CDK: Moving Bastion Host to Isolated Network

0

Hello,

I have the following VPC created with CDK:

// aws-cdk-lib v2 imports assumed for this snippet
import { Vpc, SubnetType } from 'aws-cdk-lib/aws-ec2';

this.vpc = new Vpc(this, 'vpc', {
  cidr: '10.0.0.0/21',
  natGateways: 0,           // no NAT, so the isolated subnet has no path to the internet
  subnetConfiguration: [
    {
      subnetType: SubnetType.PUBLIC,
      cidrMask: 24,
    },
    {
      subnetType: SubnetType.PRIVATE_ISOLATED,
      cidrMask: 28,
    },
  ],
});

The RDS instance is created in the private isolated subnet. When I create a Bastion to access RDS as follows:

// aws-cdk-lib v2 imports assumed for this snippet
import { BastionHostLinux, Port, SecurityGroup, SubnetType } from 'aws-cdk-lib/aws-ec2';

const bastionSecurityGroup = new SecurityGroup(this, 'bastion-host-security-group', {
  vpc: props.vpc,
  allowAllOutbound: true,
});

new BastionHostLinux(this, 'bastion-host', {
  vpc: props.vpc,
  // placing the host in the PUBLIC subnet is what gives it a route to Systems Manager
  subnetSelection: props.vpc.selectSubnets({ subnetType: SubnetType.PUBLIC }),
  securityGroup: bastionSecurityGroup,
});

// allow Postgres traffic from the bastion's security group to the RDS security group
this.dbSecurityGroup.addIngressRule(bastionSecurityGroup, Port.tcp(5432), 'Allow Access from Bastion', true);

I'm able to access it via SSM normally from my machine. However, if I omit the subnetSelection property and the Bastion is placed in the private isolated network, it is no longer accessible.

I'm unable to get my head around what I need to do to be able to access it without placing it in the public subnet. I understand that I may do so by adding a VPC Interface Endpoint, but I don't see how to do that in the CDK code above.

1 answer
0

In order for an EC2 instance to register with Systems Manager, it requires connectivity to the Systems Manager endpoints. This can either be over the public internet via an Internet Gateway, NAT Gateway, proxy server, etc. Alternatively, you can create VPC endpoints for Systems Manager to keep the traffic within the VPC.

If you do not have VPC endpoints created and the instance is placed in a private subnet, the instance will not have a route to the endpoints for registration and management with Systems Manager.

Here is the CDK documentation for InterfaceVpcEndpoints: https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.InterfaceVpcEndpoint.html

If you create the VPC endpoints, then you no longer need the public subnet as the instance can communicate directly with the VPC endpoints for Systems Manager.

AWS
Erik_W
answered 2 years ago
