aws(学习笔记第六课)
-
AWS的虚拟私有,共有子网以及ACL,定义公网碉堡主机子网以及varnish反向代理
学习内容:
AWS的虚拟私有,共有子网以及ACL- 定义公网碉堡主机子网,私有子网和共有子网以及
varnish反向代理
1. AWS的虚拟私有,共有子网以及ACL
AWS的虚拟私有子网,共有云以及ACLAWS的虚拟私有子网
用户可以在AWS上定义自己的私有子网,比如数据库,应用程序和apache的server,可以在私有网络上构建,之后通过共有网络,进行访问,向外提供服务。其实和C++的面向对象中,private的变量和方法,一定不要定义成public的,对终端用户公开,如出一辙。能在私有云中定义,不需要公开的服务,都要定义要私有云中。AWS的虚拟共有云
与上面的AWS私有云对应的就是共有云,共有云最终提供给用户服务,对于终端客户开发网络端口,共有网络的服务承上启下,既可以提供服务给用公户,同时能够访问私有子网的应用服务,数据库服务等其他服务。
ACL(network access control list)和SecuityGroup的区别- 应用的对象不同
ACL的设定对象是Subnet,对于Subnet设定网络访问规则。注意,默认的场合,同一个VPC之间的网络都是相通的,但是如果定义了ACL,那么就会根据ACL的限制,没有允许的网络是不通的
SecurityGroup的设定对象是ec2 server等服务,而不是Subnet。
- 有状态(
state)和无状态(stateless)ACL没有状态,允许入站的包,如果没有符合出站规则,那么也不能出站。SecurityGroup有状态,允许入站的包,那么都会出站允许。
- 应用的对象不同
2. 定义公网碉堡主机子网,私有子网和共有子网
整体网络拓扑(这里右边的共有子网使用
varnish进行反向代理,公开私有子网的apache server)
逐步创建
VPC以及其他服务创建
VPC和IGW(Internet GateWay)"VPC": { "Type": "AWS::EC2::VPC", "Properties": { "CidrBlock": "10.0.0.0/16", "EnableDnsHostnames": "true" } }, "InternetGateway": { "Type": "AWS::EC2::InternetGateway", "Properties": { } }, "VPCGatewayAttachment": { "Type": "AWS::EC2::VPCGatewayAttachment", "Properties": { "VpcId": {"Ref": "VPC"}, "InternetGatewayId": {"Ref": "InternetGateway"} } },创建堡垒机子网(共有子网)
Bastion
CidrBlock是10.0.1.0/24
RoutePublicSSHBastionToInternet定义,堡垒机子网能够访问internet。
NetworkAclEntryInPublicSSHBastionSSH,定义internet的其他主机能够访问使用22端口访问(入站规则,egress = true)。
NetworkAclEntryInPublicSSHBastionEphemeralPorts,定义VPC主机能够访问使用随机端口访问(入站规则,egress = true)。
NetworkAclEntryOutPublicSSHBastionSSH,定义堡垒子网的主机能够通过22端口访问其他主机(出站规则,egress = false)。
NetworkAclEntryOutPublicSSHBastionEphemeralPorts,定义internet的主机,能够访问使用随机端口访问(出站规则,egress = false)。"SubnetPublicSSHBastion": { "Type": "AWS::EC2::Subnet", "Properties": { "AvailabilityZone": {"Fn::Select": ["0", {"Fn::GetAZs": ""}]}, "CidrBlock": "10.0.1.0/24", "VpcId": {"Ref": "VPC"} } }, "RouteTablePublicSSHBastion": { "Type": "AWS::EC2::RouteTable", "Properties": { "VpcId": {"Ref": "VPC"} } }, "RouteTableAssociationPublicSSHBastion": { "Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": { "SubnetId": {"Ref": "SubnetPublicSSHBastion"}, "RouteTableId": {"Ref": "RouteTablePublicSSHBastion"} } }, "RoutePublicSSHBastionToInternet": { "Type": "AWS::EC2::Route", "Properties": { "RouteTableId": {"Ref": "RouteTablePublicSSHBastion"}, "DestinationCidrBlock": "0.0.0.0/0", "GatewayId": {"Ref": "InternetGateway"} }, "DependsOn": "VPCGatewayAttachment" }, "NetworkAclPublicSSHBastion": { "Type": "AWS::EC2::NetworkAcl", "Properties": { "VpcId": {"Ref": "VPC"} } }, "SubnetNetworkAclAssociationPublicSSHBastion": { "Type": "AWS::EC2::SubnetNetworkAclAssociation", "Properties": { "SubnetId": {"Ref": "SubnetPublicSSHBastion"}, "NetworkAclId": {"Ref": "NetworkAclPublicSSHBastion"} } }, "NetworkAclEntryInPublicSSHBastionSSH": { "Type": "AWS::EC2::NetworkAclEntry", "Properties": { "NetworkAclId": {"Ref": "NetworkAclPublicSSHBastion"}, "RuleNumber": "100", "Protocol": "6", "PortRange": { "From": "22", "To": "22" }, "RuleAction": "allow", "Egress": "false", "CidrBlock": "0.0.0.0/0" } }, "NetworkAclEntryInPublicSSHBastionEphemeralPorts": { "Type": "AWS::EC2::NetworkAclEntry", "Properties": { "NetworkAclId": {"Ref": "NetworkAclPublicSSHBastion"}, "RuleNumber": "200", "Protocol": "6", "PortRange": { "From": "1024", "To": "65535" }, "RuleAction": "allow", "Egress": "false", "CidrBlock": "10.0.0.0/16" } }, "NetworkAclEntryOutPublicSSHBastionSSH": { "Type": "AWS::EC2::NetworkAclEntry", "Properties": { "NetworkAclId": {"Ref": "NetworkAclPublicSSHBastion"}, "RuleNumber": "100", "Protocol": "6", "PortRange": { "From": "22", "To": "22" }, "RuleAction": "allow", "Egress": "true", "CidrBlock": "10.0.0.0/16" } }, "NetworkAclEntryOutPublicSSHBastionEphemeralPorts": { "Type": "AWS::EC2::NetworkAclEntry", "Properties": { "NetworkAclId": {"Ref": "NetworkAclPublicSSHBastion"}, "RuleNumber": "200", "Protocol": "6", "PortRange": { "From": "1024", "To": "65535" }, "RuleAction": "allow", "Egress": "true", "CidrBlock": "0.0.0.0/0" } },创建varnish子网(共有子网)
varnish"SubnetPublicVarnish": { "Type": "AWS::EC2::Subnet", "Properties": { "AvailabilityZone": {"Fn::Select": ["0", {"Fn::GetAZs": ""}]}, "CidrBlock": "10.0.2.0/24", "VpcId": {"Ref": "VPC"} } }, "RouteTablePublicVarnish": { "Type": "AWS::EC2::RouteTable", "Properties": { "VpcId": {"Ref": "VPC"} } }, "RouteTableAssociationPublicVarnish": { "Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": { "SubnetId": {"Ref": "SubnetPublicVarnish"}, "RouteTableId": {"Ref": "RouteTablePublicVarnish"} } }, "RoutePublicVarnishToInternet": { "Type": "AWS::EC2::Route", "Properties": { "RouteTableId": {"Ref": "RouteTablePublicVarnish"}, "DestinationCidrBlock": "0.0.0.0/0", "GatewayId": {"Ref": "InternetGateway"} }, "DependsOn": "VPCGatewayAttachment" }, "NetworkAclPublicVarnish": { "Type": "AWS::EC2::NetworkAcl", "Properties": { "VpcId": {"Ref": "VPC"} } }, "SubnetNetworkAclAssociationPublicVarnish": { "Type": "AWS::EC2::SubnetNetworkAclAssociation", "Properties": { "SubnetId": {"Ref": "SubnetPublicVarnish"}, "NetworkAclId": {"Ref": "NetworkAclPublicVarnish"} } }, "NetworkAclEntryInPublicVarnishSSH": { "Type": "AWS::EC2::NetworkAclEntry", "Properties": { "NetworkAclId": {"Ref": "NetworkAclPublicVarnish"}, "RuleNumber": "100", "Protocol": "6", "PortRange": { "From": "22", "To": "22" }, "RuleAction": "allow", "Egress": "false", "CidrBlock": "10.0.1.0/24" } }, "NetworkAclEntryInPublicVarnishHTTP": { "Type": "AWS::EC2::NetworkAclEntry", "Properties": { "NetworkAclId": {"Ref": "NetworkAclPublicVarnish"}, "RuleNumber": "110", "Protocol": "6", "PortRange": { "From": "80", "To": "80" }, "RuleAction": "allow", "Egress": "false", "CidrBlock": "0.0.0.0/0" } }, "NetworkAclEntryInPublicVarnishEphemeralPorts": { "Type": "AWS::EC2::NetworkAclEntry", "Properties": { "NetworkAclId": {"Ref": "NetworkAclPublicVarnish"}, "RuleNumber": "200", "Protocol": "6", "PortRange": { "From": "1024", "To": "65535" }, "RuleAction": "allow", "Egress": "false", "CidrBlock": "0.0.0.0/0" } }, "NetworkAclEntryOutPublicVarnishHTTP": { "Type": "AWS::EC2::NetworkAclEntry", "Properties": { "NetworkAclId": {"Ref": "NetworkAclPublicVarnish"}, "RuleNumber": "100", "Protocol": "6", "PortRange": { "From": "80", "To": "80" }, "RuleAction": "allow", "Egress": "true", "CidrBlock": "0.0.0.0/0" } }, "NetworkAclEntryOutPublicVarnishHTTPS": { "Type": "AWS::EC2::NetworkAclEntry", "Properties": { "NetworkAclId": {"Ref": "NetworkAclPublicVarnish"}, "RuleNumber": "110", "Protocol": "6", "PortRange": { "From": "443", "To": "443" }, "RuleAction": "allow", "Egress": "true", "CidrBlock": "0.0.0.0/0" } }, "NetworkAclEntryOutPublicVarnishEphemeralPorts": { "Type": "AWS::EC2::NetworkAclEntry", "Properties": { "NetworkAclId": {"Ref": "NetworkAclPublicVarnish"}, "RuleNumber": "200", "Protocol": "6", "PortRange": { "From": "1024", "To": "65535" }, "RuleAction": "allow", "Egress": "true", "CidrBlock": "0.0.0.0/0" } },创建私有子网
"SubnetPrivateApache": { "Type": "AWS::EC2::Subnet", "Properties": { "AvailabilityZone": {"Fn::Select": ["0", {"Fn::GetAZs": ""}]}, "CidrBlock": "10.0.3.0/24", "VpcId": {"Ref": "VPC"} } }, "RouteTablePrivateApache": { "Type": "AWS::EC2::RouteTable", "Properties": { "VpcId": {"Ref": "VPC"} } }, "RouteTableAssociationPrivateApache": { "Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": { "SubnetId": {"Ref": "SubnetPrivateApache"}, "RouteTableId": {"Ref": "RouteTablePrivateApache"} } }, "RoutePrivateApacheToInternet": { "Type": "AWS::EC2::Route", "Properties": { "RouteTableId": {"Ref": "RouteTablePrivateApache"}, "DestinationCidrBlock": "0.0.0.0/0", "InstanceId": {"Ref": "NatServer"} } }, "NetworkAclPrivateApache": { "Type": "AWS::EC2::NetworkAcl", "Properties": { "VpcId": {"Ref": "VPC"} } }, "SubnetNetworkAclAssociationPrivateApache": { "Type": "AWS::EC2::SubnetNetworkAclAssociation", "Properties": { "SubnetId": {"Ref": "SubnetPrivateApache"}, "NetworkAclId": {"Ref": "NetworkAclPrivateApache"} } }, "NetworkAclEntryInPrivateApacheSSH": { "Type": "AWS::EC2::NetworkAclEntry", "Properties": { "NetworkAclId": {"Ref": "NetworkAclPrivateApache"}, "RuleNumber": "100", "Protocol": "6", "PortRange": { "From": "22", "To": "22" }, "RuleAction": "allow", "Egress": "false", "CidrBlock": "10.0.1.0/24" } }, "NetworkAclEntryInPrivateApacheHTTP": { "Type": "AWS::EC2::NetworkAclEntry", "Properties": { "NetworkAclId": {"Ref": "NetworkAclPrivateApache"}, "RuleNumber": "110", "Protocol": "6", "PortRange": { "From": "80", "To": "80" }, "RuleAction": "allow", "Egress": "false", "CidrBlock": "10.0.2.0/24" } }, "NetworkAclEntryInPrivateApacheEphemeralPorts