
AWS - Isolating subnets within a VPC

Reposted. Author: bug小助手. Updated: 2023-10-25 12:10:42



Say I have a VPC with network 10.130.0.0/16.

Is there any way to isolate subnets within this /16 so that they cannot be routed between one another?

Say I have 10.130.1.0/24 and 10.130.2.0/24 and I don't want them to talk to each other. Is this possible?

I see the entire network as "local" when creating these subnets. Would I need to move them out of the VPC to have isolation?


More replies

The answer you accepted is not network isolation, it's network firewalling.

Recommended answers

You do not need to move them out of the VPC for isolation. Instead, you can achieve this isolation using the VPC's built-in security features like NACLs and Security Groups.

In AWS, subnets within the same VPC can communicate with each other by default. This is because the main route table of a VPC typically has an entry that allows all subnets in the VPC to communicate with each other. Specifically, you might see a route with a destination of 10.130.0.0/16 (your VPC's CIDR block) and a target of "local", which means all traffic within the VPC is locally routable.

However, if you want to prevent two subnets from communicating with each other, you can do so using Network Access Control Lists (NACLs) or Security Groups (SGs). Here's how you can do it:



  1. Using NACLs:

    • Network ACLs are stateless, meaning you need to define rules for both inbound and outbound traffic.
    • Create a NACL for each subnet.
    • For subnet 10.130.1.0/24:
      1. Allow all inbound and outbound traffic.
      2. Add a rule to deny all outbound traffic to 10.130.2.0/24.
      3. Similarly, add a rule to deny all inbound traffic from 10.130.2.0/24.
    • For subnet 10.130.2.0/24, do the opposite:
      1. Allow all inbound and outbound traffic.
      2. Add a rule to deny all outbound traffic to 10.130.1.0/24.
      3. Add a rule to deny all inbound traffic from 10.130.1.0/24.
    • Associate each NACL with its respective subnet.

  2. Using Security Groups:

    • Security Groups are stateful, so if you deny outbound traffic, the corresponding inbound response is automatically denied (and vice versa).
    • For instances in subnet 10.130.1.0/24:
      1. Create a security group (let's call it SG1) and assign it to them.
      2. Ensure there is no rule allowing traffic to or from the CIDR 10.130.2.0/24.
    • For instances in subnet 10.130.2.0/24:
      1. Create another security group (SG2) and assign it to them.
      2. Ensure there is no rule allowing traffic to or from the CIDR 10.130.1.0/24.






If both methods are used together, remember that NACLs are applied first, and then Security Groups. So, traffic would have to pass both to be allowed.

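Whether the NACL rules in the answer above actually block the traffic depends on their rule numbers: AWS evaluates NACL entries in ascending rule-number order, applies the first one that matches, and the trailing "*" entry denies anything left over. The following simulator is an added example, not code from the original answer; the rule numbers, the host addresses 10.130.1.10 and 10.130.2.10, and the external address 198.51.100.7 are constructed for the illustration, and protocol/port matching is left out.

```python
import ipaddress
from typing import NamedTuple


class Rule(NamedTuple):
    """One NACL entry (protocol and port matching omitted to focus on ordering)."""
    number: int   # AWS evaluates the lowest rule number first
    action: str   # "allow" or "deny"
    cidr: str     # source CIDR for inbound rules, destination CIDR for outbound


def evaluate(rules: list[Rule], address: str) -> str:
    """Apply AWS NACL semantics to one direction of one NACL: the first
    matching rule wins; the implicit '*' rule denies whatever matched nothing."""
    ip = ipaddress.ip_address(address)
    for rule in sorted(rules, key=lambda r: r.number):
        if ip in ipaddress.ip_network(rule.cidr):
            return rule.action
    return "deny"


def nacls_for(allow_number: int, deny_number: int) -> dict:
    """Build the four rule lists the answer describes (A = 10.130.1.0/24,
    B = 10.130.2.0/24) with constructed rule numbers."""
    allow_all = Rule(allow_number, "allow", "0.0.0.0/0")
    deny_b = Rule(deny_number, "deny", "10.130.2.0/24")
    deny_a = Rule(deny_number, "deny", "10.130.1.0/24")
    return {"A-out": [allow_all, deny_b], "A-in": [allow_all, deny_b],
            "B-out": [allow_all, deny_a], "B-in": [allow_all, deny_a]}


def a_to_b_blocked(allow_number: int, deny_number: int) -> bool:
    """A packet from 10.130.1.10 to 10.130.2.10 is stopped if A's outbound list
    (checked against the destination) or B's inbound list (checked against the
    source) denies it. NACLs are stateless, so the reply is a separate check."""
    n = nacls_for(allow_number, deny_number)
    return (evaluate(n["A-out"], "10.130.2.10") == "deny"
            or evaluate(n["B-in"], "10.130.1.10") == "deny")


def internet_still_allowed(allow_number: int, deny_number: int) -> bool:
    """The subnet-specific deny rules must not disturb other traffic."""
    n = nacls_for(allow_number, deny_number)
    return evaluate(n["A-out"], "198.51.100.7") == "allow"
```

With the deny rules numbered below the allow-all (e.g. deny 50, allow 100) the cross-subnet traffic is blocked; with the deny rules numbered above it (deny 200, allow 100) the allow-all matches first and the deny rules never take effect.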



Yes, you can use Network ACLs to block traffic between subnets.




Yes, you can isolate subnets by preventing them from being routable to each other.

All subnets created within the VPC are by default associated with the default main route table. You can, however, create custom route tables and associate them with the subnets as required.

From the documentation:



Your VPC has an implicit router, and you use route tables to control where network traffic is directed. Each subnet in your VPC must be associated with a route table, which controls the routing for the subnet (subnet route table). You can explicitly associate a subnet with a particular route table. Otherwise, the subnet is implicitly associated with the main route table. A subnet can only be associated with one route table at a time, but you can associate multiple subnets with the same subnet route table.



More replies

Thank you sir, this is what I ended up going with. I appreciate it.

You can't use security groups for subnets...

Would you prefer this method over ACL?

@boog yes. ACL isn't really network isolation, it's essentially firewalling.

I am not sure this works. When you create a new route table, it always creates one or more routes for your VPC CIDR ranges to local. And I don't think you can edit these ranges in the route table. You could change the target to something that would then block the traffic, but that's a hack.

@mimo yes, the target can be changed. It's not a hack; it's known as a black hole and it's a fairly common pattern.
