在同一个VPC中,我使用CDK创建了一个EC2,一个PostgreSQL。我将EC2设置为公共,将PostgreSQL设置为私有,并允许所有IP访问PostgreSQL默认端口,一切都准备好了,但无法从EC2使用psql telnet到PostgreSQL,有人知道问题所在,我是不是遗漏了什么?
Vpc vpc = new Vpc(this,"RDS-VPC",
VpcProps.builder()
.natGateways(1).maxAzs(2).build());
SecurityGroup ec2SG = new SecurityGroup(this,"EC2-SG", SecurityGroupProps.builder().vpc(vpc).allowAllOutbound(true).build());
ec2SG.addIngressRule(Peer.ipv4("xxx.xxx.xxx.xxx/32"),Port.tcp(22),"The specified IP can be accessed");
SecurityGroup rdsSg = new SecurityGroup(this,"RDS-SG", SecurityGroupProps.builder().vpc(vpc).allowAllOutbound(true).build());
rdsSg.addIngressRule(Peer.anyIpv4(),Port.tcp(5432),"allow public ssh access");
List<SecurityGroup> securityGroups = new ArrayList<>();
securityGroups.add(rdsSg);
Instance Ec2Instace = new Instance(this,"ec2", InstanceProps.builder().vpc(vpc)
.instanceType(InstanceType.of(InstanceClass.T3,InstanceSize.MEDIUM))
.machineImage(MachineImage.latestAmazonLinux(AmazonLinuxImageProps.builder().generation(AmazonLinuxGeneration.AMAZON_LINUX_2).build()))
.securityGroup(ec2SG)
.vpcSubnets(SubnetSelection.builder().subnetType(SubnetType.PUBLIC).build())
.keyName("keyname")
.build());
Credentials credentials = Credentials.fromPassword("xxx", new SecretValue("xxxx"));
SubnetGroup subnetGroup = new SubnetGroup(this,"postgresql", SubnetGroupProps.builder().vpcSubnets(SubnetSelection.builder().subnetType(SubnetType.PRIVATE_WITH_NAT).build()).build());
DatabaseInstance databaseInstance = new DatabaseInstance(this,"postgresql",DatabaseInstanceProps.builder()
.vpc(vpc)
.deleteAutomatedBackups(true)
.instanceType(InstanceType.of(InstanceClass.T3,InstanceSize.MICRO))
.allocatedStorage(10)
.credentials(credentials)
.databaseName("xxxx")
.securityGroups(securityGroups)
.subnetGroup(subnetGroup)
.publiclyAccessible(true)
.engine(DatabaseInstanceEngine.postgres(PostgresInstanceEngineProps.builder().version(PostgresEngineVersion.VER_13).build()))
.build());
1条答案
按热度按时间63lcw9qa1#
将Eggress规则添加到0.0.0.0/0 CIDR的EC2安全组,以便EC2可以将流量发送到RDS并从Internet下载更新。
很高兴拥有:
1.将RDS的入口规则的anyIpv4替换为EC2安全组。您可以引用安全组,而不是IP CIDR。
1.将Eggress规则添加到0.0.0.0/0 CIDR的RDS安全组中,以便RDS可以从Internet下载更新。
这应该足够了。此外,您也没有显式配置路由表。也许这对你的案子来说不是必需的。