Cannot connect to SQS from EC2 instance due to time out
The error I am seeing is: Unable to execute HTTP request: Connect to sqs.us-east-1.amazonaws.com:443
org.apache.http.conn.ConnectTimeoutException: Connect to sqs.us-east-1.amazonaws.com:443 [sqs.us-east-1.amazonaws.com/54.239.27.172] failed: connect timed out
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:151)
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:359)
at sun.reflect.GeneratedMethodAccessor19.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.amazonaws.http.conn.ClientConnectionManagerFactory$Handler.invoke(ClientConnectionManagerFactory.java:76)
at com.amazonaws.http.conn.$Proxy54.connect(Unknown Source)
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381)
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
at com.amazonaws.http.apache.client.impl.SdkHttpClient.execute(SdkHttpClient.java:72)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1181)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1030)
... 21 common frames omitted
My security group's outbound rule is:
All traffic 10.0.0.0/8
I cannot change the outbound rule to allow all Internet traffic - that is a restriction.
Any idea what we should do?
Amazon SQS is an Internet-based service. To connect to the Amazon SQS endpoint (sqs.us-east-1.amazonaws.com), the Amazon EC2 instance needs access to the Internet.
Your Amazon EC2 instance is in a private subnet, which means it cannot access the Internet directly. Therefore you need:
- A NAT Instance or a NAT Gateway in a public subnet of the VPC
- A route table associated with the private subnet that routes Internet-bound traffic to the NAT Instance or NAT Gateway
As John said, the AWS APIs are public endpoints (the exception being VPC Endpoints, which are private to the VPC and currently only available for S3 and DynamoDB). From a private subnet you need NAT to reach those public endpoints.
However, to restrict access from your instance to AWS services only, you need to configure the egress rules of your security group.
Amazon publishes the IP ranges of its endpoints and also lets you subscribe to change notifications:
Whenever there is a change to the AWS IP address ranges, we send notifications to subscribers of the AmazonIpSpaceChanged topic. The payload contains information in the following format:
{
  "create-time":"yyyy-mm-ddThh:mm:ss+00:00",
  "synctoken":"0123456789",
  "md5":"6a45316e8bc9463c9e926d5d37836d33",
  "url":"https://ip-ranges.amazonaws.com/ip-ranges.json"
}
What you get from https://ip-ranges.amazonaws.com/ip-ranges.json is JSON describing the AWS services and their IP ranges.
{
  "syncToken": "0123456789",
  "createDate": "yyyy-mm-dd-hh-mm-ss",
  "prefixes": [
    {
      "ip_prefix": "cidr",
      "region": "region",
      "service": "subset"
    }
  ],
  "ipv6_prefixes": [
    {
      "ipv6_prefix": "cidr",
      "region": "region",
      "service": "subset"
    }
  ]
}
To restrict egress traffic, add rules to your SG following these instructions from the AWS documentation:
To allow an instance to access only AWS services, create a security group with rules that allow outbound traffic to the CIDR blocks in the AMAZON list, minus the CIDR blocks that are also in the EC2 list.
For current details and the IP-range JSON format, see the "Implementing Egress Control" section in Amazon's general documentation.
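The AMAZON-minus-EC2 computation the quoted documentation describes, worked through in Python as an added example (not code from the answer above or from AWS). It parses a constructed ip-ranges.json sample with made-up prefixes (the real file must be fetched from the URL in the answer), filters to one region, and carves every EC2 block out of the AMAZON blocks. It goes slightly beyond the exact-match subtraction in the quote: an EC2 block that is a subnet of a larger AMAZON block is also removed, leaving only the remaining pieces. The `md5` check mirrors the field in the AmazonIpSpaceChanged notification payload, and the permission dict follows the `IpPermissions` shape used by the EC2 AuthorizeSecurityGroupEgress API (an assumption about how the result would be applied, not something the answer shows):

```python
import hashlib
import ipaddress
import json
from typing import Dict, List

# Constructed sample in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json.
# Prefixes, token and date are made up (RFC 5737 / benchmarking ranges); never use as-is.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0123456789",
    "createDate": "2017-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "203.0.113.0/26", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "198.18.0.0/15", "region": "eu-west-1", "service": "AMAZON"},
    ],
    "ipv6_prefixes": [],
})


def md5_hex(body: bytes) -> str:
    """Hex MD5 of a downloaded ip-ranges.json body (the notification carries this digest)."""
    return hashlib.md5(body).hexdigest()


def verify_md5(body: bytes, expected_md5: str) -> bool:
    """True when the downloaded body matches the md5 announced in the change notification."""
    return md5_hex(body) == expected_md5.lower()


def subtract(net: ipaddress.IPv4Network, excludes: List[ipaddress.IPv4Network]) -> List[ipaddress.IPv4Network]:
    """Remove every network in `excludes` that overlaps `net`; return the pieces left over."""
    pieces = [net]
    for ex in excludes:
        next_pieces = []
        for piece in pieces:
            if piece.subnet_of(ex):
                continue                                   # fully inside an EC2 block: drop it
            if ex.subnet_of(piece):
                next_pieces.extend(piece.address_exclude(ex))  # carve the EC2 block out
            else:
                next_pieces.append(piece)                  # no overlap: keep as-is
        pieces = next_pieces
    return pieces


def egress_allow_list(ip_ranges_json: str, region: str) -> List[str]:
    """IPv4 CIDRs for `region` in the AMAZON list, minus anything in the EC2 list,
    collapsed to the smallest set of networks. This is the set the quoted AWS
    guidance says to allow outbound from an instance that may reach only AWS services."""
    data = json.loads(ip_ranges_json)
    amazon = [ipaddress.ip_network(p["ip_prefix"]) for p in data["prefixes"]
              if p["region"] == region and p["service"] == "AMAZON"]
    ec2 = [ipaddress.ip_network(p["ip_prefix"]) for p in data["prefixes"]
           if p["region"] == region and p["service"] == "EC2"]
    remaining: List[ipaddress.IPv4Network] = []
    for net in amazon:
        remaining.extend(subtract(net, ec2))
    return [str(n) for n in ipaddress.collapse_addresses(remaining)]


def to_sg_egress_permission(cidrs: List[str]) -> Dict:
    """Build one HTTPS-only egress permission entry (assumed IpPermissions layout)."""
    return {
        "IpProtocol": "tcp",
        "FromPort": 443,
        "ToPort": 443,
        "IpRanges": [{"CidrIp": c, "Description": "AWS endpoints (AMAZON minus EC2)"} for c in cidrs],
    }


if __name__ == "__main__":
    body = SAMPLE_IP_RANGES.encode()
    print("md5 ok:", verify_md5(body, md5_hex(body)))
    allowed = egress_allow_list(SAMPLE_IP_RANGES, "us-east-1")
    print("allow:", allowed)
    print(json.dumps(to_sg_egress_permission(allowed), indent=2))
```

The result is still wider than SQS alone, because the AMAZON list covers every service in the region; restricting to port 443 at least keeps the rule to the HTTPS endpoints the SDK actually uses. Re-run the computation whenever a change notification arrives, since the ranges move and a stale rule set is what turns into the connect timeout from the question.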
Update here: VPC Endpoints now support endpoints for most AWS services.