我有两个vpc:
- VPC<<ul>
- RDS实例/gh>
- EC2实例
也有几个子网:
- VPC
- 私人 私人B
- 同行
- VPC B
- 私人 私人B
- 同行
RDS在VPC A的私有A、私有B、对端A中。
EC2在VPC b的Peer A中
我想从EC2连接到RDS实例。
我已经创建了对等:
resource "aws_vpc_peering_connection" "a_to_b" {
vpc_id = aws_vpc.a.id
peer_vpc_id = aws_vpc.b.id
auto_accept = true
accepter {
allow_remote_vpc_dns_resolution = true
}
requester {
allow_remote_vpc_dns_resolution = true
}
}
resource "aws_vpc_peering_connection_accepter" "a_to_b" {
vpc_peering_connection_id = aws_vpc_peering_connection.a_to_b.id
auto_accept = true
}
我也有整个CIDR块的路由表,如下所示:
resource "aws_route_table" "a_peer" {
vpc_id = aws_vpc.a.id
}
resource "aws_route_table_association" "a_peer" {
route_table_id = aws_route_table.a_peer.id
subnet_id = aws_subnet.a_peer.id
}
resource "aws_route" "a_peer_b" {
route_table_id = aws_route_table.a_peer.id
destination_cidr_block = aws_subnet.b_peer.cidr_block
vpc_peering_connection_id = aws_vpc_peering_connection.a_to_b.id
}
resource "aws_route_table" "b_peer" {
vpc_id = aws_vpc.b.id
}
resource "aws_route_table_association" "b_peer" {
route_table_id = aws_route_table.b_peer.id
subnet_id = aws_subnet.b_peer.id
}
resource "aws_route" "b_peer_a" {
route_table_id = aws_route_table.b_peer.id
destination_cidr_block = aws_subnet.a_peer.cidr_block
vpc_peering_connection_id = aws_vpc_peering_connection.a_to_b.id
}
我还创建了从RDS实例上的ingress
和egress
到EC2安全组的安全组。
当我SSH到EC2时,我可以得到DNS:
$ nslookup rds.xxxxxxxxxxx.eu-west-2.rds.amazonaws.com
Server: 192.16.0.2
Address: 192.16.0.2#53
Non-authoritative answer:
Name: rds.xxxxxxxxxxx.eu-west-2.rds.amazonaws.com
Address: 10.16.192.135
但是curl
不能连接:
$ curl rds.xxxxxxxxxxx.eu-west-2.rds.amazonaws.com:5432
预期的响应是:
$ curl rds.xxxxxxxxxxx.eu-west-2.rds.amazonaws.com:5432
curl: (52) Empty reply from server
VPC对等连接状态为"活跃";和路由表匹配Terraform。
我怎么能得到这个连接?
我自己做了一些测试,我很确定这个问题是由你的路由引起的,假设VPC中其他所有内容都正确,因为VPC和子网定义未显示。
具体来说,您写了"RDS位于VPC A的Private A, Private B, Peer A"中。这意味着RDS主机可能位于中的任何一个子网中。. 您无法控制它,因为由RDS来选择使用哪个子网。在创建RDS时,您只能通过选择可用分区来部分控制它。随后,对等路由表应该覆盖所有这三个子网。最简单的方法是使用VPC CIDR范围:
# Route from instance in VPC B to any subnet in VPC A which
# hosts your RDS in all its subnets
resource "aws_route" "b_peer_a" {
route_table_id = aws_route_table.b_peer.id
destination_cidr_block = aws_vpc.a.cidr_block
vpc_peering_connection_id = aws_vpc_peering_connection.a_to_b.id
}
那么你还需要在VPC a中有一个路由表与所有子网的对等连接相关联:
resource "aws_route_table" "a_peer" {
vpc_id = aws_vpc.a.id
}
resource "aws_route_table_association" "a_peer" {
route_table_id = aws_route_table.a_peer.id
subnet_id = aws_subnet.a_peer.id
}
resource "aws_route_table_association" "a_private1" {
route_table_id = aws_route_table.a_peer.id
subnet_id = aws_subnet.a_private1.id
}
resource "aws_route_table_association" "a_private2" {
route_table_id = aws_route_table.a_peer.id
subnet_id = aws_subnet.a_private2.id
}
resource "aws_route" "a_peer_b" {
route_table_id = aws_route_table.a_peer.id
destination_cidr_block = aws_subnet.b_peer.cidr_block
vpc_peering_connection_id = aws_vpc_peering_connection.a_to_b.id
}