": { "Type": "AWS::EC2::NetworkAclEntry", "Properties": { "NetworkAclId": {"Ref": "NetworkAclPrivateApache"}, "RuleNumber": "200", "Protocol": "6", "PortRange": { "From": "1024", "To": "65535" }, "RuleAction": "allow", "Egress": "false", "CidrBlock": "0.0.0.0/0" } }, "NetworkAclEntryOutPrivateApacheHTTP": { "Type": "AWS::EC2::NetworkAclEntry", "Properties": { "NetworkAclId": {"Ref": "NetworkAclPrivateApache"}, "RuleNumber": "100", "Protocol": "6", "PortRange": { "From": "80", "To": "80" }, "RuleAction": "allow", "Egress": "true", "CidrBlock": "0.0.0.0/0" } }, "NetworkAclEntryOutPrivateApacheHTTPS": { "Type": "AWS::EC2::NetworkAclEntry", "Properties": { "NetworkAclId": {"Ref": "NetworkAclPrivateApache"}, "RuleNumber": "110", "Protocol": "6", "PortRange": { "From": "443", "To": "443" }, "RuleAction": "allow", "Egress": "true", "CidrBlock": "0.0.0.0/0" } }, "NetworkAclEntryOutPrivateApacheEphemeralPorts": { "Type": "AWS::EC2::NetworkAclEntry", "Properties": { "NetworkAclId": {"Ref": "NetworkAclPrivateApache"}, "RuleNumber": "200", "Protocol": "6", "PortRange": { "From": "1024", "To": "65535" }, "RuleAction": "allow", "Egress": "true", "CidrBlock": "10.0.0.0/16" } },创建整体的
AWS的stack{ "AWSTemplateFormatVersion": "2010-09-09", "Description": "(VPC)", "Parameters": { "KeyName": { "Description": "Key Pair name", "Type": "AWS::EC2::KeyPair::KeyName", "Default": "my-cli-key" } }, "Mappings": { "EC2RegionMap": { "ap-northeast-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-cbf90ecb", "AmazonLinuxNATAMIHVMEBSBacked64bit": "ami-03cf3903"}, "ap-southeast-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-68d8e93a", "AmazonLinuxNATAMIHVMEBSBacked64bit": "ami-b49dace6"}, "ap-southeast-2": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-fd9cecc7", "AmazonLinuxNATAMIHVMEBSBacked64bit": "ami-e7ee9edd"}, "eu-central-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-a8221fb5", "AmazonLinuxNATAMIHVMEBSBacked64bit": "ami-46073a5b"}, "eu-west-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-a10897d6", "AmazonLinuxNATAMIHVMEBSBacked64bit": "ami-6975eb1e"}, "sa-east-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-b52890a8", "AmazonLinuxNATAMIHVMEBSBacked64bit": "ami-fbfa41e6"}, "us-east-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-1ecae776", "AmazonLinuxNATAMIHVMEBSBacked64bit": "ami-303b1458"}, "us-west-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-d114f295", "AmazonLinuxNATAMIHVMEBSBacked64bit": "ami-7da94839"}, "us-west-2": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-e7527ed7", "AmazonLinuxNATAMIHVMEBSBacked64bit": "ami-69ae8259"} } }, "Resources": { "SecurityGroup": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupDescription": "My security group", "VpcId": {"Ref": "VPC"} } }, "SecurityGroupIngress": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties":{ "IpProtocol": "-1", "FromPort": "-1", "ToPort": "-1", "CidrIp": "0.0.0.0/0", "GroupId": {"Ref": "SecurityGroup"} } }, "SecurityGroupEgress": { "Type": "AWS::EC2::SecurityGroupEgress", "Properties":{ "IpProtocol": "-1", "FromPort": "-1", "ToPort": "-1", "CidrIp": "0.0.0.0/0", "GroupId": {"Ref": "SecurityGroup"} } }, "VPC": { "Type": "AWS::EC2::VPC", "Properties": { "CidrBlock": "10.0.0.0/16", "EnableDnsHostnames": "true" } }, "InternetGateway": { "Type": "AWS::EC2::InternetGateway", "Properties": { } }, "VPCGatewayAttachment": { "Type": "AWS::EC2::VPCGatewayAttachment", "Properties": { "VpcId": {"Ref": "VPC"}, "InternetGatewayId": {"Ref": "InternetGateway"} } }, "SubnetPublicSSHBastion": { "Type": "AWS::EC2::Subnet", "Properties": { "AvailabilityZone": {"Fn::Select": ["0", {"Fn::GetAZs": ""}]}, "CidrBlock": "10.0.1.0/24", "VpcId": {"Ref": "VPC"} } }, "RouteTablePublicSSHBastion": { "Type": "AWS::EC2::RouteTable", "Properties": { "VpcId": {"Ref": "VPC"} } }, "RouteTableAssociationPublicSSHBastion": { "Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": { "SubnetId": {"Ref": "SubnetPublicSSHBastion"}, "RouteTableId": {"Ref": "RouteTablePublicSSHBastion"} } }, "RoutePublicSSHBastionToInternet": { "Type": "AWS::EC2::Route", "Properties": { "RouteTableId": {"Ref": "RouteTablePublicSSHBastion"}, "DestinationCidrBlock": "0.0.0.0/0", "GatewayId": {"Ref": "InternetGateway"} }, "DependsOn": "VPCGatewayAttachment" }, "NetworkAclPublicSSHBastion": { "Type": "AWS::EC2::NetworkAcl", "Properties": { "VpcId": {"Ref": "VPC"} } }, "SubnetNetworkAclAssociationPublicSSHBastion": { "Type": "AWS::EC2::SubnetNetworkAclAssociation", "Properties": { "SubnetId": {"Ref": "SubnetPublicSSHBastion"}, "NetworkAclId": {"Ref": "NetworkAclPublicSSHBastion"} } }, "NetworkAclEntryInPublicSSHBastionSSH": { "Type": "AWS::EC2::NetworkAclEntry", "Properties": { "NetworkAclId": {"Ref": "NetworkAclPublicSSHBastion"}, "RuleNumber": "100", "Protocol": "6", "PortRange": { "From": "22", "To": "22" }, "RuleAction": "allow", "Egress": "false", "CidrBlock": "0.0.0.0/0" } }, "NetworkAclEntryInPublicSSHBastionEphemeralPorts": { "Type": "AWS::EC2::NetworkAclEntry", "Properties": { "NetworkAclId": {"Ref": "NetworkAclPublicSSHBastion"}, "RuleNumber": "200", "Protocol": "6", "PortRange": { "From": "1024", "To": "65535" }, "RuleAction": "allow", "Egress": "false", "CidrBlock": "10.0.0.0/16" } }, "NetworkAclEntryOutPublicSSHBastionSSH": { "Type": "AWS::EC2::NetworkAclEntry", "Properties": { "NetworkAclId": {"Ref": "NetworkAclPublicSSHBastion"}, "RuleNumber": "100", "Protocol": "6", "PortRange": { "From": "22", "To": "22" }, "RuleAction": "allow", "Egress": "true", "CidrBlock": "10.0.0.0/16" } }, "NetworkAclEntryOutPublicSSHBastionEphemeralPorts": { "Type": "AWS::EC2::NetworkAclEntry", "Properties": { "NetworkAclId": {"Ref": "NetworkAclPublicSSHBastion"}, "RuleNumber": "200