问题 如何在AWS VPC w / Terraform中的两个子网之间路由?


更新: 一直在努力解决这个问题。似乎无法获得具有两个子网和SSH堡垒的工作配置。将赏金用于完整的.tf文件配置: *创建两个私有子网 *创造一个堡垒 *在通过堡垒配置的每个子网上旋转ec2实例(通过堡垒运行一些任意shell命令) *配置了互联网网关 *为私有子​​网上的主机提供nat网关 *具有相应配置的路由和安全组

原帖: 我正在尝试学习Terraform并构建原型。我有一个通过Terraform配置的AWS VPC。除了DMZ子网,我还有一个公共子网“web”,可以从互联网接收流量。我有一个无法从互联网访问的私有子网'app'。我正在尝试配置堡垒主机,以便terraform可以在私有“app”子网上配置实例。我还没有能够让这个工作。

当我进入堡垒时,我无法从堡垒主机SSH到私有子网内的任何实例。我怀疑存在路由问题。我通过几个可用的示例和文档构建了这个原型。许多示例通过aws提供程序使用略有不同的技术和terraform路由定义。

有人可以提供理想或正确的方法来定义这三个子网(公共'网络',公共'dmz'瓦特堡垒和私人'应用程序'),以便“网络”子网上的实例可以访问“应用程序”子网并且DMZ中的堡垒主机可以在私有“app”子网中配置实例?

我的配置片段如下:

resource "aws_subnet" "dmz" {
    vpc_id = "${aws_vpc.vpc-poc.id}"
    cidr_block = "${var.cidr_block_dmz}"
}

resource "aws_route_table" "dmz" {
    vpc_id = "${aws_vpc.vpc-poc.id}"
    route {
        cidr_block = "0.0.0.0/0"
        gateway_id = "${aws_internet_gateway.gateway.id}"
    }
}

resource "aws_route_table_association" "dmz" {
    subnet_id = "${aws_subnet.dmz.id}"
    route_table_id = "${aws_route_table.dmz.id}"
}

resource "aws_subnet" "web" {
    vpc_id = "${aws_vpc.vpc-poc.id}"
    cidr_block = "10.200.2.0/24"
}

resource "aws_route_table" "web" {
    vpc_id = "${aws_vpc.vpc-poc.id}"
    route {
        cidr_block = "0.0.0.0/0"
        instance_id = "${aws_instance.bastion.id}"
    }
}

resource "aws_route_table_association" "web" {
    subnet_id = "${aws_subnet.web.id}"
    route_table_id = "${aws_route_table.web.id}"
}

resource "aws_subnet" "app" {
    vpc_id = "${aws_vpc.vpc-poc.id}"
    cidr_block = "10.200.3.0/24"
}

resource "aws_route_table" "app" {
    vpc_id = "${aws_vpc.vpc-poc.id}"
    route {
        cidr_block = "0.0.0.0/0"
        instance_id = "${aws_instance.bastion.id}"
    }
}

resource "aws_route_table_association" "app" {
    subnet_id = "${aws_subnet.app.id}"
    route_table_id = "${aws_route_table.app.id}"
}

10183
now


起源
如果您需要更多帮助,您需要扩展您的TF文件,同时显示任何安全组/ NACL等,因为我不认为路由是一个问题(除了私有子网中缺少出站Web访问)除非您的堡垒框也充当NAT网关) - ydaetskcoR

答案:

这是一个可能对您有帮助的片段。这是未经测试的,但是从我的一个terraform文件中提取,我在私有子网中配置VM。我知道这适用于一个私有子网,我试图像你原来的问题一样在这里实现两个。

我跳过我的NAT实例来使用Terraform命中和配置私有子网盒。如果您的安全组设置正确,它确实有效。我花了一些实验。 

/* VPC creation */
resource "aws_vpc" "vpc_poc" {
  cidr_block = "10.200.0.0/16"
}

/* Internet gateway for the public subnets */
resource "aws_internet_gateway" "gateway" {
  vpc_id = "${aws_vpc.vpc_poc.id}"
}

/* DMZ subnet - public */
resource "aws_subnet" "dmz" {
    vpc_id = "${aws_vpc.vpc_poc.id}"
    cidr_block = "10.200.1.0/24"
    /* may help to be explicit here */
    map_public_ip_on_launch = true
    /* this is recommended in the docs */
    depends_on = ["aws_internet_gateway.gateway"]
}

resource "aws_route_table" "dmz" {
    vpc_id = "${aws_vpc.vpc_poc.id}"
    route {
        cidr_block = "0.0.0.0/0"
        gateway_id = "${aws_internet_gateway.gateway.id}"
    }
}

resource "aws_route_table_association" "dmz" {
    subnet_id = "${aws_subnet.dmz.id}"
    route_table_id = "${aws_route_table.dmz.id}"
}

/* Web subnet - public */
resource "aws_subnet" "web" {
    vpc_id = "${aws_vpc.vpc_poc.id}"
    cidr_block = "10.200.2.0/24"
    map_public_ip_on_launch = true
    depends_on = ["aws_internet_gateway.gateway"]
}

resource "aws_route_table" "web" {
    vpc_id = "${aws_vpc.vpc_poc.id}"
    route {
        cidr_block = "0.0.0.0/0"
        /* your public web subnet needs access to the gateway */
        /* this was set to bastion before so you had a circular arg */
        gateway_id = "${aws_internet_gateway.gateway.id}"
    }
}

resource "aws_route_table_association" "web" {
    subnet_id = "${aws_subnet.web.id}"
    route_table_id = "${aws_route_table.web.id}"
}

