Creating a production-grade VPC: an overview of planning and implementation points

Tags: Python, Amazon Cloud Development Kit (Amazon CDK), Amazon Lambda, Amazon Fargate
> **Author: Li Xiaofei**
>
> Cloud Solutions Architect, Lingzhi Software (凌志软件)
>
> Amazon Web Services "Tech-Leading Cloud" Blogger (技领云博主)

### **Introduction**

In practice, how you put Amazon Web Services services into production use has to be weighed against your own circumstances. This article describes how we thought about and carried out this work. **There are many ways to build an Amazon Web Services environment; here we use Amazon CDK for the explanation.**

*\*This article does not cover basic Amazon CDK operations or explain its terminology.*

### **Advantages of doing IaC with Amazon CDK**

By codifying infrastructure (Infrastructure as Code, IaC), you avoid the confusion of "when was this setting made?". **If the Amazon CDK settings are managed as code, it is easy to keep a history, and updates and rollbacks become simple.**

Amazon CDK has many advantages, for example: **creating resources with Amazon CDK is more intuitive and easier to understand, and it is easier to link stacks together.**

In addition, because Amazon CDK is updated frequently, you are often forced to update stacks because of changes in Amazon CDK's internal processing, and you frequently have to deploy to production even when the settings themselves have not changed. This adds work, but whether to regard it as an advantage is a matter of opinion. Through this approach, **we are able to apply security patches promptly and properly handle the end of support for software versions such as Amazon NodeJS and [Amazon RDS](https://aws.amazon.com/cn/rds/?trk=cndc-detail).**

### **Creating the VPC first**

Let's start with the VPC, the first thing to build. **We want the VPC created by Amazon CDK to have a freely configurable CIDR and custom names, so we use L1 constructs (for example CfnVPC) to create it.** However, a VPC created with L1 constructs is somewhat harder to link with stacks built from L2 constructs.

**The resources that can be created are:**

* **VPC**
* **Subnets** (IPv4, IPv6)
* **Internet Gateway** (for IPv4, and for IPv6 egress)
* **Route tables**
* **NAT gateways**
* **EIPs for the NAT gateways**

We will explain using the following [Python sample code](https://github.com/keiyow/sample-aws-cdk-vpc?trk=cndc-detail). Python is easier to understand for developers who mainly work on infrastructure, and almost everything that can be done in TypeScript can also be done in Python.

### **Considerations for the VPC network**

Since networks come in many shapes, we need to explain the various forms.

#### **Multi-AZ: 2 public subnets / 2 private subnets / redundant NAT gateways**

In production, this structure is used almost every time. Whether each availability zone needs its own NAT gateway depends on the situation. But if services such as Amazon Fargate or Amazon Lambda are deployed inside the VPC, the application side usually needs outbound communication. Therefore, **so that the system keeps running when an availability zone fails, the production infrastructure needs redundancy**, which is why this structure is adopted. However, this configuration increases cost, so it is typically suited to medium and large systems.

![image.png](https://dev-media.amazoncloud.cn/745916999459479e8a5ff5c7c55aa75b_image.png "image.png")

In the sample code, we configure a public and a private network in each availability zone. Resources placed in the private network communicate with the internet through the NAT gateway placed in the public network.

```yaml
vpcCidr: 10.10.0.0/16
publicSubnets:
  - name: public1
    cidr: 10.10.0.0/24
    az: ap-northeast-1c
    nat: true
  - name: public2
    cidr: 10.10.1.0/24
    az: ap-northeast-1a
    nat: true
privateSubnets:
  - name: private1
    cidr: 10.10.2.0/24
    az: ap-northeast-1c
    nat: true
    natRoute: public1
  - name: private2
    cidr: 10.10.3.0/24
    az: ap-northeast-1a
    nat: true
    natRoute: public2
```

```text
cdk diff --context stage=multi_with_nat --context service_name=test-multi-with-nat
Stack test-multi-with-nat-VpcStack
Parameters
[+] Parameter BootstrapVersion BootstrapVersion: {"Type":"AWS::SSM::Parameter::Value<String>","Default":"/cdk-bootstrap/hnb659fds/version","Description":"Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"}

Resources
[+] AWS::EC2::VPC test-multi-with-nat-VPC testmultiwithnatVPC
[+] AWS::EC2::InternetGateway test-multi-with-nat-Gateway testmultiwithnatGateway
[+] AWS::EC2::VPCGatewayAttachment test-multi-with-nat-GatewayAttachment testmultiwithnatGatewayAttachment
[+] AWS::EC2::RouteTable test-multi-with-nat-Route-Public testmultiwithnatRoutePublic
[+] AWS::EC2::Route test-multi-with-nat-PublicRoute testmultiwithnatPublicRoute
[+] AWS::EC2::Subnet test-multi-with-nat-Subnet-public1 testmultiwithnatSubnetpublic1
[+] AWS::EC2::SubnetRouteTableAssociation test-multi-with-nat-Subnet-public1-Association testmultiwithnatSubnetpublic1Association
[+] AWS::EC2::EIP test-multi-with-nat-EIP-public1 testmultiwithnatEIPpublic1
[+] AWS::EC2::NatGateway test-multi-with-nat-NatGateway-public1 testmultiwithnatNatGatewaypublic1
[+] AWS::EC2::Subnet test-multi-with-nat-Subnet-public2 testmultiwithnatSubnetpublic2
[+] AWS::EC2::SubnetRouteTableAssociation test-multi-with-nat-Subnet-public2-Association testmultiwithnatSubnetpublic2Association
[+] AWS::EC2::EIP test-multi-with-nat-EIP-public2 testmultiwithnatEIPpublic2
[+] AWS::EC2::NatGateway test-multi-with-nat-NatGateway-public2 testmultiwithnatNatGatewaypublic2
[+] AWS::EC2::Subnet test-multi-with-nat-Subnet-private1 testmultiwithnatSubnetprivate1
[+] AWS::EC2::RouteTable test-multi-with-nat-Route-private1 testmultiwithnatRouteprivate1
[+] AWS::EC2::SubnetRouteTableAssociation test-multi-with-nat-Subnet-private1-Association testmultiwithnatSubnetprivate1Association
[+] AWS::EC2::Route test-multi-with-nat-private1-nat testmultiwithnatprivate1nat
[+] AWS::EC2::Subnet test-multi-with-nat-Subnet-private2 testmultiwithnatSubnetprivate2
[+] AWS::EC2::RouteTable test-multi-with-nat-Route-private2 testmultiwithnatRouteprivate2
[+] AWS::EC2::SubnetRouteTableAssociation test-multi-with-nat-Subnet-private2-Association testmultiwithnatSubnetprivate2Association
[+] AWS::EC2::Route test-multi-with-nat-private2-nat testmultiwithnatprivate2nat

Outputs
[+] Output VPC VPC: {"Value":{"Ref":"testmultiwithnatVPC"},"Export":{"Name":"test-multi-with-nat-VPC"}}
[+] Output Subnet-public1 Subnetpublic1: {"Value":{"Ref":"testmultiwithnatSubnetpublic1"},"Export":{"Name":"test-multi-with-nat-Subnet-public1"}}
[+] Output Subnet-public2 Subnetpublic2: {"Value":{"Ref":"testmultiwithnatSubnetpublic2"},"Export":{"Name":"test-multi-with-nat-Subnet-public2"}}
[+] Output Subnet-private1 Subnetprivate1: {"Value":{"Ref":"testmultiwithnatSubnetprivate1"},"Export":{"Name":"test-multi-with-nat-Subnet-private1"}}
[+] Output Subnet-private2 Subnetprivate2: {"Value":{"Ref":"testmultiwithnatSubnetprivate2"},"Export":{"Name":"test-multi-with-nat-Subnet-private2"}}

Other Changes
[+] Unknown Rules: {"CheckBootstrapVersion":{"Assertions":[{"Assert":{"Fn::Not":[{"Fn::Contains":[["1","2","3","4","5"],{"Ref":"BootstrapVersion"}]}]},"AssertDescription":"CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."}]}}

✨ Number of stacks with differences: 1
```