", "Protocol": "6", "PortRange": { "From": "1024", "To": "65535" }, "RuleAction": "allow", "Egress": "true", "CidrBlock": "0.0.0.0/0" } }, "SubnetPublicVarnish": { "Type": "AWS::EC2::Subnet", "Properties": { "AvailabilityZone": {"Fn::Select": ["0", {"Fn::GetAZs": ""}]}, "CidrBlock": "10.0.2.0/24", "VpcId": {"Ref": "VPC"} } }, "RouteTablePublicVarnish": { "Type": "AWS::EC2::RouteTable", "Properties": { "VpcId": {"Ref": "VPC"} } }, "RouteTableAssociationPublicVarnish": { "Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": { "SubnetId": {"Ref": "SubnetPublicVarnish"}, "RouteTableId": {"Ref": "RouteTablePublicVarnish"} } }, "RoutePublicVarnishToInternet": { "Type": "AWS::EC2::Route", "Properties": { "RouteTableId": {"Ref": "RouteTablePublicVarnish"}, "DestinationCidrBlock": "0.0.0.0/0", "GatewayId": {"Ref": "InternetGateway"} }, "DependsOn": "VPCGatewayAttachment" }, "NetworkAclPublicVarnish": { "Type": "AWS::EC2::NetworkAcl", "Properties": { "VpcId": {"Ref": "VPC"} } }, "SubnetNetworkAclAssociationPublicVarnish": { "Type": "AWS::EC2::SubnetNetworkAclAssociation", "Properties": { "SubnetId": {"Ref": "SubnetPublicVarnish"}, "NetworkAclId": {"Ref": "NetworkAclPublicVarnish"} } }, "NetworkAclEntryInPublicVarnishSSH": { "Type": "AWS::EC2::NetworkAclEntry", "Properties": { "NetworkAclId": {"Ref": "NetworkAclPublicVarnish"}, "RuleNumber": "100", "Protocol": "6", "PortRange": { "From": "22", "To": "22" }, "RuleAction": "allow", "Egress": "false", "CidrBlock": "10.0.1.0/24" } }, "NetworkAclEntryInPublicVarnishHTTP": { "Type": "AWS::EC2::NetworkAclEntry", "Properties": { "NetworkAclId": {"Ref": "NetworkAclPublicVarnish"}, "RuleNumber": "110", "Protocol": "6", "PortRange": { "From": "80", "To": "80" }, "RuleAction": "allow", "Egress": "false", "CidrBlock": "0.0.0.0/0" } }, "NetworkAclEntryInPublicVarnishEphemeralPorts": { "Type": "AWS::EC2::NetworkAclEntry", "Properties": { "NetworkAclId": {"Ref": "NetworkAclPublicVarnish"}, "RuleNumber": "200", "Protocol": "6", "PortRange": { "From": "1024", "To": "65535" }, "RuleAction": "allow", "Egress": "false", "CidrBlock": "0.0.0.0/0" } }, "NetworkAclEntryOutPublicVarnishHTTP": { "Type": "AWS::EC2::NetworkAclEntry", "Properties": { "NetworkAclId": {"Ref": "NetworkAclPublicVarnish"}, "RuleNumber": "100", "Protocol": "6", "PortRange": { "From": "80", "To": "80" }, "RuleAction": "allow", "Egress": "true", "CidrBlock": "0.0.0.0/0" } }, "NetworkAclEntryOutPublicVarnishHTTPS": { "Type": "AWS::EC2::NetworkAclEntry", "Properties": { "NetworkAclId": {"Ref": "NetworkAclPublicVarnish"}, "RuleNumber": "110", "Protocol": "6", "PortRange": { "From": "443", "To": "443" }, "RuleAction": "allow", "Egress": "true", "CidrBlock": "0.0.0.0/0" } }, "NetworkAclEntryOutPublicVarnishEphemeralPorts": { "Type": "AWS::EC2::NetworkAclEntry", "Properties": { "NetworkAclId": {"Ref": "NetworkAclPublicVarnish"