I am trying to build a system like this:
I cannot connect to the private instance through the ALB. I have checked my CloudFormation code many times but still cannot find the problem. Please help me.
AWSTemplateFormatVersion: 2010-09-09
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: "system"
        Parameters:   # a parameter group must list its parameters; this list was missing
          - KeyNameA
          - SSHLocation
          - InstanceTypeParameter
Parameters:
  KeyNameA:
    Type: AWS::EC2::KeyPair::KeyName
  SSHLocation:
    Type: String
    MinLength: 9
    MaxLength: 18
    Default: 0.0.0.0/0
    AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})
  InstanceTypeParameter:   # referenced by WebInstance but never declared; default is an assumption
    Type: String
    Default: t2.micro
Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.1.0.0/16
      EnableDnsSupport: True
      EnableDnsHostnames: True
      InstanceTenancy: default
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName}-VPC
  InternetGateway:
    Type: AWS::EC2::InternetGateway
    DependsOn: VPC
  AttachGateway:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VPC
      InternetGatewayId: !Ref InternetGateway
  PublicSubnetA:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.1.10.0/24
      AvailabilityZone: !Select [ 0, !GetAZs ]
      MapPublicIpOnLaunch: True
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName}-Public-A
  PublicSubnetB:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.1.30.0/24
      AvailabilityZone: !Select [ 1, !GetAZs ]
      MapPublicIpOnLaunch: True
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName}-Public-B
  PrivateSubnetA:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.1.20.0/24
      MapPublicIpOnLaunch: False
      AvailabilityZone: !Select [ 0, !GetAZs ]
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName}-Private-A
  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: Public
  PublicRoute:
    Type: AWS::EC2::Route
    DependsOn: AttachGateway
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway
  PrivateRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: Private
  PrivateRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: !Ref NATGateway
  NATGateway:
    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId: !GetAtt ElasticIPAddress.AllocationId
      SubnetId: !Ref PublicSubnetA
  ElasticIPAddress:
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc
  PublicSubnetARouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnetA
      RouteTableId: !Ref PublicRouteTable
  PublicSubnetBRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnetB
      RouteTableId: !Ref PublicRouteTable
  PrivateSubnetARouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnetA
      RouteTableId: !Ref PrivateRouteTable
  TargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      VpcId: !Ref VPC
      Name: WebInstanceTargetGroup
      Protocol: HTTP
      Port: 80
      TargetType: instance
      Targets:
        - Id: !Ref WebInstance
          Port: 80
  ALBalancerSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: SG for ALBSG
      GroupName: ALBSG
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
  ALB:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: PublicALB
      Scheme: internet-facing
      IpAddressType: ipv4
      Subnets:
        - !Ref PublicSubnetA
        - !Ref PublicSubnetB
      SecurityGroups:
        - !Ref ALBalancerSG
  Listener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref ALB
      Port: 80
      Protocol: HTTP
      DefaultActions:
        - TargetGroupArn: !Ref TargetGroup
          Type: forward
  WebInstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: SG for WebInstance
      GroupName: WebSG
      VpcId: !Ref VPC
      SecurityGroupIngress:
        # An ingress rule takes a single source. The posted rule carried both
        # CidrIp: 0.0.0.0/0 and the ALB security group; the CIDR would have made
        # the security-group source meaningless, so only the group source is kept.
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          SourceSecurityGroupId: !Ref ALBalancerSG
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: !Ref SSHLocation
  WebInstance:
    Type: AWS::EC2::Instance
    Properties:
      BlockDeviceMappings:
        - DeviceName: /dev/sda1
          Ebs:
            VolumeSize: 8
            VolumeType: gp2
      DisableApiTermination: false
      InstanceType: !Ref InstanceTypeParameter
      KeyName: !Ref KeyNameA
      ImageId: ami-02b7cfebf005c915d   # AMI IDs are region-specific
      SecurityGroupIds:
        - !Ref WebInstanceSecurityGroup
      SubnetId: !Ref PrivateSubnetA
      # No UserData: nothing installs or starts a web server on this instance.
  PrivateSubnetB:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.1.90.0/24
      AvailabilityZone: !Select [ 0, !GetAZs ]
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName}-Private-B
  PrivateSubnetC:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.1.110.0/24
      AvailabilityZone: !Select [ 1, !GetAZs ]
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName}-Private-C
  PrivateRouteTableRDS:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: Private2
  PrivateRouteRDS:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateRouteTableRDS
      DestinationCidrBlock: 0.0.0.0/0
      InstanceId: !Ref WebInstance   # default route for the DB subnets goes through the web instance, not the NAT gateway
  PrivateSubnetBRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnetB
      RouteTableId: !Ref PrivateRouteTableRDS
  PrivateSubnetCRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnetC
      RouteTableId: !Ref PrivateRouteTableRDS
  DBSubnetGroup:
    Type: AWS::RDS::DBSubnetGroup
    Properties:
      DBSubnetGroupDescription: DBSubnetGroup for RDS instances
      SubnetIds:
        - Ref: PrivateSubnetB
        - Ref: PrivateSubnetC
  RDSSGIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !GetAtt VPC.DefaultSecurityGroup
      IpProtocol: tcp
      FromPort: 5432
      ToPort: 5432
      CidrIp: 0.0.0.0/0   # opens Postgres to any source rather than only to the web instance's security group
  DBMasterInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      DBInstanceIdentifier: DemoRDS
      DBName: MyRDS
      AllocatedStorage: 10
      DBInstanceClass: db.t2.micro
      StorageType: gp2
      Engine: postgres
      EngineVersion: 11.4
      MasterUsername: DBUser
      MasterUserPassword: DBPassword   # plaintext credential committed in the template
      PubliclyAccessible: False
      VPCSecurityGroups:
        - !GetAtt VPC.DefaultSecurityGroup
      DBSubnetGroupName: !Ref DBSubnetGroup
  DBReplicaInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      DBInstanceIdentifier: DemoReplica
      AllocatedStorage: 10
      DBInstanceClass: db.t2.micro
      SourceDBInstanceIdentifier: !Ref DBMasterInstance
      SourceRegion: ap-northeast-3
Answer 1
Your CFN template has a few problems:
The RDS subnets have a default route pointing at the web instance - I doubt that is what you want. Typically you only need 2 or 3 public subnets that use the IGW for 0.0.0.0/0 and 2 or 3 private subnets that use the NAT GW for 0.0.0.0/0. All of your instances and databases should sit in the private subnets, and the ALB in the public subnets.
When you create the web instance the way the template does, there is no web server running, so nothing is listening on port 80, and in turn the ALB considers the instance unhealthy. That is why you get a "502 Bad Gateway" or similar.
Ideally you should install and start the web server at boot through the instance UserData. That way the ALB will see it running and start sending traffic to it.
Because the web instance is in a private subnet you cannot SSH to it. Typically you would also create a jump host in a public subnet that you can reach over SSH and/or VPN, or configure Systems Manager on the web instance so you can open an SSM Session to it without needing a jump host. You will need an EC2 role for that.
That should give you some pointers to get started. Hope that helps :)
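The fixes the answer asks for, written out as CloudFormation. This is an added example, not code from the question or the answer, and it goes a step past the answer by also tightening the security groups and taking the database password out of the template. It assumes the rest of the posted template stays as it is (VPC, the subnets, PrivateRouteTable with its 0.0.0.0/0 route to NATGateway, ALB, ALBalancerSG, DBSubnetGroup). The logical names LatestAmazonLinux2Ami, WebInstanceRole, WebInstanceProfile, DBSecurityGroup and DBSecret are new, and the AMI is assumed to be Amazon Linux 2 (resolved through the public SSM parameter) so that the yum and systemctl commands in UserData and the preinstalled SSM agent apply.

```yaml
# Added example: corrected resources for the template above (not from the post).
# Assumes VPC, subnets, PrivateRouteTable (-> NATGateway), ALB, ALBalancerSG, DBSubnetGroup are kept.
Parameters:
  LatestAmazonLinux2Ami:   # assumed: current Amazon Linux 2 AMI via the public SSM parameter
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2
Resources:
  # 1. DB subnets default-route through the NAT gateway, not the web instance:
  #    drop PrivateRouteTableRDS/PrivateRouteRDS and reuse PrivateRouteTable.
  PrivateSubnetBRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnetB
      RouteTableId: !Ref PrivateRouteTable
  PrivateSubnetCRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnetC
      RouteTableId: !Ref PrivateRouteTable
  # 2. Port 80 only from the ALB's security group, and no port 22 rule at all.
  WebInstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: HTTP from the ALB only
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          SourceSecurityGroupId: !Ref ALBalancerSG
  # 3. Instance role for the SSM agent; it reaches the SSM endpoints via the NAT
  #    gateway, so Session Manager replaces SSH, key pairs and the jump host.
  WebInstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
  WebInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Ref WebInstanceRole
  # 4. Install and start a web server at boot so the target group's default
  #    health check (GET / expecting 200) passes and the 502s stop.
  WebInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref LatestAmazonLinux2Ami
      InstanceType: t3.micro
      IamInstanceProfile: !Ref WebInstanceProfile
      SubnetId: !Ref PrivateSubnetA
      SecurityGroupIds:
        - !Ref WebInstanceSecurityGroup
      UserData:
        Fn::Base64: |
          #!/bin/bash -xe
          yum install -y httpd
          echo "<h1>$(hostname -f)</h1>" > /var/www/html/index.html
          systemctl enable httpd
          systemctl start httpd
  # 5. Postgres reachable only from the web tier; master password generated into
  #    Secrets Manager instead of being written into the template.
  DBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Postgres from the web instances only
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 5432
          ToPort: 5432
          SourceSecurityGroupId: !Ref WebInstanceSecurityGroup
  DBSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      GenerateSecretString:
        SecretStringTemplate: '{"username": "dbadmin"}'
        GenerateStringKey: password
        PasswordLength: 32
        ExcludeCharacters: '"@/\'
  DBMasterInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      Engine: postgres
      DBInstanceClass: db.t3.micro
      AllocatedStorage: 20
      StorageEncrypted: true
      PubliclyAccessible: false
      MasterUsername: !Sub '{{resolve:secretsmanager:${DBSecret}:SecretString:username}}'
      MasterUserPassword: !Sub '{{resolve:secretsmanager:${DBSecret}:SecretString:password}}'
      VPCSecurityGroups:
        - !Ref DBSecurityGroup
      DBSubnetGroupName: !Ref DBSubnetGroup
```

After the stack is up, check the target before touching any security group: `aws elbv2 describe-target-health --target-group-arn <target-group-arn>` should report the instance as healthy once httpd is answering; until it does, the ALB will keep returning 502 regardless of the network path. For a shell on the instance, `aws ssm start-session --target <instance-id>` works as soon as the agent has registered through the NAT gateway, which is why the instance needs no public IP, no open port 22 and no key pair.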