Configuring an EC2 instance in a private subnet to reach the internet through a public NAT gateway, using the AWS console.
Prerequisites
Following "AWS VPC: configuring a private subnet to reach the internet through a public NAT gateway", create the public subnet, the private subnet, and the public NAT gateway.
Creating the public instance
This public instance is also called a bastion host (jump host): the local machine SSHes into it and from there into the private instance, to test that the private instance can reach the internet through the public NAT gateway.
In the [Network settings] section when creating the instance:
[VPC]: select the VPC ID;
[Subnet]: select the ID of the public subnet, the one associated with the internet gateway;
[Auto-assign public IP]: select [Enable] so that a dynamic public IP address is assigned to the instance;
[Firewall (security groups)]: select [Select existing security group], and under [Common security groups] choose the VPC's default security group ID.
The key pair used is demo-key.pem.
Creating the private instance
This private instance will reach the internet through the public NAT gateway.
In the [Network settings] section when creating the instance:
[VPC]: select the VPC ID;
[Subnet]: select the ID of the private subnet;
[Auto-assign public IP]: select [Disable], since no public IP is needed;
[Firewall (security groups)]: select [Select existing security group], and under [Common security groups] choose the VPC's default security group ID.
The key pair used is demo-key.pem.
At this point the public instance and the private instance have been created, as shown below.
Configuring the security group
Both the public instance and the private instance above use the default security group of their VPC.
Because the test SSHes from the local machine to the public instance and then from the public instance to the private instance, add an inbound rule to the default security group that allows SSH from the local machine's IP, as shown below. This rule exists mainly so the local machine can SSH to the public instance.
No extra rule is needed for the public instance to SSH to the private instance, because the default security group's inbound rule already allows all traffic from the security group itself.
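To make the inbound rule above concrete, here is an added shell example (not from the original post) that builds the rule as a single-address /32 and refuses anything wider, such as a prefix or 0.0.0.0. The security group ID sg-0123456789abcdef0 and the source address 203.0.113.10 are placeholders, and the aws ec2 authorize-security-group-ingress call is printed rather than executed so you can review it first.

```shell
#!/bin/sh
# Added example, not from the original post: build the SSH inbound rule for the
# bastion's security group as a /32, refusing anything wider.
# Assumptions: the group ID and the source address below are placeholders.

# Return 0 if the argument is a dotted-quad IPv4 address with octets <= 255.
is_ipv4() {
  addr=$1
  printf '%s' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  (
    IFS=.
    set -- $addr
    for octet in "$@"; do
      [ "$octet" -le 255 ] || exit 1
    done
  )
}

# Print the /32 CIDR for one source address; fail on a prefix, on 0.0.0.0
# (which would open port 22 to the whole internet) or on a malformed value.
ssh_source_cidr() {
  case "$1" in
    */*) echo "refusing prefix '$1': give a single address" >&2; return 1 ;;
    0.0.0.0) echo "refusing 0.0.0.0: that is the whole internet" >&2; return 1 ;;
  esac
  is_ipv4 "$1" || { echo "not an IPv4 address: $1" >&2; return 1; }
  printf '%s/32\n' "$1"
}

# Print (do not run) the AWS CLI call that adds the rule to the group.
authorize_ssh_command() {
  group_id=$1
  cidr=$(ssh_source_cidr "$2") || return 1
  printf 'aws ec2 authorize-security-group-ingress --group-id %s --protocol tcp --port 22 --cidr %s\n' \
    "$group_id" "$cidr"
}

# Usage with placeholder values; replace both before running the printed command.
authorize_ssh_command sg-0123456789abcdef0 203.0.113.10
```

The printed command is the CLI equivalent of the console rule; keeping the source as a /32 is what makes the bastion's port 22 reachable only from your own address.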
Testing
Test environment:
- macOS Ventura (13.0.1)
- zsh 5.8.1 (x86_64-apple-darwin22.0)
There are two ways to SSH through the public instance to the private instance: SSH agent forwarding and SSH ProxyCommand.
SSH connection - SSH agent forwarding
Open a terminal and, in the directory containing demo-key.pem, run ssh-add -K demo-key.pem to add the key to ssh-agent and store it in the keychain.
~/../..% ssh-add -K demo-key.pem
WARNING: The -K and -A flags are deprecated and have been replaced
by the --apple-use-keychain and --apple-load-keychain
flags, respectively. To suppress this warning, set the
environment variable APPLE_SSH_ADD_BEHAVIOR as described in
the ssh-add(1) manual page.
Identity added: demo-key.pem (demo-key.pem)
Next, run ssh -A ec2-user@<public-ip-address-of-public-instance> to SSH from the local machine to the public instance. -A enables agent forwarding, so the public instance can use the key held by ssh-agent to connect to the private instance; <public-ip-address-of-public-instance> is the public IPv4 address of the public instance, 3.112.237.180 in this example.
~% ssh -A ec2-user@3.112.237.180
   ,     #_
   ~\_  ####_        Amazon Linux 2023
  ~~  \_#####\
  ~~     \###|
  ~~       \#/ ___   https://aws.amazon.com/linux/amazon-linux-2023
   ~~       V~' '->
    ~~~         /
      ~~._.   _/
         _/ _/
       _/m/'
Last login: Tue Mar 28 06:39:21 2023 from 211.20.37.118
[ec2-user@ip-10-0-0-110 ~]$
Once on the public instance, run ssh ec2-user@<private-ip-address-of-private-instance> to SSH from the public instance to the private instance. <private-ip-address-of-private-instance> is the private IPv4 address of the private instance, 10.0.0.198 in this example.
[ec2-user@ip-10-0-0-110 ~]$ ssh ec2-user@10.0.0.198
The authenticity of host '10.0.0.198 (10.0.0.198)' can't be established.
ED25519 key fingerprint is SHA256:Ev1OcxDARO9XMksjWcSZzRULjaYapnkWD9pdAy2Vgro.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.0.0.198' (ED25519) to the list of known hosts.
   ,     #_
   ~\_  ####_        Amazon Linux 2023
  ~~  \_#####\
  ~~     \###|
  ~~       \#/ ___   https://aws.amazon.com/linux/amazon-linux-2023
   ~~       V~' '->
    ~~~         /
      ~~._.   _/
         _/ _/
       _/m/'
[ec2-user@ip-10-0-0-198 ~]$
SSH connection - SSH ProxyCommand
Open a terminal, SSH into the public instance, and run sudo yum install nc to install the netcat package: the Amazon Linux AMI does not ship it by default, and using SSH ProxyCommand to hop through the public instance to the private instance needs netcat's nc command.
In the directory containing demo-key.pem, run ssh -i demo-key.pem -o ProxyCommand="ssh ec2-user@<public-ip-address-of-public-instance> nc %h %p" ec2-user@<private-ip-address-of-private-instance> to connect to the private instance.
~% ssh -i demo-key.pem -o ProxyCommand="ssh ec2-user@3.112.237.180 nc %h %p" ec2-user@10.0.0.198
The authenticity of host '10.0.0.198 (<no hostip for proxy command>)' can't be established.
ED25519 key fingerprint is SHA256:Iwpi4fGk5T3i4BWo6kj+ASEE2tUBNtn/0+g1UruiYH4.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.0.0.209' (ED25519) to the list of known hosts.
   ,     #_
   ~\_  ####_        Amazon Linux 2023
  ~~  \_#####\
  ~~     \###|
  ~~       \#/ ___   https://aws.amazon.com/linux/amazon-linux-2023
   ~~       V~' '->
    ~~~         /
      ~~._.   _/
         _/ _/
       _/m/'
```
[ec2-user@ip-10-0-0-198 ~]$
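Both methods above (agent forwarding and the nc-based ProxyCommand) can be replaced by a single ssh_config using OpenSSH's ProxyJump (the -J option, OpenSSH 7.3 and later). This is an added example, not part of the original post: with ProxyJump the local client opens a second SSH connection through the bastion, so the private key and the agent socket never reach the bastion, and nothing needs to be installed on it. The addresses 3.112.237.180 and 10.0.0.198 come from the post; the host aliases bastion and private-app, the key path ~/.ssh/demo-key.pem and the output path are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: write an ssh_config that reaches
# the private instance through the bastion with ProxyJump instead of agent
# forwarding (-A) or a ProxyCommand that needs nc on the bastion.
# Assumptions: host aliases, key path and output path are invented.

write_jump_config() {
  out=$1
  cat >"$out" <<'EOF'
# Baseline for every host: no agent forwarding, verify host keys, offer only
# the configured key.
Host *
    ForwardAgent no
    StrictHostKeyChecking ask
    IdentitiesOnly yes

# The bastion in the public subnet (public IPv4 from the post).
Host bastion
    HostName 3.112.237.180
    User ec2-user
    IdentityFile ~/.ssh/demo-key.pem

# The private instance: ssh first connects to "bastion", then tunnels a second
# SSH session to 10.0.0.198 through it. The private key stays on this machine.
Host private-app
    HostName 10.0.0.198
    User ec2-user
    IdentityFile ~/.ssh/demo-key.pem
    ProxyJump bastion
EOF
}

# Print the effective value of one option for a host as ssh resolves it,
# using `ssh -G` (OpenSSH 6.8+). Returns 1 if no ssh client is installed.
effective_option() {
  cfg=$1; host=$2; opt=$3
  command -v ssh >/dev/null 2>&1 || return 1
  ssh -G -F "$cfg" "$host" | awk -v k="$opt" '$1 == k { print $2; exit }'
}

# Usage: write the file, then connect with `ssh -F <file> private-app`.
write_jump_config "${TMPDIR:-/tmp}/jump_config"
```

Compared with the post's two methods: ssh -A hands the bastion a socket to your local agent for the life of the session, so anyone with root on the bastion can sign with your keys while you are connected; ProxyJump gives the bastion only an encrypted TCP stream it cannot read, and the same host-key prompt you saw above still applies to the private instance.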
Internet connectivity test
After SSHing to the private instance, run ping -c4 ietf.org to test whether it can reach ietf.org.
[ec2-user@ip-10-0-0-198 ~]$ ping -c4 ietf.org
PING ietf.org (50.223.129.194) 56(84) bytes of data.
64 bytes from mail.ietf.org (50.223.129.194): icmp_seq=1 ttl=34 time=106 ms
64 bytes from mail.ietf.org (50.223.129.194): icmp_seq=2 ttl=34 time=106 ms
64 bytes from mail.ietf.org (50.223.129.194): icmp_seq=3 ttl=34 time=106 ms
64 bytes from mail.ietf.org (50.223.129.194): icmp_seq=4 ttl=34 time=106 ms
--- ietf.org ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 105.519/105.670/105.992/0.189 ms
The ping result above shows no packet loss, meaning the private instance can reach the internet through the NAT gateway.
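The manual check above can be turned into a pass/fail test that also tells a DNS failure apart from a NAT-path failure, which is useful when the private subnet's route table or the NAT gateway is changed later. The following is an added shell example, not from the original post; the sample ping output it feeds itself is constructed to match the session above and the iputils summary format used on Amazon Linux.

```shell
#!/bin/sh
# Added example, not from the original post: classify the result of
# `ping -c4 <host>` run on the private instance so the NAT-gateway egress
# test can be scripted. Expects the iputils (Linux) summary line format.

# Print the integer packet-loss percentage from ping output read on stdin.
packet_loss_pct() {
  sed -n 's/.*, \([0-9][0-9]*\)% packet loss.*/\1/p' | head -n 1
}

# Return 0 when the summary shows zero loss, 1 otherwise; a missing summary
# (ping aborted, unknown host) also counts as failure.
egress_ok() {
  loss=$(packet_loss_pct)
  [ -n "$loss" ] && [ "$loss" -eq 0 ]
}

# Print one of: "ok" (zero loss), "dns" (name never resolved, so the route
# was not exercised), "loss" (packets sent, some or all unanswered),
# "unknown" (no recognisable summary). Exit status is 0 only for "ok".
classify_egress() {
  output=$(cat)
  case "$output" in
    *"Name or service not known"*|*"Temporary failure in name resolution"*)
      echo dns; return 1 ;;
  esac
  loss=$(printf '%s\n' "$output" | packet_loss_pct)
  if [ -z "$loss" ]; then echo unknown; return 1; fi
  if [ "$loss" -eq 0 ]; then echo ok; return 0; fi
  echo loss; return 1
}

# Constructed samples: the summary of a successful run (as in the post) and
# of a run where nothing came back (what a missing NAT route looks like).
SAMPLE_OK='--- ietf.org ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms'
SAMPLE_FAIL='--- ietf.org ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3080ms'

# Live use on the private instance: ping -c4 ietf.org | classify_egress
printf '%s\n' "$SAMPLE_OK" | egress_ok && echo "sample: NAT egress OK"
```

A "dns" result means the instance could not even resolve the name, which on a NAT-only private subnet usually points at DNS settings rather than the NAT gateway; "loss" with 100% is the signature of a private route table that no longer targets the NAT gateway.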