Creating a publicly accessible RDS instance in AWS CloudFormation

I have completely given up on this. I have been trying to create a publicly accessible RDS instance using CloudFormation. I would like to be able to connect to my instance with the mysql client. When I deploy this stack, the RDS console says the instance is publicly accessible, but I cannot connect through the endpoint shown in the RDS console. I guess I messed up / missed something with the VPC pieces. Here is my stack.yaml file:

Resources:
  Vpc:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value: 'VPC created by cf'
  InternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
      - Key: Name
        Value: Created By CF
  VPCGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref Vpc
      InternetGatewayId: !Ref InternetGateway
  DataSourceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Open database for access
      VpcId: !Ref Vpc
  DSSGIngressRule:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      FromPort: "3306"
      ToPort: "3306"
      GroupId: !Ref DataSourceSecurityGroup
      IpProtocol: tcp
      SourceSecurityGroupId: !Ref DataSourceSecurityGroup
  PublicSubnet1:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: us-east-1a
      CidrBlock: 10.0.0.0/20
      MapPublicIpOnLaunch: true
      VpcId: !Ref Vpc
  PublicSubnet2:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: us-east-1b
      CidrBlock: 10.0.16.0/20
      MapPublicIpOnLaunch: true
      VpcId: !Ref Vpc
  RouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref Vpc
      Tags:
      - Key: Name
        Value: 'RouteTable created by CF'
  RouteTable1Association:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnet1
      RouteTableId: !Ref RouteTable
  RouteTable2Association:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnet2
      RouteTableId: !Ref RouteTable
  InternetRouteRule:
    Type: AWS::EC2::Route
    DependsOn: VPCGatewayAttachment
    Properties:
      RouteTableId: !Ref RouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway
  DataSourceSubtNetGroup:
    Type: AWS::RDS::DBSubnetGroup
    Properties:
      DBSubnetGroupDescription: Created by CF
      SubnetIds:
        - !Ref PublicSubnet1
        - !Ref PublicSubnet2
  DataSource:
    Type: AWS::RDS::DBInstance
    Properties:
      AllocatedStorage: '5'
      DBInstanceClass: db.m1.small
      DBName: MyDb
      DBSubnetGroupName: !Ref DataSourceSubtNetGroup
      Engine: MySQL
      MasterUsername: AdminUser
      MasterUserPassword: AdminPassword
      PubliclyAccessible: true
      VPCSecurityGroups:
        - !Ref DataSourceSecurityGroup
    DeletionPolicy: Snapshot

Thanks

Your DataSourceSecurityGroup security group is currently configured to:

  • Allow inbound connections on port 3306 from the DataSourceSecurityGroup security group

That is, it will allow inbound connections from any Amazon EC2 instance that is itself a member of the DataSourceSecurityGroup security group.

If you want to allow access from anywhere on the Internet, change your template to allow inbound access from 0.0.0.0/0:

  DSSGIngressRule:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      FromPort: "3306"
      ToPort: "3306"
      GroupId: !Ref DataSourceSecurityGroup
      IpProtocol: tcp
      CidrIp: 0.0.0.0/0

I made this change, tested your template, and it works fine.

For future reference: you can debug this type of thing by creating the stack and then examining the security group in the management console.
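An added audit check, not part of the question or the answer, that tells the two situations apart in a template already loaded into a dict: a PubliclyAccessible instance whose only 3306 rule is the self-referencing security group (unreachable from outside, the question's state) versus one whose rule is CidrIp 0.0.0.0/0 (reachable from the whole Internet, the answer's change). It assumes !Ref is represented as {"Ref": "LogicalId"} after loading; the embedded resources are a constructed subset of the question's template.

```python
import copy
def ref(value):  # assumption: a loaded template represents !Ref X as {"Ref": "X"}
    return value.get("Ref") if isinstance(value, dict) else value

def covers_port(rule, port):
    # IpProtocol -1 means all traffic; otherwise require tcp and a range containing the port
    return rule.get("IpProtocol") == "-1" or (rule.get("IpProtocol") == "tcp"
        and int(rule.get("FromPort", 0)) <= port <= int(rule.get("ToPort", 65535)))

def classify_ingress(rule):
    # "sg": members of a security group only; "cidr": a specific range; "world": 0.0.0.0/0
    cidr = rule.get("CidrIp")
    if cidr == "0.0.0.0/0": return "world"
    return "cidr" if cidr else ("sg" if "SourceSecurityGroupId" in rule else "unknown")

def ingress_rules_for(resources, sg_id):
    # Inline SecurityGroupIngress entries plus standalone AWS::EC2::SecurityGroupIngress resources
    rules = list(resources[sg_id]["Properties"].get("SecurityGroupIngress", []))
    return rules + [r["Properties"] for r in resources.values()
                    if r["Type"] == "AWS::EC2::SecurityGroupIngress"
                    and ref(r["Properties"].get("GroupId")) == sg_id]

def audit_public_db(resources, port=3306):
    # For each PubliclyAccessible DB instance: (security group, reachability) per rule on the port
    findings = {}
    for name, res in resources.items():
        props = res["Properties"]
        if res["Type"] == "AWS::RDS::DBInstance" and props.get("PubliclyAccessible"):
            findings[name] = [(ref(sg), classify_ingress(rule))
                              for sg in props.get("VPCSecurityGroups", [])
                              for rule in ingress_rules_for(resources, ref(sg))
                              if covers_port(rule, port)]
    return findings

# Constructed: the relevant resources of the question's template, as a loaded dict
QUESTION = {
    "DataSourceSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {}},
    "DSSGIngressRule": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
        "FromPort": "3306", "ToPort": "3306", "IpProtocol": "tcp",
        "GroupId": {"Ref": "DataSourceSecurityGroup"},
        "SourceSecurityGroupId": {"Ref": "DataSourceSecurityGroup"}}},
    "DataSource": {"Type": "AWS::RDS::DBInstance", "Properties": {
        "PubliclyAccessible": True, "VPCSecurityGroups": [{"Ref": "DataSourceSecurityGroup"}]}},
}

def with_answer_fix(resources):
    # Apply the answer's change: replace the self-reference with CidrIp 0.0.0.0/0
    fixed = copy.deepcopy(resources)
    fixed["DSSGIngressRule"]["Properties"].pop("SourceSecurityGroupId")
    fixed["DSSGIngressRule"]["Properties"]["CidrIp"] = "0.0.0.0/0"
    return fixed
```

A "world" finding is the signal to review: it means the database port is open to any address, so a narrower CidrIp or a bastion in the same security group is the usual alternative.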