aws(学习笔记第五课) AWS的firewall SecurityGroup，代理转发技术

aws(学习笔记第五课) 
 AWS的firewall– SecurityGroup，代理转发技术
 
 
学习内容： 
AWS的firewall– SecurityGroup
代理转发技术
 
1. AWS的filewall– SecurityGroup 
控制进入虚拟服务器的网络流量 通常的firewall(防火墙)配置
 
AWS上使用安全组进行网络流量的控制
 创建SecurityGroup并用来配置一个ec2 server，但是首先不配置入站和出站规则。新建一个CloudFormation的堆栈。{"AWSTemplateFormatVersion": "2010-09-09","Description": " (firewall 1)","Parameters": {"KeyName": {"Description": "Key Pair name","Type": "AWS::EC2::KeyPair::KeyName","Default": "my-cli-key"},"VPC": {"Description": "Just select the one and only default VPC","Type": "AWS::EC2::VPC::Id"},"Subnet": {"Description": "Just select one of the available subnets","Type": "AWS::EC2::Subnet::Id"}},"Mappings": {"EC2RegionMap": {"ap-northeast-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-cbf90ecb"},"ap-southeast-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-68d8e93a"},"ap-southeast-2": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-fd9cecc7"},"eu-central-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-a8221fb5"},"eu-west-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-a10897d6"},"sa-east-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-b52890a8"},"us-east-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-1ecae776"},"us-west-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-d114f295"},"us-west-2": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-e7527ed7"}}},"Resources": {"SecurityGroup": {"Type": "AWS::EC2::SecurityGroup","Properties": {"GroupDescription": "My security group","VpcId": {"Ref": "VPC"}}},"Server": {"Type": "AWS::EC2::Instance","Properties": {"ImageId": {"Fn::FindInMap": ["EC2RegionMap", {"Ref": "AWS::Region"}, "AmazonLinuxAMIHVMEBSBacked64bit"]},"InstanceType": "t2.micro","KeyName": {"Ref": "KeyName"},"SecurityGroupIds": [{"Ref": "SecurityGroup"}],"SubnetId": {"Ref": "Subnet"}}}},"Outputs": {"PublicName": {"Value": {"Fn::GetAtt": ["Server", "PublicDnsName"]},"Description": "Public name (connect via SSH as user ec2-user)"}}
}
 
创建堆栈
 
ec2 server被创建
检查SecurityGroup
 没有创建任何入站规则。
对该ip地址进行进行ping
 
对该SecurityGroup加入ping协议{"AWSTemplateFormatVersion": "2010-09-09","Description": "(firewall 2)","Parameters": {"KeyName": {"Description": "Key Pair name","Type": "AWS::EC2::KeyPair::KeyName","Default": "my-cli-key"},"VPC": {"Description": "Just select the one and only default VPC","Type": "AWS::EC2::VPC::Id"},"Subnet": {"Description": "Just select one of the available subnets","Type": "AWS::EC2::Subnet::Id"}},"Mappings": {"EC2RegionMap": {"ap-northeast-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-cbf90ecb"},"ap-southeast-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-68d8e93a"},"ap-southeast-2": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-fd9cecc7"},"eu-central-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-a8221fb5"},"eu-west-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-a10897d6"},"sa-east-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-b52890a8"},"us-east-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-1ecae776"},"us-west-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-d114f295"},"us-west-2": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-e7527ed7"}}},"Resources": {"SecurityGroup": {"Type": "AWS::EC2::SecurityGroup","Properties": {"GroupDescription": "My security group","VpcId": {"Ref": "VPC"}}},"AllowInboundICMP": {"Type": "AWS::EC2::SecurityGroupIngress","Properties": {"GroupId": {"Ref": "SecurityGroup"},"IpProtocol": "icmp","FromPort": "-1","ToPort": "-1","CidrIp": "0.0.0.0/0"}},"Server": {"Type": "AWS::EC2::Instance","Properties": {"ImageId": {"Fn::FindInMap": ["EC2RegionMap", {"Ref": "AWS::Region"}, "AmazonLinuxAMIHVMEBSBacked64bit"]},"InstanceType": "t2.micro","KeyName": {"Ref": "KeyName"},"SecurityGroupIds": [{"Ref": "SecurityGroup"}],"SubnetId": {"Ref": "Subnet"}}}},"Outputs": {"PublicName": {"Value": {"Fn::GetAtt": ["Server", "PublicDnsName"]},"Description": "Public name (connect via SSH as user ec2-user)"}}
}
 
使用上面CloudFormation代码更新stack
 
 
stack更新结束
 *
重新ping该ec2 server
 可以看出入站规则已经生效。
检查ssh的22端口
继续更新CloudFormation，对SecurityGroup配置开放22端口{"AWSTemplateFormatVersion": "2010-09-09","Description": " (firewall 3)","Parameters": {"KeyName": {"Description": "Key Pair name","Type": "AWS::EC2::KeyPair::KeyName","Default": "my-cli-key"},"VPC": {"Description": "Just select the one and only default VPC","Type": "AWS::EC2::VPC::Id"},"Subnet": {"Description": "Just select one of the available subnets","Type": "AWS::EC2::Subnet::Id"}},"Mappings": {"EC2RegionMap": {"ap-northeast-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-cbf90ecb"},"ap-southeast-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-68d8e93a"},"ap-southeast-2": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-fd9cecc7"},"eu-central-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-a8221fb5"},"eu-west-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-a10897d6"},"sa-east-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-b52890a8"},"us-east-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-1ecae776"},"us-west-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-d114f295"},"us-west-2": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-e7527ed7"}}},"Resources": {"SecurityGroup": {"Type": "AWS::EC2::SecurityGroup","Properties": {"GroupDescription": "My security group","VpcId": {"Ref": "VPC"}}},"AllowInboundICMP": {"Type": "AWS::EC2::SecurityGroupIngress","Properties": {"GroupId": {"Ref": "SecurityGroup"},"IpProtocol": "icmp","FromPort": "-1","ToPort": "-1","CidrIp": "0.0.0.0/0"}},"AllowInboundSSH": {"Type": "AWS::EC2::SecurityGroupIngress","Properties": {"GroupId": {"Ref": "SecurityGroup"},"IpProtocol": "tcp","FromPort": "22","ToPort": "22","CidrIp": "0.0.0.0/0"}},"Server": {"Type": "AWS::EC2::Instance","Properties": {"ImageId": {"Fn::FindInMap": ["EC2RegionMap", {"Ref": "AWS::Region"}, "AmazonLinuxAMIHVMEBSBacked64bit"]},"InstanceType": "t2.micro","KeyName": {"Ref": "KeyName"},"SecurityGroupIds": [{"Ref": "SecurityGroup"}],"SubnetId": {"Ref": "Subnet"}}}},"Outputs": {"PublicName": {"Value": {"Fn::GetAtt": ["Server", "PublicDnsName"]},"Description": "Public name (connect via SSH as user ec2-user)"}}
}
 
ping这个ec2 server
 
 
 
2. 代理转发技术（AgentForward） 
使用git bash的场合
 
使用putty的场合
 .