/* App subnet - private */
resource "aws_subnet" "app" {
    vpc_id = "${aws_vpc.vpc_poc.id}"
    cidr_block = "10.200.3.0/24"
}

/* Create route for DMZ Bastion */
resource "aws_route_table" "app" {
    vpc_id = "${aws_vpc.vpc_poc.id}"
    route {
        cidr_block = "0.0.0.0/0"
        /* this send traffic to the bastion to pass off */
        instance_id = "${aws_instance.nat_dmz.id}"
    }
}

/* Create route for App Bastion */
resource "aws_route_table" "app" {
    vpc_id = "${aws_vpc.vpc_poc.id}"
    route {
        cidr_block = "0.0.0.0/0"
        /* this send traffic to the bastion to pass off */
        instance_id = "${aws_instance.nat_web.id}"
    }
}

resource "aws_route_table_association" "app" {
    subnet_id = "${aws_subnet.app.id}"
    route_table_id = "${aws_route_table.app.id}"
}

/* Default security group */
resource "aws_security_group" "default" {
  name = "default-sg"
  description = "Default security group that allows inbound and outbound traffic from all instances in the VPC"
  vpc_id = "${aws_vpc.vpc_poc.id}"

  ingress {
    from_port   = "0"
    to_port     = "0"
    protocol    = "-1"
    self        = true
  }

  egress {
    from_port   = "0"
    to_port     = "0"
    protocol    = "-1"
    self        = true
  }
}

/* Security group for the nat server */
resource "aws_security_group" "nat" {
  name        = "nat-sg"
  description = "Security group for nat instances that allows SSH and VPN traffic from internet. Also allows outbound HTTP[S]"
  vpc_id      = "${aws_vpc.vpc_poc.id}"

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    /* this your private subnet cidr */
    cidr_blocks = ["10.200.3.0/24"]
  }
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    /* this is your private subnet cidr */
    cidr_blocks = ["10.200.3.0/24"]
  }
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    from_port   = -1
    to_port     = -1
    protocol    = "icmp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  egress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  egress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    /* this is the vpc cidr block */
    cidr_blocks = ["10.200.0.0/16"]
  }
  egress {
    from_port   = -1
    to_port     = -1
    protocol    = "icmp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

/* Security group for the web */
resource "aws_security_group" "web" {
  name = "web-sg"
  description = "Security group for web that allows web traffic from internet"
  vpc_id = "${aws_vpc.vpc_poc.id}"

  ingress {
    from_port = 80
    to_port   = 80
    protocol  = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    from_port = 443
    to_port   = 443
    protocol  = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

/* Install deploy key for use with all of our provisioners */
resource "aws_key_pair" "deployer" {
  key_name   = "deployer-key"
  public_key = "${file("~/.ssh/id_rsa")}"
}

/* Setup NAT in DMZ subnet */
resource "aws_instance" "nat_dmz" {
  ami               = "ami-67a54423"
  availability_zone = "us-west-1a"
  instance_type     = "m1.small"
  key_name          = "${aws_key_pair.deployer.id}"
  /* Notice we are assigning the security group here */
  security_groups   = ["${aws_security_group.nat.id}"]

  /* this puts the instance in your public subnet, but translate to the private one */
  subnet_id         = "${aws_subnet.dmz.id}"

  /* this is really important for nat instance */
  source_dest_check = false
  associate_public_ip_address = true
}

/* Give NAT EIP In DMZ */
resource "aws_eip" "nat_dmz" {
  instance  = "${aws_instance.nat_dmz.id}"
  vpc       = true
}

/* Setup NAT in Web subnet */
resource "aws_instance" "nat_web" {
  ami               = "ami-67a54423"
  availability_zone = "us-west-1a"
  instance_type     = "m1.small"
  key_name          = "${aws_key_pair.deployer.id}"
  /* Notice we are assigning the security group here */
  security_groups   = ["${aws_security_group.nat.id}"]

  /* this puts the instance in your publi
        

            
热门问题

                                                                                                不使用eval / new函数的JavaScript模板库
                        当涉及内部类时,Java继承如何工作
                        .NET Windows服务的奇怪问题
                        在.ipa或.app下查找App ID
                        快速入门XSLT参考[关闭]
                        如何找出Android应用程序中未使用的资源
                        Ruby中并发的同步方法[重复]
                        将std :: chrono :: system_clock :: time_point转换为struct timeval并返回
                        Google Drive API V3(javascript)更新文件内容
                        Bootstrap 3.0  - 将元素推到底部
                        受密码保护的.NET ClickOnce部署?
                        如何用postgresql安装wordpress
                        coq Set或Type如何成为命题
                        硒滚动元素进入(中心)视图
                        在Spring Transaction JUnit测试中自动装配Hibernate会话的正确方法
                        Git的Dockerfile策略
                        如何在FOS_PICKFOLDER中使用IFileDialog,同时仍在对话框中显示文件名
                        在Firefox扩展中复制Google Chrome浏览器操作弹出效果
                        CakePHP找到MAX
                        芹菜 - 完成任务的召唤功能
                        从使用fmemopen创建的流中读取宽字符
                        .NET是否为每个程序集创建一个字符串实习池?
                        DefaultModelBinder不绑定嵌套模型
                        Navigator.MediaDevices.getUserMedia()使用了哪些相机通信标准?
                        选择命名空间名称时应该知道什么?
                        cout 
                        Swagger Codegen CLI Java客户端 - 如何正确使用它
                        一个很好的哈希函数用于采访整数,字符串?
                        Maven 3 ciManagement配置的目的是什么?
                        如何通过语言文化获取代码页?
licensed under cc by-sa 3.0 with attribution.
隐私政策 往来