I am having trouble reaching the following endpoint from an EC2 instance that sits in a private subnet.
The architecture is as follows:
- VPC
- Private subnet 1 (with a route for 0.0.0.0/0 to the Transit Gateway)
- Private subnet 2 (with a route for 0.0.0.0/0 to the Transit Gateway)
- Transit Gateway
- The NACLs on both subnets allow all ingress and egress ports.
I run into the following problem when trying to run terraform plan or terraform apply:
2020-05-06T13:22:16.123Z [DEBUG] plugin.terraform-provider-aws_v2.60.0_x4: ---[ REQUEST POST-SIGN ]-----------------------------
2020-05-06T13:22:16.123Z [DEBUG] plugin.terraform-provider-aws_v2.60.0_x4: POST / HTTP/1.1
2020-05-06T13:22:16.123Z [DEBUG] plugin.terraform-provider-aws_v2.60.0_x4: Host: ec2.ca-central-1.amazonaws.com
2020-05-06T13:22:16.123Z [DEBUG] plugin.terraform-provider-aws_v2.60.0_x4: User-Agent: aws-sdk-go/1.30.16 (go1.13.7; linux; amd64) APN/1.0 HashiCorp/1.0 Terraform/0.12.24 (+https://www.terraform.io)
2020-05-06T13:22:16.123Z [DEBUG] plugin.terraform-provider-aws_v2.60.0_x4: Content-Length: 87
2020-05-06T13:22:16.123Z [DEBUG] plugin.terraform-provider-aws_v2.60.0_x4: Authorization: ............ SNIP .................
2020-05-06T13:22:16.123Z [DEBUG] plugin.terraform-provider-aws_v2.60.0_x4: Content-Type: application/x-www-form-urlencoded; charset=utf-8
2020-05-06T13:22:16.123Z [DEBUG] plugin.terraform-provider-aws_v2.60.0_x4: X-Amz-Date: 20200506T132216Z
2020-05-06T13:22:16.123Z [DEBUG] plugin.terraform-provider-aws_v2.60.0_x4: Accept-Encoding: gzip
2020-05-06T13:22:16.123Z [DEBUG] plugin.terraform-provider-aws_v2.60.0_x4:
2020-05-06T13:22:16.123Z [DEBUG] plugin.terraform-provider-aws_v2.60.0_x4: Action=DescribeAccountAttributes&AttributeName.1=supported-platforms&Version=2016-11-15
2020-05-06T13:22:16.123Z [DEBUG] plugin.terraform-provider-aws_v2.60.0_x4: -----------------------------------------------------
2020-05-06T13:22:46.124Z [DEBUG] plugin.terraform-provider-aws_v2.60.0_x4: 2020/05/06 13:22:46 [DEBUG] [aws-sdk-go] DEBUG: Send Request ec2/DescribeAccountAttributes failed, attempt 0/25, error RequestError: send request failed
2020-05-06T13:22:46.124Z [DEBUG] plugin.terraform-provider-aws_v2.60.0_x4: caused by: Post https://ec2.ca-central-1.amazonaws.com/: dial tcp 10.0.19.205:443: i/o timeout
2020-05-06T13:22:46.166Z [DEBUG] plugin.terraform-provider-aws_v2.60.0_x4: 2020/05/06 13:22:46 [DEBUG] [aws-sdk-go] DEBUG: Retrying Request ec2/DescribeAccountAttributes, attempt 1
2020-05-06T13:22:46.166Z [DEBUG] plugin.terraform-provider-aws_v2.60.0_x4: 2020/05/06 13:22:46 [DEBUG] [aws-sdk-go] DEBUG: Request ec2/DescribeAccountAttributes Details:
2020-05-06T13:22:46.166Z [DEBUG] plugin.terraform-provider-aws_v2.60.0_x4: ---[ REQUEST POST-SIGN ]-----
I hit exactly the same problem when running aws ec2 describe-instances from the AWS CLI. Timeout.
Notes
- I am working in a federated AWS environment via AWS SSO.
- I created an IAM user for terraform so that we do not have to keep refreshing SSO tokens, so this is not a token expiry issue.
- I am able to install tools from the Internet on the EC2 instance (Docker, Git, Terraform, etc.).
- The AMI is ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-amd64-server-20200408 (ami-0edd51cc29813e254).
- I am able to list S3 buckets using aws s3 ls.
- I am using the latest versions of Terraform and the AWS CLI.
Any ideas?
Answer 1
I think your question is "my EC2 server in a private subnet cannot reach the AWS EC2 endpoint".
The EC2 endpoint is on the internet, and resources in a private subnet normally have no public IP and no route to the internet, so this is expected behaviour. Does your private subnet have a route to the internet? A NAT Gateway or a NAT instance is the standard option.
You could also use EC2 VPC endpoints. These cost a small amount, but are basically a shortcut from your VPC across the AWS backbone to the resources you need.
Note, however, that you may need several endpoints, and they are not free. My best guess (not entirely sure) is that they cost the same as PrivateLink endpoints, currently $0.01/hour in us-east-1. In my current project I needed about 7 endpoints, and using a NAT Gateway was cheaper.
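The VPC endpoint option from the answer above, written out as an added Terraform example; this is not code from the question, the answer or the AWS provider project. It assumes a VPC in ca-central-1 (the region in the log), two private subnets and the VPC CIDR, all passed in as placeholder variables. One check worth making in the asker's situation: the log shows ec2.ca-central-1.amazonaws.com resolving to the private address 10.0.19.205, so an interface endpoint with private DNS appears to be in play already, and a timeout to that address is typically the endpoint's security group not allowing TCP 443 from the instance's subnet; the security group below is written so that this is explicit. The endpoint policy scopes use of the endpoint to the owning account, which is the least-privilege setting for a single-account VPC.

```hcl
# Added example (not from the original question, answer or AWS provider):
# an interface VPC endpoint for the EC2 API with private DNS, so that
# ec2.ca-central-1.amazonaws.com resolves to private IPs inside the VPC and
# terraform / the AWS CLI never need an internet route.
# All variable values and resource names are assumptions / placeholders.

variable "vpc_id" {
  type = string # placeholder, e.g. "vpc-0123456789abcdef0"
}

variable "private_subnet_ids" {
  type = list(string) # IDs of private subnet 1 and private subnet 2 (placeholders)
}

variable "vpc_cidr" {
  type = string # placeholder, e.g. "10.0.0.0/16"
}

data "aws_caller_identity" "current" {}

# Security group attached to the endpoint's network interfaces.
# Only HTTPS from inside the VPC is required. If this ingress rule is absent,
# TLS connections to the endpoint's private IP hang until they time out,
# which is the "dial tcp 10.0.19.205:443: i/o timeout" symptom in the log.
resource "aws_security_group" "ec2_endpoint" {
  name        = "ec2-api-endpoint"
  description = "Allow HTTPS to the EC2 interface endpoint from the VPC"
  vpc_id      = var.vpc_id

  ingress {
    description = "HTTPS from the VPC"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [var.vpc_cidr]
  }
}

resource "aws_vpc_endpoint" "ec2" {
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.ca-central-1.ec2"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.private_subnet_ids
  security_group_ids  = [aws_security_group.ec2_endpoint.id]
  private_dns_enabled = true # makes the public EC2 hostname resolve to the endpoint

  # Endpoint policy: only principals from this account may use the endpoint.
  # Without a policy the endpoint allows any principal, which is wider than needed.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = "*"
      Action    = "ec2:*"
      Resource  = "*"
      Condition = {
        StringEquals = {
          "aws:PrincipalAccount" = data.aws_caller_identity.current.account_id
        }
      }
    }]
  })
}

# Useful for verifying from the instance: dig ec2.ca-central-1.amazonaws.com
# should return one of the endpoint's private IPs listed here.
output "ec2_endpoint_dns_entries" {
  value = aws_vpc_endpoint.ec2.dns_entry
}
```

The instance's own security group still needs outbound TCP 443 (the default egress rule covers this), and each additional AWS service used by the Terraform configuration (S3 is the exception, which has a gateway endpoint) would need its own interface endpoint, which is the cost consideration the answer raises; a NAT Gateway on the private route tables remains the simpler choice when many services are involved.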