#sudo npm install -g aws-cdk
#echo '{"app": "python3 vpc.py"}' > cdk.json
#vi vpc.py
#pip install aws-cdk.aws-ec2
from aws_cdk import (
aws_ec2 as ec2,
aws_iam as iam,
core,
)
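class Vpc(core.Stack):
    """Network baseline for a three-tier web app: VPC, subnets, security groups, bastion.

    Creates a VPC across two AZs with public, private and isolated ("DB")
    subnets and a NAT gateway per AZ; one security group per tier (ALB,
    bastion, EC2, RDS, EFS, ElastiCache) wired so traffic flows only
    ALB -> EC2 -> data stores, with the bastion allowed into every tier;
    and one bastion host in a public subnet. The VPC id and the bastion's
    public IP are exported as stack outputs.
    """

    def __init__(
        self,
        scope: core.Construct,
        id: str,
        *,
        ssh_allowed_cidr: str = "0.0.0.0/0",
        key_name: str = "bastionkey",
        role_arn: str = "arn:aws:iam::946651172288:role/EC2InstanceRole",
        **kwargs,
    ) -> None:
        """Build the stack.

        Args:
            scope: Parent construct (normally the ``core.App``).
            id: Logical id of the stack.
            ssh_allowed_cidr: IPv4 CIDR allowed to reach the bastion on TCP/22.
                Defaults to ``0.0.0.0/0`` (the original behaviour, which exposes
                SSH to the whole internet); pass an office/VPN range for anything
                that is not a throwaway lab.
            key_name: Name of an existing EC2 key pair for the bastion.
            role_arn: ARN of an existing IAM role attached to the bastion. The
                default pins a single account; override it per account instead
                of editing the source.
            **kwargs: Forwarded to ``core.Stack`` (``env``, ``tags``, ...).
        """
        # NOTE: the original passed ``*kwargs`` here, which unpacks the dict's
        # keys positionally instead of forwarding keyword arguments.
        super().__init__(scope, id, **kwargs)

        vpc = ec2.Vpc(
            self,
            "vpc",
            max_azs=2,  # two availability zones
            cidr="10.10.0.0/16",  # address pool for the whole VPC
            # One subnet of each type per AZ: 2 public, 2 private, 2 isolated.
            subnet_configuration=[
                ec2.SubnetConfiguration(
                    subnet_type=ec2.SubnetType.PUBLIC, name="Public", cidr_mask=24
                ),
                ec2.SubnetConfiguration(
                    subnet_type=ec2.SubnetType.PRIVATE, name="Private", cidr_mask=24
                ),
                ec2.SubnetConfiguration(
                    subnet_type=ec2.SubnetType.ISOLATED, name="DB", cidr_mask=24
                ),
            ],
            nat_gateways=2,  # one NAT gateway per AZ
        )

        # ALB: the only tier reachable from the internet on HTTP.
        sg_alb = self._security_group(vpc, "sg_alb")
        sg_alb.connections.allow_from_any_ipv4(ec2.Port.tcp(80))

        # Bastion: SSH from ssh_allowed_cidr only. Peer.ipv4("0.0.0.0/0") is
        # the same rule allow_from_any_ipv4 produces, so the default is unchanged.
        sg_bastion = self._security_group(vpc, "sg_bastion")
        sg_bastion.connections.allow_from(
            ec2.Peer.ipv4(ssh_allowed_cidr), ec2.Port.tcp(22)
        )

        # EC2 app tier: HTTP from the ALB (the original comment said 7777, the
        # code has always used 80) and SSH from the bastion.
        sg_ec2 = self._security_group(vpc, "sg_ec2")
        sg_ec2.connections.allow_from(sg_alb, ec2.Port.tcp(80))
        sg_ec2.connections.allow_from(sg_bastion, ec2.Port.tcp(22))

        # Data tiers: each accepts its service port from the app tier and the
        # bastion, nothing else. Creation order matches the original stack so
        # logical ids are unchanged.
        data_tiers = (
            ("sg_rds", 3306),  # MySQL/Aurora
            ("sg_efs", 2049),  # NFS
            ("sg_ElastiCache", 11211),  # Memcached
        )
        for sg_name, port in data_tiers:
            sg_data = self._security_group(vpc, sg_name)
            sg_data.connections.allow_from(sg_ec2, ec2.Port.tcp(port))
            sg_data.connections.allow_from(sg_bastion, ec2.Port.tcp(port))

        # Bastion host in a public subnet, reusing an existing IAM role.
        role = iam.Role.from_role_arn(self, "ecs", role_arn=role_arn)
        bastion = ec2.Instance(
            self,
            "myBastion",
            vpc=vpc,
            instance_name="myBastionHostLinux",
            machine_image=ec2.MachineImage.latest_amazon_linux(
                generation=ec2.AmazonLinuxGeneration.AMAZON_LINUX_2
            ),
            vpc_subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PUBLIC),
            key_name=key_name,
            role=role,
            security_group=sg_bastion,
            instance_type=ec2.InstanceType(instance_type_identifier="t2.micro"),
        )

        # Stack outputs. Logical ids are kept byte-for-byte ("Outpur_bastion"
        # included) so existing deployments keep the same output names.
        core.CfnOutput(self, "Outpur_bastion", value=bastion.instance_public_ip)
        core.CfnOutput(self, "Output_vpc", value=vpc.vpc_id)

    def _security_group(self, vpc: ec2.Vpc, name: str) -> ec2.SecurityGroup:
        """Create a security group in *vpc* whose construct id and name are both *name*.

        Every tier shares this shape: outbound unrestricted, ingress added by
        the caller per tier. Returns the new ``ec2.SecurityGroup``.
        """
        return ec2.SecurityGroup(
            self,
            name,
            vpc=vpc,
            security_group_name=name,
            allow_all_outbound=True,
        )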
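if __name__ == "__main__":
    # cdk.json runs this file directly ("python3 vpc.py"); guarding the
    # synth keeps an import of the module from synthesising as a side effect.
    app = core.App()
    Vpc(app, "Vpc")
    app.synth()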