我想将端口 443 出站规则应用于“默认”安全组。它通过创建专用块来实现出站规则(注释掉了)。我不想创建新块,而是想通过引用第二个 SecurityGroupEgress 块下的 VPC.defaultsecuritygroup 在 WebServerSecurityGroup 资源本身中应用规则。但是,它不起作用。请您建议我如何实现这一点。
---
AWSTemplateFormatVersion: '2010-09-09'
Description: 'AWS CloudFormation Sample Template VPC_with_PublicIPs_And_DNS: Sample
template that creates a VPC with DNS and public IPs enabled. Note that you are billed
for the AWS resources that you use when you create a stack from this template.'
Parameters:
KeyPair:
Description: Name of the keypair to use for SSH access
Type: String
Name:
Description: Name of the keypair to use for SSH access
Type: String
Default: LinuxMachine
Resources:
VPC:
Type: AWS::EC2::VPC
Properties:
EnableDnsSupport: 'true'
EnableDnsHostnames: 'true'
CidrBlock: 10.0.0.0/16
PublicSubnet:
Type: AWS::EC2::Subnet
Properties:
VpcId:
Ref: VPC
CidrBlock: 10.0.0.0/24
InternetGateway:
Type: AWS::EC2::InternetGateway
VPCGatewayAttachment:
Type: AWS::EC2::VPCGatewayAttachment
Properties:
VpcId:
Ref: VPC
InternetGatewayId:
Ref: InternetGateway
PublicRouteTable:
Type: AWS::EC2::RouteTable
Properties:
VpcId:
Ref: VPC
PublicRoute:
Type: AWS::EC2::Route
DependsOn: VPCGatewayAttachment
Properties:
RouteTableId:
Ref: PublicRouteTable
DestinationCidrBlock: 0.0.0.0/0
GatewayId:
Ref: InternetGateway
PublicSubnetRouteTableAssociation:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
SubnetId:
Ref: PublicSubnet
RouteTableId:
Ref: PublicRouteTable
PublicSubnetNetworkAclAssociation:
Type: AWS::EC2::SubnetNetworkAclAssociation
Properties:
SubnetId:
Ref: PublicSubnet
NetworkAclId:
Fn::GetAtt:
- VPC
- DefaultNetworkAcl
WebServerSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Enable HTTP ingress
VpcId:
Ref: VPC
# Apply outbound rules to ec2 security group
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: '80'
ToPort: '80'
CidrIp: 0.0.0.0/0
- IpProtocol: tcp
FromPort: '22'
ToPort: '22'
CidrIp: 0.0.0.0/0
SecurityGroupEgress:
- IpProtocol: tcp
FromPort: '443'
ToPort: '443'
CidrIp: 127.0.0.0/0
# WIP - Default Security group
SecurityGroupEgress:
- IpProtocol: tcp
FromPort: '443'
ToPort: '443'
CidrIp: 0.0.0.0/0
GroupId: !GetAtt VPC.DefaultSecurityGroup
# Apply outbound rules to 'Default' Security Group
# OutboundRule:
# Type: AWS::EC2::SecurityGroupEgress
# Properties:
# GroupId:
# Fn::GetAtt:
# - VPC
# - DefaultSecurityGroup
# IpProtocol: tcp
# FromPort: '443'
# ToPort: '443'
# CidrIp: 0.0.0.0/0
WebServerInstance:
Type: AWS::EC2::Instance
Properties:
InstanceType: t2.micro
ImageId: ami-09e67e426f25ce0d7
Tags:
- Key: Name
Value: !Ref Name
NetworkInterfaces:
- GroupSet:
- Ref: WebServerSecurityGroup
AssociatePublicIpAddress: 'true'
DeviceIndex: '0'
DeleteOnTermination: 'true'
SubnetId:
Ref: PublicSubnet
KeyName:
Ref: KeyPair
答案1
你不能CidrIp同时拥有两者GroupId在出口规则。一个或另一个。这有效:
---
AWSTemplateFormatVersion: '2010-09-09'
Resources:
VPC:
Type: AWS::EC2::VPC
Properties:
EnableDnsSupport: 'true'
EnableDnsHostnames: 'true'
CidrBlock: 10.0.0.0/16
WebServerSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Enable HTTP ingress
VpcId:
Ref: VPC
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: '80'
ToPort: '80'
CidrIp: 0.0.0.0/0
SecurityGroupEgress:
- IpProtocol: tcp
FromPort: '443'
ToPort: '443'
DestinationSecurityGroupId: !GetAtt VPC.DefaultSecurityGroup
它创建出站规则默认安全组要求:
但这真的是你想要的吗?为什么你要允许访问不存在的实例默认SG?它确实不存在,因为我们刚刚创建了 VPC……
还可以从0.0.0.0/0也不是一个好主意 -改用 SSM您根本不需要打开入站 SSH。127.0.0.0/0如果有的话应该是 /8,但实际上这不是必需的,因为本地主机流量不受安全组的控制。
希望有帮助:)