- 通常的
firewall(防火墙)配置
AWS上使用安全组进行网络流量的控制
创建SecurityGroup并用来配置一个ec2 server,但是首先不配置入站和出站规则。新建一个CloudFormation的堆栈。{"AWSTemplateFormatVersion": "2010-09-09","Description": " (firewall 1)","Parameters": {"KeyName": {"Description": "Key Pair name","Type": "AWS::EC2::KeyPair::KeyName","Default": "my-cli-key"},"VPC": {"Description": "Just select the one and only default VPC","Type": "AWS::EC2::VPC::Id"},"Subnet": {"Description": "Just select one of the available subnets","Type": "AWS::EC2::Subnet::Id"}},"Mappings": {"EC2RegionMap": {"ap-northeast-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-cbf90ecb"},"ap-southeast-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-68d8e93a"},"ap-southeast-2": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-fd9cecc7"},"eu-central-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-a8221fb5"},"eu-west-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-a10897d6"},"sa-east-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-b52890a8"},"us-east-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-1ecae776"},"us-west-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-d114f295"},"us-west-2": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-e7527ed7"}}},"Resources": {"SecurityGroup": {"Type": "AWS::EC2::SecurityGroup","Properties": {"GroupDescription": "My security group","VpcId": {"Ref": "VPC"}}},"Server": {"Type": "AWS::EC2::Instance","Properties": {"ImageId": {"Fn::FindInMap": ["EC2RegionMap", {"Ref": "AWS::Region"}, "AmazonLinuxAMIHVMEBSBacked64bit"]},"InstanceType": "t2.micro","KeyName": {"Ref": "KeyName"},"SecurityGroupIds": [{"Ref": "SecurityGroup"}],"SubnetId": {"Ref": "Subnet"}}}},"Outputs": {"PublicName": {"Value": {"Fn::GetAtt": ["Server", "PublicDnsName"]},"Description": "Public name (connect via SSH as user ec2-user)"}}
}
- 创建堆栈
ec2 server被创建
- 检查
SecurityGroup
没有创建任何入站规则。
- 对该
ip地址进行进行ping
- 对该
SecurityGroup加入ping协议{"AWSTemplateFormatVersion": "2010-09-09","Description": "(firewall 2)","Parameters": {"KeyName": {"Description": "Key Pair name","Type": "AWS::EC2::KeyPair::KeyName","Default": "my-cli-key"},"VPC": {"Description": "Just select the one and only default VPC","Type": "AWS::EC2::VPC::Id"},"Subnet": {"Description": "Just select one of the available subnets","Type": "AWS::EC2::Subnet::Id"}},"Mappings": {"EC2RegionMap": {"ap-northeast-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-cbf90ecb"},"ap-southeast-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-68d8e93a"},"ap-southeast-2": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-fd9cecc7"},"eu-central-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-a8221fb5"},"eu-west-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-a10897d6"},"sa-east-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-b52890a8"},"us-east-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-1ecae776"},"us-west-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-d114f295"},"us-west-2": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-e7527ed7"}}},"Resources": {"SecurityGroup": {"Type": "AWS::EC2::SecurityGroup","Properties": {"GroupDescription": "My security group","VpcId": {"Ref": "VPC"}}},"AllowInboundICMP": {"Type": "AWS::EC2::SecurityGroupIngress","Properties": {"GroupId": {"Ref": "SecurityGroup"},"IpProtocol": "icmp","FromPort": "-1","ToPort": "-1","CidrIp": "0.0.0.0/0"}},"Server": {"Type": "AWS::EC2::Instance","Properties": {"ImageId": {"Fn::FindInMap": ["EC2RegionMap", {"Ref": "AWS::Region"}, "AmazonLinuxAMIHVMEBSBacked64bit"]},"InstanceType": "t2.micro","KeyName": {"Ref": "KeyName"},"SecurityGroupIds": [{"Ref": "SecurityGroup"}],"SubnetId": {"Ref": "Subnet"}}}},"Outputs": {"PublicName": {"Value": {"Fn::GetAtt": ["Server", "PublicDnsName"]},"Description": "Public name (connect via SSH as user ec2-user)"}}
}
- 使用上面
CloudFormation代码更新stack
stack更新结束
*
- 重新
ping该ec2 server
可以看出入站规则已经生效。
- 检查
ssh的22端口
- 继续更新
CloudFormation,对SecurityGroup配置开放22端口{"AWSTemplateFormatVersion": "2010-09-09","Description": " (firewall 3)","Parameters": {"KeyName": {"Description": "Key Pair name","Type": "AWS::EC2::KeyPair::KeyName","Default": "my-cli-key"},"VPC": {"Description": "Just select the one and only default VPC","Type": "AWS::EC2::VPC::Id"},"Subnet": {"Description": "Just select one of the available subnets","Type": "AWS::EC2::Subnet::Id"}},"Mappings": {"EC2RegionMap": {"ap-northeast-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-cbf90ecb"},"ap-southeast-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-68d8e93a"},"ap-southeast-2": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-fd9cecc7"},"eu-central-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-a8221fb5"},"eu-west-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-a10897d6"},"sa-east-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-b52890a8"},"us-east-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-1ecae776"},"us-west-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-d114f295"},"us-west-2": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-e7527ed7"}}},"Resources": {"SecurityGroup": {"Type": "AWS::EC2::SecurityGroup","Properties": {"GroupDescription": "My security group","VpcId": {"Ref": "VPC"}}},"AllowInboundICMP": {"Type": "AWS::EC2::SecurityGroupIngress","Properties": {"GroupId": {"Ref": "SecurityGroup"},"IpProtocol": "icmp","FromPort": "-1","ToPort": "-1","CidrIp": "0.0.0.0/0"}},"AllowInboundSSH": {"Type": "AWS::EC2::SecurityGroupIngress","Properties": {"GroupId": {"Ref": "SecurityGroup"},"IpProtocol": "tcp","FromPort": "22","ToPort": "22","CidrIp": "0.0.0.0/0"}},"Server": {"Type": "AWS::EC2::Instance","Properties": {"ImageId": {"Fn::FindInMap": ["EC2RegionMap", {"Ref": "AWS::Region"}, "AmazonLinuxAMIHVMEBSBacked64bit"]},"InstanceType": "t2.micro","KeyName": {"Ref": "KeyName"},"SecurityGroupIds": [{"Ref": "SecurityGroup"}],"SubnetId": {"Ref": "Subnet"}}}},"Outputs": {"PublicName": {"Value": {"Fn::GetAtt": ["Server", "PublicDnsName"]},"Description": "Public name (connect via SSH as user ec2-user)"}}
}
ping这个ec2 server
