【Question title】: I can't SSH onto EC2 instance created using Terraform
【Posted】: 2021-02-04 10:47:38
【Question】:

I hope everyone who sees this is doing well.

I am still learning the ropes of Terraform and AWS.

I have created a VPC with 4 subnets. 1 subnet is public and the other 3 are private. I currently have 1 EC2 instance in my public subnet (bastion host/server). I have also created a security group for this instance, and a NACL rule that allows me to ssh to this instance only from my IP. For some reason, when I try to ssh to this instance my terminal hangs and I see the following messages:

OpenSSH_8.2p1 Ubuntu-4ubuntu0.1,OpenSSL 1.1.1f 2020 年 3 月 31 日
debug1:读取配置数据 /etc/ssh/ssh_config
debug1:/etc/ssh/ssh_config 第 19 行:包含 /etc/ssh/ssh_config.d/*.conf 没有匹配的文件
debug1:/etc/ssh/ssh_config 第 21 行:为 * 应用选项
debug1:连接到 'instance_public_ip [instance_public_ip] 端口 22

Then it tells me that the connection timed out.

I changed the rule to allow ssh connections from all IPs (i.e. 0.0.0.0/0) but I still get the same problem. The terraform code for the infrastructure is as follows:

# Elastic IP for bastion server
# (the instance is attached through aws_eip_association below; setting
# `instance` here as well would make both resources fight over the
# association, so the EIP itself is left unattached)
resource "aws_eip" "bastion_eip" {
  vpc = true
}

# EIP association for bastion server
resource "aws_eip_association" "eip_assoc" {
  instance_id   = aws_instance.Bastion.id
  allocation_id = aws_eip.bastion_eip.id
}

# Create internet gateway
resource "aws_internet_gateway" "main-gateway" {
  vpc_id = aws_vpc.main-vpc.id

  tags = {
    Name = "main"
  }
}

# Create route table for public subnet
resource "aws_route_table" "public-route-table" {
  vpc_id = aws_vpc.main-vpc.id

  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.main-gateway.id
  }

  tags = {
    Name = "public-route-table"
  }
}

# Create subnet 4
resource "aws_subnet" "subnet-4" {
  vpc_id            = aws_vpc.main-vpc.id
  cidr_block        = "10.0.4.0/24"
  availability_zone = "eu-west-2a"
  tags = {
    Name = "subnet-public"
  }
}

# Associate subnet 4 with public route table
resource "aws_route_table_association" "subnet-4" {
  subnet_id      = aws_subnet.subnet-4.id
  route_table_id = aws_route_table.public-route-table.id
}

# Create bastion server security group (subnet 4)
resource "aws_security_group" "bastion-sg" {
  name        = "bastion-sg"
  description = "Allow web traffic from specific IPs"
  vpc_id      = aws_vpc.main-vpc.id

  # SSH Traffic
  ingress {
    description = "SSH"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"] #allow web traffic.
  }

  egress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "allow_access_bastion_server"
  }
}

# Create NACL for public subnet with Prod server & bastion server
resource "aws_network_acl" "public_nacl" {
  vpc_id     = aws_vpc.main-vpc.id
  subnet_ids = [aws_subnet.subnet-4.id]

  # Allow inbound http traffic from internet
  ingress {
    protocol   = "tcp"
    rule_no    = 100
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 80
    to_port    = 80
  }

  # Allow outbound http traffic to internet
  egress {
    protocol   = "tcp"
    rule_no    = 100
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 80
    to_port    = 80
  }

  # Allow inbound SSH traffic (originally restricted to a specific IP, widened to 0.0.0.0/0 while debugging)
  ingress {
    protocol   = "tcp"
    rule_no    = 103
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 22
    to_port    = 22
  }

  # Allow outbound SSH traffic to port 22 only (this does not cover the bastion's replies to the client's ephemeral ports)
  egress {
    protocol   = "tcp"
    rule_no    = 103
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 22
    to_port    = 22
  }

  tags = {
    Name = "public NACL"
  }

}

# Create bastion box
resource "aws_instance" "Bastion" {
  ami                    = var.ami-id
  instance_type          = var.instance-type
  key_name               = "aws_key_name"
  vpc_security_group_ids = ["security_group_id"]
  subnet_id              = "subnet_id"

  tags = {
    Name = "Bastion Server"
  }
}

I have been looking at this for a while now but I really can't see where I have gone wrong. Is there a problem with my security group, or the IGW, or the route table? Please let me know if you think any other information is needed :) and thanks in advance for your help.

【Comments】:

  • Hi Mark, thanks for your reply. The security group and NACL setup are in the code. If it helps, they are the third-last and second-last blocks.
  • Almost certainly the NACL, since you have not opened any ephemeral ports. NACLs can be hard to get right and should generally be avoided in favour of security groups unless you really need them. I would suggest removing the NACL entirely for now, at least to narrow the problem down.
  • Thanks for the suggestion. We wanted the NACL as an extra layer of security, but we can do without it.

Tags: amazon-web-services amazon-ec2 ssh terraform


【Answer 1】:

I think the problem is with the security group.

# SSH Traffic
ingress {
  description = "SSH"
  from_port   = 0  # SSH client port is not a fixed port
  to_port     = 22
  protocol    = "tcp"
  cidr_blocks = ["0.0.0.0/0"] #allow web traffic. 46.64.73.251/32
}

egress {
  from_port   = 22
  to_port     = 0  # SSH client port is not a fixed port
  protocol    = "tcp"
  cidr_blocks = ["0.0.0.0/0"]
}

【Comments】:

  • I have removed the NACL and that seems to have done the trick. Thanks for your reply.
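The comment thread above identifies the cause: a network ACL is stateless, so the question's egress rules (destination ports 80 and 22 only) drop the bastion's SSH replies, which are addressed to the client's ephemeral port, and the handshake times out. The poster fixed it by deleting the NACL; for anyone who wants to keep the NACL as the extra layer the poster asked about, the following is an added example (not code from the question or the answer) of the same resource with the missing ephemeral-port rules, assuming the question's resource names and a hypothetical `var.admin_cidr` holding the operator's address.

```hcl
# Assumes the question's aws_vpc.main-vpc and aws_subnet.subnet-4, plus a
# hypothetical var.admin_cidr (operator address, e.g. 203.0.113.10/32).
resource "aws_network_acl" "public_nacl" {
  vpc_id     = aws_vpc.main-vpc.id
  subnet_ids = [aws_subnet.subnet-4.id]

  # Inbound SSH from the operator address only. Rules are evaluated in
  # rule_no order; anything unmatched hits the implicit final deny.
  ingress {
    protocol   = "tcp"
    rule_no    = 100
    action     = "allow"
    cidr_block = var.admin_cidr
    from_port  = 22
    to_port    = 22
  }

  # The rule the question was missing. NACLs are stateless: the bastion's
  # SYN-ACK and every later segment leave with source port 22 and a
  # destination port in the client's ephemeral range, so egress must allow it.
  egress {
    protocol   = "tcp"
    rule_no    = 100
    action     = "allow"
    cidr_block = var.admin_cidr
    from_port  = 1024
    to_port    = 65535
  }

  # Connections the bastion opens itself need the mirror image: egress to
  # the service port (HTTPS for package updates shown; SSH onward into the
  # private subnets needs the same pattern on 22) and ingress for replies.
  egress {
    protocol   = "tcp"
    rule_no    = 110
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 443
    to_port    = 443
  }

  ingress {
    protocol   = "tcp"
    rule_no    = 110
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 1024
    to_port    = 65535
  }
}
```

The security group needs no ephemeral rule because security groups are stateful; what it does need is its SSH ingress narrowed back from 0.0.0.0/0 to the same operator address, since the NACL is now the second layer rather than the only one.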