以下為一個簡易的網路架構,主要展示AWS環境下的NAT Gateway,此一設計主要是讓私有網路能夠透過NAT Gateway上網,而NAT Gateway則是透過公有網路路由到外網,此一設計能使在NAT下的EC2依然能使用網路。
示意圖
建置環境
main.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
|
provider "aws" {
region = "us-west-2"
}
resource "aws_vpc" "vpc" {
cidr_block = "10.0.0.0/16"
tags = {
Name = "vpc"
}
}
resource "aws_security_group" "sg" {
name = "sg"
vpc_id = aws_vpc.vpc.id
ingress {
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
tags = {
Name = "sg"
}
}
resource "aws_instance" "ec2" {
ami = "ami-0747e613a2a1ff483"
instance_type = "t2.micro"
key_name = "demo-key-us-west-2"
subnet_id = aws_subnet.subnet.id
vpc_security_group_ids = [aws_security_group.sg.id]
tags = {
Name = "ec2"
}
}
resource "aws_instance" "ec2-private" {
ami = "ami-0747e613a2a1ff483"
instance_type = "t2.micro"
key_name = "demo-key-us-west-2"
subnet_id = aws_subnet.subnet-private.id
vpc_security_group_ids = [aws_security_group.sg.id]
tags = {
Name = "ec2-private"
}
}
|
internet-gateway.tf
這邊主要放與public subnet
有關的設定
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
|
resource "aws_subnet" "subnet" {
vpc_id = aws_vpc.vpc.id
cidr_block = "10.0.1.0/24"
availability_zone = "us-west-2a"
map_public_ip_on_launch = true
tags = {
Name = "subnet"
}
}
resource "aws_route_table_association" "rta" {
subnet_id = aws_subnet.subnet.id
route_table_id = aws_route_table.rt.id
}
resource "aws_route_table" "rt" {
vpc_id = aws_vpc.vpc.id
route {
cidr_block = "0.0.0.0/0"
gateway_id = aws_internet_gateway.igw.id
}
tags = {
Name = "rt"
}
}
resource "aws_internet_gateway" "igw" {
vpc_id = aws_vpc.vpc.id
tags = {
Name = "igw"
}
}
|
nat-gateway.tf
這邊主要放與private subnet
有關的設定
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
|
resource "aws_subnet" "subnet-private" {
vpc_id = aws_vpc.vpc.id
cidr_block = "10.0.2.0/24"
availability_zone = "us-west-2a"
tags = {
Name = "subnet-private"
}
}
resource "aws_route_table_association" "rta-private" {
subnet_id = aws_subnet.subnet-private.id
route_table_id = aws_route_table.rt-private.id
}
resource "aws_route_table" "rt-private" {
vpc_id = aws_vpc.vpc.id
route {
cidr_block = "0.0.0.0/0"
gateway_id = aws_nat_gateway.ngw.id
}
tags = {
Name = "rt-private"
}
}
resource "aws_nat_gateway" "ngw" {
allocation_id = aws_eip.eip.id
subnet_id = aws_subnet.subnet.id
tags = {
Name = "ngw"
}
depends_on = [aws_internet_gateway.igw]
}
resource "aws_eip" "eip" {
vpc = true
tags = {
Name = "eip"
}
}
|
測試
在public subnet
中的ec2
可正常連網
利用預設路由(也就是vpc
被建立時就被建立的路由)來透過public subnet
中的ec2
連線在private subnet
中的ec2
,經測試發現該ec2
可正常連網
透過指令traceroute
可發現路由透過NAT Gateway到public subnet
後,再利用Internet Gateway上網
後記
aws_eip
本次再建立時NAT Gateway關鍵在於要自己建立Elastic IP給NAT Gateway,沒辦法透過public subnet
的map_public_ip_on_launch
設定來自動賦予
上傳key到ec2
參考 透過terraform在aws上運行公私有網路 後記:上傳key到ec2