Networking – How do I set up network ACLs on Amazon Virtual Private Cloud?

I have set up an Amazon Virtual Private Cloud (VPC). Inside the VPC there are 2 networks in which I created instances. For security, I want to put some network access control lists (network ACLs) on these networks, in addition to the machine firewalls. Following Amazon's example, I have a public network (exposed to Internet access) 10.0.0.0/24 and 3 private networks 10.0.1.0/24, 10.0.2.0/24 and 10.0.3.0/24. Traffic between them is routed.

So for the network 10.0.1.0/24 I put this as the ACL:

Inbound:
10.0.0.0/24 port 80 (HTTP)
10.0.0.0/24 port 22 (SSH)
10.0.2.0/24 port 3306 (MySql)
10.0.3.0/24 port 3306 (MySql)

Outbound
ALL ALL

For the networks 10.0.2.0/24 and 10.0.3.0/24:

Inbound
10.0.1.0/24 port 3306 (MySql)

Outbound
ALL ALL

For the public network 10.0.0.0/24, where I have an exposed load balancer that redirects traffic to the private network 10.0.1.0/24, where an app responds over HTTP:

Inbound
0.0.0.0/0 port 80 (HTTP)
0.0.0.0/0 port 443 (HTTPS)
0.0.0.0/0 port 22 (SSH)

Outbound
ALL ALL

The problem is that when I put these rules in place, all traffic freezes and the app becomes unavailable. What is happening? Am I doing something wrong?

Best answer
Update

Your rules are currently missing an additional, and probably related, piece; see the FAQ What are the differences between security groups in a VPC and network ACLs in a VPC?:

Security groups in a VPC specify which traffic is allowed to or from
an Amazon EC2 instance. Network ACLs operate at the subnet level and
evaluate traffic entering and exiting a subnet. Network ACLs can be
used to set both Allow and Deny rules. Network ACLs do not filter
traffic between instances in the same subnet. In addition, network
ACLs perform stateless filtering while security groups perform
stateful filtering. [emphasis mine]

This is elaborated on in What is the difference between stateful and stateless filtering?:

Stateful filtering tracks the origin of a request and can
automatically allow the reply to the request to be returned to the
originating computer. […]

Stateless filtering, on the other hand, only examines the source or
destination IP address and the destination port, ignoring whether the
traffic is a new request or a reply to a request. In the above
example, two rules would need to be implemented on the filtering
device: one rule to allow traffic inbound to the web server on tcp
port 80, and another rule to allow outbound traffic from the webserver
(tcp port range 49,152 through 65,535). [emphasis mine]

Now, you have allowed all outbound traffic, so this does not apply to the example as quoted, but the same issue applies the other way round: for HTTP requests originating from your EC2 instances you need a corresponding inbound rule. See Ephemeral Ports in Network ACLs for more details:

The client that initiates the request chooses the ephemeral port
range. The range varies depending on the client’s operating system. […]

If an instance in your VPC is the client initiating a request, your
network ACL must have an inbound rule to enable traffic destined for
the ephemeral ports specific to the type of instance (Amazon Linux,
Windows Server 2008, etc.).

In practice, to cover the different types of clients that might
initiate traffic to public-facing instances in your VPC, you need to
open ephemeral ports 1024-65535. […]

Accordingly, Recommended Rules for Scenario 2 in Appendix A: Recommended Network ACL Rules suggests the following inbound rule for your scenario (OS-dependent example):

Inbound:
0.0.0.0/0 port 49152-65535 (TCP)

To test whether this issue really applies, you could simply include the entire ephemeral port range:

Inbound:
0.0.0.0/0 port 1024-65535 (TCP)

Initial answer (outdated)

For the public network 10.0.0.0/24 in here I have an exposed load
balancer, which is redirecting traffic to the private network
10.0.1.0/24, where an app is responding over http

Your setup suggests that you intend to terminate SSL on the load balancer, as usual; given your raised security requirements, you might actually have configured Elastic Load Balancing for back-end HTTPS communication (see Architectural Overview). You do not seem to have applied an ACL rule for inbound HTTPS traffic to 10.0.1.0/24, so that would be the missing piece:

Inbound:
10.0.0.0/24 port 80 (HTTP)
10.0.0.0/24 port 443 (HTTPS) // <= missing in your example currently!
10.0.0.0/24 port 22 (SSH)
10.0.2.0/24 port 3306 (MySql)
10.0.3.0/24 port 3306 (MySql)

Outbound
ALL ALL

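To make the stateless-filtering point concrete, here is an added Python simulation (not from the original post and not AWS code) of the inbound rule sets quoted in the question. It checks each connection's request packet against the server subnet's inbound ACL and the reply packet against the client subnet's inbound ACL, and reports which leg the implicit deny drops before and after the recommended ephemeral-port rule is added. Host addresses and rule numbers are constructed for the example; outbound is ALL ALL in the question, so it is not modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    number: int      # NACL rules are evaluated in ascending order; first match wins
    cidr: str        # source CIDR for an inbound rule
    port_from: int
    port_to: int
    action: str = "allow"

def evaluate(rules, src_ip, dst_port):
    """Stateless evaluation: only the source IP and destination port are inspected."""
    for r in sorted(rules, key=lambda rule: rule.number):
        if ip_address(src_ip) in ip_network(r.cidr) and r.port_from <= dst_port <= r.port_to:
            return r.action
    return "deny"  # the implicit final '*' deny rule

# Inbound rule sets as posted in the question (rule numbers are constructed)
PUBLIC_IN = [Rule(100, "0.0.0.0/0", 80, 80), Rule(110, "0.0.0.0/0", 443, 443),
             Rule(120, "0.0.0.0/0", 22, 22)]
APP_IN = [Rule(100, "10.0.0.0/24", 80, 80), Rule(110, "10.0.0.0/24", 22, 22),
          Rule(120, "10.0.2.0/24", 3306, 3306), Rule(130, "10.0.3.0/24", 3306, 3306)]
DB_IN = [Rule(100, "10.0.1.0/24", 3306, 3306)]
SUBNET_ACL = {"10.0.0.0/24": PUBLIC_IN, "10.0.1.0/24": APP_IN, "10.0.2.0/24": DB_IN}
EPHEMERAL = Rule(140, "0.0.0.0/0", 1024, 65535)  # the inbound rule the answer recommends

def inbound_acl_for(acls, ip):
    return next(rules for cidr, rules in acls.items() if ip_address(ip) in ip_network(cidr))

def trace_connection(acls, client_ip, client_port, server_ip, server_port):
    """Return the first leg ('request' or 'reply') the ACLs deny, or None if both pass."""
    if evaluate(inbound_acl_for(acls, server_ip), client_ip, server_port) == "deny":
        return "request"
    if evaluate(inbound_acl_for(acls, client_ip), server_ip, client_port) == "deny":
        return "reply"
    return None

def blocked_leg(add_ephemeral_rule, client_ip, client_port, server_ip, server_port):
    acls = {cidr: rules + ([EPHEMERAL] if add_ephemeral_rule else [])
            for cidr, rules in SUBNET_ACL.items()}
    return trace_connection(acls, client_ip, client_port, server_ip, server_port)

# Constructed hosts: load balancer 10.0.0.5, app server 10.0.1.10, MySQL 10.0.2.20.
LB_TO_APP = ("10.0.0.5", 51000, "10.0.1.10", 80)
APP_TO_DB = ("10.0.1.10", 52000, "10.0.2.20", 3306)

if __name__ == "__main__":
    for name, flow in (("LB->app", LB_TO_APP), ("app->MySQL", APP_TO_DB)):
        print(name, "blocked without ephemeral rule:", blocked_leg(False, *flow),
              "| with it:", blocked_leg(True, *flow))
```

Both flows fail on the reply leg with the question's rules, because the reply enters the client's subnet on an ephemeral destination port that no inbound rule allows; adding the 1024-65535 rule lets both complete.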