我有两个 VPC:
还有几个子网:
RDS 位于 VPC A 的 Private A、Private B、Peer A 中。
EC2 在 VPC B 的 Peer A 中。
我想从 EC2 连接到 RDS 实例。
我创建了一个对等互连:
resource "aws_vpc_peering_connection" "a_to_b" {
vpc_id = aws_vpc.a.id
peer_vpc_id = aws_vpc.b.id
auto_accept = true
accepter {
allow_remote_vpc_dns_resolution = true
}
requester {
allow_remote_vpc_dns_resolution = true
}
}
resource "aws_vpc_peering_connection_accepter" "a_to_b" {
vpc_peering_connection_id = aws_vpc_peering_connection.a_to_b.id
auto_accept = true
}
我也有整个 CIDR block 的路由表,如下所示:resource "aws_route_table" "a_peer" {
vpc_id = aws_vpc.a.id
}
resource "aws_route_table_association" "a_peer" {
route_table_id = aws_route_table.a_peer.id
subnet_id = aws_subnet.a_peer.id
}
resource "aws_route" "a_peer_b" {
route_table_id = aws_route_table.a_peer.id
destination_cidr_block = aws_subnet.b_peer.cidr_block
vpc_peering_connection_id = aws_vpc_peering_connection.a_to_b.id
}
resource "aws_route_table" "b_peer" {
vpc_id = aws_vpc.b.id
}
resource "aws_route_table_association" "b_peer" {
route_table_id = aws_route_table.b_peer.id
subnet_id = aws_subnet.b_peer.id
}
resource "aws_route" "b_peer_a" {
route_table_id = aws_route_table.b_peer.id
destination_cidr_block = aws_subnet.a_peer.cidr_block
vpc_peering_connection_id = aws_vpc_peering_connection.a_to_b.id
}
我还从 ingress
创建了安全组和 egress
在 RDS 实例上到 EC2 安全组。当我通过 SSH 连接到 EC2 时,我可以获得 DNS:
$ nslookup rds.xxxxxxxxxxx.eu-west-2.rds.amazonaws.com
Server: 192.16.0.2
Address: 192.16.0.2#53
Non-authoritative answer:
Name: rds.xxxxxxxxxxx.eu-west-2.rds.amazonaws.com
Address: 10.16.192.135
但是,curl
无法连接:$ curl rds.xxxxxxxxxxx.eu-west-2.rds.amazonaws.com:5432
预期的响应是:$ curl rds.xxxxxxxxxxx.eu-west-2.rds.amazonaws.com:5432
curl: (52) Empty reply from server
VPC 对等是“事件的”,并且路由表与 Terraform 匹配。我怎样才能得到这个连接?
最佳答案
我自己做了一些测试,我很确定问题是由您的 引起的。路线 ,假设您的 VPC 中的所有其他内容都是正确的,因为未显示 VPC 和子网定义。
具体来说,您写道“RDS 在私有(private) A、私有(private) B、VPC A 的对等点 A 中”。这意味着 RDS master 可能在 任何这些子网 .您无法控制它,因为它由 RDS 来选择要使用的子网。创建 RDS 时,您只能通过选择 AZ 来部分控制它。随后,您的对等路由表应涵盖所有这三个子网。最简单的方法是使用 VPC CIDR 范围:
# Route from instance in VPC B to any subnet in VPC A which
# hosts your RDS in all its subnets
resource "aws_route" "b_peer_a" {
route_table_id = aws_route_table.b_peer.id
destination_cidr_block = aws_vpc.a.cidr_block
vpc_peering_connection_id = aws_vpc_peering_connection.a_to_b.id
}
那你还需要有一个 VPC A 中的路由表 与所有子网的对等连接相关联:resource "aws_route_table" "a_peer" {
vpc_id = aws_vpc.a.id
}
resource "aws_route_table_association" "a_peer" {
route_table_id = aws_route_table.a_peer.id
subnet_id = aws_subnet.a_peer.id
}
resource "aws_route_table_association" "a_private1" {
route_table_id = aws_route_table.a_peer.id
subnet_id = aws_subnet.a_private1.id
}
resource "aws_route_table_association" "a_private2" {
route_table_id = aws_route_table.a_peer.id
subnet_id = aws_subnet.a_private2.id
}
resource "aws_route" "a_peer_b" {
route_table_id = aws_route_table.a_peer.id
destination_cidr_block = aws_subnet.b_peer.cidr_block
vpc_peering_connection_id = aws_vpc_peering_connection.a_to_b.id
}
关于amazon-web-services - 无法通过 VPC 对等连接到另一个 VPC 中的 RDS,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/65975035/