AWS (Study Notes, Lesson 7): Using a NAT server for a private subnet


What this lesson covers:

  • Using a NAT server for a private subnet in AWS

1. Using a NAT server for a private subnet in AWS

Looking at the network diagram of the previous example, one problem stands out: the Apache server in the private subnet cannot reach the internet. When it needs a software update, for instance, or has to call some other web service, no internet access is possible. So is there a way to keep the Apache server hidden behind the bastion host (with no public IP address) while still letting it reach the internet? The solution is NAT.


  1. First, what NAT is
    • Reference reading

      • A comprehensive analysis of NAT
      • SNAT and DNAT
    • The concept of NAT
      Network Address Translation (NAT) is a networking technique for translating IP addresses between different networks. It mainly addresses the shortage of IPv4 addresses, and it can also strengthen network security and improve network performance. By configuring NAT on a router or firewall, IP addresses are translated between a private network and the public network, which hides the real topology of the internal network.

      • Static NAT
        Static NAT: a one-to-one mapping of one private IP address to one public IP address.
      • Dynamic NAT
        Public IP addresses are assigned to private IP addresses dynamically, so that many private IP addresses can share a small number of public IP addresses.
    • SNAT and DNAT

      • SNAT
        SNAT is also called source address translation. When an internal host accesses the outside, the internal IP address that initiates the access is translated to a designated IP address (a specific service and the corresponding port or port range can be specified). This lets hosts that use reserved (private) IP addresses on the internal network reach external networks; in other words, many internal hosts can reach the outside through a single valid public IP address.
        • When a packet travels from the private network to the public network, SNAT rewrites the packet's source address from the private IP to the public IP.
        • When the corresponding reply travels from the public network back to the private network, the packet's destination address is rewritten from the public IP to the private IP.
      • DNAT
        DNAT is also called destination address translation. It maps a web server on the private network to a public IP, so that hosts on the public network can reach it using that public IP as the destination address.
        • When a packet travels from the outside to the private network, DNAT rewrites the packet's destination address from the public IP to the private IP.
        • When the corresponding reply travels from the private network to the public network, the packet's source address is rewritten from the private IP to the public IP.
    • NAT in AWS

      • The network structure after the change
        In this structure, the Apache server in the private subnet has no direct route to the internet. Traffic bound for the internet (the default route, 0.0.0.0/0) is routed to the NAT server in the public subnet; after the NAT server translates the addresses, the Apache server can reach the internet just the same.
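The SNAT and DNAT behaviour described above, as an added example that is not part of the original post: a connection-tracking NAT that plays the role of the NAT server for hosts in the private subnet, with a static DNAT forward rule included for completeness. All addresses are constructed (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges); the private host 10.0.3.10 sits in the 10.0.3.0/24 range that the template assigns to SubnetPrivateApache.

```python
# Added example, not from the original post: a connection-tracking NAT that
# models what the NAT server does for hosts in the private subnet.
# All addresses below are constructed (documentation ranges on the public side).
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatGateway:
    """SNAT with a connection-tracking table, plus optional static DNAT forwards."""

    def __init__(self, public_ip, private_prefix="10.0.", first_port=1024, last_port=65535):
        self.public_ip = public_ip
        self.private_prefix = private_prefix  # the VPC CIDR 10.0.0.0/16, as a prefix test
        self.next_port = first_port
        self.last_port = last_port
        self.flows = {}     # public_port -> (priv_ip, priv_port, dst_ip, dst_port)
        self.by_flow = {}   # (priv_ip, priv_port, dst_ip, dst_port) -> public_port
        self.forwards = {}  # public_port -> (priv_ip, priv_port): static DNAT rules
        self.dropped = 0

    def add_forward(self, public_port, private_ip, private_port):
        """DNAT rule: traffic to public_ip:public_port is delivered to a private server."""
        self.forwards[public_port] = (private_ip, private_port)

    def _allocate_port(self):
        while self.next_port in self.flows or self.next_port in self.forwards:
            self.next_port += 1
        if self.next_port > self.last_port:
            raise RuntimeError("translation port pool exhausted")
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, pkt):
        """Private host -> internet: rewrite the source to the public address."""
        if not pkt.src_ip.startswith(self.private_prefix):
            raise ValueError(f"{pkt.src_ip} is not a private source")
        # A reply from a DNAT'd server keeps the public port the client connected to.
        for pub_port, target in self.forwards.items():
            if target == (pkt.src_ip, pkt.src_port):
                return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.by_flow.get(key)
        if port is None:  # new flow: give it its own public port
            port = self._allocate_port()
            self.by_flow[key] = port
            self.flows[port] = key
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Internet -> public address: translate only DNAT rules or tracked flows."""
        if pkt.dst_ip != self.public_ip:
            self.dropped += 1
            return None
        if pkt.dst_port in self.forwards:  # DNAT: a published service
            priv_ip, priv_port = self.forwards[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)
        entry = self.flows.get(pkt.dst_port)  # SNAT: reply to a tracked flow
        if entry is None or (entry[2], entry[3]) != (pkt.src_ip, pkt.src_port):
            self.dropped += 1  # unsolicited, or not from the flow's peer
            return None
        priv_ip, priv_port, _, _ = entry
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)


NAT_PUBLIC_IP = "203.0.113.10"  # constructed: public address of the NAT server
APACHE_IP = "10.0.3.10"         # constructed: a host in SubnetPrivateApache (10.0.3.0/24)
OTHER_IP = "10.0.3.11"          # constructed: a second private host
MIRROR_IP = "198.51.100.5"      # constructed: a package mirror on the internet


def demo():
    gw = NatGateway(NAT_PUBLIC_IP)
    # Two private hosts use the same source port towards the same mirror;
    # the gateway gives each flow its own public port.
    out1 = gw.outbound(Packet(APACHE_IP, 40001, MIRROR_IP, 443))
    out2 = gw.outbound(Packet(OTHER_IP, 40001, MIRROR_IP, 443))
    # The mirror answers the translated addresses; replies are mapped back.
    back1 = gw.inbound(Packet(MIRROR_IP, 443, NAT_PUBLIC_IP, out1.src_port))
    back2 = gw.inbound(Packet(MIRROR_IP, 443, NAT_PUBLIC_IP, out2.src_port))
    # A connection attempt at the public IP with no tracked flow is dropped:
    # this is why the private Apache server stays unreachable from outside.
    stray = gw.inbound(Packet("198.51.100.99", 5555, NAT_PUBLIC_IP, 80))
    return gw, out1, out2, back1, back2, stray


if __name__ == "__main__":
    gw, out1, out2, back1, back2, stray = demo()
    print(out1, out2, back1, back2, stray, "dropped =", gw.dropped)
```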
    • Define the NAT server and the Apache server's route to it

      • Define the subnet the NAT server lives in

        		"SubnetPublicNAT": {
        			"Type": "AWS::EC2::Subnet",
        			"Properties": {
        				"AvailabilityZone": {"Fn::Select": ["0", {"Fn::GetAZs": ""}]},
        				"CidrBlock": "10.0.0.0/24",
        				"VpcId": {"Ref": "VPC"}
        			}
        		},
        		"RouteTablePublicNAT": {
        			"Type": "AWS::EC2::RouteTable",
        			"Properties": {
        				"VpcId": {"Ref": "VPC"}
        			}
        		},
        		"RouteTableAssociationPublicNAT": {
        			"Type": "AWS::EC2::SubnetRouteTableAssociation",
        			"Properties": {
        				"SubnetId": {"Ref": "SubnetPublicNAT"},
        				"RouteTableId": {"Ref": "RouteTablePublicNAT"}
        			}
        		},
        		"RoutePublicNATToInternet": {
        			"Type": "AWS::EC2::Route",
        			"Properties": {
        				"RouteTableId": {"Ref": "RouteTablePublicNAT"},
        				"DestinationCidrBlock": "0.0.0.0/0",
        				"GatewayId": {"Ref": "InternetGateway"}
        			},
        			"DependsOn": "VPCGatewayAttachment"
        		},
        		"NetworkAclPublicNAT": {
        			"Type": "AWS::EC2::NetworkAcl",
        			"Properties": {
        				"VpcId": {"Ref": "VPC"}
        			}
        		},
        		"SubnetNetworkAclAssociationPublicNAT": {
        			"Type": "AWS::EC2::SubnetNetworkAclAssociation",
        			"Properties": {
        				"SubnetId": {"Ref": "SubnetPublicNAT"},
        				"NetworkAclId": {"Ref": "NetworkAclPublicNAT"}
        			}
        		},
        		"NetworkAclEntryInPublicNATHTTP": {
        			"Type": "AWS::EC2::NetworkAclEntry",
        			"Properties": {
        				"NetworkAclId": {"Ref": "NetworkAclPublicNAT"},
        				"RuleNumber": "100",
        				"Protocol": "6",
        				"PortRange": {
        					"From": "80",
        					"To": "80"
        				},
        				"RuleAction": "allow",
        				"Egress": "false",
        				"CidrBlock": "10.0.0.0/16"
        			}
        		},
        		"NetworkAclEntryInPublicNATHTTPS": {
        			"Type": "AWS::EC2::NetworkAclEntry",
        			"Properties": {
        				"NetworkAclId": {"Ref": "NetworkAclPublicNAT"},
        				"RuleNumber": "110",
        				"Protocol": "6",
        				"PortRange": {
        					"From": "443",
        					"To": "443"
        				},
        				"RuleAction": "allow",
        				"Egress": "false",
        				"CidrBlock": "10.0.0.0/16"
        			}
        		},
        		"NetworkAclEntryInPublicNATEphemeralPorts": {
        			"Type": "AWS::EC2::NetworkAclEntry",
        			"Properties": {
        				"NetworkAclId": {"Ref": "NetworkAclPublicNAT"},
        				"RuleNumber": "200",
        				"Protocol": "6",
        				"PortRange": {
        					"From": "1024",
        					"To": "65535"
        				},
        				"RuleAction": "allow",
        				"Egress": "false",
        				"CidrBlock": "0.0.0.0/0"
        			}
        		},
        		"NetworkAclEntryOutPublicNATHTTP": {
        			"Type": "AWS::EC2::NetworkAclEntry",
        			"Properties": {
        				"NetworkAclId": {"Ref": "NetworkAclPublicNAT"},
        				"RuleNumber": "100",
        				"Protocol": "6",
        				"PortRange": {
        					"From": "80",
        					"To": "80"
        				},
        				"RuleAction": "allow",
        				"Egress": "true",
        				"CidrBlock": "0.0.0.0/0"
        			}
        		},
        		"NetworkAclEntryOutPublicNATHTTPS": {
        			"Type": "AWS::EC2::NetworkAclEntry",
        			"Properties": {
        				"NetworkAclId": {"Ref": "NetworkAclPublicNAT"},
        				"RuleNumber": "110",
        				"Protocol": "6",
        				"PortRange": {
        					"From": "443",
        					"To": "443"
        				},
        				"RuleAction": "allow",
        				"Egress": "true",
        				"CidrBlock": "0.0.0.0/0"
        			}
        		},
        		"NetworkAclEntryOutPublicNATEphemeralPorts": {
        			"Type": "AWS::EC2::NetworkAclEntry",
        			"Properties": {
        				"NetworkAclId": {"Ref": "NetworkAclPublicNAT"},
        				"RuleNumber": "200",
        				"Protocol": "6",
        				"PortRange": {
        					"From": "1024",
        					"To": "65535"
        				},
        				"RuleAction": "allow",
        				"Egress": "true",
        				"CidrBlock": "0.0.0.0/0"
        			}
        		},
        
      • Define the NAT server (note SourceDestCheck is set to false: a NAT instance forwards packets whose source or destination is not its own address, and EC2 drops such packets unless this check is disabled)

        		"NatServer": {
        			"Type": "AWS::EC2::Instance",
        			"Properties": {
        				"ImageId": {"Fn::FindInMap": ["EC2RegionMap", {"Ref": "AWS::Region"}, "AmazonLinuxNATAMIHVMEBSBacked64bit"]},
        				"InstanceType": "t2.micro",
        				"KeyName": {"Ref": "KeyName"},
        				"NetworkInterfaces": [{
        					"AssociatePublicIpAddress": "true",
        					"DeleteOnTermination": "true",
        					"SubnetId": {"Ref": "SubnetPublicNAT"},
        					"DeviceIndex": "0",
        					"GroupSet": [{"Ref": "SecurityGroup"}]
        				}],
        				"SourceDestCheck": "false",
        				"UserData": {"Fn::Base64": {"Fn::Join": ["", [
        					"#!/bin/bash -ex\n",
        					"/opt/aws/bin/cfn-signal --stack ", {"Ref": "AWS::StackName"}, " --resource NatServer --region ", {"Ref": "AWS::Region"}, "\n"
        				]]}}
        			},
        			"DependsOn": "VPCGatewayAttachment"
        		},
        
      • Point the Apache server's internet route (0.0.0.0/0) at the NAT server

        		"RoutePrivateApacheToInternet": {
        			"Type": "AWS::EC2::Route",
        			"Properties": {
        				"RouteTableId": {"Ref": "RouteTablePrivateApache"},
        				"DestinationCidrBlock": "0.0.0.0/0",
        				"InstanceId": {"Ref": "NatServer"}
        			}
        		},
        
    • The complete CloudFormation template for the NAT implementation in AWS

      {
      	"AWSTemplateFormatVersion": "2010-09-09",
      	"Description": "(VPC)",
      	"Parameters": {
      		"KeyName": {
      			"Description": "Key Pair name",
      			"Type": "AWS::EC2::KeyPair::KeyName",
      			"Default": "my-cli-key"
      		}
      	},
      	"Mappings": {
      		"EC2RegionMap": {
      			"ap-northeast-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-03f584e50b2d32776", "AmazonLinuxNATAMIHVMEBSBacked64bit": "ami-03cf3903"},
      			"ap-southeast-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-68d8e93a", "AmazonLinuxNATAMIHVMEBSBacked64bit": "ami-b49dace6"},
      			"ap-southeast-2": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-fd9cecc7", "AmazonLinuxNATAMIHVMEBSBacked64bit": "ami-e7ee9edd"},
      			"eu-central-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-a8221fb5", "AmazonLinuxNATAMIHVMEBSBacked64bit": "ami-46073a5b"},
      			"eu-west-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-a10897d6", "AmazonLinuxNATAMIHVMEBSBacked64bit": "ami-6975eb1e"},
      			"sa-east-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-b52890a8", "AmazonLinuxNATAMIHVMEBSBacked64bit": "ami-fbfa41e6"},
      			"us-east-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-1ecae776", "AmazonLinuxNATAMIHVMEBSBacked64bit": "ami-303b1458"},
      			"us-west-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-d114f295", "AmazonLinuxNATAMIHVMEBSBacked64bit": "ami-7da94839"},
      			"us-west-2": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-e7527ed7", "AmazonLinuxNATAMIHVMEBSBacked64bit": "ami-69ae8259"}
      		}
      	},
      	"Resources": {
      		"SecurityGroup": {
      			"Type": "AWS::EC2::SecurityGroup",
      			"Properties": {
      				"GroupDescription": "My security group",
      				"VpcId": {"Ref": "VPC"}
      			}
      		},
      		"SecurityGroupIngress": {
      			"Type": "AWS::EC2::SecurityGroupIngress",
      			"Properties":{
      				"IpProtocol": "-1",
      				"FromPort": "-1",
      				"ToPort": "-1",
      				"CidrIp": "0.0.0.0/0",
      				"GroupId": {"Ref": "SecurityGroup"}
      			}
      		},
      		"SecurityGroupEgress": {
      			"Type": "AWS::EC2::SecurityGroupEgress",
      			"Properties":{
      				"IpProtocol": "-1",
      				"FromPort": "-1",
      				"ToPort": "-1",
      				"CidrIp": "0.0.0.0/0",
      				"GroupId": {"Ref": "SecurityGroup"}
      			}
      		},
      		"VPC": {
      			"Type": "AWS::EC2::VPC",
      			"Properties": {
      				"CidrBlock": "10.0.0.0/16",
      				"EnableDnsHostnames": "true"
      			}
      		},
      		"InternetGateway": {
      			"Type": "AWS::EC2::InternetGateway",
      			"Properties": {
      			}
      		},
      		"VPCGatewayAttachment": {
      			"Type": "AWS::EC2::VPCGatewayAttachment",
      			"Properties": {
      				"VpcId": {"Ref": "VPC"},
      				"InternetGatewayId": {"Ref": "InternetGateway"}
      			}
      		},
      		"SubnetPublicNAT": {
      			"Type": "AWS::EC2::Subnet",
      			"Properties": {
      				"AvailabilityZone": {"Fn::Select": ["0", {"Fn::GetAZs": ""}]},
      				"CidrBlock": "10.0.0.0/24",
      				"VpcId": {"Ref": "VPC"}
      			}
      		},
      		"RouteTablePublicNAT": {
      			"Type": "AWS::EC2::RouteTable",
      			"Properties": {
      				"VpcId": {"Ref": "VPC"}
      			}
      		},
      		"RouteTableAssociationPublicNAT": {
      			"Type": "AWS::EC2::SubnetRouteTableAssociation",
      			"Properties": {
      				"SubnetId": {"Ref": "SubnetPublicNAT"},
      				"RouteTableId": {"Ref": "RouteTablePublicNAT"}
      			}
      		},
      		"RoutePublicNATToInternet": {
      			"Type": "AWS::EC2::Route",
      			"Properties": {
      				"RouteTableId": {"Ref": "RouteTablePublicNAT"},
      				"DestinationCidrBlock": "0.0.0.0/0",
      				"GatewayId": {"Ref": "InternetGateway"}
      			},
      			"DependsOn": "VPCGatewayAttachment"
      		},
      		"NetworkAclPublicNAT": {
      			"Type": "AWS::EC2::NetworkAcl",
      			"Properties": {
      				"VpcId": {"Ref": "VPC"}
      			}
      		},
      		"SubnetNetworkAclAssociationPublicNAT": {
      			"Type": "AWS::EC2::SubnetNetworkAclAssociation",
      			"Properties": {
      				"SubnetId": {"Ref": "SubnetPublicNAT"},
      				"NetworkAclId": {"Ref": "NetworkAclPublicNAT"}
      			}
      		},
      		"NetworkAclEntryInPublicNATHTTP": {
      			"Type": "AWS::EC2::NetworkAclEntry",
      			"Properties": {
      				"NetworkAclId": {"Ref": "NetworkAclPublicNAT"},
      				"RuleNumber": "100",
      				"Protocol": "6",
      				"PortRange": {
      					"From": "80",
      					"To": "80"
      				},
      				"RuleAction": "allow",
      				"Egress": "false",
      				"CidrBlock": "10.0.0.0/16"
      			}
      		},
      		"NetworkAclEntryInPublicNATHTTPS": {
      			"Type": "AWS::EC2::NetworkAclEntry",
      			"Properties": {
      				"NetworkAclId": {"Ref": "NetworkAclPublicNAT"},
      				"RuleNumber": "110",
      				"Protocol": "6",
      				"PortRange": {
      					"From": "443",
      					"To": "443"
      				},
      				"RuleAction": "allow",
      				"Egress": "false",
      				"CidrBlock": "10.0.0.0/16"
      			}
      		},
      		"NetworkAclEntryInPublicNATEphemeralPorts": {
      			"Type": "AWS::EC2::NetworkAclEntry",
      			"Properties": {
      				"NetworkAclId": {"Ref": "NetworkAclPublicNAT"},
      				"RuleNumber": "200",
      				"Protocol": "6",
      				"PortRange": {
      					"From": "1024",
      					"To": "65535"
      				},
      				"RuleAction": "allow",
      				"Egress": "false",
      				"CidrBlock": "0.0.0.0/0"
      			}
      		},
      		"NetworkAclEntryOutPublicNATHTTP": {
      			"Type": "AWS::EC2::NetworkAclEntry",
      			"Properties": {
      				"NetworkAclId": {"Ref": "NetworkAclPublicNAT"},
      				"RuleNumber": "100",
      				"Protocol": "6",
      				"PortRange": {
      					"From": "80",
      					"To": "80"
      				},
      				"RuleAction": "allow",
      				"Egress": "true",
      				"CidrBlock": "0.0.0.0/0"
      			}
      		},
      		"NetworkAclEntryOutPublicNATHTTPS": {
      			"Type": "AWS::EC2::NetworkAclEntry",
      			"Properties": {
      				"NetworkAclId": {"Ref": "NetworkAclPublicNAT"},
      				"RuleNumber": "110",
      				"Protocol": "6",
      				"PortRange": {
      					"From": "443",
      					"To": "443"
      				},
      				"RuleAction": "allow",
      				"Egress": "true",
      				"CidrBlock": "0.0.0.0/0"
      			}
      		},
      		"NetworkAclEntryOutPublicNATEphemeralPorts": {
      			"Type": "AWS::EC2::NetworkAclEntry",
      			"Properties": {
      				"NetworkAclId": {"Ref": "NetworkAclPublicNAT"},
      				"RuleNumber": "200",
      				"Protocol": "6",
      				"PortRange": {
      					"From": "1024",
      					"To": "65535"
      				},
      				"RuleAction": "allow",
      				"Egress": "true",
      				"CidrBlock": "0.0.0.0/0"
      			}
      		},
      		"SubnetPublicSSHBastion": {
      			"Type": "AWS::EC2::Subnet",
      			"Properties": {
      				"AvailabilityZone": {"Fn::Select": ["0", {"Fn::GetAZs": ""}]},
      				"CidrBlock": "10.0.1.0/24",
      				"VpcId": {"Ref": "VPC"}
      			}
      		},
      		"RouteTablePublicSSHBastion": {
      			"Type": "AWS::EC2::RouteTable",
      			"Properties": {
      				"VpcId": {"Ref": "VPC"}
      			}
      		},
      		"RouteTableAssociationPublicSSHBastion": {
      			"Type": "AWS::EC2::SubnetRouteTableAssociation",
      			"Properties": {
      				"SubnetId": {"Ref": "SubnetPublicSSHBastion"},
      				"RouteTableId": {"Ref": "RouteTablePublicSSHBastion"}
      			}
      		},
      		"RoutePublicSSHBastionToInternet": {
      			"Type": "AWS::EC2::Route",
      			"Properties": {
      				"RouteTableId": {"Ref": "RouteTablePublicSSHBastion"},
      				"DestinationCidrBlock": "0.0.0.0/0",
      				"GatewayId": {"Ref": "InternetGateway"}
      			},
      			"DependsOn": "VPCGatewayAttachment"
      		},
      		"NetworkAclPublicSSHBastion": {
      			"Type": "AWS::EC2::NetworkAcl",
      			"Properties": {
      				"VpcId": {"Ref": "VPC"}
      			}
      		},
      		"SubnetNetworkAclAssociationPublicSSHBastion": {
      			"Type": "AWS::EC2::SubnetNetworkAclAssociation",
      			"Properties": {
      				"SubnetId": {"Ref": "SubnetPublicSSHBastion"},
      				"NetworkAclId": {"Ref": "NetworkAclPublicSSHBastion"}
      			}
      		},
      		"NetworkAclEntryInPublicSSHBastionSSH": {
      			"Type": "AWS::EC2::NetworkAclEntry",
      			"Properties": {
      				"NetworkAclId": {"Ref": "NetworkAclPublicSSHBastion"},
      				"RuleNumber": "100",
      				"Protocol": "6",
      				"PortRange": {
      					"From": "22",
      					"To": "22"
      				},
      				"RuleAction": "allow",
      				"Egress": "false",
      				"CidrBlock": "0.0.0.0/0"
      			}
      		},
      		"NetworkAclEntryInPublicSSHBastionEphemeralPorts": {
      			"Type": "AWS::EC2::NetworkAclEntry",
      			"Properties": {
      				"NetworkAclId": {"Ref": "NetworkAclPublicSSHBastion"},
      				"RuleNumber": "200",
      				"Protocol": "6",
      				"PortRange": {
      					"From": "1024",
      					"To": "65535"
      				},
      				"RuleAction": "allow",
      				"Egress": "false",
      				"CidrBlock": "10.0.0.0/16"
      			}
      		},
      		"NetworkAclEntryOutPublicSSHBastionSSH": {
      			"Type": "AWS::EC2::NetworkAclEntry",
      			"Properties": {
      				"NetworkAclId": {"Ref": "NetworkAclPublicSSHBastion"},
      				"RuleNumber": "100",
      				"Protocol": "6",
      				"PortRange": {
      					"From": "22",
      					"To": "22"
      				},
      				"RuleAction": "allow",
      				"Egress": "true",
      				"CidrBlock": "10.0.0.0/16"
      			}
      		},
      		"NetworkAclEntryOutPublicSSHBastionEphemeralPorts": {
      			"Type": "AWS::EC2::NetworkAclEntry",
      			"Properties": {
      				"NetworkAclId": {"Ref": "NetworkAclPublicSSHBastion"},
      				"RuleNumber": "200",
      				"Protocol": "6",
      				"PortRange": {
      					"From": "1024",
      					"To": "65535"
      				},
      				"RuleAction": "allow",
      				"Egress": "true",
      				"CidrBlock": "0.0.0.0/0"
      			}
      		},
      		"SubnetPublicVarnish": {
      			"Type": "AWS::EC2::Subnet",
      			"Properties": {
      				"AvailabilityZone": {"Fn::Select": ["0", {"Fn::GetAZs": ""}]},
      				"CidrBlock": "10.0.2.0/24",
      				"VpcId": {"Ref": "VPC"}
      			}
      		},
      		"RouteTablePublicVarnish": {
      			"Type": "AWS::EC2::RouteTable",
      			"Properties": {
      				"VpcId": {"Ref": "VPC"}
      			}
      		},
      		"RouteTableAssociationPublicVarnish": {
      			"Type": "AWS::EC2::SubnetRouteTableAssociation",
      			"Properties": {
      				"SubnetId": {"Ref": "SubnetPublicVarnish"},
      				"RouteTableId": {"Ref": "RouteTablePublicVarnish"}
      			}
      		},
      		"RoutePublicVarnishToInternet": {
      			"Type": "AWS::EC2::Route",
      			"Properties": {
      				"RouteTableId": {"Ref": "RouteTablePublicVarnish"},
      				"DestinationCidrBlock": "0.0.0.0/0",
      				"GatewayId": {"Ref": "InternetGateway"}
      			},
      			"DependsOn": "VPCGatewayAttachment"
      		},
      		"NetworkAclPublicVarnish": {
      			"Type": "AWS::EC2::NetworkAcl",
      			"Properties": {
      				"VpcId": {"Ref": "VPC"}
      			}
      		},
      		"SubnetNetworkAclAssociationPublicVarnish": {
      			"Type": "AWS::EC2::SubnetNetworkAclAssociation",
      			"Properties": {
      				"SubnetId": {"Ref": "SubnetPublicVarnish"},
      				"NetworkAclId": {"Ref": "NetworkAclPublicVarnish"}
      			}
      		},
      		"NetworkAclEntryInPublicVarnishSSH": {
      			"Type": "AWS::EC2::NetworkAclEntry",
      			"Properties": {
      				"NetworkAclId": {"Ref": "NetworkAclPublicVarnish"},
      				"RuleNumber": "100",
      				"Protocol": "6",
      				"PortRange": {
      					"From": "22",
      					"To": "22"
      				},
      				"RuleAction": "allow",
      				"Egress": "false",
      				"CidrBlock": "10.0.1.0/24"
      			}
      		},
      		"NetworkAclEntryInPublicVarnishHTTP": {
      			"Type": "AWS::EC2::NetworkAclEntry",
      			"Properties": {
      				"NetworkAclId": {"Ref": "NetworkAclPublicVarnish"},
      				"RuleNumber": "110",
      				"Protocol": "6",
      				"PortRange": {
      					"From": "80",
      					"To": "80"
      				},
      				"RuleAction": "allow",
      				"Egress": "false",
      				"CidrBlock": "0.0.0.0/0"
      			}
      		},
      		"NetworkAclEntryInPublicVarnishEphemeralPorts": {
      			"Type": "AWS::EC2::NetworkAclEntry",
      			"Properties": {
      				"NetworkAclId": {"Ref": "NetworkAclPublicVarnish"},
      				"RuleNumber": "200",
      				"Protocol": "6",
      				"PortRange": {
      					"From": "1024",
      					"To": "65535"
      				},
      				"RuleAction": "allow",
      				"Egress": "false",
      				"CidrBlock": "0.0.0.0/0"
      			}
      		},
      		"NetworkAclEntryOutPublicVarnishHTTP": {
      			"Type": "AWS::EC2::NetworkAclEntry",
      			"Properties": {
      				"NetworkAclId": {"Ref": "NetworkAclPublicVarnish"},
      				"RuleNumber": "100",
      				"Protocol": "6",
      				"PortRange": {
      					"From": "80",
      					"To": "81"
      				},
      				"RuleAction": "allow",
      				"Egress": "true",
      				"CidrBlock": "0.0.0.0/0"
      			}
      		},
      		"NetworkAclEntryOutPublicVarnishHTTPS": {
      			"Type": "AWS::EC2::NetworkAclEntry",
      			"Properties": {
      				"NetworkAclId": {"Ref": "NetworkAclPublicVarnish"},
      				"RuleNumber": "110",
      				"Protocol": "6",
      				"PortRange": {
      					"From": "443",
      					"To": "443"
      				},
      				"RuleAction": "allow",
      				"Egress": "true",
      				"CidrBlock": "0.0.0.0/0"
      			}
      		},
      		"NetworkAclEntryOutPublicVarnishEphemeralPorts": {
      			"Type": "AWS::EC2::NetworkAclEntry",
      			"Properties": {
      				"NetworkAclId": {"Ref": "NetworkAclPublicVarnish"},
      				"RuleNumber": "200",
      				"Protocol": "6",
      				"PortRange": {
      					"From": "1024",
      					"To": "65535"
      				},
      				"RuleAction": "allow",
      				"Egress": "true",
      				"CidrBlock": "0.0.0.0/0"
      			}
      		},
      		"SubnetPrivateApache": {
      			"Type": "AWS::EC2::Subnet",
      			"Properties": {
      				"AvailabilityZone": {"Fn::Select": ["0", {"Fn::GetAZs": ""}]},
      				"CidrBlock": "10.0.3.0/24",
      				"VpcId": {"Ref": "VPC"}
      			}
      		},
      		"RouteTablePrivateApache": {
      			"Type": "AWS::EC2::RouteTable",
      			"Properties": {
      				"VpcId": {"Ref": "VPC"}
      			}
      		},
      		"RouteTableAssociationPrivateApache": {
      			"Type": "AWS::EC2::SubnetRouteTableAssociation",
      			"Properties": {
      				"SubnetId": {"Ref": "SubnetPrivateApache"},
      				"RouteTableId": {"Ref": "RouteTablePrivateApache"}
      			}
      		},
      		"RoutePrivateApacheToInternet": {
      			"Type": "AWS::EC2::Route",
      			"Properties": {
      				"RouteTableId": {"Ref": "RouteTablePrivateApache"},
      				"DestinationCidrBlock": "0.0.0.0/0",
      				"InstanceId": {"Ref": "NatServer"}
      			}
      		},
      		"NetworkAclPrivateApache": {
      			"Type": "AWS::EC2::NetworkAcl",
      			"Properties": {
      				"VpcId": {"Ref": "VPC"}
      			}
      		},
      		"SubnetNetworkAclAssociationPrivateApache": {
      			"Type": "AWS::EC2::SubnetNetworkAclAssociation",
      			"Properties": {
      				"SubnetId": {"Ref": "SubnetPrivateApache"},
      				"NetworkAclId": {"Ref": "NetworkAclPrivateApache"}
      			}
      		},
      		"NetworkAclEntryInPrivateApacheSSH": {
      			"Type": "AWS::EC2::NetworkAclEntry",
      			"Properties": {
      				"NetworkAclId": {"Ref": "NetworkAclPrivateApache"},
      				"RuleNumber": "100",
      				"Protocol": "6",
      				"PortRange": {
      					"From": "22",
      					"To": "22"
      				},
      				"RuleAction": "allow",
      				"Egress": "false",
      				"CidrBlock": "10.0.1.0/24"
      			}
      		},
      		"NetworkAclEntryInPrivateApacheHTTP": {
      			"Type": "AWS::EC2::NetworkAclEntry",
      			"Properties": {
      				"NetworkAclId": {"Ref": "NetworkAclPrivateApache"},
      				"RuleNumber": "110",
      				"Protocol": "6",
      				"PortRange": {
      					"From": "80",
      					"To": "80"
      				},
      				"RuleAction": "allow",
      				"Egress": "false",
      				"CidrBlock": "10.0.2.0/24"
      			}
      		},
      		"NetworkAclEntryInPrivateApacheEphemeralPorts": {
      			"Type": "AWS::EC2::NetworkAclEntry",
      			"Properties": {
      				"NetworkAclId": {"Ref": "NetworkAclPrivateApache"},
      				"RuleNumber": "200",
      				"Protocol": "6",
      				"PortRange": {
      					"From": "1024",
      					"To": "65535"
      				},
      				"RuleAction": "allow",
      				"Egress": "false",
      				"CidrBlock": "0.0.0.0/0"
      			}
      		},
      		"NetworkAclEntryOutPrivateApacheHTTP": {
      			"Type": "AWS::EC2::NetworkAclEntry",
      			"Properties": {
      				"NetworkAclId": {"Ref": "NetworkAclPrivateApache"},
      				"RuleNumber": "100",
      				"Protocol": "6",
      				"PortRange": {
      					"From": "80",
      					"To": "80"
      				},
      				"RuleAction": "allow",
      				"Egress": "true",
      				"CidrBlock": "0.0.0.0/0"
      			}
      		},
      		"NetworkAclEntryOutPrivateApacheHTTPS": {
      			"Type": "AWS::EC2::NetworkAclEntry",
      			"Properties": {
      				"NetworkAclId": {"Ref": "NetworkAclPrivateApache"},
      				"RuleNumber": "110",
      				"Protocol": "6",
      				"PortRange": {
      					"From": "443",
      					"To": "443"
      				},
      				"RuleAction": "allow",
      				"Egress": "true",
      				"CidrBlock": "0.0.0.0/0"
      			}
      		},
      		"NetworkAclEntryOutPrivateApacheEphemeralPorts": {
      			"Type": "AWS::EC2::NetworkAclEntry",
      			"Properties": {
      				"NetworkAclId": {"Ref": "NetworkAclPrivateApache"},
      				"RuleNumber": "200",
      				"Protocol": "6",
      				"PortRange": {
      					"From": "1024",
      					"To": "65535"
      				},
      				"RuleAction": "allow",
      				"Egress": "true",
      				"CidrBlock": "10.0.0.0/16"
      			}
      		},
      		"NatServer": {
      			"Type": "AWS::EC2::Instance",
      			"Properties": {
      				"ImageId": {"Fn::FindInMap": ["EC2RegionMap", {"Ref": "AWS::Region"}, "AmazonLinuxNATAMIHVMEBSBacked64bit"]},
      				"InstanceType": "t2.micro",
      				"KeyName": {"Ref": "KeyName"},
      				"NetworkInterfaces": [{
      					"AssociatePublicIpAddress": "true",
      					"DeleteOnTermination": "true",
      					"SubnetId": {"Ref": "SubnetPublicNAT"},
      					"DeviceIndex": "0",
      					"GroupSet": [{"Ref": "SecurityGroup"}]
      				}],
      				"SourceDestCheck": "false",
      				"UserData": {"Fn::Base64": {"Fn::Join": ["", [
      					"#!/bin/bash -ex\n",
      					"/opt/aws/bin/cfn-signal --stack ", {"Ref": "AWS::StackName"}, " --resource NatServer --region ", {"Ref": "AWS::Region"}, "\n"
      				]]}}
      			},
      			"DependsOn": "VPCGatewayAttachment"
      		},
      		"BastionHost": {
      			"Type": "AWS::EC2::Instance",
      			"Properties": {
      				"ImageId": {"Fn::FindInMap": ["EC2RegionMap", {"Ref": "AWS::Region"}, "AmazonLinuxAMIHVMEBSBacked64bit"]},
      				"InstanceType": "t2.micro",
      				"KeyName": {"Ref": "KeyName"},
      				"NetworkInterfaces": [{
      					"AssociatePublicIpAddress": "true",
      					"DeleteOnTermination": "true",
      					"SubnetId": {"Ref": "SubnetPublicSSHBastion"},
      					"DeviceIndex": "0",
      					"GroupSet": [{"Ref": "SecurityGroup"}]
      				}]
      			},
      			"DependsOn": "VPCGatewayAttachment"
      		},
      		"VarnishServer": {
      			"Type": "AWS::EC2::Instance",
      			"Properties": {
      				"ImageId": {"Fn::FindInMap": ["EC2RegionMap", {"Ref": "AWS::Region"}, "AmazonLinuxAMIHVMEBSBacked64bit"]},
      				"InstanceType": "t2.micro",
      				"KeyName": {"Ref": "KeyName"},
      				"NetworkInterfaces": [{
      					"AssociatePublicIpAddress": "true",
      					"DeleteOnTermination": "true",
      					"SubnetId": {"Ref": "SubnetPublicVarnish"},
      					"DeviceIndex": "0",
      					"GroupSet": [{"Ref": "SecurityGroup"}]
      				}],
      				"UserData": {"Fn::Base64": {"Fn::Join": ["", [
      					"#!/bin/bash -ex\n",
      					"sudo -i\n",
      					"yum -y install nginx\n",
      					"cat > /etc/nginx/conf.d/http81.conf << EOF\n",
      					" server {\n",
      					"      listen     81;\n",
      					"      location / {\n",
      					"               proxy_pass http://", {"Fn::GetAtt": ["ApacheServer", "PrivateIp"]} ,":80;\n",
      					"      }\n",
      					" }\n",
      					"EOF\n",
      					"service nginx start\n"
      				]]}}
      			},
      			"DependsOn": "VPCGatewayAttachment"
      		},
      		"ApacheServer": {
      			"Type": "AWS::EC2::Instance",
      			"Properties": {
      				"ImageId": {"Fn::FindInMap": ["EC2RegionMap", {"Ref": "AWS::Region"}, "AmazonLinuxAMIHVMEBSBacked64bit"]},
      				"InstanceType": "t2.micro",
      				"KeyName": {"Ref": "KeyName"},
      				"NetworkInterfaces": [{
      					"AssociatePublicIpAddress": "false",
      					"DeleteOnTermination": "true",
      					"SubnetId": {"Ref": "SubnetPrivateApache"},
      					"DeviceIndex": "0",
      					"GroupSet": [{"Ref": "SecurityGroup"}]
      				}],
      				"UserData": {"Fn::Base64": {"Fn::Join": ["", [
      					"#!/bin/bash -ex\n",
      					"yum -y install httpd\n",
      					"service httpd start\n",
      					"/opt/aws/bin/cfn-signal --stack ", {"Ref": "AWS::StackName"}, " --resource ApacheServer --region ", {"Ref": "AWS::Region"}, "\n"
      				]]}}
      			},
      			"DependsOn": "NatServer"
      		}
      	},
      	"Outputs": {
      		"BastionHostPublicName": {
      			"Value": {"Fn::GetAtt": ["BastionHost", "PublicDnsName"]},
      			"Description": "connect via SSH as user ec2-user"
      		},
      		"VarnishServerPublicName": {
      			"Value": {"Fn::GetAtt": ["VarnishServer", "PublicDnsName"]},
      			"Description": "handles HTTP requests"
      		},
      		"VarnishServerPrivateIp": {
      			"Value": {"Fn::GetAtt": ["VarnishServer", "PrivateIp"]},
      			"Description": "connect via SSH from bastion host"
      		},
      		"ApacheServerPrivateIp": {
      			"Value": {"Fn::GetAtt": ["ApacheServer", "PrivateIp"]},
      			"Description": "connect via SSH from bastion host"
      		}
      	}
      }
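As an added example (not the post's own code), a Python audit of the NAT wiring in a template like the one above, run over a constructed, trimmed-down copy of its resources: it checks that the private subnet's default route targets an instance with SourceDestCheck false that sits in a subnet routed to the internet gateway, and flags the SecurityGroupIngress rule that admits every protocol from 0.0.0.0/0. The logical names follow the template; the property values are constructed.

```python
# Added example, not part of the original post: audits the NAT wiring of a
# CloudFormation template. SAMPLE_TEMPLATE is a constructed, trimmed-down copy
# of the resources above (same logical names, only the properties the checks need).
import json

SAMPLE_TEMPLATE = json.loads("""
{"Resources": {
 "VPC": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.0.0/16"}},
 "InternetGateway": {"Type": "AWS::EC2::InternetGateway", "Properties": {}},
 "SecurityGroup": {"Type": "AWS::EC2::SecurityGroup",
   "Properties": {"GroupDescription": "My security group", "VpcId": {"Ref": "VPC"}}},
 "SecurityGroupIngress": {"Type": "AWS::EC2::SecurityGroupIngress",
   "Properties": {"IpProtocol": "-1", "FromPort": "-1", "ToPort": "-1",
                  "CidrIp": "0.0.0.0/0", "GroupId": {"Ref": "SecurityGroup"}}},
 "SubnetPublicNAT": {"Type": "AWS::EC2::Subnet",
   "Properties": {"CidrBlock": "10.0.0.0/24", "VpcId": {"Ref": "VPC"}}},
 "RouteTablePublicNAT": {"Type": "AWS::EC2::RouteTable", "Properties": {"VpcId": {"Ref": "VPC"}}},
 "RouteTableAssociationPublicNAT": {"Type": "AWS::EC2::SubnetRouteTableAssociation",
   "Properties": {"SubnetId": {"Ref": "SubnetPublicNAT"}, "RouteTableId": {"Ref": "RouteTablePublicNAT"}}},
 "RoutePublicNATToInternet": {"Type": "AWS::EC2::Route",
   "Properties": {"RouteTableId": {"Ref": "RouteTablePublicNAT"},
                  "DestinationCidrBlock": "0.0.0.0/0", "GatewayId": {"Ref": "InternetGateway"}}},
 "SubnetPrivateApache": {"Type": "AWS::EC2::Subnet",
   "Properties": {"CidrBlock": "10.0.3.0/24", "VpcId": {"Ref": "VPC"}}},
 "RouteTablePrivateApache": {"Type": "AWS::EC2::RouteTable", "Properties": {"VpcId": {"Ref": "VPC"}}},
 "RouteTableAssociationPrivateApache": {"Type": "AWS::EC2::SubnetRouteTableAssociation",
   "Properties": {"SubnetId": {"Ref": "SubnetPrivateApache"}, "RouteTableId": {"Ref": "RouteTablePrivateApache"}}},
 "RoutePrivateApacheToInternet": {"Type": "AWS::EC2::Route",
   "Properties": {"RouteTableId": {"Ref": "RouteTablePrivateApache"},
                  "DestinationCidrBlock": "0.0.0.0/0", "InstanceId": {"Ref": "NatServer"}}},
 "NatServer": {"Type": "AWS::EC2::Instance",
   "Properties": {"SourceDestCheck": "false", "NetworkInterfaces": [
     {"AssociatePublicIpAddress": "true", "SubnetId": {"Ref": "SubnetPublicNAT"}}]}},
 "ApacheServer": {"Type": "AWS::EC2::Instance",
   "Properties": {"NetworkInterfaces": [
     {"AssociatePublicIpAddress": "false", "SubnetId": {"Ref": "SubnetPrivateApache"}}]}}
}}
""")


def _ref(value):
    """Logical name behind a {"Ref": ...}, or the plain value."""
    return value.get("Ref") if isinstance(value, dict) else value


def _by_type(resources, rtype):
    return {n: r.get("Properties", {}) for n, r in resources.items() if r["Type"] == rtype}


def default_routes(resources):
    """Route table -> (target key, target name) of its 0.0.0.0/0 route."""
    out = {}
    for p in _by_type(resources, "AWS::EC2::Route").values():
        if p.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        for key in ("GatewayId", "InstanceId", "NatGatewayId"):
            if key in p:
                out[_ref(p["RouteTableId"])] = (key, _ref(p[key]))
    return out


def audit(template):
    """Return findings about NAT wiring and open security groups; [] means clean."""
    res = template["Resources"]
    tables = {_ref(p["SubnetId"]): _ref(p["RouteTableId"])
              for p in _by_type(res, "AWS::EC2::SubnetRouteTableAssociation").values()}
    routes = default_routes(res)
    instances = _by_type(res, "AWS::EC2::Instance")
    igw_tables = {t for t, (key, _) in routes.items() if key == "GatewayId"}
    findings = []
    for subnet, table in tables.items():
        target = routes.get(table)
        if target is None:
            findings.append(f"{subnet}: no default route, so no internet egress at all")
            continue
        key, name = target
        if key != "InstanceId":
            continue  # routed via an internet gateway or a managed NAT gateway
        nat = instances.get(name)
        if nat is None:
            findings.append(f"{subnet}: default route targets unknown instance {name}")
            continue
        if str(nat.get("SourceDestCheck", "true")).lower() != "false":
            findings.append(f"{name}: SourceDestCheck must be false to forward {subnet}'s traffic")
        nat_subnet = _ref(nat["NetworkInterfaces"][0]["SubnetId"])
        if tables.get(nat_subnet) not in igw_tables:
            findings.append(f"{name}: {nat_subnet} has no internet-gateway route, NAT cannot reach outside")
    for name, p in _by_type(res, "AWS::EC2::SecurityGroupIngress").items():
        if p.get("IpProtocol") == "-1" and p.get("CidrIp") == "0.0.0.0/0":
            findings.append(f"{name}: allows every protocol from 0.0.0.0/0; only the network ACLs filter")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_TEMPLATE):
        print("FINDING:", finding)
```

Run against the sample, the only finding is the wide-open security group: in the template above the security group allows all ingress and egress, so the network ACLs are the sole filter between the subnets.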
      
