AdSense

網頁

2023/3/28

AWS VPC 設定private subnet EC2 instance由public NAT gateway連線網際網路

在AWS console設定private subnet的EC2 instance可透過public NAT gateway連接網際網路。



事前要求

參考「AWS VPC 設定private subnet由public NAT gateway連線網際網路」建立public subnet、private subnet及public NAT gateway等。


建立public instance

此public instance又稱bastion host(堡壘主機/跳板機),本機可透過此主機SSH連入private instance測試可透過public NAT gateway連線到網際網路。


在建立instance的[Network settings]區塊,
[VPC]選擇VPC ID;
[Subnet]選擇public subnet的ID,為有關聯到internet gateway的subnet;
[Auto-assign public IP]選擇[Enable]來配發一個動態public IP位址給此instance;
[Firewall(security groups)]選擇[Select existing security group],並在[Common security groups]選擇VPC預設的security group ID。



使用的key pair為demo-key.pem


建立private instance

此private instance將透過public NAT gateway連線到網際網路。

在建立instance的[Network settings]區塊,
[VPC]選擇VPC ID;
[Subnet]選擇private subnet的ID;
[Auto-assign public IP]選擇[Disable],即不需要配發public IP;
[Firewall(security groups)]選擇[Select existing security group],並在[Common security groups]選擇VPC預設的security group ID。



使用的key pair為demo-key.pem


到此已建立public instance及private instance如下。




設定Security Group

上面public instance與private instance使用的security group皆為所屬VPC預設的security group。

由於測試必須從本機SSH連線到public instancey然後再從public instance SSH連線到private instance,所以要在預設的security group設定允許本機IP的SSH連線的inbound rule如下。此設定主要是為了讓本機可SSH連線到public instanc。


至於public instance SSH連線到private instance不用另外設定,因為預設的security group的inbound rule允許自身security group的任何種類的連線。


測試

測試環境:

  • macOS Ventura (13.0.1)
  • zsh 5.8.1 (x86_64-apple-darwin22.0)

SSH連線透過public instance到private instance的方式有兩種,一是SSH agent forwarding,二是SSH ProxyCommnad。


SSH連線 - SSH agent forwarding

開啟終端機,在demo-key.pem所在目錄輸入ssh-add -K demo-key.pem將金鑰加到ssh-agent並存在keychain。

~/../..% ssh-add -K demo-key.pem
WARNING: The -K and -A flags are deprecated and have been replaced
         by the --apple-use-keychain and --apple-load-keychain
         flags, respectively.  To suppress this warning, set the
         environment variable APPLE_SSH_ADD_BEHAVIOR as described in
         the ssh-add(1) manual page.
Identity added: demo-key.pem (demo-key.pem)

接著輸入ssh -A ec2-user@<public-ip-address-of-public-instance>從本機SSH連線到public instance。
-A為啟用轉發(forwarding)功能,如此public instance能透過ssh-agent金鑰連線到private instance;
<public-ip-address-of-public-instance>為public instance的public IPv4位址,範例為3.112.237.180

~% ssh -A ec2-user@3.112.237.180
   ,     #_
   ~\_  ####_        Amazon Linux 2023
  ~~  \_#####\
  ~~     \###|
  ~~       \#/ ___   https://aws.amazon.com/linux/amazon-linux-2023
   ~~       V~' '->
    ~~~         /
      ~~._.   _/
         _/ _/
       _/m/'
Last login: Tue Mar 28 06:39:21 2023 from 211.20.37.118
[ec2-user@ip-10-0-0-110 ~]$

SSH連線到public instance後,輸入ssh ec2-user@<private-ip-of-private-instance>從public instance SSH連線到private instance。
<private-ip-address-of-private-instance>為private instance的private IPv4位址,範例為10.0.0.198

[ec2-user@ip-10-0-0-110 ~]$ ssh ec2-user@10.0.0.198
The authenticity of host '10.0.0.198 (10.0.0.198)' can't be established.
ED25519 key fingerprint is SHA256:Ev1OcxDARO9XMksjWcSZzRULjaYapnkWD9pdAy2Vgro.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.0.0.198' (ED25519) to the list of known hosts.
   ,     #_
   ~\_  ####_        Amazon Linux 2023
  ~~  \_#####\
  ~~     \###|
  ~~       \#/ ___   https://aws.amazon.com/linux/amazon-linux-2023
   ~~       V~' '->
    ~~~         /
      ~~._.   _/
         _/ _/
       _/m/'
[ec2-user@ip-10-0-0-198 ~]$


SSH連線 - SSH ProxyCommand

開啟終端機SSH登入public instance,輸入sudo yum install nc安裝netcat套件,因為Amazon Linux AMI預設沒有此安裝此工具,而使用SSH ProxyCommand透過public instance跳板連線到private instance需用到netcat的命令nc

demo-key.pem所在目錄輸入ssh -i demo-key.pem -o ProxyCommand="ssh ec2-user@<public-ip-address-of-public-instance> nc %h %p" ec2-user@<private-ip-address-of-private-instance>連線到private instance。

~% ssh -i demo-key.pem -o ProxyCommand="ssh ec2-user@3.112.237.180 nc %h %p" ec2-user@10.0.0.198
ssh -i demo-key.pem -o ProxyCommand="ssh ec2-user@3.112.237.180 nc %h %p" ec2-user@10.0.0.198
The authenticity of host '10.0.0.198 (<no hostip for proxy command>)' can't be established.
ED25519 key fingerprint is SHA256:Iwpi4fGk5T3i4BWo6kj+ASEE2tUBNtn/0+g1UruiYH4.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.0.0.209' (ED25519) to the list of known hosts.
   ,     #_
   ~\_  ####_        Amazon Linux 2023
  ~~  \_#####\
  ~~     \###|
  ~~       \#/ ___   https://aws.amazon.com/linux/amazon-linux-2023
   ~~       V~' '->
    ~~~         /
      ~~._.   _/
         _/ _/
       _/m/'
[ec2-user@ip-10-0-0-198 ~]$

網際網路連線測試

SSH連線到private instance後,輸入ping -c4 ietf.org測試是否可對外連線到ietf.grg

[ec2-user@ip-10-0-0-198 ~]$ ping -c4 ietf.org
PING ietf.org (50.223.129.194) 56(84) bytes of data.
64 bytes from mail.ietf.org (50.223.129.194): icmp_seq=1 ttl=34 time=106 ms
64 bytes from mail.ietf.org (50.223.129.194): icmp_seq=2 ttl=34 time=106 ms
64 bytes from mail.ietf.org (50.223.129.194): icmp_seq=3 ttl=34 time=106 ms
64 bytes from mail.ietf.org (50.223.129.194): icmp_seq=4 ttl=34 time=106 ms

--- ietf.org ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 105.519/105.670/105.992/0.189 ms

上面ping結果顯示無封包遺失代表private instance可成功連到網際網路。





沒有留言:

AdSense