Cloudformation NATGateway replacement: traffic blocked from vpc

Question

I am attempting to swap out a NATGateway instance in my Cloudformation Yaml script with a Nat instance AMI named Fck-Nat in order to reduce the (insane) cost from $40/m to around $4/m.

My current VPC diagram from the console (image not reproduced)

The key difference:

# NatGateway:
#   Type: AWS::EC2::NatGateway
#   Properties:
#     AllocationId: !GetAtt ElasticIp.AllocationId
#     SubnetId: !Ref PublicSubnet

VpcPrivateRouteTable:
  Type: AWS::EC2::RouteTable
  Properties:
    VpcId: !Ref StaticIpVpc

PrivateRoute:
  Type: AWS::EC2::Route
  DependsOn: VpcAttachment
  Properties:
    DestinationCidrBlock: 0.0.0.0/0
    RouteTableId: !Ref VpcPrivateRouteTable
    # NatGatewayId: !Ref NatGateway   # OLD hook <===============
    NetworkInterfaceId: !Ref FckNatInterface   # NEW hook, replaced with <===============

PrivateSubnetRouteTableAssociation:
  Type: AWS::EC2::SubnetRouteTableAssociation
  Properties:
    RouteTableId: !Ref VpcPrivateRouteTable
    SubnetId: !Ref PrivateSubnet

'FckNatInterface' is the same as the one in the Fck-nat deployment docs (CloudFormation section).

Everything deploys without error; however, the lambda function cannot access the ElasticIP or otherwise reach the outside world. See the axios response from inside the function (image not reproduced).

I have checked the routes and IPv4 allocation, and as far as I can tell the architecture is fine. I have also re-enabled the NAT-Gateway to ensure no mistakes were made elsewhere (all worked as intended). So the issue is 100% with the fck-nat bridge from private to public, but I'm not enough of an expert in networking to debug further.

Any advice is welcome. Hopefully this also helps others.

Other info:

  • A static IP is a requirement for my lambda function due to security requirements of LimeLM (LimeLM forum link)

  • Please let me know if additional information is required in the comments; I will update as needed

  • See here for a fairly close variant of what my implementation is, with NATGateway instead of fck-nat.

  • A great general guide explaining VPC architecture: click here

Answer 1

Score: 2

I would start by checking the Security Groups on the NAT instance and ensuring that the instance has IP forwarding enabled net.ipv4.ip_forward=1.

Also, ensure Source/Destination Check is disabled for the EC2 instance.

If Lambda is accessing resources by their domain name, ensure that "DNS resolution" is enabled in the VPC settings.

If, at some point in the future, you choose to look into alternative solutions to custom-built NAT instances, I would recommend looking into the Aviatrix Secure Egress solution, known to reduce NAT costs and provide FQDN filtering as a bonus without too much manual plumbing.

We have a TCO calculator that can help figure out the difference in expenditure here:
https://aviatrix.com/tco-calculator/

Disclosure: I architect networks for Aviatrix

Answer 2

Score: 0

Finally worked out an answer!

1)
The Internet gateway has to be connected to the public route table:

PublicSubnetRouteTableAssociation:
  Type: AWS::EC2::SubnetRouteTableAssociation
  Properties:
    RouteTableId:
      !Ref VpcPublicRouteTable
    SubnetId:
      !Ref PublicSubnet

2)
The 'AWS::EC2::Instance' requires a network interface with a 'groupset' that allows all traffic through, rather than a direct 'network interface' connection:

FckNatEC2Instance:
  Type: AWS::EC2::Instance
  Properties:
    Tags:
      - Key: Name
        Value: fckNatInstance
    SourceDestCheck: false
    ImageId: ami-084b3eca5402436bf
    InstanceType: t4g.nano
    NetworkInterfaces:
      # - NetworkInterfaceId: !Ref FckNatInterface   # OLD
      # NEW:
      - DeleteOnTermination: true
        Description: fckNatEC2Instance network interface
        SubnetId: !Ref PublicSubnet
        GroupSet:
          - !Ref SGAllTrafficFromVPC
        AssociatePublicIpAddress: "true"
        DeviceIndex: "0"

Add:

SGAllTrafficFromVPC:
  Type: 'AWS::EC2::SecurityGroup'
  Properties:
    GroupName: SGAllTrafficFromVPC
    GroupDescription: VPN Traffic from VPC CIDR
    VpcId: !Ref StaticIpVpc
    SecurityGroupIngress:
      - IpProtocol: '-1'
        CidrIp: !Ref VpcCidrBlock
        Description: All Traffic from VPC CIDR

Bonus: it also helps to add SSH support for debugging:

EC2SecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    VpcId: !Ref StaticIpVpc
    GroupDescription: Access ssh access to
    SecurityGroupIngress:
      - CidrIp: 10.0.0.0/24
        IpProtocol: tcp
        FromPort: 22
        ToPort: 22
    Tags:
      - Key: Name
        Value: EC2SecurityGroup
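The checks from answer 1 (SourceDestCheck off, security group admitting the VPC's traffic) and the two fixes from answer 2 (public subnet associated with the Internet Gateway route table, interface declared inline with a GroupSet) can all be verified statically before a deploy. The script below is an added example and is not code from the question, the answers, or the fck-nat project. It works on a template in CloudFormation's JSON form (`!Ref X` written as `{"Ref": "X"}`), so it needs no YAML library; the logical names follow the question, the two templates it builds are constructed for the example, and routing the private default route to the instance via `InstanceId` is an assumption, since answer 2 does not show its updated `PrivateRoute`.

```python
# Added example, not code from the question or the answers: static checks over a
# CloudFormation template that swaps a NAT Gateway for a NAT instance. Templates are
# in CloudFormation's JSON form (`!Ref X` is {"Ref": "X"}); names follow the question.

def _ref(value):
    """Logical name inside a {"Ref": ...} intrinsic, or None for anything else."""
    return value["Ref"] if isinstance(value, dict) and set(value) == {"Ref"} else None

def _by_type(template, rtype):
    return {n: r for n, r in template["Resources"].items() if r.get("Type") == rtype}

def _allows_all_from(sg, cidr):
    """True if some ingress rule admits every protocol from the given CIDR."""
    rules = sg.get("Properties", {}).get("SecurityGroupIngress", [])
    return any(r.get("IpProtocol") == "-1" and r.get("CidrIp") == cidr for r in rules)

def check_nat_instance_template(template):
    """Return a list of findings; an empty list means every check passed."""
    findings, resources = [], template["Resources"]
    routes = _by_type(template, "AWS::EC2::Route")
    assocs = _by_type(template, "AWS::EC2::SubnetRouteTableAssociation")
    sgs = _by_type(template, "AWS::EC2::SecurityGroup")
    vpc_cidr = next((v["Properties"]["CidrBlock"] for v in _by_type(template, "AWS::EC2::VPC").values()), None)
    # Answer 2, point 1: the route table carrying the Internet Gateway default route
    # must actually be associated with the public subnet the NAT instance lives in.
    public_tables = {_ref(r["Properties"].get("RouteTableId")) for r in routes.values()
                     if r["Properties"].get("DestinationCidrBlock") == "0.0.0.0/0"
                     and "GatewayId" in r["Properties"]}
    public_subnets = {_ref(a["Properties"].get("SubnetId")) for a in assocs.values()
                      if _ref(a["Properties"].get("RouteTableId")) in public_tables}
    if not public_tables:
        findings.append("no route table has a 0.0.0.0/0 route to an Internet Gateway")
    elif not public_subnets:
        findings.append("the public route table has no SubnetRouteTableAssociation")
    for name, inst in _by_type(template, "AWS::EC2::Instance").items():
        props = inst.get("Properties", {})
        # Answers 1 and 2: EC2 drops forwarded packets unless the source/dest check is off.
        if props.get("SourceDestCheck", True) not in (False, "false"):
            findings.append(f"{name}: SourceDestCheck must be false")
        for nic in props.get("NetworkInterfaces", []):
            # Answer 2, point 2: declare the interface inline with a GroupSet
            # instead of attaching a separately declared ENI.
            if "NetworkInterfaceId" in nic:
                findings.append(f"{name}: attaches an external ENI; declare it inline with a GroupSet")
                continue
            if _ref(nic.get("SubnetId")) not in public_subnets:
                findings.append(f"{name}: interface is not in a subnet routed to the Internet Gateway")
            # SGAllTrafficFromVPC in answer 2: private subnets' traffic must be admitted to be forwarded.
            if not any(_allows_all_from(sgs.get(_ref(g), {}), vpc_cidr) for g in nic.get("GroupSet", [])):
                findings.append(f"{name}: no security group admits all traffic from the VPC CIDR")
    # The private default route must point at something declared in this template.
    for name, r in routes.items():
        p = r["Properties"]
        if p.get("DestinationCidrBlock") == "0.0.0.0/0" and "GatewayId" not in p:
            target = _ref(p.get("InstanceId")) or _ref(p.get("NetworkInterfaceId"))
            if target not in resources:
                findings.append(f"{name}: default route target is not a resource in this template")
    return findings

def fixed_template():
    """Constructed template in the shape answer 2 arrives at. InstanceId on the private
    route is an assumption (the answer omits its PrivateRoute); the AMI is answer 2's."""
    vpc, rt, assoc = {"Ref": "StaticIpVpc"}, "AWS::EC2::RouteTable", "AWS::EC2::SubnetRouteTableAssociation"
    return {"Parameters": {"VpcCidrBlock": {"Type": "String", "Default": "10.0.0.0/16"}}, "Resources": {
        "StaticIpVpc": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": {"Ref": "VpcCidrBlock"}}},
        "InternetGateway": {"Type": "AWS::EC2::InternetGateway"},
        "PublicSubnet": {"Type": "AWS::EC2::Subnet", "Properties": {"VpcId": vpc, "CidrBlock": "10.0.0.0/24"}},
        "PrivateSubnet": {"Type": "AWS::EC2::Subnet", "Properties": {"VpcId": vpc, "CidrBlock": "10.0.1.0/24"}},
        "VpcPublicRouteTable": {"Type": rt, "Properties": {"VpcId": vpc}},
        "VpcPrivateRouteTable": {"Type": rt, "Properties": {"VpcId": vpc}},
        "PublicRoute": {"Type": "AWS::EC2::Route", "Properties": {"DestinationCidrBlock": "0.0.0.0/0",
            "RouteTableId": {"Ref": "VpcPublicRouteTable"}, "GatewayId": {"Ref": "InternetGateway"}}},
        "PublicSubnetRouteTableAssociation": {"Type": assoc, "Properties": {
            "RouteTableId": {"Ref": "VpcPublicRouteTable"}, "SubnetId": {"Ref": "PublicSubnet"}}},
        "PrivateRoute": {"Type": "AWS::EC2::Route", "Properties": {"DestinationCidrBlock": "0.0.0.0/0",
            "RouteTableId": {"Ref": "VpcPrivateRouteTable"}, "InstanceId": {"Ref": "FckNatEC2Instance"}}},
        "PrivateSubnetRouteTableAssociation": {"Type": assoc, "Properties": {
            "RouteTableId": {"Ref": "VpcPrivateRouteTable"}, "SubnetId": {"Ref": "PrivateSubnet"}}},
        "SGAllTrafficFromVPC": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "VpcId": vpc, "GroupDescription": "All traffic from VPC CIDR",
            "SecurityGroupIngress": [{"IpProtocol": "-1", "CidrIp": {"Ref": "VpcCidrBlock"}}]}},
        "FckNatEC2Instance": {"Type": "AWS::EC2::Instance", "Properties": {
            "SourceDestCheck": False, "ImageId": "ami-084b3eca5402436bf", "InstanceType": "t4g.nano",
            "NetworkInterfaces": [{"DeviceIndex": "0", "SubnetId": {"Ref": "PublicSubnet"},
                "AssociatePublicIpAddress": "true", "GroupSet": [{"Ref": "SGAllTrafficFromVPC"}]}]}}}}

def broken_template():
    """The same stack shaped as the question: external ENI, no public subnet association."""
    t = fixed_template()  # fresh dict on every call, so no deepcopy is needed
    res = t["Resources"]
    del res["PublicSubnetRouteTableAssociation"]
    res["FckNatInterface"] = {"Type": "AWS::EC2::NetworkInterface",
                              "Properties": {"SubnetId": {"Ref": "PublicSubnet"}}}
    res["FckNatEC2Instance"]["Properties"]["NetworkInterfaces"] = [
        {"DeviceIndex": "0", "NetworkInterfaceId": {"Ref": "FckNatInterface"}}]
    res["PrivateRoute"]["Properties"].pop("InstanceId")
    res["PrivateRoute"]["Properties"]["NetworkInterfaceId"] = {"Ref": "FckNatInterface"}
    return t
```

Running `check_nat_instance_template(broken_template())` reports the missing public subnet association and the externally attached ENI, the two things answer 2 fixed, while `fixed_template()` comes back clean. The `net.ipv4.ip_forward` sysctl and the VPC's "DNS resolution" setting from answer 1 are runtime properties of the instance and the VPC, not of the template, so they stay outside what a static check can see.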

Posted by huangapple on 2023-06-29 21:33:48
Please keep the original link when reposting: https://go.coder-hub.com/76581555.html