Featured image of post 透過Terraform在AWS上運行NAT Gateway

透過Terraform在AWS上運行NAT Gateway

Terraform AWS NAT Gateway

以下為一個簡易的網路架構,主要展示AWS環境下的NAT Gateway,此一設計主要是讓私有網路能夠透過NAT Gateway上網,而NAT Gateway則是透過公有網路路由到外網,此一設計能使在NAT下的EC2依然能使用網路。

示意圖

建置環境

main.tf

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
provider "aws" {
  region = "us-west-2"
}

resource "aws_vpc" "vpc" {
  cidr_block = "10.0.0.0/16"
  tags = {
    Name = "vpc"
  }
}

resource "aws_security_group" "sg" {
  name   = "sg"
  vpc_id = aws_vpc.vpc.id
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
  tags = {
    Name = "sg"
  }
}

resource "aws_instance" "ec2" {
  ami                    = "ami-0747e613a2a1ff483"
  instance_type          = "t2.micro"
  key_name               = "demo-key-us-west-2"
  subnet_id              = aws_subnet.subnet.id
  vpc_security_group_ids = [aws_security_group.sg.id]
  tags = {
    Name = "ec2"
  }
}

resource "aws_instance" "ec2-private" {
  ami                    = "ami-0747e613a2a1ff483"
  instance_type          = "t2.micro"
  key_name               = "demo-key-us-west-2"
  subnet_id              = aws_subnet.subnet-private.id
  vpc_security_group_ids = [aws_security_group.sg.id]
  tags = {
    Name = "ec2-private"
  }
}

internet-gateway.tf

這邊主要放與public subnet有關的設定

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
resource "aws_subnet" "subnet" {
  vpc_id                  = aws_vpc.vpc.id
  cidr_block              = "10.0.1.0/24"
  availability_zone       = "us-west-2a"
  map_public_ip_on_launch = true

  tags = {
    Name = "subnet"
  }
}

resource "aws_route_table_association" "rta" {
  subnet_id      = aws_subnet.subnet.id
  route_table_id = aws_route_table.rt.id
}

resource "aws_route_table" "rt" {
  vpc_id = aws_vpc.vpc.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
  tags = {
    Name = "rt"
  }
}

resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.vpc.id

  tags = {
    Name = "igw"
  }
}

nat-gateway.tf

這邊主要放與private subnet有關的設定

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
resource "aws_subnet" "subnet-private" {
  vpc_id            = aws_vpc.vpc.id
  cidr_block        = "10.0.2.0/24"
  availability_zone = "us-west-2a"

  tags = {
    Name = "subnet-private"
  }
}

resource "aws_route_table_association" "rta-private" {
  subnet_id      = aws_subnet.subnet-private.id
  route_table_id = aws_route_table.rt-private.id
}

resource "aws_route_table" "rt-private" {
  vpc_id = aws_vpc.vpc.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_nat_gateway.ngw.id
  }
  tags = {
    Name = "rt-private"
  }
}

resource "aws_nat_gateway" "ngw" {
  allocation_id = aws_eip.eip.id
  subnet_id     = aws_subnet.subnet.id

  tags = {
    Name = "ngw"
  }

  depends_on = [aws_internet_gateway.igw]
}

resource "aws_eip" "eip" {
  vpc = true

  tags = {
    Name = "eip"
  }
}

測試

public subnet中的ec2可正常連網

利用預設路由(也就是vpc被建立時就被建立的路由)來透過public subnet中的ec2連線在private subnet中的ec2,經測試發現該ec2可正常連網

透過指令traceroute可發現路由透過NAT Gateway到public subnet後,再利用Internet Gateway上網

後記

aws_eip

本次再建立時NAT Gateway關鍵在於要自己建立Elastic IP給NAT Gateway,沒辦法透過public subnetmap_public_ip_on_launch設定來自動賦予

上傳key到ec2

參考 透過terraform在aws上運行公私有網路 後記:上傳key到ec2

comments powered by Disqus
Built with Hugo
Theme Stack designed by Jimmy