}, "RuleNumber": "200", "Protocol": "6", "PortRange": { "From": "1024", "To": "65535" }, "RuleAction": "allow", "Egress": "true", "CidrBlock": "0.0.0.0/0" } }, "SubnetPrivateApache": { "Type": "AWS::EC2::Subnet", "Properties": { "AvailabilityZone": {"Fn::Select": ["0", {"Fn::GetAZs": ""}]}, "CidrBlock": "10.0.3.0/24", "VpcId": {"Ref": "VPC"} } }, "RouteTablePrivateApache": { "Type": "AWS::EC2::RouteTable", "Properties": { "VpcId": {"Ref": "VPC"} } }, "RouteTableAssociationPrivateApache": { "Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": { "SubnetId": {"Ref": "SubnetPrivateApache"}, "RouteTableId": {"Ref": "RouteTablePrivateApache"} } }, "NetworkAclPrivateApache": { "Type": "AWS::EC2::NetworkAcl", "Properties": { "VpcId": {"Ref": "VPC"} } }, "SubnetNetworkAclAssociationPrivateApache": { "Type": "AWS::EC2::SubnetNetworkAclAssociation", "Properties": { "SubnetId": {"Ref": "SubnetPrivateApache"}, "NetworkAclId": {"Ref": "NetworkAclPrivateApache"} } }, "NetworkAclEntryInPrivateApacheSSH": { "Type": "AWS::EC2::NetworkAclEntry", "Properties": { "NetworkAclId": {"Ref": "NetworkAclPrivateApache"}, "RuleNumber": "100", "Protocol": "6", "PortRange": { "From": "22", "To": "22" }, "RuleAction": "allow", "Egress": "false", "CidrBlock": "10.0.1.0/24" } }, "NetworkAclEntryInPrivateApacheHTTP": { "Type": "AWS::EC2::NetworkAclEntry", "Properties": { "NetworkAclId": {"Ref": "NetworkAclPrivateApache"}, "RuleNumber": "110", "Protocol": "6", "PortRange": { "From": "80", "To": "80" }, "RuleAction": "allow", "Egress": "false", "CidrBlock": "10.0.2.0/24" } }, "NetworkAclEntryInPrivateApacheEphemeralPorts": { "Type": "AWS::EC2::NetworkAclEntry", "Properties": { "NetworkAclId": {"Ref": "NetworkAclPrivateApache"}, "RuleNumber": "200", "Protocol": "6", "PortRange": { "From": "1024", "To": "65535" }, "RuleAction": "allow", "Egress": "false", "CidrBlock": "0.0.0.0/0" } }, "NetworkAclEntryOutPrivateApacheHTTP": { "Type": "AWS::EC2::NetworkAclEntry", "Properties": { "NetworkAclId": {"Ref": "NetworkAclPrivateApache"}, "RuleNumber": "100", "Protocol": "6", "PortRange": { "From": "80", "To": "80" }, "RuleAction": "allow", "Egress": "true", "CidrBlock": "0.0.0.0/0" } }, "NetworkAclEntryOutPrivateApacheHTTPS": { "Type": "AWS::EC2::NetworkAclEntry", "Properties": { "NetworkAclId": {"Ref": "NetworkAclPrivateApache"}, "RuleNumber": "110", "Protocol": "6", "PortRange": { "From": "443", "To": "443" }, "RuleAction": "allow", "Egress": "true", "CidrBlock": "0.0.0.0/0" } }, "NetworkAclEntryOutPrivateApacheEphemeralPorts": { "Type": "AWS::EC2::NetworkAclEntry", "Properties": { "NetworkAclId": {"Ref": "NetworkAclPrivateApache"}, "RuleNumber": "200", "Protocol": "6", "PortRange": { "From": "1024", "To": "65535" }, "RuleAction": "allow", "Egress": "true", "CidrBlock": "10.0.0.0/16" } }, "BastionHost": { "Type": "AWS::EC2::Instance", "Properties": { "ImageId": {"Fn::FindInMap": ["EC2RegionMap", {"Ref": "AWS::Region"}, "AmazonLinuxAMIHVMEBSBacked64bit"]}, "InstanceType": "t2.micro", "KeyName": {"Ref": "KeyName"}, "NetworkInterfaces": [{ "AssociatePublicIpAddress": "true", "DeleteOnTermination": "true", "SubnetId": {"Ref": "SubnetPublicSSHBastion"}, "DeviceIndex": "0", "GroupSet": [{"Ref": "SecurityGroup"}] }] }, "DependsOn": "VPCGatewayAttachment" }, "VarnishServer": { "Type": "AWS::EC2::Instance", "Properties": { "ImageId": {"Fn::FindInMap": ["EC2RegionMap", {"Ref": "AWS::Region"}, "AmazonLinuxAMIHVMEBSBacked64bit"]}, "InstanceType": "t2.micro", "KeyName": {"Ref": "KeyName"}, "NetworkInterfaces": [{ "AssociatePublicIpAddress": "true", "DeleteOnTermination": "true", "SubnetId": {"Ref": "SubnetPublicVarnish"}, "DeviceIndex": "0", "GroupSet": [{"Ref": "SecurityGroup"}] }], "UserData": {"Fn::Base64": {"Fn::Join": ["", [ "#!/bin/bash -ex\n", "yum -y install varnish-3.0.7\n", "cat > /etc/varnish/default.vcl << EOF\n", "backend default {\n", " .host = \"", {"Fn::GetAtt": ["ApacheServer", "PrivateIp"]} ,"\";\n", " .port = \"80\";\n", "}\n", "EOF\n", "sed -i.bak \"s/^VARNISH_LISTEN_PORT=.*/VARNISH_LISTEN_PORT=80/\" /etc/sysconfig/varnish\n", "service varnish start\n", "/opt/aws/bin/cfn-signal --stack ", {"Ref": "AWS::StackName"}, " --resource VarnishServer --region ", {"Ref": "AWS::Region"}, "\n" ]]}} }, "CreationPolicy": { "ResourceSignal": { "Timeout": "PT5M" } }, "DependsOn": "VPCGatewayAttachment" }, "ApacheServer": { "Type": "AWS::EC2::Instance", "Properties": { "ImageId": {"Fn::FindInMap": ["EC2RegionMap", {"Ref": "AWS::Region"}, "AmazonLinuxAMIHVMEBSBacked64bit"]}, "InstanceType": "t2.micro", "KeyName": {"Ref": "KeyName"}, "NetworkInterfaces": [{ "AssociatePublicIpAddress": "false", "DeleteOnTermination": "true", "SubnetId": {"Ref": "SubnetPrivateApache"}, "DeviceIndex": "0", "GroupSet": [{"Ref": "SecurityGroup"}] }], "UserData": {"Fn::Base64": {"Fn::Join": ["", [ "#!/bin/bash -ex\n", "yum -y install httpd\n", "service httpd start\n", "/opt/aws/bin/cfn-signal --stack ", {"Ref": "AWS::StackName"}, " --resource ApacheServer --region ", {"Ref": "AWS::Region"}, "\n" ]]}} } } }, "Outputs": { "BastionHostPublicName": { "Value": {"Fn::GetAtt": ["BastionHost", "PublicDnsName"]}, "Description": "connect via SSH as user ec2-user" }, "VarnishServerPublicName": { "Value": {"Fn::GetAtt": ["VarnishServer", "PublicDnsName"]}, "Description": "handles HTTP requests" }, "VarnishServerPrivateIp": { "Value": {"Fn::GetAtt": ["VarnishServer", "PrivateIp"]}, "Description": "connect via SSH from bastion host" }, "ApacheServerPrivateIp": { "Value": {"Fn::GetAtt": ["ApacheServer", "PrivateIp"]}, "Description": "connect via SSH from bastion host" } } }测试创建结果
- 执行结果
- 通过堡垒机
SSH访问apache server(私有子网) - 通过堡varnish反向代理
HTTP访问apache server(私有子网)
注意,这里创建的bastin堡垒机有些ssh连接错误,正在调试。。。
- 执行结果