networking - How do I set up network ACLs on Amazon Virtual Private Cloud?

Tags: networking amazon-web-services acl traffic amazon-vpc

I have set up an Amazon Virtual Private Cloud (VPC). Inside the VPC I have 2 networks in which I create instances. For security reasons I want to put some network access control lists (network ACLs) on these networks, in addition to the machine firewalls. Following the Amazon example, I have a public network (exposed to internet access) 10.0.0.0/24 and 3 private networks 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24. Traffic between them is routed.

So for the network 10.0.1.0/24 I set the ACL to:

Inbound:
10.0.0.0/24 port 80 (HTTP)
10.0.0.0/24 port 22 (SSH)
10.0.2.0/24 port 3306 (MySql)
10.0.3.0/24 port 3306 (MySql)

Outbound
ALL ALL

For the networks 10.0.2.0/24 and 10.0.3.0/24:
Inbound
10.0.1.0/24 port 3306 (MySql)

Outbound
ALL ALL

For the public network 10.0.0.0/24 I have an exposed load balancer here, which redirects traffic to the private network 10.0.1.0/24, where an application responds over HTTP:
Inbound
0.0.0.0/0 port 80 (HTTP)
0.0.0.0/0 port 443 (HTTPS)
0.0.0.0/0 port 22 (SSH)

Outbound
ALL ALL

The problem is that when I put these rules into effect, all traffic gets stuck and the application becomes unavailable. What is happening? Am I doing something wrong?

Best answer

Update

Your rules are currently missing an additional and possibly relevant piece, related to the FAQ entry What are the differences between security groups in a VPC and network ACLs in a VPC?:

Security groups in a VPC specify which traffic is allowed to or from an Amazon EC2 instance. Network ACLs operate at the subnet level and evaluate traffic entering and exiting a subnet. Network ACLs can be used to set both Allow and Deny rules. Network ACLs do not filter traffic between instances in the same subnet. In addition, network ACLs perform stateless filtering while security groups perform stateful filtering. [emphasis mine]

This is addressed further in What is the difference between stateful and stateless filtering?:

Stateful filtering tracks the origin of a request and can automatically allow the reply to the request to be returned to the originating computer. [...]

Stateless filtering, on the other hand, only examines the source or destination IP address and the destination port, ignoring whether the traffic is a new request or a reply to a request. In the above example, two rules would need to be implemented on the filtering device: one rule to allow traffic inbound to the web server on tcp port 80, and another rule to allow outbound traffic from the webserver (tcp port range 49,152 through 65,535). [emphasis mine]

Now, you have allowed all outbound traffic, so this doesn't apply to your example as such, but the same issue applies the other way around as well: for example, for HTTP requests originating from your EC2 instances you need to have a corresponding inbound rule, as outlined in the Ephemeral Ports section within Network ACLs, which has more details on this:

The client that initiates the request chooses the ephemeral port range. The range varies depending on the client's operating system. [...]

If an instance in your VPC is the client initiating a request, your network ACL must have an inbound rule to enable traffic destined for the ephemeral ports specific to the type of instance (Amazon Linux, Windows Server 2008, etc.).

In practice, to cover the different types of clients that might initiate traffic to public-facing instances in your VPC, you need to open ephemeral ports 1024-65535. [...]

Solution

Accordingly, the section Recommended Rules for Scenario 2 within Appendix A: Recommended Network ACL Rules suggests the following inbound rule for your scenario (an example; the range depends on the operating system):
Inbound:
0.0.0.0/0 port 49152-65535 (TCP)

To test whether this issue really applies, you could simply include the entire ephemeral port range:
Inbound:
0.0.0.0/0 port 1024-65535 (TCP)

Initial answer (outdated)

For the public network 10.0.0.0/24 in here I have an exposed load balancer, which is redirecting traffic to the private network 10.0.1.0/24, where an app is responding over http

Your setup suggests that you intend to terminate SSL on the load balancer as usual; given your increased security requirements, though, you might actually have set up Elastic Load Balancing for back-end HTTPS communication (see Architectural Overview). You don't seem to have an ACL rule accommodating inbound HTTPS traffic to 10.0.1.0/24, so that rule would be missing in that case:
Inbound:
10.0.0.0/24 port 80 (HTTP)
10.0.0.0/24 port 443 (HTTPS) // <= missing in your example currently!
10.0.0.0/24 port 22 (SSH)
10.0.2.0/24 port 3306 (MySql)
10.0.3.0/24 port 3306 (MySql)

Outbound
ALL ALL
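As an added illustration (not part of the original question or answer), the following Python models the stateless evaluation the answer describes, using the questioner's ACL for 10.0.1.0/24: the load balancer's HTTP request and its reply both pass, but when the app server itself opens a MySQL connection into 10.0.2.0/24, the reply is dropped until an inbound ephemeral-port rule is added, and a rule limited to 49152-65535 still misses a client using a lower ephemeral port. Rule numbers, the addresses 10.0.2.10 and 10.0.0.5, and the ephemeral ports are constructed; all traffic is assumed to be TCP.

```python
from ipaddress import ip_address, ip_network

# One network ACL entry, evaluated the way AWS does: ascending rule number, first match
# wins, and anything unmatched hits the implicit final '*' deny rule.
# For inbound entries `cidr` is the packet's source; for outbound entries, its destination.
# `from_port`/`to_port` is the inclusive destination-port range (TCP assumed throughout).
class Rule:
    def __init__(self, number, cidr, from_port, to_port, action="allow"):
        self.number, self.cidr, self.action = number, ip_network(cidr), action
        self.from_port, self.to_port = from_port, to_port

    def matches(self, peer, dport):
        return ip_address(peer) in self.cidr and self.from_port <= dport <= self.to_port

def acl_allows(rules, peer, dport):
    """Stateless check of a single packet against one direction of the ACL."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(peer, dport):
            return rule.action == "allow"
    return False  # implicit '*' deny

def client_exchange(inbound, outbound, server_ip, server_port, client_ephemeral):
    """An instance in the subnet opens a TCP connection to server_ip:server_port.
    Returns (request_allowed, reply_allowed). Because filtering is stateless, the reply
    is judged on its own: its destination port is the client's ephemeral port."""
    return (acl_allows(outbound, server_ip, server_port),
            acl_allows(inbound, server_ip, client_ephemeral))

# The questioner's ACL for 10.0.1.0/24; rule numbers are constructed.
app_inbound = [
    Rule(100, "10.0.0.0/24", 80, 80),
    Rule(110, "10.0.0.0/24", 22, 22),
    Rule(120, "10.0.2.0/24", 3306, 3306),
    Rule(130, "10.0.3.0/24", 3306, 3306),
]
app_outbound = [Rule(100, "0.0.0.0/0", 0, 65535)]  # "ALL ALL"

def elb_to_app():
    """Load balancer (constructed address 10.0.0.5) sends HTTP to the app: request inbound
    to port 80, reply outbound to the balancer's ephemeral port. Both pass."""
    return (acl_allows(app_inbound, "10.0.0.5", 80), acl_allows(app_outbound, "10.0.0.5", 55555))

def mysql_from_app(extra_inbound=(), ephemeral=50000):
    """App server connects out to a MySQL server at 10.0.2.10:3306 (constructed address)."""
    return client_exchange(app_inbound + list(extra_inbound), app_outbound,
                           "10.0.2.10", 3306, ephemeral)

if __name__ == "__main__":
    scenario2 = [Rule(140, "0.0.0.0/0", 49152, 65535)]  # Appendix A, Scenario 2 rule
    full_range = [Rule(140, "0.0.0.0/0", 1024, 65535)]  # the answer's test rule
    print("ELB -> app HTTP (request, reply):", elb_to_app())
    print("app -> MySQL, no ephemeral rule:", mysql_from_app())
    print("app -> MySQL, 49152-65535 rule, port 50000:", mysql_from_app(scenario2))
    print("app -> MySQL, 49152-65535 rule, port 40000:", mysql_from_app(scenario2, 40000))
    print("app -> MySQL, 1024-65535 rule, port 40000:", mysql_from_app(full_range, 40000))
```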

Regarding networking - How do I set up network ACLs on Amazon Virtual Private Cloud?, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/10596456/
