[Title]: Can't Connect to MariaDB RDS instance in VPC
[Posted]: 2018-05-11 02:31:52
[Question]:

I built a VPC with some AWS resources in it. If I'm inside the VPC I can reach the Internet, and resources inside the VPC can talk to each other. For example, I have a Lambda function that can talk to the Internet and can also reach the RDS instance inside the VPC. The problem comes when I try to connect to the RDS instance from my local machine.

I've tried updating the VPCSecurityGroup to allow all incoming traffic, but it still doesn't work. The only thing that works is if I switch all the route tables to use the IGW instead of the NAT, but I'd prefer not to do that. Also, I'm not even sure that's allowed, because I'm pretty sure the Lambda functions have to live in the private subnets.

vpc.yml

AWSTemplateFormatVersion: 2010-09-09
Description: VPC Stack
Resources:
  Vpc:
    Type: 'AWS::EC2::VPC'
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsSupport: true
      EnableDnsHostnames: true
      InstanceTenancy: default    
  InternetGateway:
    Type: 'AWS::EC2::InternetGateway'
  VpcGatewayAttachment:
    Type: 'AWS::EC2::VPCGatewayAttachment'
    Properties:
      VpcId: !Ref Vpc
      InternetGatewayId: !Ref InternetGateway
  ElasticIP:
    Type: 'AWS::EC2::EIP'
    Properties:
      Domain: vpc
  NatGateway:
    Type: 'AWS::EC2::NatGateway'
    DependsOn:
      - VpcGatewayAttachment
    Properties:
      AllocationId: !GetAtt 
        - ElasticIP
        - AllocationId
      SubnetId: !Ref SubnetAPublic
  SubnetAPublic:
    Type: 'AWS::EC2::Subnet'
    Properties:
      AvailabilityZone: !Select 
        - '0'
        - !GetAZs ''
      CidrBlock: 10.0.0.0/19
      MapPublicIpOnLaunch: true
      VpcId: !Ref Vpc
  SubnetBPublic:
    Type: 'AWS::EC2::Subnet'
    Properties:
      AvailabilityZone: !Select 
        - '1'
        - !GetAZs ''
      CidrBlock: 10.0.32.0/19
      MapPublicIpOnLaunch: true
      VpcId: !Ref Vpc
  SubnetAPrivate:
    Type: 'AWS::EC2::Subnet'
    Properties:
      AvailabilityZone: !Select 
        - '0'
        - !GetAZs ''
      CidrBlock: 10.0.64.0/19
      VpcId: !Ref Vpc
  SubnetBPrivate:
    Type: 'AWS::EC2::Subnet'
    Properties:
      AvailabilityZone: !Select 
        - '1'
        - !GetAZs ''
      CidrBlock: 10.0.96.0/19
      VpcId: !Ref Vpc
  RouteTableAPublic:
    Type: 'AWS::EC2::RouteTable'
    Properties:
      VpcId: !Ref Vpc
  RouteTableBPublic:
    Type: 'AWS::EC2::RouteTable'
    Properties:
      VpcId: !Ref Vpc
  RouteTableAPrivate:
    Type: 'AWS::EC2::RouteTable'
    Properties:
      VpcId: !Ref Vpc
  RouteTableBPrivate:
    Type: 'AWS::EC2::RouteTable'
    Properties:
      VpcId: !Ref Vpc
  RouteTableAssociationAPublic:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      SubnetId: !Ref SubnetAPublic
      RouteTableId: !Ref RouteTableAPublic
  RouteTableAssociationBPublic:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      SubnetId: !Ref SubnetBPublic
      RouteTableId: !Ref RouteTableBPublic
  RouteTableAssociationAPrivate:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      SubnetId: !Ref SubnetAPrivate
      RouteTableId: !Ref RouteTableAPrivate
  RouteTableAssociationBPrivate:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      SubnetId: !Ref SubnetBPrivate
      RouteTableId: !Ref RouteTableBPrivate
  RouteTableAPrivateInternetRoute:
    Type: 'AWS::EC2::Route'
    DependsOn:
      - VpcGatewayAttachment
    Properties:
      RouteTableId: !Ref RouteTableAPrivate
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: !Ref NatGateway
  RouteTableBPrivateInternetRoute:
    Type: 'AWS::EC2::Route'
    DependsOn:
      - VpcGatewayAttachment
    Properties:
      RouteTableId: !Ref RouteTableBPrivate
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: !Ref NatGateway
  RouteTableAPublicInternetRoute:
    Type: 'AWS::EC2::Route'
    Properties:
      RouteTableId: !Ref RouteTableAPublic
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway
  RouteTableBPublicInternetRoute:
    Type: 'AWS::EC2::Route'
    Properties:
      RouteTableId: !Ref RouteTableBPublic
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway
  NetworkAclPublic:
    Type: 'AWS::EC2::NetworkAcl'
    Properties:
      VpcId: !Ref Vpc
  NetworkAclPrivate:
    Type: 'AWS::EC2::NetworkAcl'
    Properties:
      VpcId: !Ref Vpc
  SubnetNetworkAclAssociationAPublic:
    Type: 'AWS::EC2::SubnetNetworkAclAssociation'
    Properties:
      SubnetId: !Ref SubnetAPublic
      NetworkAclId: !Ref NetworkAclPublic
  SubnetNetworkAclAssociationBPublic:
    Type: 'AWS::EC2::SubnetNetworkAclAssociation'
    Properties:
      SubnetId: !Ref SubnetBPublic
      NetworkAclId: !Ref NetworkAclPublic
  SubnetNetworkAclAssociationAPrivate:
    Type: 'AWS::EC2::SubnetNetworkAclAssociation'
    Properties:
      SubnetId: !Ref SubnetAPrivate
      NetworkAclId: !Ref NetworkAclPrivate
  SubnetNetworkAclAssociationBPrivate:
    Type: 'AWS::EC2::SubnetNetworkAclAssociation'
    Properties:
      SubnetId: !Ref SubnetBPrivate
      NetworkAclId: !Ref NetworkAclPrivate
  NetworkAclEntryInPublicAllowAll:
    Type: 'AWS::EC2::NetworkAclEntry'
    Properties:
      NetworkAclId: !Ref NetworkAclPublic
      RuleNumber: 99
      Protocol: -1
      RuleAction: allow
      Egress: false
      CidrBlock: 0.0.0.0/0
  NetworkAclEntryOutPublicAllowAll:
    Type: 'AWS::EC2::NetworkAclEntry'
    Properties:
      NetworkAclId: !Ref NetworkAclPublic
      RuleNumber: 99
      Protocol: -1
      RuleAction: allow
      Egress: true
      CidrBlock: 0.0.0.0/0
  NetworkAclEntryInPrivateAllowVpc:
    Type: 'AWS::EC2::NetworkAclEntry'
    Properties:
      NetworkAclId: !Ref NetworkAclPrivate
      RuleNumber: 99
      Protocol: -1
      RuleAction: allow
      Egress: false
      CidrBlock: 0.0.0.0/0
  NetworkAclEntryOutPrivateAllowVpc:
    Type: 'AWS::EC2::NetworkAclEntry'
    Properties:
      NetworkAclId: !Ref NetworkAclPrivate
      RuleNumber: 99
      Protocol: -1
      RuleAction: allow
      Egress: true
      CidrBlock: 0.0.0.0/0
  LambdaSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: Lambdas security group
      SecurityGroupEgress:
        - CidrIp: 0.0.0.0/0
          IpProtocol: '-1'
      SecurityGroupIngress:
        - CidrIp: 0.0.0.0/0
          IpProtocol: '-1'
      VpcId: !Ref Vpc
Outputs:
  VpcId:
    Description: VPC ID
    Value: !Ref Vpc
    Export:
      Name: !Sub "Portal-VpcId"
  SubnetAPrivate:
    Description: Subnet A Private
    Value: !Ref SubnetAPrivate
    Export:
      Name: !Sub "SubnetAPrivate"
  SubnetBPrivate:
    Description: Subnet B Private
    Value: !Ref SubnetBPrivate
    Export:
      Name: !Sub "SubnetBPrivate"     
  SubnetAPublic:
    Description: Subnet A Public
    Value: !Ref SubnetAPublic
    Export:
      Name: !Sub "SubnetAPublic"
  SubnetBPublic:
    Description: Subnet B Public
    Value: !Ref SubnetBPublic
    Export:
      Name: !Sub "SubnetBPublic"  
  LambdaSecurityGroup:
    Description: Access to Lambda functions
    Value: !Ref LambdaSecurityGroup
    Export:
      Name: !Sub "LambdaSecurityGroup"

rds.yml

  DBSubnetGroup:
    Type: 'AWS::RDS::DBSubnetGroup'
    Properties:
      DBSubnetGroupDescription: Subnets available for the RDS DB Instance
      SubnetIds:
        - !Ref SubnetAPublic
        - !Ref SubnetBPublic
  VPCSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: Security group for RDS DB Instance.
      VpcId: !Ref VpcId
      SecurityGroupIngress: 
        - 
          IpProtocol: "tcp"
          FromPort: "3306"
          ToPort: "3306"
          CidrIp: "[my IP]"
        - 
          IpProtocol: "tcp"
          FromPort: "3306"
          ToPort: "3306"
          CidrIp: "10.0.64.0/19"
        - 
          IpProtocol: "tcp"
          FromPort: "3306"
          ToPort: "3306"
          CidrIp: "10.0.96.0/19"
  DBInstance:
    Type: 'AWS::RDS::DBInstance'
    Properties:
      DBName: !Join
        - ''
        - - portal
          - !Ref Environment
      AllocatedStorage: !Ref DBAllocatedStorage
      DBInstanceClass: !Ref DBClass
      Engine: MariaDB
      EngineVersion: '10.1.23'
      MasterUsername: !Ref DBUsername
      MasterUserPassword: !Ref DBPassword
      DBSubnetGroupName: !Ref DBSubnetGroup
      StorageEncrypted: true
      PubliclyAccessible: true
      VPCSecurityGroups:
        - !Ref VPCSecurityGroup
  DatabaseDnsRecord:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneName: !Join 
        - ''
        - - !Ref HostedZoneName
          - .
      Name: !Join
      - ''
      - - portal
        - !Ref Environment
        - 'db'
        - .
        - !Ref HostedZoneName
        - .
      Type: CNAME
      TTL: '60'
      ResourceRecords: 
        - !GetAtt 
          - DBInstance
          - Endpoint.Address
    DependsOn: DBInstance

[Question discussion]:

Tags: amazon-web-services aws-lambda amazon-rds amazon-cloudformation amazon-vpc


[Solution 1]:

Your problem is this:

    It seems the only thing that works is if I switch all the route tables to use the IGW instead of the NAT

Your instance is in a private subnet, which is not reachable from the public Internet (your home PC). You have three (or more) options:

1) Move your instance into a public subnet. Not recommended.

2) Convert your private subnets into public subnets (switch from NAT to IGW). Not recommended.

3) Create a VPN from your home network to a new EC2 instance sitting in your public subnet, which routes your traffic to the instance in the private subnet. Recommended

OpenVPN is a really nice solution. You can build it yourself, or just launch an OpenVPN instance from the Amazon Marketplace for free (I think the free tier is limited to 2 users). OpenVPN Access Server

While the OpenVPN Access Server is running, the EC2 instance incurs charges. What I do is shut the instance down when I don't need it and start it when I do, using AWS CLI commands stored in a batch file.
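To make the answer's diagnosis concrete, here is an added example that is not code from the question or the answer. It models offline the three things from vpc.yml and rds.yml that decide whether a client can open TCP/3306 to the database: which gateway the subnet's 0.0.0.0/0 route points at, whether the instance is PubliclyAccessible, and the VPCSecurityGroup ingress rules. It then evaluates the answer's situations: the database in SubnetAPrivate reached from home, the database in SubnetAPublic reached from home, and the database in SubnetAPrivate reached through a VPN/bastion host in the public subnet (option 3). The client address 203.0.113.10 (standing in for "[my IP]") and the VPN host address 10.0.0.50 are constructed values, not from the page; network ACLs are left out because the page's entries allow everything.

```python
"""Offline reachability model for the RDS instance in the question's VPC.

Added example, not code from the question or the answer.  Addresses
203.0.113.10 (home client) and 10.0.0.50 (VPN/bastion host in
SubnetAPublic) are constructed sample values.
"""
from dataclasses import dataclass
import ipaddress

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")  # CidrBlock of Vpc in vpc.yml


@dataclass(frozen=True)
class Subnet:
    name: str
    cidr: ipaddress.IPv4Network
    default_route: str  # target of the 0.0.0.0/0 route in its route table: "igw" or "nat"


@dataclass(frozen=True)
class IngressRule:
    protocol: str
    from_port: int
    to_port: int
    cidr: ipaddress.IPv4Network


@dataclass(frozen=True)
class DbInstance:
    subnet: Subnet
    publicly_accessible: bool
    ingress: tuple  # IngressRule entries of VPCSecurityGroup


# Subnets as defined in vpc.yml: public route tables send 0.0.0.0/0 to the
# InternetGateway, private route tables send it to the NatGateway.
SUBNET_A_PUBLIC = Subnet("SubnetAPublic", ipaddress.ip_network("10.0.0.0/19"), "igw")
SUBNET_A_PRIVATE = Subnet("SubnetAPrivate", ipaddress.ip_network("10.0.64.0/19"), "nat")


def rule(cidr: str) -> IngressRule:
    """One tcp/3306 ingress entry, the shape each entry in rds.yml has."""
    return IngressRule("tcp", 3306, 3306, ipaddress.ip_network(cidr))


# The three ingress entries of VPCSecurityGroup; "[my IP]" replaced by a
# constructed client address written as a /32.
PAGE_INGRESS = (rule("203.0.113.10/32"), rule("10.0.64.0/19"), rule("10.0.96.0/19"))


def sg_permits(ingress, src: ipaddress.IPv4Address, port: int) -> bool:
    """Security groups are allow-lists: any matching rule permits the flow."""
    return any(
        r.protocol == "tcp" and r.from_port <= port <= r.to_port and src in r.cidr
        for r in ingress
    )


def check_reachability(db: DbInstance, client_ip: str, port: int = 3306):
    """Return (reachable, reason) for a TCP connection from client_ip to the DB."""
    src = ipaddress.ip_address(client_ip)
    if src not in VPC_CIDR:
        # Traffic from outside the VPC enters through the Internet gateway and
        # can only reach a subnet whose route table also returns traffic via
        # that gateway.  A NAT gateway route is outbound-only, which is why
        # pointing the private route tables at the IGW "fixed" it for the asker.
        if db.subnet.default_route != "igw":
            return False, (f"{db.subnet.name} routes 0.0.0.0/0 to the "
                           f"{db.subnet.default_route}; no inbound path from the Internet")
        if not db.publicly_accessible:
            return False, "PubliclyAccessible is false: the endpoint has no public address"
    if not sg_permits(db.ingress, src, port):
        return False, f"VPCSecurityGroup has no tcp/{port} ingress rule covering {src}"
    return True, "reachable"


def scenarios():
    """The answer's situations evaluated against the page's security group rules."""
    client = "203.0.113.10"  # constructed home address
    vpn_host = "10.0.0.50"   # constructed VPN/bastion host address inside SubnetAPublic
    in_private = DbInstance(SUBNET_A_PRIVATE, True, PAGE_INGRESS)
    in_public = DbInstance(SUBNET_A_PUBLIC, True, PAGE_INGRESS)
    # Option 3 also lets the instance stay non-public, but the VPN host's
    # source address must then be covered by an ingress rule.
    via_vpn_fixed = DbInstance(SUBNET_A_PRIVATE, False, PAGE_INGRESS + (rule("10.0.0.0/19"),))
    return {
        "private subnet, from home": check_reachability(in_private, client),
        "public subnet, from home": check_reachability(in_public, client),
        "private subnet, via VPN host, page rules": check_reachability(in_private, vpn_host),
        "private subnet, via VPN host, public CIDR added": check_reachability(via_vpn_fixed, vpn_host),
    }


if __name__ == "__main__":
    for name, (ok, why) in scenarios().items():
        print(f"{'OK' if ok else 'NO'}  {name}: {why}")
```

The third scenario is the check worth keeping in mind with option 3: the page's VPCSecurityGroup only admits "[my IP]" and the two private subnet CIDRs, so a VPN or bastion host launched in SubnetAPublic (10.0.0.0/19) would be refused on 3306 until its subnet CIDR, or better its own security group, is added as an ingress source. With that rule in place the database can stay in the private subnet with PubliclyAccessible set to false.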

[Discussion]:
