aws (Study Notes, Lesson 6): AWS virtual private and public subnets and ACLs; defining a public bastion-host subnet and a varnish reverse proxy

Contents:

- AWS virtual private and public subnets, and ACLs
- Defining a public bastion-host subnet, a private subnet and a public subnet, and a varnish reverse proxy

1. AWS virtual private and public subnets, and ACLs

AWS virtual private subnets

Users can define their own private subnets on AWS. For example, databases, applications and Apache servers can be built on the private network and then reached through the public network in order to provide services externally. This is the same idea as in object-oriented C++, where private variables and methods must never be declared public and exposed to end users. Any service that does not need to be exposed should be placed in the private network.

AWS virtual public subnets

The counterpart of the private subnet above is the public subnet. The public subnet is what ultimately serves users, and it opens network ports to end clients. Services on the public network sit in the middle: they serve public users and can also reach the application services, database services and other services in the private subnet.

Differences between an ACL (network access control list) and a SecurityGroup

- They apply to different objects.
  - An ACL is set on a Subnet and defines the network access rules for that Subnet. Note that by default all networks inside the same VPC can reach each other, but once an ACL is defined, traffic is restricted by it and anything that is not explicitly allowed is blocked.
  - A SecurityGroup is set on services such as an EC2 server, not on a Subnet.
- Stateful versus stateless.
  - An ACL is stateless: even if a packet is allowed in, the reply cannot leave unless an outbound rule also matches it.
  - A SecurityGroup is stateful: when a packet is allowed in, the reply is automatically allowed out.

2. Defining the public bastion-host subnet, the private subnet and the public subnet

Overall network topology (the public subnet on the right uses varnish as a reverse proxy to expose the Apache server in the private subnet)

Creating the VPC and the other services step by step

Create the VPC and the IGW (Internet Gateway)

```json
"VPC": {
  "Type": "AWS::EC2::VPC",
  "Properties": {"CidrBlock": "10.0.0.0/16", "EnableDnsHostnames": true}
},
"InternetGateway": {
  "Type": "AWS::EC2::InternetGateway",
  "Properties": {}
},
"VPCGatewayAttachment": {
  "Type": "AWS::EC2::VPCGatewayAttachment",
  "Properties": {"VpcId": {"Ref": "VPC"}, "InternetGatewayId": {"Ref": "InternetGateway"}}
},
```

Create the bastion subnet (public subnet), Bastion

- The CidrBlock is 10.0.1.0/24.
- RoutePublicSSHBastionToInternet lets the bastion subnet reach the Internet.
- NetworkAclEntryInPublicSSHBastionSSH lets other hosts on the Internet connect on port 22 (inbound rule, `Egress: false`).
- NetworkAclEntryInPublicSSHBastionEphemeralPorts lets hosts in the VPC connect on ephemeral ports (inbound rule, `Egress: false`).
- NetworkAclEntryOutPublicSSHBastionSSH lets hosts in the bastion subnet connect to other hosts on port 22 (outbound rule, `Egress: true`).
- NetworkAclEntryOutPublicSSHBastionEphemeralPorts allows traffic to Internet hosts on ephemeral ports (outbound rule, `Egress: true`).

```json
"SubnetPublicSSHBastion": {
  "Type": "AWS::EC2::Subnet",
  "Properties": {
    "AvailabilityZone": {"Fn::Select": ["0", {"Fn::GetAZs": ""}]},
    "CidrBlock": "10.0.1.0/24",
    "VpcId": {"Ref": "VPC"}
  }
},
"RouteTablePublicSSHBastion": {
  "Type": "AWS::EC2::RouteTable",
  "Properties": {"VpcId": {"Ref": "VPC"}}
},
"RouteTableAssociationPublicSSHBastion": {
  "Type": "AWS::EC2::SubnetRouteTableAssociation",
  "Properties": {
    "SubnetId": {"Ref": "SubnetPublicSSHBastion"},
    "RouteTableId": {"Ref": "RouteTablePublicSSHBastion"}
  }
},
"RoutePublicSSHBastionToInternet": {
  "Type": "AWS::EC2::Route",
  "Properties": {
    "RouteTableId": {"Ref": "RouteTablePublicSSHBastion"},
    "DestinationCidrBlock": "0.0.0.0/0",
    "GatewayId": {"Ref": "InternetGateway"}
  },
  "DependsOn": "VPCGatewayAttachment"
},
"NetworkAclPublicSSHBastion": {
  "Type": "AWS::EC2::NetworkAcl",
  "Properties": {"VpcId": {"Ref": "VPC"}}
},
"SubnetNetworkAclAssociationPublicSSHBastion": {
  "Type": "AWS::EC2::SubnetNetworkAclAssociation",
  "Properties": {
    "SubnetId": {"Ref": "SubnetPublicSSHBastion"},
    "NetworkAclId": {"Ref": "NetworkAclPublicSSHBastion"}
  }
},
"NetworkAclEntryInPublicSSHBastionSSH": {
  "Type": "AWS::EC2::NetworkAclEntry",
  "Properties": {
    "NetworkAclId": {"Ref": "NetworkAclPublicSSHBastion"},
    "RuleNumber": 100, "Protocol": 6, "PortRange": {"From": 22, "To": 22},
    "RuleAction": "allow", "Egress": false, "CidrBlock": "0.0.0.0/0"
  }
},
"NetworkAclEntryInPublicSSHBastionEphemeralPorts": {
  "Type": "AWS::EC2::NetworkAclEntry",
  "Properties": {
    "NetworkAclId": {"Ref": "NetworkAclPublicSSHBastion"},
    "RuleNumber": 200, "Protocol": 6, "PortRange": {"From": 1024, "To": 65535},
    "RuleAction": "allow", "Egress": false, "CidrBlock": "10.0.0.0/16"
  }
},
"NetworkAclEntryOutPublicSSHBastionSSH": {
  "Type": "AWS::EC2::NetworkAclEntry",
  "Properties": {
    "NetworkAclId": {"Ref": "NetworkAclPublicSSHBastion"},
    "RuleNumber": 100, "Protocol": 6, "PortRange": {"From": 22, "To": 22},
    "RuleAction": "allow", "Egress": true, "CidrBlock": "10.0.0.0/16"
  }
},
"NetworkAclEntryOutPublicSSHBastionEphemeralPorts": {
  "Type": "AWS::EC2::NetworkAclEntry",
  "Properties": {
    "NetworkAclId": {"Ref": "NetworkAclPublicSSHBastion"},
    "RuleNumber": 200, "Protocol": 6, "PortRange": {"From": 1024, "To": 65535},
    "RuleAction": "allow", "Egress": true, "CidrBlock": "0.0.0.0/0"
  }
},
```

Create the varnish subnet (public subnet), varnish

```json
"SubnetPublicVarnish": {
  "Type": "AWS::EC2::Subnet",
  "Properties": {
    "AvailabilityZone": {"Fn::Select": ["0", {"Fn::GetAZs": ""}]},
    "CidrBlock": "10.0.2.0/24",
    "VpcId": {"Ref": "VPC"}
  }
},
"RouteTablePublicVarnish": {
  "Type": "AWS::EC2::RouteTable",
  "Properties": {"VpcId": {"Ref": "VPC"}}
},
"RouteTableAssociationPublicVarnish": {
  "Type": "AWS::EC2::SubnetRouteTableAssociation",
  "Properties": {
    "SubnetId": {"Ref": "SubnetPublicVarnish"},
    "RouteTableId": {"Ref": "RouteTablePublicVarnish"}
  }
},
"RoutePublicVarnishToInternet": {
  "Type": "AWS::EC2::Route",
  "Properties": {
    "RouteTableId": {"Ref": "RouteTablePublicVarnish"},
    "DestinationCidrBlock": "0.0.0.0/0",
    "GatewayId": {"Ref": "InternetGateway"}
  },
  "DependsOn": "VPCGatewayAttachment"
},
"NetworkAclPublicVarnish": {
  "Type": "AWS::EC2::NetworkAcl",
  "Properties": {"VpcId": {"Ref": "VPC"}}
},
"SubnetNetworkAclAssociationPublicVarnish": {
  "Type": "AWS::EC2::SubnetNetworkAclAssociation",
  "Properties": {
    "SubnetId": {"Ref": "SubnetPublicVarnish"},
    "NetworkAclId": {"Ref": "NetworkAclPublicVarnish"}
  }
},
"NetworkAclEntryInPublicVarnishSSH": {
  "Type": "AWS::EC2::NetworkAclEntry",
  "Properties": {
    "NetworkAclId": {"Ref": "NetworkAclPublicVarnish"},
    "RuleNumber": 100, "Protocol": 6, "PortRange": {"From": 22, "To": 22},
    "RuleAction": "allow", "Egress": false, "CidrBlock": "10.0.1.0/24"
  }
},
"NetworkAclEntryInPublicVarnishHTTP": {
  "Type": "AWS::EC2::NetworkAclEntry",
  "Properties": {
    "NetworkAclId": {"Ref": "NetworkAclPublicVarnish"},
    "RuleNumber": 110, "Protocol": 6, "PortRange": {"From": 80, "To": 80},
    "RuleAction": "allow", "Egress": false, "CidrBlock": "0.0.0.0/0"
  }
},
"NetworkAclEntryInPublicVarnishEphemeralPorts": {
  "Type": "AWS::EC2::NetworkAclEntry",
  "Properties": {
    "NetworkAclId": {"Ref": "NetworkAclPublicVarnish"},
    "RuleNumber": 200, "Protocol": 6, "PortRange": {"From": 1024, "To": 65535},
    "RuleAction": "allow", "Egress": false, "CidrBlock": "0.0.0.0/0"
  }
},
"NetworkAclEntryOutPublicVarnishHTTP": {
  "Type": "AWS::EC2::NetworkAclEntry",
  "Properties": {
    "NetworkAclId": {"Ref": "NetworkAclPublicVarnish"},
    "RuleNumber": 100, "Protocol": 6, "PortRange": {"From": 80, "To": 80},
    "RuleAction": "allow", "Egress": true, "CidrBlock": "0.0.0.0/0"
  }
},
"NetworkAclEntryOutPublicVarnishHTTPS": {
  "Type": "AWS::EC2::NetworkAclEntry",
  "Properties": {
    "NetworkAclId": {"Ref": "NetworkAclPublicVarnish"},
    "RuleNumber": 110, "Protocol": 6, "PortRange": {"From": 443, "To": 443},
    "RuleAction": "allow", "Egress": true, "CidrBlock": "0.0.0.0/0"
  }
},
"NetworkAclEntryOutPublicVarnishEphemeralPorts": {
  "Type": "AWS::EC2::NetworkAclEntry",
  "Properties": {
    "NetworkAclId": {"Ref": "NetworkAclPublicVarnish"},
    "RuleNumber": 200, "Protocol": 6, "PortRange": {"From": 1024, "To": 65535},
    "RuleAction": "allow", "Egress": true, "CidrBlock": "0.0.0.0/0"
  }
},
```

Create the private subnet

RoutePrivateApacheToInternet in this fragment routes through an instance named NatServer. The complete template further down does not define NatServer and does not contain this route.

```json
"SubnetPrivateApache": {
  "Type": "AWS::EC2::Subnet",
  "Properties": {
    "AvailabilityZone": {"Fn::Select": ["0", {"Fn::GetAZs": ""}]},
    "CidrBlock": "10.0.3.0/24",
    "VpcId": {"Ref": "VPC"}
  }
},
"RouteTablePrivateApache": {
  "Type": "AWS::EC2::RouteTable",
  "Properties": {"VpcId": {"Ref": "VPC"}}
},
"RouteTableAssociationPrivateApache": {
  "Type": "AWS::EC2::SubnetRouteTableAssociation",
  "Properties": {
    "SubnetId": {"Ref": "SubnetPrivateApache"},
    "RouteTableId": {"Ref": "RouteTablePrivateApache"}
  }
},
"RoutePrivateApacheToInternet": {
  "Type": "AWS::EC2::Route",
  "Properties": {
    "RouteTableId": {"Ref": "RouteTablePrivateApache"},
    "DestinationCidrBlock": "0.0.0.0/0",
    "InstanceId": {"Ref": "NatServer"}
  }
},
"NetworkAclPrivateApache": {
  "Type": "AWS::EC2::NetworkAcl",
  "Properties": {"VpcId": {"Ref": "VPC"}}
},
"SubnetNetworkAclAssociationPrivateApache": {
  "Type": "AWS::EC2::SubnetNetworkAclAssociation",
  "Properties": {
    "SubnetId": {"Ref": "SubnetPrivateApache"},
    "NetworkAclId": {"Ref": "NetworkAclPrivateApache"}
  }
},
"NetworkAclEntryInPrivateApacheSSH": {
  "Type": "AWS::EC2::NetworkAclEntry",
  "Properties": {
    "NetworkAclId": {"Ref": "NetworkAclPrivateApache"},
    "RuleNumber": 100, "Protocol": 6, "PortRange": {"From": 22, "To": 22},
    "RuleAction": "allow", "Egress": false, "CidrBlock": "10.0.1.0/24"
  }
},
"NetworkAclEntryInPrivateApacheHTTP": {
  "Type": "AWS::EC2::NetworkAclEntry",
  "Properties": {
    "NetworkAclId": {"Ref": "NetworkAclPrivateApache"},
    "RuleNumber": 110, "Protocol": 6, "PortRange": {"From": 80, "To": 80},
    "RuleAction": "allow", "Egress": false, "CidrBlock": "10.0.2.0/24"
  }
},
"NetworkAclEntryInPrivateApacheEphemeralPorts": {
  "Type": "AWS::EC2::NetworkAclEntry",
  "Properties": {
    "NetworkAclId": {"Ref": "NetworkAclPrivateApache"},
    "RuleNumber": 200, "Protocol": 6, "PortRange": {"From": 1024, "To": 65535},
    "RuleAction": "allow", "Egress": false, "CidrBlock": "0.0.0.0/0"
  }
},
"NetworkAclEntryOutPrivateApacheHTTP": {
  "Type": "AWS::EC2::NetworkAclEntry",
  "Properties": {
    "NetworkAclId": {"Ref": "NetworkAclPrivateApache"},
    "RuleNumber": 100, "Protocol": 6, "PortRange": {"From": 80, "To": 80},
    "RuleAction": "allow", "Egress": true, "CidrBlock": "0.0.0.0/0"
  }
},
"NetworkAclEntryOutPrivateApacheHTTPS": {
  "Type": "AWS::EC2::NetworkAclEntry",
  "Properties": {
    "NetworkAclId": {"Ref": "NetworkAclPrivateApache"},
    "RuleNumber": 110, "Protocol": 6, "PortRange": {"From": 443, "To": 443},
    "RuleAction": "allow", "Egress": true, "CidrBlock": "0.0.0.0/0"
  }
},
"NetworkAclEntryOutPrivateApacheEphemeralPorts": {
  "Type": "AWS::EC2::NetworkAclEntry",
  "Properties": {
    "NetworkAclId": {"Ref": "NetworkAclPrivateApache"},
    "RuleNumber": 200, "Protocol": 6, "PortRange": {"From": 1024, "To": 65535},
    "RuleAction": "allow", "Egress": true, "CidrBlock": "10.0.0.0/16"
  }
},
```

Create the complete AWS stack

The SecurityGroup in this template allows every protocol and port from and to 0.0.0.0/0, so the network ACLs are the only filter in this stack.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "(VPC)",
  "Parameters": {
    "KeyName": {
      "Description": "Key Pair name",
      "Type": "AWS::EC2::KeyPair::KeyName",
      "Default": "my-cli-key"
    }
  },
  "Mappings": {
    "EC2RegionMap": {
      "ap-northeast-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-03f584e50b2d32776", "AmazonLinuxNATAMIHVMEBSBacked64bit": "ami-03cf3903"},
      "ap-southeast-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-68d8e93a", "AmazonLinuxNATAMIHVMEBSBacked64bit": "ami-b49dace6"},
      "ap-southeast-2": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-fd9cecc7", "AmazonLinuxNATAMIHVMEBSBacked64bit": "ami-e7ee9edd"},
      "eu-central-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-a8221fb5", "AmazonLinuxNATAMIHVMEBSBacked64bit": "ami-46073a5b"},
      "eu-west-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-a10897d6", "AmazonLinuxNATAMIHVMEBSBacked64bit": "ami-6975eb1e"},
      "sa-east-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-b52890a8", "AmazonLinuxNATAMIHVMEBSBacked64bit": "ami-fbfa41e6"},
      "us-east-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-1ecae776", "AmazonLinuxNATAMIHVMEBSBacked64bit": "ami-303b1458"},
      "us-west-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-d114f295", "AmazonLinuxNATAMIHVMEBSBacked64bit": "ami-7da94839"},
      "us-west-2": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-e7527ed7", "AmazonLinuxNATAMIHVMEBSBacked64bit": "ami-69ae8259"}
    }
  },
  "Resources": {
    "SecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {"GroupDescription": "My security group", "VpcId": {"Ref": "VPC"}}
    },
    "SecurityGroupIngress": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "IpProtocol": "-1", "FromPort": -1, "ToPort": -1,
        "CidrIp": "0.0.0.0/0", "GroupId": {"Ref": "SecurityGroup"}
      }
    },
    "SecurityGroupEgress": {
      "Type": "AWS::EC2::SecurityGroupEgress",
      "Properties": {
        "IpProtocol": "-1", "FromPort": -1, "ToPort": -1,
        "CidrIp": "0.0.0.0/0", "GroupId": {"Ref": "SecurityGroup"}
      }
    },
    "VPC": {
      "Type": "AWS::EC2::VPC",
      "Properties": {"CidrBlock": "10.0.0.0/16", "EnableDnsHostnames": true}
    },
    "InternetGateway": {
      "Type": "AWS::EC2::InternetGateway",
      "Properties": {}
    },
    "VPCGatewayAttachment": {
      "Type": "AWS::EC2::VPCGatewayAttachment",
      "Properties": {"VpcId": {"Ref": "VPC"}, "InternetGatewayId": {"Ref": "InternetGateway"}}
    },
    "SubnetPublicSSHBastion": {
      "Type": "AWS::EC2::Subnet",
      "Properties": {
        "AvailabilityZone": {"Fn::Select": ["0", {"Fn::GetAZs": ""}]},
        "CidrBlock": "10.0.1.0/24",
        "VpcId": {"Ref": "VPC"}
      }
    },
    "RouteTablePublicSSHBastion": {
      "Type": "AWS::EC2::RouteTable",
      "Properties": {"VpcId": {"Ref": "VPC"}}
    },
    "RouteTableAssociationPublicSSHBastion": {
      "Type": "AWS::EC2::SubnetRouteTableAssociation",
      "Properties": {
        "SubnetId": {"Ref": "SubnetPublicSSHBastion"},
        "RouteTableId": {"Ref": "RouteTablePublicSSHBastion"}
      }
    },
    "RoutePublicSSHBastionToInternet": {
      "Type": "AWS::EC2::Route",
      "Properties": {
        "RouteTableId": {"Ref": "RouteTablePublicSSHBastion"},
        "DestinationCidrBlock": "0.0.0.0/0",
        "GatewayId": {"Ref": "InternetGateway"}
      },
      "DependsOn": "VPCGatewayAttachment"
    },
    "NetworkAclPublicSSHBastion": {
      "Type": "AWS::EC2::NetworkAcl",
      "Properties": {"VpcId": {"Ref": "VPC"}}
    },
    "SubnetNetworkAclAssociationPublicSSHBastion": {
      "Type": "AWS::EC2::SubnetNetworkAclAssociation",
      "Properties": {
        "SubnetId": {"Ref": "SubnetPublicSSHBastion"},
        "NetworkAclId": {"Ref": "NetworkAclPublicSSHBastion"}
      }
    },
    "NetworkAclEntryInPublicSSHBastionSSH": {
      "Type": "AWS::EC2::NetworkAclEntry",
      "Properties": {
        "NetworkAclId": {"Ref": "NetworkAclPublicSSHBastion"},
        "RuleNumber": 100, "Protocol": 6, "PortRange": {"From": 22, "To": 22},
        "RuleAction": "allow", "Egress": false, "CidrBlock": "0.0.0.0/0"
      }
    },
    "NetworkAclEntryInPublicSSHBastionEphemeralPorts": {
      "Type": "AWS::EC2::NetworkAclEntry",
      "Properties": {
        "NetworkAclId": {"Ref": "NetworkAclPublicSSHBastion"},
        "RuleNumber": 200, "Protocol": 6, "PortRange": {"From": 1024, "To": 65535},
        "RuleAction": "allow", "Egress": false, "CidrBlock": "10.0.0.0/16"
      }
    },
    "NetworkAclEntryOutPublicSSHBastionSSH": {
      "Type": "AWS::EC2::NetworkAclEntry",
      "Properties": {
        "NetworkAclId": {"Ref": "NetworkAclPublicSSHBastion"},
        "RuleNumber": 100, "Protocol": 6, "PortRange": {"From": 22, "To": 22},
        "RuleAction": "allow", "Egress": true, "CidrBlock": "10.0.0.0/16"
      }
    },
    "NetworkAclEntryOutPublicSSHBastionEphemeralPorts": {
      "Type": "AWS::EC2::NetworkAclEntry",
      "Properties": {
        "NetworkAclId": {"Ref": "NetworkAclPublicSSHBastion"},
        "RuleNumber": 200, "Protocol": 6, "PortRange": {"From": 1024, "To": 65535},
        "RuleAction": "allow", "Egress": true, "CidrBlock": "0.0.0.0/0"
      }
    },
    "SubnetPublicVarnish": {
      "Type": "AWS::EC2::Subnet",
      "Properties": {
        "AvailabilityZone": {"Fn::Select": ["0", {"Fn::GetAZs": ""}]},
        "CidrBlock": "10.0.2.0/24",
        "VpcId": {"Ref": "VPC"}
      }
    },
    "RouteTablePublicVarnish": {
      "Type": "AWS::EC2::RouteTable",
      "Properties": {"VpcId": {"Ref": "VPC"}}
    },
    "RouteTableAssociationPublicVarnish": {
      "Type": "AWS::EC2::SubnetRouteTableAssociation",
      "Properties": {
        "SubnetId": {"Ref": "SubnetPublicVarnish"},
        "RouteTableId": {"Ref": "RouteTablePublicVarnish"}
      }
    },
    "RoutePublicVarnishToInternet": {
      "Type": "AWS::EC2::Route",
      "Properties": {
        "RouteTableId": {"Ref": "RouteTablePublicVarnish"},
        "DestinationCidrBlock": "0.0.0.0/0",
        "GatewayId": {"Ref": "InternetGateway"}
      },
      "DependsOn": "VPCGatewayAttachment"
    },
    "NetworkAclPublicVarnish": {
      "Type": "AWS::EC2::NetworkAcl",
      "Properties": {"VpcId": {"Ref": "VPC"}}
    },
    "SubnetNetworkAclAssociationPublicVarnish": {
      "Type": "AWS::EC2::SubnetNetworkAclAssociation",
      "Properties": {
        "SubnetId": {"Ref": "SubnetPublicVarnish"},
        "NetworkAclId": {"Ref": "NetworkAclPublicVarnish"}
      }
    },
    "NetworkAclEntryInPublicVarnishSSH": {
      "Type": "AWS::EC2::NetworkAclEntry",
      "Properties": {
        "NetworkAclId": {"Ref": "NetworkAclPublicVarnish"},
        "RuleNumber": 100, "Protocol": 6, "PortRange": {"From": 22, "To": 22},
        "RuleAction": "allow", "Egress": false, "CidrBlock": "10.0.1.0/24"
      }
    },
    "NetworkAclEntryInPublicVarnishHTTP": {
      "Type": "AWS::EC2::NetworkAclEntry",
      "Properties": {
        "NetworkAclId": {"Ref": "NetworkAclPublicVarnish"},
        "RuleNumber": 110, "Protocol": 6, "PortRange": {"From": 80, "To": 80},
        "RuleAction": "allow", "Egress": false, "CidrBlock": "0.0.0.0/0"
      }
    },
    "NetworkAclEntryInPublicVarnishEphemeralPorts": {
      "Type": "AWS::EC2::NetworkAclEntry",
      "Properties": {
        "NetworkAclId": {"Ref": "NetworkAclPublicVarnish"},
        "RuleNumber": 200, "Protocol": 6, "PortRange": {"From": 1024, "To": 65535},
        "RuleAction": "allow", "Egress": false, "CidrBlock": "0.0.0.0/0"
      }
    },
    "NetworkAclEntryOutPublicVarnishHTTP": {
      "Type": "AWS::EC2::NetworkAclEntry",
      "Properties": {
        "NetworkAclId": {"Ref": "NetworkAclPublicVarnish"},
        "RuleNumber": 100, "Protocol": 6, "PortRange": {"From": 80, "To": 80},
        "RuleAction": "allow", "Egress": true, "CidrBlock": "0.0.0.0/0"
      }
    },
    "NetworkAclEntryOutPublicVarnishHTTPS": {
      "Type": "AWS::EC2::NetworkAclEntry",
      "Properties": {
        "NetworkAclId": {"Ref": "NetworkAclPublicVarnish"},
        "RuleNumber": 110, "Protocol": 6, "PortRange": {"From": 443, "To": 443},
        "RuleAction": "allow", "Egress": true, "CidrBlock": "0.0.0.0/0"
      }
    },
    "NetworkAclEntryOutPublicVarnishEphemeralPorts": {
      "Type": "AWS::EC2::NetworkAclEntry",
      "Properties": {
        "NetworkAclId": {"Ref": "NetworkAclPublicVarnish"},
        "RuleNumber": 200, "Protocol": 6, "PortRange": {"From": 1024, "To": 65535},
        "RuleAction": "allow", "Egress": true, "CidrBlock": "0.0.0.0/0"
      }
    },
    "SubnetPrivateApache": {
      "Type": "AWS::EC2::Subnet",
      "Properties": {
        "AvailabilityZone": {"Fn::Select": ["0", {"Fn::GetAZs": ""}]},
        "CidrBlock": "10.0.3.0/24",
        "VpcId": {"Ref": "VPC"}
      }
    },
    "RouteTablePrivateApache": {
      "Type": "AWS::EC2::RouteTable",
      "Properties": {"VpcId": {"Ref": "VPC"}}
    },
    "RouteTableAssociationPrivateApache": {
      "Type": "AWS::EC2::SubnetRouteTableAssociation",
      "Properties": {
        "SubnetId": {"Ref": "SubnetPrivateApache"},
        "RouteTableId": {"Ref": "RouteTablePrivateApache"}
      }
    },
    "NetworkAclPrivateApache": {
      "Type": "AWS::EC2::NetworkAcl",
      "Properties": {"VpcId": {"Ref": "VPC"}}
    },
    "SubnetNetworkAclAssociationPrivateApache": {
      "Type": "AWS::EC2::SubnetNetworkAclAssociation",
      "Properties": {
        "SubnetId": {"Ref": "SubnetPrivateApache"},
        "NetworkAclId": {"Ref": "NetworkAclPrivateApache"}
      }
    },
    "NetworkAclEntryInPrivateApacheSSH": {
      "Type": "AWS::EC2::NetworkAclEntry",
      "Properties": {
        "NetworkAclId": {"Ref": "NetworkAclPrivateApache"},
        "RuleNumber": 100, "Protocol": 6, "PortRange": {"From": 22, "To": 22},
        "RuleAction": "allow", "Egress": false, "CidrBlock": "10.0.1.0/24"
      }
    },
    "NetworkAclEntryInPrivateApacheHTTP": {
      "Type": "AWS::EC2::NetworkAclEntry",
      "Properties": {
        "NetworkAclId": {"Ref": "NetworkAclPrivateApache"},
        "RuleNumber": 110, "Protocol": 6, "PortRange": {"From": 80, "To": 80},
        "RuleAction": "allow", "Egress": false, "CidrBlock": "10.0.2.0/24"
      }
    },
    "NetworkAclEntryInPrivateApacheEphemeralPorts": {
      "Type": "AWS::EC2::NetworkAclEntry",
      "Properties": {
        "NetworkAclId": {"Ref": "NetworkAclPrivateApache"},
        "RuleNumber": 200, "Protocol": 6, "PortRange": {"From": 1024, "To": 65535},
        "RuleAction": "allow", "Egress": false, "CidrBlock": "0.0.0.0/0"
      }
    },
    "NetworkAclEntryOutPrivateApacheHTTP": {
      "Type": "AWS::EC2::NetworkAclEntry",
      "Properties": {
        "NetworkAclId": {"Ref": "NetworkAclPrivateApache"},
        "RuleNumber": 100, "Protocol": 6, "PortRange": {"From": 80, "To": 80},
        "RuleAction": "allow", "Egress": true, "CidrBlock": "0.0.0.0/0"
      }
    },
    "NetworkAclEntryOutPrivateApacheHTTPS": {
      "Type": "AWS::EC2::NetworkAclEntry",
      "Properties": {
        "NetworkAclId": {"Ref": "NetworkAclPrivateApache"},
        "RuleNumber": 110, "Protocol": 6, "PortRange": {"From": 443, "To": 443},
        "RuleAction": "allow", "Egress": true, "CidrBlock": "0.0.0.0/0"
      }
    },
    "NetworkAclEntryOutPrivateApacheEphemeralPorts": {
      "Type": "AWS::EC2::NetworkAclEntry",
      "Properties": {
        "NetworkAclId": {"Ref": "NetworkAclPrivateApache"},
        "RuleNumber": 200, "Protocol": 6, "PortRange": {"From": 1024, "To": 65535},
        "RuleAction": "allow", "Egress": true, "CidrBlock": "10.0.0.0/16"
      }
    },
    "BastionHost": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "ImageId": {"Fn::FindInMap": ["EC2RegionMap", {"Ref": "AWS::Region"}, "AmazonLinuxAMIHVMEBSBacked64bit"]},
        "InstanceType": "t2.micro",
        "KeyName": {"Ref": "KeyName"},
        "NetworkInterfaces": [{
          "AssociatePublicIpAddress": true,
          "DeleteOnTermination": true,
          "SubnetId": {"Ref": "SubnetPublicSSHBastion"},
          "DeviceIndex": "0",
          "GroupSet": [{"Ref": "SecurityGroup"}]
        }]
      },
      "DependsOn": "VPCGatewayAttachment"
    },
    "VarnishServer": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "ImageId": {"Fn::FindInMap": ["EC2RegionMap", {"Ref": "AWS::Region"}, "AmazonLinuxAMIHVMEBSBacked64bit"]},
        "InstanceType": "t2.micro",
        "KeyName": {"Ref": "KeyName"},
        "NetworkInterfaces": [{
          "AssociatePublicIpAddress": true,
          "DeleteOnTermination": true,
          "SubnetId": {"Ref": "SubnetPublicVarnish"},
          "DeviceIndex": "0",
          "GroupSet": [{"Ref": "SecurityGroup"}]
        }],
        "UserData": {"Fn::Base64": {"Fn::Join": ["", [
          "#!/bin/bash -ex\n",
          "yum -y install varnish-3.0.7\n",
          "cat > /etc/varnish/default.vcl << EOF\n",
          "backend default {\n",
          "  .host = \"", {"Fn::GetAtt": ["ApacheServer", "PrivateIp"]}, "\";\n",
          "  .port = \"80\";\n",
          "}\n",
          "EOF\n",
          "sed -i.bak \"s/^VARNISH_LISTEN_PORT=.*/VARNISH_LISTEN_PORT=80/\" /etc/sysconfig/varnish\n",
          "service varnish start\n",
          "/opt/aws/bin/cfn-signal --stack ", {"Ref": "AWS::StackName"}, " --resource VarnishServer --region ", {"Ref": "AWS::Region"}, "\n"
        ]]}}
      },
      "DependsOn": "VPCGatewayAttachment"
    },
    "ApacheServer": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "ImageId": {"Fn::FindInMap": ["EC2RegionMap", {"Ref": "AWS::Region"}, "AmazonLinuxAMIHVMEBSBacked64bit"]},
        "InstanceType": "t2.micro",
        "KeyName": {"Ref": "KeyName"},
        "NetworkInterfaces": [{
          "AssociatePublicIpAddress": false,
          "DeleteOnTermination": true,
          "SubnetId": {"Ref": "SubnetPrivateApache"},
          "DeviceIndex": "0",
          "GroupSet": [{"Ref": "SecurityGroup"}]
        }],
        "UserData": {"Fn::Base64": {"Fn::Join": ["", [
          "#!/bin/bash -ex\n",
          "yum -y install httpd\n",
          "service httpd start\n",
          "/opt/aws/bin/cfn-signal --stack ", {"Ref": "AWS::StackName"}, " --resource ApacheServer --region ", {"Ref": "AWS::Region"}, "\n"
        ]]}}
      }
    }
  },
  "Outputs": {
    "BastionHostPublicName": {
      "Value": {"Fn::GetAtt": ["BastionHost", "PublicDnsName"]},
      "Description": "connect via SSH as user ec2-user"
    },
    "VarnishServerPublicName": {
      "Value": {"Fn::GetAtt": ["VarnishServer", "PublicDnsName"]},
      "Description": "handles HTTP requests"
    },
    "VarnishServerPrivateIp": {
      "Value": {"Fn::GetAtt": ["VarnishServer", "PrivateIp"]},
      "Description": "connect via SSH from bastion host"
    },
    "ApacheServerPrivateIp": {
      "Value": {"Fn::GetAtt": ["ApacheServer", "PrivateIp"]},
      "Description": "connect via SSH from bastion host"
    }
  }
}
```

Testing the created stack

Execution result

A note: do not assume that the user for connecting to an EC2 server is always ec2-user. Some AMIs use the ubuntu user. It is best to confirm this on the EC2 server's connect screen.

Accessing the Apache server (private subnet) over SSH through the bastion host

- `ssh -A ubuntu@ec2-13-230-4-241.ap-northeast-1.compute.amazonaws.com` connects to the bastion host in agent-forwarding mode.
- `ssh 10.0.3.198` then reaches the Apache host in the private subnet directly.

```
Dell@DESKTOP-DHMQMJG MINGW64 /
$ eval `ssh-agent`
Agent pid 2195

Dell@DESKTOP-DHMQMJG MINGW64 /
$ ssh-add ~/.ssh/my-cli-key.pem
Identity added: /c/Users/Dell/.ssh/my-cli-key.pem (/c/Users/Dell/.ssh/my-cli-key.pem)

Dell@DESKTOP-DHMQMJG MINGW64 /
$ ssh -A ubuntu@ec2-13-230-4-241.ap-northeast-1.compute.amazonaws.com
Welcome to Ubuntu 24.04.1 LTS (GNU/Linux 6.8.0-1016-aws x86_64)
ubuntu@ip-10-0-1-169:~$ ssh 10.0.3.198
Welcome to Ubuntu 24.04.1 LTS (GNU/Linux 6.8.0-1016-aws x86_64)
```

Accessing the Apache server (private subnet) over HTTP through the varnish reverse proxy

```
ubuntu@ip-10-0-1-169:~$ ssh ec2-52-195-182-135.ap-northeast-1.compute.amazonaws.com
The authenticity of host 'ec2-52-195-182-135.ap-northeast-1.compute.amazonaws.com (10.0.2.170)' can't be established.
ED25519 key fingerprint is SHA256:r4A9nVkEUhL1ovBuKc90hnYZUNilz/xxFKlPYj0kyOQ.
```
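The stateless ACL behaviour from section 1 and the NetworkAclEntry rules from section 2 can be checked offline with a small model. The Python below is an added example, not part of the original notes and not an AWS API: the rule tuples are transcribed from the template, the function names are hypothetical, and the model covers TCP only with a constructed client source port of 50000.

```python
import ipaddress

SUBNETS = {"bastion": "10.0.1.0/24", "varnish": "10.0.2.0/24", "apache": "10.0.3.0/24"}

# Transcribed from the template's NetworkAclEntry resources (all TCP, all "allow"):
# (RuleNumber, Egress, CidrBlock, PortRange.From, PortRange.To)
NACLS = {
    "bastion": [
        (100, False, "0.0.0.0/0", 22, 22),
        (200, False, "10.0.0.0/16", 1024, 65535),
        (100, True, "10.0.0.0/16", 22, 22),
        (200, True, "0.0.0.0/0", 1024, 65535),
    ],
    "varnish": [
        (100, False, "10.0.1.0/24", 22, 22),
        (110, False, "0.0.0.0/0", 80, 80),
        (200, False, "0.0.0.0/0", 1024, 65535),
        (100, True, "0.0.0.0/0", 80, 80),
        (110, True, "0.0.0.0/0", 443, 443),
        (200, True, "0.0.0.0/0", 1024, 65535),
    ],
    "apache": [
        (100, False, "10.0.1.0/24", 22, 22),
        (110, False, "10.0.2.0/24", 80, 80),
        (200, False, "0.0.0.0/0", 1024, 65535),
        (100, True, "0.0.0.0/0", 80, 80),
        (110, True, "0.0.0.0/0", 443, 443),
        (200, True, "10.0.0.0/16", 1024, 65535),
    ],
}


def subnet_of(ip):
    """Name of the VPC subnet holding ip, or None for a host outside the VPC."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in SUBNETS.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return None


def acl_allows(nacls, subnet, egress, peer_ip, port):
    """Evaluate one direction of one subnet's ACL against the remote address and port."""
    if subnet is None:
        return True  # hosts outside the VPC are not behind any of these ACLs
    peer = ipaddress.ip_address(peer_ip)
    for _num, rule_egress, cidr, lo, hi in sorted(nacls[subnet]):
        if rule_egress == egress and peer in ipaddress.ip_network(cidr) and lo <= port <= hi:
            return True  # lowest-numbered matching rule decides; every rule here is "allow"
    return False  # implicit deny when nothing matches


def tcp_flow_allowed(src_ip, dst_ip, dst_port, src_port=50000, nacls=NACLS):
    """True only if the request AND the reply both pass every ACL they cross."""
    src, dst = subnet_of(src_ip), subnet_of(dst_ip)
    if src == dst and src is not None:
        return True  # traffic inside one subnet never crosses a network ACL
    return (acl_allows(nacls, src, True, dst_ip, dst_port)        # request leaves source subnet
            and acl_allows(nacls, dst, False, src_ip, dst_port)   # request enters destination subnet
            and acl_allows(nacls, dst, True, src_ip, src_port)    # reply leaves destination subnet
            and acl_allows(nacls, src, False, dst_ip, src_port))  # reply enters source subnet
```

With the addresses from the session above and the constructed Internet address `203.0.113.10`, `tcp_flow_allowed("203.0.113.10", "10.0.1.169", 22)` is `True` while the same call against the varnish host `10.0.2.170` is `False`. The model also returns `True` for a new connection from `203.0.113.10` to `10.0.2.170` on port 8080, because the inbound ephemeral-port rule is stateless and the template's security group allows everything.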