我通过Terraform进行了设置,其中包括VPC,公共子网和带有安全组的EC2实例。我试图对EC2实例执行ping操作,但超时。
我尝试确保的几件事:
EC2在子网中,并且该子网通过网关路由到Internet
EC2具有一个安全组,允许双向所有流量
EC2具有弹性IP
VPC具有一个附加到子网的ACL,并允许双向所有流量
我不确定我在这里错过了什么。
我的tf文件看起来像(已编辑,以反映最新更改):
resource "aws_vpc" "foobar" {
cidr_block = "10.0.0.0/16"
}
resource "aws_internet_gateway" "foobar_gateway" {
vpc_id = aws_vpc.foobar.id
}
/*
Public subnet
*/
resource "aws_subnet" "foobar_subnet" {
vpc_id = aws_vpc.foobar.id
cidr_block = "10.0.1.0/24"
}
resource "aws_route_table" "foobar_routetable" {
vpc_id = aws_vpc.foobar.id
route {
cidr_block = "0.0.0.0/0"
gateway_id = aws_internet_gateway.foobar_gateway.id
}
}
resource "aws_route_table_association" "foobar_routetable_assoc" {
subnet_id = aws_subnet.foobar_subnet.id
route_table_id = aws_route_table.foobar_routetable.id
}
/*
Web
*/
resource "aws_security_group" "web" {
name = "vpc_web"
vpc_id = aws_vpc.foobar.id
ingress {
protocol = -1
from_port = 0
to_port = 0
cidr_blocks = ["0.0.0.0/0"]
}
egress {
protocol = -1
from_port = 0
to_port = 0
cidr_blocks = ["0.0.0.0/0"]
}
}
resource "aws_network_acl" "main" {
vpc_id = aws_vpc.foobar.id
subnet_ids = [aws_subnet.foobar_subnet.id]
egress {
protocol = -1
rule_no = 100
action = "allow"
cidr_block = "0.0.0.0/0"
from_port = 0
to_port = 0
}
ingress {
protocol = -1
rule_no = 100
action = "allow"
cidr_block = "0.0.0.0/0"
from_port = 0
to_port = 0
}
}
resource "aws_instance" "web-1" {
ami = "ami-0323c3dd2da7fb37d"
instance_type = "t2.micro"
subnet_id = aws_subnet.foobar_subnet.id
associate_public_ip_address = true
}
resource "aws_eip" "web-1" {
instance = aws_instance.web-1.id
vpc = true
}
为什么在安全组规则中添加self参数。 terraform的文档指出If true, the security group itself will be added as a source to this ingress rule.,这基本上意味着只有该安全组才能访问实例。请删除并尝试。
编辑:请参阅下面的注释以解决问题的步骤