "AWS::EC2::SubnetNetworkAclAssociation",
      			"Properties": {
      				"SubnetId": {"Ref": "SubnetPrivateApache"},
      				"NetworkAclId": {"Ref": "NetworkAclPrivateApache"}
      			}
      		},
      		"NetworkAclEntryInPrivateApacheSSH": {
      			"Type": "AWS::EC2::NetworkAclEntry",
      			"Properties": {
      				"NetworkAclId": {"Ref": "NetworkAclPrivateApache"},
      				"RuleNumber": "100",
      				"Protocol": "6",
      				"PortRange": {
      					"From": "22",
      					"To": "22"
      				},
      				"RuleAction": "allow",
      				"Egress": "false",
      				"CidrBlock": "10.0.1.0/24"
      			}
      		},
      		"NetworkAclEntryInPrivateApacheHTTP": {
      			"Type": "AWS::EC2::NetworkAclEntry",
      			"Properties": {
      				"NetworkAclId": {"Ref": "NetworkAclPrivateApache"},
      				"RuleNumber": "110",
      				"Protocol": "6",
      				"PortRange": {
      					"From": "80",
      					"To": "80"
      				},
      				"RuleAction": "allow",
      				"Egress": "false",
      				"CidrBlock": "10.0.2.0/24"
      			}
      		},
      		"NetworkAclEntryInPrivateApacheEphemeralPorts": {
      			"Type": "AWS::EC2::NetworkAclEntry",
      			"Properties": {
      				"NetworkAclId": {"Ref": "NetworkAclPrivateApache"},
      				"RuleNumber": "200",
      				"Protocol": "6",
      				"PortRange": {
      					"From": "1024",
      					"To": "65535"
      				},
      				"RuleAction": "allow",
      				"Egress": "false",
      				"CidrBlock": "0.0.0.0/0"
      			}
      		},
      		"NetworkAclEntryOutPrivateApacheHTTP": {
      			"Type": "AWS::EC2::NetworkAclEntry",
      			"Properties": {
      				"NetworkAclId": {"Ref": "NetworkAclPrivateApache"},
      				"RuleNumber": "100",
      				"Protocol": "6",
      				"PortRange": {
      					"From": "80",
      					"To": "80"
      				},
      				"RuleAction": "allow",
      				"Egress": "true",
      				"CidrBlock": "0.0.0.0/0"
      			}
      		},
      		"NetworkAclEntryOutPrivateApacheHTTPS": {
      			"Type": "AWS::EC2::NetworkAclEntry",
      			"Properties": {
      				"NetworkAclId": {"Ref": "NetworkAclPrivateApache"},
      				"RuleNumber": "110",
      				"Protocol": "6",
      				"PortRange": {
      					"From": "443",
      					"To": "443"
      				},
      				"RuleAction": "allow",
      				"Egress": "true",
      				"CidrBlock": "0.0.0.0/0"
      			}
      		},
      		"NetworkAclEntryOutPrivateApacheEphemeralPorts": {
      			"Type": "AWS::EC2::NetworkAclEntry",
      			"Properties": {
      				"NetworkAclId": {"Ref": "NetworkAclPrivateApache"},
      				"RuleNumber": "200",
      				"Protocol": "6",
      				"PortRange": {
      					"From": "1024",
      					"To": "65535"
      				},
      				"RuleAction": "allow",
      				"Egress": "true",
      				"CidrBlock": "10.0.0.0/16"
      			}
      		},
      
    • Create the complete AWS stack. Note that the SecurityGroup attached to all three instances allows all traffic in and out (IpProtocol -1 from and to 0.0.0.0/0), so in this lab every filtering decision rests on the network ACLs defined above.

      {
      	"AWSTemplateFormatVersion": "2010-09-09",
      	"Description": "(VPC)",
      	"Parameters": {
      		"KeyName": {
      			"Description": "Key Pair name",
      			"Type": "AWS::EC2::KeyPair::KeyName",
      			"Default": "my-cli-key"
      		}
      	},
      	"Mappings": {
      		"EC2RegionMap": {
      			"ap-northeast-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-cbf90ecb", "AmazonLinuxNATAMIHVMEBSBacked64bit": "ami-03cf3903"},
      			"ap-southeast-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-68d8e93a", "AmazonLinuxNATAMIHVMEBSBacked64bit": "ami-b49dace6"},
      			"ap-southeast-2": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-fd9cecc7", "AmazonLinuxNATAMIHVMEBSBacked64bit": "ami-e7ee9edd"},
      			"eu-central-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-a8221fb5", "AmazonLinuxNATAMIHVMEBSBacked64bit": "ami-46073a5b"},
      			"eu-west-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-a10897d6", "AmazonLinuxNATAMIHVMEBSBacked64bit": "ami-6975eb1e"},
      			"sa-east-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-b52890a8", "AmazonLinuxNATAMIHVMEBSBacked64bit": "ami-fbfa41e6"},
      			"us-east-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-1ecae776", "AmazonLinuxNATAMIHVMEBSBacked64bit": "ami-303b1458"},
      			"us-west-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-d114f295", "AmazonLinuxNATAMIHVMEBSBacked64bit": "ami-7da94839"},
      			"us-west-2": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-e7527ed7", "AmazonLinuxNATAMIHVMEBSBacked64bit": "ami-69ae8259"}
      		}
      	},
      	"Resources": {
      		"SecurityGroup": {
      			"Type": "AWS::EC2::SecurityGroup",
      			"Properties": {
      				"GroupDescription": "My security group",
      				"VpcId": {"Ref": "VPC"}
      			}
      		},
      		"SecurityGroupIngress": {
      			"Type": "AWS::EC2::SecurityGroupIngress",
      			"Properties":{
      				"IpProtocol": "-1",
      				"FromPort": "-1",
      				"ToPort": "-1",
      				"CidrIp": "0.0.0.0/0",
      				"GroupId": {"Ref": "SecurityGroup"}
      			}
      		},
      		"SecurityGroupEgress": {
      			"Type": "AWS::EC2::SecurityGroupEgress",
      			"Properties":{
      				"IpProtocol": "-1",
      				"FromPort": "-1",
      				"ToPort": "-1",
      				"CidrIp": "0.0.0.0/0",
      				"GroupId": {"Ref": "SecurityGroup"}
      			}
      		},
      		"VPC": {
      			"Type": "AWS::EC2::VPC",
      			"Properties": {
      				"CidrBlock": "10.0.0.0/16",
      				"EnableDnsHostnames": "true"
      			}
      		},
      		"InternetGateway": {
      			"Type": "AWS::EC2::InternetGateway",
      			"Properties": {
      			}
      		},
      		"VPCGatewayAttachment": {
      			"Type": "AWS::EC2::VPCGatewayAttachment",
      			"Properties": {
      				"VpcId": {"Ref": "VPC"},
      				"InternetGatewayId": {"Ref": "InternetGateway"}
      			}
      		},
      		"SubnetPublicSSHBastion": {
      			"Type": "AWS::EC2::Subnet",
      			"Properties": {
      				"AvailabilityZone": {"Fn::Select": ["0", {"Fn::GetAZs": ""}]},
      				"CidrBlock": "10.0.1.0/24",
      				"VpcId": {"Ref": "VPC"}
      			}
      		},
      		"RouteTablePublicSSHBastion": {
      			"Type": "AWS::EC2::RouteTable",
      			"Properties": {
      				"VpcId": {"Ref": "VPC"}
      			}
      		},
      		"RouteTableAssociationPublicSSHBastion": {
      			"Type": "AWS::EC2::SubnetRouteTableAssociation",
      			"Properties": {
      				"SubnetId": {"Ref": "SubnetPublicSSHBastion"},
      				"RouteTableId": {"Ref": "RouteTablePublicSSHBastion"}
      			}
      		},
      		"RoutePublicSSHBastionToInternet": {
      			"Type": "AWS::EC2::Route",
      			"Properties": {
      				"RouteTableId": {"Ref": "RouteTablePublicSSHBastion"},
      				"DestinationCidrBlock": "0.0.0.0/0",
      				"GatewayId": {"Ref": "InternetGateway"}
      			},
      			"DependsOn": "VPCGatewayAttachment"
      		},
      		"NetworkAclPublicSSHBastion": {
      			"Type": "AWS::EC2::NetworkAcl",
      			"Properties": {
      				"VpcId": {"Ref": "VPC"}
      			}
      		},
      		"SubnetNetworkAclAssociationPublicSSHBastion": {
      			"Type": "AWS::EC2::SubnetNetworkAclAssociation",
      			"Properties": {
      				"SubnetId": {"Ref": "SubnetPublicSSHBastion"},
      				"NetworkAclId": {"Ref": "NetworkAclPublicSSHBastion"}
      			}
      		},
      		"NetworkAclEntryInPublicSSHBastionSSH": {
      			"Type": "AWS::EC2::NetworkAclEntry",
      			"Properties": {
      				"NetworkAclId": {"Ref": "NetworkAclPublicSSHBastion"},
      				"RuleNumber": "100",
      				"Protocol": "6",
      				"PortRange": {
      					"From": "22",
      					"To": "22"
      				},
      				"RuleAction": "allow",
      				"Egress": "false",
      				"CidrBlock": "0.0.0.0/0"
      			}
      		},
      		"NetworkAclEntryInPublicSSHBastionEphemeralPorts": {
      			"Type": "AWS::EC2::NetworkAclEntry",
      			"Properties": {
      				"NetworkAclId": {"Ref": "NetworkAclPublicSSHBastion"},
      				"RuleNumber": "200",
      				"Protocol": "6",
      				"PortRange": {
      					"From": "1024",
      					"To": "65535"
      				},
      				"RuleAction": "allow",
      				"Egress": "false",
      				"CidrBlock": "10.0.0.0/16"
      			}
      		},
      		"NetworkAclEntryOutPublicSSHBastionSSH": {
      			"Type": "AWS::EC2::NetworkAclEntry",
      			"Properties": {
      				"NetworkAclId": {"Ref": "NetworkAclPublicSSHBastion"},
      				"RuleNumber": "100",
      				"Protocol": "6",
      				"PortRange": {
      					"From": "22",
      					"To": "22"
      				},
      				"RuleAction": "allow",
      				"Egress": "true",
      				"CidrBlock": "10.0.0.0/16"
      			}
      		},
      		"NetworkAclEntryOutPublicSSHBastionEphemeralPorts": {
      			"Type": "AWS::EC2::NetworkAclEntry",
      			"Properties": {
      				"NetworkAclId": {"Ref": "NetworkAclPublicSSHBastion"},
      				"RuleNumber": "200",
      				"Protocol": "6",
      				"PortRange": {
      					"From": "1024",
      					"To": "65535"
      				},
      				"RuleAction": "allow",
      				"Egress": "true",
      				"CidrBlock": "0.0.0.0/0"
      			}
      		},
      		"SubnetPublicVarnish": {
      			"Type": "AWS::EC2::Subnet",
      			"Properties": {
      				"AvailabilityZone": {"Fn::Select": ["0", {"Fn::GetAZs": ""}]},
      				"CidrBlock": "10.0.2.0/24",
      				"VpcId": {"Ref": "VPC"}
      			}
      		},
      		"RouteTablePublicVarnish": {
      			"Type": "AWS::EC2::RouteTable",
      			"Properties": {
      				"VpcId": {"Ref": "VPC"}
      			}
      		},
      		"RouteTableAssociationPublicVarnish": {
      			"Type": "AWS::EC2::SubnetRouteTableAssociation",
      			"Properties": {
      				"SubnetId": {"Ref": "SubnetPublicVarnish"},
      				"RouteTableId": {"Ref": "RouteTablePublicVarnish"}
      			}
      		},
      		"RoutePublicVarnishToInternet": {
      			"Type": "AWS::EC2::Route",
      			"Properties": {
      				"RouteTableId": {"Ref": "RouteTablePublicVarnish"},
      				"DestinationCidrBlock": "0.0.0.0/0",
      				"GatewayId": {"Ref": "InternetGateway"}
      			},
      			"DependsOn": "VPCGatewayAttachment"
      		},
      		"NetworkAclPublicVarnish": {
      			"Type": "AWS::EC2::NetworkAcl",
      			"Properties": {
      				"VpcId": {"Ref": "VPC"}
      			}
      		},
      		"SubnetNetworkAclAssociationPublicVarnish": {
      			"Type": "AWS::EC2::SubnetNetworkAclAssociation",
      			"Properties": {
      				"SubnetId": {"Ref": "SubnetPublicVarnish"},
      				"NetworkAclId": {"Ref": "NetworkAclPublicVarnish"}
      			}
      		},
      		"NetworkAclEntryInPublicVarnishSSH": {
      			"Type": "AWS::EC2::NetworkAclEntry",
      			"Properties": {
      				"NetworkAclId": {"Ref": "NetworkAclPublicVarnish"},
      				"RuleNumber": "100",
      				"Protocol": "6",
      				"PortRange": {
      					"From": "22",
      					"To": "22"
      				},
      				"RuleAction": "allow",
      				"Egress": "false",
      				"CidrBlock": "10.0.1.0/24"
      			}
      		},
      		"NetworkAclEntryInPublicVarnishHTTP": {
      			"Type": "AWS::EC2::NetworkAclEntry",
      			"Properties": {
      				"NetworkAclId": {"Ref": "NetworkAclPublicVarnish"},
      				"RuleNumber": "110",
      				"Protocol": "6",
      				"PortRange": {
      					"From": "80",
      					"To": "80"
      				},
      				"RuleAction": "allow",
      				"Egress": "false",
      				"CidrBlock": "0.0.0.0/0"
      			}
      		},
      		"NetworkAclEntryInPublicVarnishEphemeralPorts": {
      			"Type": "AWS::EC2::NetworkAclEntry",
      			"Properties": {
      				"NetworkAclId": {"Ref": "NetworkAclPublicVarnish"},
      				"RuleNumber": "200",
      				"Protocol": "6",
      				"PortRange": {
      					"From": "1024",
      					"To": "65535"
      				},
      				"RuleAction": "allow",
      				"Egress": "false",
      				"CidrBlock": "0.0.0.0/0"
      			}
      		},
      		"NetworkAclEntryOutPublicVarnishHTTP": {
      			"Type": "AWS::EC2::NetworkAclEntry",
      			"Properties": {
      				"NetworkAclId": {"Ref": "NetworkAclPublicVarnish"},
      				"RuleNumber": "100",
      				"Protocol": "6",
      				"PortRange": {
      					"From": "80",
      					"To": "80"
      				},
      				"RuleAction": "allow",
      				"Egress": "true",
      				"CidrBlock": "0.0.0.0/0"
      			}
      		},
      		"NetworkAclEntryOutPublicVarnishHTTPS": {
      			"Type": "AWS::EC2::NetworkAclEntry",
      			"Properties": {
      				"NetworkAclId": {"Ref": "NetworkAclPublicVarnish"},
      				"RuleNumber": "110",
      				"Protocol": "6",
      				"PortRange": {
      					"From": "443",
      					"To": "443"
      				},
      				"RuleAction": "allow",
      				"Egress": "true",
      				"CidrBlock": "0.0.0.0/0"
      			}
      		},
      		"NetworkAclEntryOutPublicVarnishEphemeralPorts": {
      			"Type": "AWS::EC2::NetworkAclEntry",
      			"Properties": {
      				"NetworkAclId": {"Ref": "NetworkAclPublicVarnish"},
      				"RuleNumber": "200",
      				"Protocol": "6",
      				"PortRange": {
      					"From": "1024",
      					"To": "65535"
      				},
      				"RuleAction": "allow",
      				"Egress": "true",
      				"CidrBlock": "0.0.0.0/0"
      			}
      		},
      		"SubnetPrivateApache": {
      			"Type": "AWS::EC2::Subnet",
      			"Properties": {
      				"AvailabilityZone": {"Fn::Select": ["0", {"Fn::GetAZs": ""}]},
      				"CidrBlock": "10.0.3.0/24",
      				"VpcId": {"Ref": "VPC"}
      			}
      		},
      		"RouteTablePrivateApache": {
      			"Type": "AWS::EC2::RouteTable",
      			"Properties": {
      				"VpcId": {"Ref": "VPC"}
      			}
      		},
      		"RouteTableAssociationPrivateApache": {
      			"Type": "AWS::EC2::SubnetRouteTableAssociation",
      			"Properties": {
      				"SubnetId": {"Ref": "SubnetPrivateApache"},
      				"RouteTableId": {"Ref": "RouteTablePrivateApache"}
      			}
      		},
      		"NetworkAclPrivateApache": {
      			"Type": "AWS::EC2::NetworkAcl",
      			"Properties": {
      				"VpcId": {"Ref": "VPC"}
      			}
      		},
      		"SubnetNetworkAclAssociationPrivateApache": {
      			"Type": "AWS::EC2::SubnetNetworkAclAssociation",
      			"Properties": {
      				"SubnetId": {"Ref": "SubnetPrivateApache"},
      				"NetworkAclId": {"Ref": "NetworkAclPrivateApache"}
      			}
      		},
      		"NetworkAclEntryInPrivateApacheSSH": {
      			"Type": "AWS::EC2::NetworkAclEntry",
      			"Properties": {
      				"NetworkAclId": {"Ref": "NetworkAclPrivateApache"},
      				"RuleNumber": "100",
      				"Protocol": "6",
      				"PortRange": {
      					"From": "22",
      					"To": "22"
      				},
      				"RuleAction": "allow",
      				"Egress": "false",
      				"CidrBlock": "10.0.1.0/24"
      			}
      		},
      		"NetworkAclEntryInPrivateApacheHTTP": {
      			"Type": "AWS::EC2::NetworkAclEntry",
      			"Properties": {
      				"NetworkAclId": {"Ref": "NetworkAclPrivateApache"},
      				"RuleNumber": "110",
      				"Protocol": "6",
      				"PortRange": {
      					"From": "80",
      					"To": "80"
      				},
      				"RuleAction": "allow",
      				"Egress": "false",
      				"CidrBlock": "10.0.2.0/24"
      			}
      		},
      		"NetworkAclEntryInPrivateApacheEphemeralPorts": {
      			"Type": "AWS::EC2::NetworkAclEntry",
      			"Properties": {
      				"NetworkAclId": {"Ref": "NetworkAclPrivateApache"},
      				"RuleNumber": "200",
      				"Protocol": "6",
      				"PortRange": {
      					"From": "1024",
      					"To": "65535"
      				},
      				"RuleAction": "allow",
      				"Egress": "false",
      				"CidrBlock": "0.0.0.0/0"
      			}
      		},
      		"NetworkAclEntryOutPrivateApacheHTTP": {
      			"Type": "AWS::EC2::NetworkAclEntry",
      			"Properties": {
      				"NetworkAclId": {"Ref": "NetworkAclPrivateApache"},
      				"RuleNumber": "100",
      				"Protocol": "6",
      				"PortRange": {
      					"From": "80",
      					"To": "80"
      				},
      				"RuleAction": "allow",
      				"Egress": "true",
      				"CidrBlock": "0.0.0.0/0"
      			}
      		},
      		"NetworkAclEntryOutPrivateApacheHTTPS": {
      			"Type": "AWS::EC2::NetworkAclEntry",
      			"Properties": {
      				"NetworkAclId": {"Ref": "NetworkAclPrivateApache"},
      				"RuleNumber": "110",
      				"Protocol": "6",
      				"PortRange": {
      					"From": "443",
      					"To": "443"
      				},
      				"RuleAction": "allow",
      				"Egress": "true",
      				"CidrBlock": "0.0.0.0/0"
      			}
      		},
      		"NetworkAclEntryOutPrivateApacheEphemeralPorts": {
      			"Type": "AWS::EC2::NetworkAclEntry",
      			"Properties": {
      				"NetworkAclId": {"Ref": "NetworkAclPrivateApache"},
      				"RuleNumber": "200",
      				"Protocol": "6",
      				"PortRange": {
      					"From": "1024",
      					"To": "65535"
      				},
      				"RuleAction": "allow",
      				"Egress": "true",
      				"CidrBlock": "10.0.0.0/16"
      			}
      		},
      		"BastionHost": {
      			"Type": "AWS::EC2::Instance",
      			"Properties": {
      				"ImageId": {"Fn::FindInMap": ["EC2RegionMap", {"Ref": "AWS::Region"}, "AmazonLinuxAMIHVMEBSBacked64bit"]},
      				"InstanceType": "t2.micro",
      				"KeyName": {"Ref": "KeyName"},
      				"NetworkInterfaces": [{
      					"AssociatePublicIpAddress": "true",
      					"DeleteOnTermination": "true",
      					"SubnetId": {"Ref": "SubnetPublicSSHBastion"},
      					"DeviceIndex": "0",
      					"GroupSet": [{"Ref": "SecurityGroup"}]
      				}]
      			},
      			"DependsOn": "VPCGatewayAttachment"
      		},
      		"VarnishServer": {
      			"Type": "AWS::EC2::Instance",
      			"Properties": {
      				"ImageId": {"Fn::FindInMap": ["EC2RegionMap", {"Ref": "AWS::Region"}, "AmazonLinuxAMIHVMEBSBacked64bit"]},
      				"InstanceType": "t2.micro",
      				"KeyName": {"Ref": "KeyName"},
      				"NetworkInterfaces": [{
      					"AssociatePublicIpAddress": "true",
      					"DeleteOnTermination": "true",
      					"SubnetId": {"Ref": "SubnetPublicVarnish"},
      					"DeviceIndex": "0",
      					"GroupSet": [{"Ref": "SecurityGroup"}]
      				}],
      				"UserData": {"Fn::Base64": {"Fn::Join": ["", [
      					"#!/bin/bash -ex\n",
      					"yum -y install varnish-3.0.7\n",
      					"cat > /etc/varnish/default.vcl << EOF\n",
      					"backend default {\n",
      					"  .host = \"", {"Fn::GetAtt": ["ApacheServer", "PrivateIp"]} ,"\";\n",
      					"  .port = \"80\";\n",
      					"}\n",
      					"EOF\n",
      					"sed -i.bak \"s/^VARNISH_LISTEN_PORT=.*/VARNISH_LISTEN_PORT=80/\" /etc/sysconfig/varnish\n",
      					"service varnish start\n",
      					"/opt/aws/bin/cfn-signal --stack ", {"Ref": "AWS::StackName"}, " --resource VarnishServer --region ", {"Ref": "AWS::Region"}, "\n"
      				]]}}
      			},
      			"DependsOn": "VPCGatewayAttachment"
      		},
      		"ApacheServer": {
      			"Type": "AWS::EC2::Instance",
      			"Properties": {
      				"ImageId": {"Fn::FindInMap": ["EC2RegionMap", {"Ref": "AWS::Region"}, "AmazonLinuxAMIHVMEBSBacked64bit"]},
      				"InstanceType": "t2.micro",
      				"KeyName": {"Ref": "KeyName"},
      				"NetworkInterfaces": [{
      					"AssociatePublicIpAddress": "false",
      					"DeleteOnTermination": "true",
      					"SubnetId": {"Ref": "SubnetPrivateApache"},
      					"DeviceIndex": "0",
      					"GroupSet": [{"Ref": "SecurityGroup"}]
      				}],
      				"UserData": {"Fn::Base64": {"Fn::Join": ["", [
      					"#!/bin/bash -ex\n",
      					"yum -y install httpd\n",
      					"service httpd start\n",
      					"/opt/aws/bin/cfn-signal --stack ", {"Ref": "AWS::StackName"}, " --resource ApacheServer --region ", {"Ref": "AWS::Region"}, "\n"
      				]]}}
      			}
      		}
      	},
      	"Outputs": {
      		"BastionHostPublicName": {
      			"Value": {"Fn::GetAtt": ["BastionHost", "PublicDnsName"]},
      			"Description": "connect via SSH as user ec2-user"
      		},
      		"VarnishServerPublicName": {
      			"Value": {"Fn::GetAtt": ["VarnishServer", "PublicDnsName"]},
      			"Description": "handles HTTP requests"
      		},
      		"VarnishServerPrivateIp": {
      			"Value": {"Fn::GetAtt": ["VarnishServer", "PrivateIp"]},
      			"Description": "connect via SSH from bastion host"
      		},
      		"ApacheServerPrivateIp": {
      			"Value": {"Fn::GetAtt": ["ApacheServer", "PrivateIp"]},
      			"Description": "connect via SSH from bastion host"
      		}
      	}
      }
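
Added example, not from the original post: a small static audit that reads a CloudFormation template of this shape and reports the allow-everything SecurityGroupIngress together with each subnet's ACL in the order the VPC evaluates it. EXAMPLE_TEMPLATE is a constructed miniature of the stack (the bastion subnet with its four ACL entries, plus a subnet deliberately left without an ACL association, which the full stack above does not do).

```python
"""Static audit of a CloudFormation template shaped like the stack above: flags security
groups that admit everything and lists each subnet's ACL entries in evaluation order."""
import json


def resources_of_type(template, rtype):
    return {name: r for name, r in template["Resources"].items() if r.get("Type") == rtype}


def ref(value):
    """Resolve {"Ref": "Logical"} to "Logical"; plain strings pass through unchanged."""
    return value["Ref"] if isinstance(value, dict) and "Ref" in value else value


def audit_security_groups(template):
    """A SecurityGroupIngress with IpProtocol -1 from 0.0.0.0/0 makes the group filter
    nothing, so every restriction in the stack then rests on the network ACLs."""
    findings = []
    for name, r in resources_of_type(template, "AWS::EC2::SecurityGroupIngress").items():
        p = r["Properties"]
        if str(p.get("IpProtocol")) == "-1" and p.get("CidrIp") == "0.0.0.0/0":
            findings.append(f"{name}: all protocols and ports inbound from 0.0.0.0/0 on {ref(p.get('GroupId', '?'))}")
    return findings


def acl_rules_by_subnet(template):
    """Map each subnet to its NetworkAclEntry list sorted the way AWS evaluates it:
    inbound and outbound separately, ascending RuleNumber, implicit deny after the last."""
    acl_of_subnet = {ref(r["Properties"]["SubnetId"]): ref(r["Properties"]["NetworkAclId"])
                     for r in resources_of_type(template, "AWS::EC2::SubnetNetworkAclAssociation").values()}
    entries = {}
    for name, r in resources_of_type(template, "AWS::EC2::NetworkAclEntry").items():
        p = r["Properties"]
        entries.setdefault(ref(p["NetworkAclId"]), []).append({
            "name": name, "rule": int(p["RuleNumber"]),
            "egress": str(p["Egress"]).lower() == "true",
            "ports": (int(p["PortRange"]["From"]), int(p["PortRange"]["To"])),
            "action": p["RuleAction"], "cidr": p["CidrBlock"]})
    return {subnet: sorted(entries.get(acl_of_subnet.get(subnet), []),
                           key=lambda e: (e["egress"], e["rule"]))
            for subnet in resources_of_type(template, "AWS::EC2::Subnet")}


def audit_acls(template):
    findings = []
    for subnet, rules in acl_rules_by_subnet(template).items():
        if not rules:
            findings.append(f"{subnet}: no custom network ACL associated (VPC default ACL applies)")
        for e in rules:
            if not e["egress"] and e["action"] == "allow" and e["cidr"] == "0.0.0.0/0" and e["ports"][0] < 1024:
                findings.append(f"{subnet}: {e['name']} exposes TCP {e['ports'][0]}-{e['ports'][1]} to the internet")
    return findings


def audit_template(template):
    return audit_security_groups(template) + audit_acls(template)


def audit_template_json(text):
    """Same audit on raw JSON text, e.g. audit_template_json(open('vpc.json').read())."""
    return audit_template(json.loads(text))


# Constructed miniature of the stack: bastion subnet with its ACL, plus a subnet that was
# never associated with an ACL (the complete stack above associates all three subnets).
def _entry(acl, num, lo, hi, egress, cidr):
    return {"Type": "AWS::EC2::NetworkAclEntry", "Properties": {
        "NetworkAclId": {"Ref": acl}, "RuleNumber": str(num), "Protocol": "6",
        "PortRange": {"From": str(lo), "To": str(hi)}, "RuleAction": "allow",
        "Egress": str(egress).lower(), "CidrBlock": cidr}}


EXAMPLE_TEMPLATE = {"AWSTemplateFormatVersion": "2010-09-09", "Resources": {
    "SecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"GroupDescription": "demo", "VpcId": {"Ref": "VPC"}}},
    "SecurityGroupIngress": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
        "IpProtocol": "-1", "FromPort": "-1", "ToPort": "-1", "CidrIp": "0.0.0.0/0", "GroupId": {"Ref": "SecurityGroup"}}},
    "SubnetPublicSSHBastion": {"Type": "AWS::EC2::Subnet", "Properties": {"CidrBlock": "10.0.1.0/24", "VpcId": {"Ref": "VPC"}}},
    "SubnetPrivateApache": {"Type": "AWS::EC2::Subnet", "Properties": {"CidrBlock": "10.0.3.0/24", "VpcId": {"Ref": "VPC"}}},
    "NetworkAclPublicSSHBastion": {"Type": "AWS::EC2::NetworkAcl", "Properties": {"VpcId": {"Ref": "VPC"}}},
    "SubnetNetworkAclAssociationPublicSSHBastion": {"Type": "AWS::EC2::SubnetNetworkAclAssociation", "Properties": {
        "SubnetId": {"Ref": "SubnetPublicSSHBastion"}, "NetworkAclId": {"Ref": "NetworkAclPublicSSHBastion"}}},
    "NetworkAclEntryInPublicSSHBastionSSH": _entry("NetworkAclPublicSSHBastion", 100, 22, 22, False, "0.0.0.0/0"),
    "NetworkAclEntryInPublicSSHBastionEphemeralPorts": _entry("NetworkAclPublicSSHBastion", 200, 1024, 65535, False, "10.0.0.0/16"),
    "NetworkAclEntryOutPublicSSHBastionSSH": _entry("NetworkAclPublicSSHBastion", 100, 22, 22, True, "10.0.0.0/16"),
    "NetworkAclEntryOutPublicSSHBastionEphemeralPorts": _entry("NetworkAclPublicSSHBastion", 200, 1024, 65535, True, "0.0.0.0/0"),
}}


if __name__ == "__main__":
    for finding in audit_template(EXAMPLE_TEMPLATE):
        print("FINDING:", finding)
    for subnet, rules in acl_rules_by_subnet(EXAMPLE_TEMPLATE).items():
        print(subnet, [("out" if e["egress"] else "in", e["rule"], e["ports"], e["cidr"]) for e in rules])
```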
      
    • Test the result

      • Execution result

      • One thing to note
        Do not assume that the user for connecting to the EC2 server is always ec2-user; some AMIs use the ubuntu user.
        It is best to confirm on the EC2 server's connect screen.

      • SSH access to the Apache server (private subnet) through the bastion host
        ssh -A ubuntu@ec2-13-230-4-241.ap-northeast-1.compute.amazonaws.com logs in to the bastion host with agent forwarding (-A).
        ssh 10.0.3.198 then reaches the Apache host in the private subnet directly, using the forwarded key.

        Dell@DESKTOP-DHMQMJG MINGW64 /
        $ eval `ssh-agent`
        Agent pid 2195
        
        Dell@DESKTOP-DHMQMJG MINGW64 /
        $ ssh-add ~/.ssh/my-cli-key.pem
        Identity added: /c/Users/Dell/.ssh/my-cli-key.pem (/c/Users/Dell/.ssh/my-cli-key.pem)
        
        Dell@DESKTOP-DHMQMJG MINGW64 /
        $ ssh -A ubuntu@ec2-13-230-4-241.ap-northeast-1.compute.amazonaws.com
        Welcome to Ubuntu 24.04.1 LTS (GNU/Linux 6.8.0-1016-aws x86_64)
        
        ubuntu@ip-10-0-1-169:~$ ssh 10.0.3.198
        Welcome to Ubuntu 24.04.1 LTS (GNU/Linux 6.8.0-1016-aws x86_64)
        
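The session above reaches the private host with ssh -A, which exposes the local agent socket to the bastion for the duration of the login. The following added example (not code from the original post) does the same hop with ProxyJump (ssh -J), so the key stays on the workstation, and it refuses to jump to any address outside the VPC CidrBlock of the template (10.0.0.0/16). The bastion DNS name, the Apache private IP, the ubuntu user and the key path are the ones shown in the post's session; the function names and the checks are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: hop through the bastion with
# ProxyJump instead of agent forwarding, and sanity-check the target address
# against the VPC CIDR before printing the command.

VPC_CIDR=10.0.0.0/16   # CidrBlock of the VPC resource in the template

# Dotted-quad IPv4 address -> 32-bit integer (POSIX sh arithmetic only).
ip_to_int() {
    _oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$_oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeeds (exit 0) when address $1 lies inside the CIDR block $2.
in_cidr() {
    _net=${2%/*}
    _bits=${2#*/}
    _mask=$(( (4294967295 << (32 - _bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & _mask )) -eq $(( $(ip_to_int "$_net") & _mask )) ]
}

# Print the ssh command that jumps through the bastion to a private host.
# $1 bastion user, $2 bastion public DNS name, $3 target user, $4 target private IP
jump_cmd() {
    if ! in_cidr "$4" "$VPC_CIDR"; then
        echo "refusing: $4 is outside $VPC_CIDR" >&2
        return 1
    fi
    echo "ssh -J $1@$2 $3@$4"
}

# Equivalent ~/.ssh/config fragment. ForwardAgent stays off, so the private key
# is never reachable from the bastion; every 10.0.x.x host is reached via the jump.
# $1 bastion public DNS name, $2 login user (ubuntu for the AMI used in the post)
ssh_config_fragment() {
    cat <<EOF
Host bastion
    HostName $1
    User $2
    IdentityFile ~/.ssh/my-cli-key.pem
    ForwardAgent no

Host 10.0.*.*
    User $2
    IdentityFile ~/.ssh/my-cli-key.pem
    ProxyJump bastion
EOF
}

# Values from the post's session: bastion public DNS name and Apache private IP
jump_cmd ubuntu ec2-13-230-4-241.ap-northeast-1.compute.amazonaws.com ubuntu 10.0.3.198
ssh_config_fragment ec2-13-230-4-241.ap-northeast-1.compute.amazonaws.com ubuntu
```

With the config fragment in place, ssh 10.0.3.198 from the workstation behaves like the two-step login in the session above, except that the bastion only relays the TCP connection and never sees the agent.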
      • Accessing the Apache server (private subnet) over HTTP through the Varnish reverse proxy

        ubuntu@ip-10-0-1-169:~$ ssh ec2-52-195-182-135.ap-northeast-1.compute.amazonaws.com
        The authenticity of host 'ec2-52-195-182-135.ap-northeast-1.compute.amazonaws.com (10.0.2.170)' can't be established.
        ED25519 key fingerprint is SHA256:r4A9nVkEUhL1ovBuKc90hnYZUNilz/xxFKlPYj0kyOQ.
        
