How To Use AWS NAT Gateway IP Listing

Question

I have a networking question that is hopefully not difficult to untangle (Cloud networking newbie here).

Task

My company uses a vendor for a UI interface and data storage, a 'managed cloud solution'. Basically, when our front line staff enter data in the vendor's proprietary UI software, the data is stored to a SQL Server RDBMS on the vendor's AWS Account. I need to go out and grab that data from their server on a schedule, basic ELT. To gain access to the RDBMS, I need to have an IP address whitelisted and will be doing so from our AWS account.

Questions

Would I want to use our private subnet NAT Gateway's private IPv4 address as the IP to have whitelisted? There is a requirement that the IP come from our domain so I do not think an IGW is allowed. Or should the NAT Gateway sit on a public subnet since we're leaving the boundary of our own network and trying to connect to another AWS network? If the NAT Gateway is on our private subnet, would that prevent a request going out to the vendor's IP address or prevent my task from extracting the data?

Additional Context

The IP Whitelisting is treated as an exception to policy, which is to only give out RDP to the server instance, so requesting a range of IPs or repeatedly requesting IPs to whitelist is a pain and raises questions so ideally I would only request one IP.

I'm planning to use Fargate Tasks to spin up Linux Debian Container (Buster) on a schedule to perform the ELT, but I notice that Fargate creates new IP addresses each run. My thought is that the target IP will see the NAT Gateway's IP address if I put my task on the NAT's private subnet.

Assume that:

  • I have successfully set up my container with the ODBC SQL Driver 17 based on Microsoft's instructions
  • I have created a syntactically correct ODBC connection string for SQL Server
  • I have successfully pinged the target IPs from Fargate (not that that counts for much)

Or is there a better method to run small periodic batch jobs requiring a static IP address?

I have done research on AWS networking but am unclear of the best path forward given the particulars of my situation. The AWS literature suggests that Fargate Tasks are the best solution for batch work, but their IP addresses aren't static. It is unclear whether, if the task resides on a private subnet with a NAT Gateway, that NAT will translate the task's IP address to a standard IP address.

Related question https://stackoverflow.com/questions/49819722/unable-to-get-aws-nat-gateway-working-for-api-with-ip-whitelist does not seem to address my question.

Answer 1

Score: 0

> Would I want to use our private subnet NAT Gateway's private IPv4 address as the IP to have whitelisted?

A NAT Gateway has to sit in a public subnet. It has to have a direct route to an Internet Gateway. Private subnets would have a route in their route table to the NAT Gateway. You would never give out a NAT Gateway's private IP address, because any private IP address would only make sense from within your VPC. It is the public IP address you would give out.

When you create your NAT Gateway, you would assign an Elastic IP address to it. This Elastic IP address is the public IP address that all traffic that goes through the NAT Gateway will have. The Elastic IP address is the address you would ask your third-party vendor to whitelist.

> There is a requirement that the IP come from our domain so I do not think an IGW allowed.

This requirement doesn't make much sense, but if you need to have a DNS record on your domain that verifies you control this IP address, as part of the validation process, then after you have created the NAT Gateway with an Elastic IP address, you could create an A record in your DNS host that points to the Elastic IP address.

> My thought is that the target IP will see the NAT Gateway's IP address if I put my task on the NAT's private subnet.

Yes, exactly! You have to have the "Assign Public IP" setting in your Fargate task set to false, and you have to deploy your Fargate task into a private subnet. That private subnet has to have a route in the route table to the NAT Gateway. Then any outgoing network requests in your Fargate task will be routed through the NAT Gateway, and use the NAT Gateway's public IP address.
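The wiring the answer describes (NAT Gateway in a public subnet with an Elastic IP and a default route to the IGW; task subnets with a default route to that NAT Gateway; `assignPublicIp` set to `DISABLED`) is easy to get subtly wrong, and the symptom is just a vendor-side connection refusal. The following preflight check is an added example, not code from the original question or answer. It walks the same three conditions over data shaped like the output of `aws ec2 describe-route-tables`, `aws ec2 describe-nat-gateways` and the ECS `awsvpcConfiguration` passed to `run-task`, and returns the public IP(s) the vendor will actually see. Every subnet, NAT Gateway, IGW and security-group ID and the 203.0.113.10 address are constructed sample values, not real resources.

```python
"""Preflight: will a Fargate task's outbound traffic carry the NAT Gateway's Elastic IP?

Added example, not code from the original post or answer. Dicts follow the shapes of
`aws ec2 describe-route-tables`, `aws ec2 describe-nat-gateways` and the ECS
awsvpcConfiguration, but every ID and address is a constructed sample value.
"""
from typing import List, Optional

# --- constructed sample VPC (hypothetical IDs, documentation-range address) ---
NAT_GATEWAYS = [
    {
        "NatGatewayId": "nat-0aaa111bbb222ccc3",
        "SubnetId": "subnet-0pub0000000000001",  # the NAT Gateway lives in the public subnet
        "ConnectivityType": "public",
        "State": "available",
        "NatGatewayAddresses": [{"AllocationId": "eipalloc-0123", "PublicIp": "203.0.113.10"}],
    }
]
ROUTE_TABLES = [
    {   # public subnet: default route straight to the Internet Gateway
        "RouteTableId": "rtb-pub",
        "Associations": [{"SubnetId": "subnet-0pub0000000000001"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0aaa0000000000001"},
        ],
    },
    {   # main table, used by the private subnets: default route to the NAT Gateway
        "RouteTableId": "rtb-main",
        "Associations": [{"Main": True}, {"SubnetId": "subnet-0priv000000000001"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0aaa111bbb222ccc3"},
        ],
    },
]
# awsvpcConfiguration blocks as passed to `aws ecs run-task --network-configuration`
TASK_OK = {"subnets": ["subnet-0priv000000000001", "subnet-0priv000000000002"],
           "securityGroups": ["sg-0aaa0000000000001"], "assignPublicIp": "DISABLED"}
TASK_PUBLIC_IP = dict(TASK_OK, assignPublicIp="ENABLED")          # bypasses the NAT Gateway
TASK_IN_PUBLIC_SUBNET = dict(TASK_OK, subnets=["subnet-0pub0000000000001"])  # wrong subnet


def route_table_for(subnet_id: str, route_tables: List[dict]) -> Optional[dict]:
    """Explicitly associated route table, else the VPC's main route table (AWS default)."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def default_route(rt: dict) -> Optional[dict]:
    """The 0.0.0.0/0 route of a route table, if any."""
    return next((r for r in rt.get("Routes", []) if r.get("DestinationCidrBlock") == "0.0.0.0/0"), None)


def egress_ips_for_task(awsvpc: dict, route_tables: List[dict], nat_gateways: List[dict]) -> List[str]:
    """Public IPs the vendor will see for this task placement; ValueError names the first misconfiguration.

    One entry means one IP to request on the whitelist. More than one means the task subnets
    route through different NAT Gateways (e.g. one per AZ) and every listed IP must be whitelisted.
    """
    if awsvpc.get("assignPublicIp", "DISABLED") != "DISABLED":
        raise ValueError("assignPublicIp must be DISABLED: a task with its own public IP "
                         "goes out via the IGW and never touches the NAT Gateway")
    nats = {n["NatGatewayId"]: n for n in nat_gateways}
    ips = set()
    for subnet in awsvpc["subnets"]:
        rt = route_table_for(subnet, route_tables)
        route = default_route(rt) if rt else None
        if not route or "NatGatewayId" not in route:
            raise ValueError(f"{subnet}: 0.0.0.0/0 does not point at a NAT Gateway (task subnet must be private)")
        nat = nats.get(route["NatGatewayId"])
        if nat is None or nat.get("State") != "available" or nat.get("ConnectivityType", "public") != "public":
            raise ValueError(f"{route['NatGatewayId']}: not an available public NAT Gateway")
        nat_rt = route_table_for(nat["SubnetId"], route_tables)
        nat_route = default_route(nat_rt) if nat_rt else None
        if not nat_route or not str(nat_route.get("GatewayId", "")).startswith("igw-"):
            raise ValueError(f"{nat['SubnetId']}: NAT Gateway subnet has no 0.0.0.0/0 route to an Internet Gateway")
        ips.update(a["PublicIp"] for a in nat["NatGatewayAddresses"])
    return sorted(ips)


def preflight(awsvpc: dict, route_tables: List[dict], nat_gateways: List[dict]) -> str:
    """One-line verdict suitable for a CI or deploy-time gate."""
    try:
        ips = egress_ips_for_task(awsvpc, route_tables, nat_gateways)
    except ValueError as exc:
        return f"FAIL: {exc}"
    return "OK: ask the vendor to whitelist " + ", ".join(ips)


if __name__ == "__main__":
    for name, cfg in [("TASK_OK", TASK_OK), ("TASK_PUBLIC_IP", TASK_PUBLIC_IP),
                      ("TASK_IN_PUBLIC_SUBNET", TASK_IN_PUBLIC_SUBNET)]:
        print(f"{name:22s} {preflight(cfg, ROUTE_TABLES, NAT_GATEWAYS)}")
```

To run it against a real account, replace the sample lists with the `RouteTables` and `NatGateways` arrays from the two `describe-*` calls and the `awsvpcConfiguration` from your scheduled task's network configuration. Two practical caveats the check surfaces: if you deploy one NAT Gateway per Availability Zone and let the scheduled task pick any private subnet, you will end up with several Elastic IPs to whitelist, so for a single-IP request pin the task's subnets to those routed through one NAT Gateway; and the security group on the task still needs an egress rule to the vendor's address and port, since the route table only decides which gateway the packet leaves through.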

huangapple
  • Posted on 2023-06-08 17:40:14
  • Original link: https://go.coder-hub.com/76430529.html