amazon-web-services - AWS : security groups ignoring traffic from elastic IP

Tags: amazon-web-services amazon-ec2 amazon-vpc

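I have 2 AWS instances, i-1 and i-2. They are each in a different security group: sg-1 and sg-2, respectively. Both machines have Elastic IPs.
sg-2 is configured to allow all traffic from sg-1, regardless of port, source IP or protocol.

When i-1 tries to talk to i-2, its traffic is blocked. AWS doesn't seem to account for the fact that i-1's traffic is actually coming from its Elastic IP.

Is this expected? Is there anything I can do to work around it, other than manually adding i-1's Elastic IP to sg-2?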

Best answer

sg-2 is configured to allow all traffic from sg-1



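When you do this, only traffic from the private IP address is allowed. However, when you use an EIP, you need to explicitly allow traffic from that IP address.

Read: https://forums.aws.amazon.com/thread.jspa?messageID=414060

Quoting from the link above: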

Out of curiosity, are you perhaps connecting using a public IP address? When you use a rule with a security group as the source, it will only match when connecting over the internal network. The private IP address can change though. If you have an Elastic IP associated with the instance, the public DNS name happens to be static and will always resolve to the current private IP address when used from within the same EC2 region. That allows you to easily connect internally without worrying about any address changes.

Regarding amazon-web-services - AWS : security groups ignoring traffic from elastic IP, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/25923950/
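
The matching behaviour described in the answer, as an added example that is not part of the original post: a simplified Python model of ingress evaluation over a rule set shaped like `aws ec2 describe-security-groups` output. The addresses, `GROUP_PRIVATE_IPS` and the helper names are constructed for illustration, and protocol/port matching is left out because the rule allows all traffic.

```python
import ipaddress

# Constructed sample, shaped like `aws ec2 describe-security-groups` output for sg-2.
SG2 = {
    "GroupId": "sg-2",
    "IpPermissions": [
        {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-1"}], "IpRanges": []}
    ],
}

# Constructed addresses: private IPs of interfaces in each group, and i-1's Elastic IP.
GROUP_PRIVATE_IPS = {"sg-1": {"10.0.1.10"}}
I1_PRIVATE_IP = "10.0.1.10"
I1_ELASTIC_IP = "203.0.113.10"


def ingress_allows(group, source_ip, group_private_ips):
    """Return True if any ingress permission of `group` matches `source_ip`.
    Simplified model: protocol and port are ignored (rules here are all-traffic)."""
    src = ipaddress.ip_address(source_ip)
    for perm in group["IpPermissions"]:
        # A security-group source matches only private addresses of its members.
        for pair in perm.get("UserIdGroupPairs", []):
            if source_ip in group_private_ips.get(pair["GroupId"], set()):
                return True
        # A CIDR source matches whatever address the packet arrives with.
        for rng in perm.get("IpRanges", []):
            if src in ipaddress.ip_network(rng["CidrIp"]):
                return True
    return False


def with_cidr_rule(group, cidr):
    """Return a copy of `group` with an extra all-traffic ingress rule for `cidr`."""
    extra = {"IpProtocol": "-1", "UserIdGroupPairs": [], "IpRanges": [{"CidrIp": cidr}]}
    return {**group, "IpPermissions": group["IpPermissions"] + [extra]}


if __name__ == "__main__":
    # i-1 connects to i-2's private address: source is i-1's private IP.
    print(ingress_allows(SG2, I1_PRIVATE_IP, GROUP_PRIVATE_IPS))
    # i-1 connects to i-2's Elastic IP: source arrives as i-1's Elastic IP.
    print(ingress_allows(SG2, I1_ELASTIC_IP, GROUP_PRIVATE_IPS))
    # Same path after adding i-1's Elastic IP as a /32 source on sg-2.
    fixed = with_cidr_rule(SG2, I1_ELASTIC_IP + "/32")
    print(ingress_allows(fixed, I1_ELASTIC_IP, GROUP_PRIVATE_IPS))
```

Keeping the sg-1 reference and connecting over the private address (or the public DNS name resolved inside the region, as the quoted forum reply notes) avoids opening sg-2 to a public address at all.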