#### **Multi-AZ: 2 public subnets / 2 private subnets / redundant NAT gateways / IPv6 enabled**

Recently, since public IPv4 addresses have become a billable item, many organizations are moving toward IPv6. We have not yet made the change in production, but because the change can be made dynamically, we definitely plan to adopt a dual-stack mode with an IPv6 network in the future.

Unlike an IPv4-only network, for IPv6 we need to prepare the following:

* **An egress-only Internet Gateway** (Egress Only Internet Gateway)
* **Dual-stack mode enabled on each subnet**
* **NAT64/DNS64 enabled for destinations that cannot be reached over IPv6**
* **DHCP settings for IPv6**

![image.png](https://dev-media.amazoncloud.cn/736d423648de4dd78bf8d2ae7a605514_image.png "image.png")

In the sample code, we **configure a public and a private network in each availability zone. Resources placed in the private network communicate with the internet through the NAT gateway placed in the public network.** Resources that have IPv6 addresses and sit in the private network can communicate with the IPv6-capable external internet through the egress-only Internet Gateway. **If they access a site that does not support IPv6, access is still possible by translating to IPv4.**

```yaml
vpcCidr: 10.10.0.0/16
ipv6: true
amazon_provided_ipv6_cidr_block: true
publicSubnets:
  - name: public1
    cidr: 10.10.0.0/24
    az: ap-northeast-1c
    nat: true
    ipv6: true
  - name: public2
    cidr: 10.10.1.0/24
    az: ap-northeast-1a
    nat: true
    ipv6: true
privateSubnets:
  - name: private1
    cidr: 10.10.2.0/24
    az: ap-northeast-1c
    nat: true
    natRoute: public1
    ipv6: true
    dns64: true
  - name: private2
    cidr: 10.10.3.0/24
    az: ap-northeast-1a
    nat: true
    natRoute: public2
    ipv6: true
    dns64: true
```

```text
cdk diff --context stage=multi_with_nat_ipv6_dualstack --context service_name=test-multi-with-nat-ipv6-dualstack
Stack test-multi-with-nat-ipv6-dualstack-VpcStack
Parameters
[+] Parameter BootstrapVersion BootstrapVersion: {"Type":"AWS::SSM::Parameter::Value<String>","Default":"/cdk-bootstrap/hnb659fds/version","Description":"Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"}

Resources
[+] AWS::EC2::VPC test-multi-with-nat-ipv6-dualstack-VPC testmultiwithnatipv6dualstackVPC
[+] AWS::EC2::InternetGateway test-multi-with-nat-ipv6-dualstack-Gateway testmultiwithnatipv6dualstackGateway
[+] AWS::EC2::VPCGatewayAttachment test-multi-with-nat-ipv6-dualstack-GatewayAttachment testmultiwithnatipv6dualstackGatewayAttachment
[+] AWS::EC2::RouteTable test-multi-with-nat-ipv6-dualstack-Route-Public testmultiwithnatipv6dualstackRoutePublic
[+] AWS::EC2::Route test-multi-with-nat-ipv6-dualstack-PublicRoute testmultiwithnatipv6dualstackPublicRoute
[+] AWS::EC2::EgressOnlyInternetGateway test-multi-with-nat-ipv6-dualstack-EgressGateway testmultiwithnatipv6dualstackEgressGateway
[+] AWS::EC2::VPCCidrBlock test-multi-with-nat-ipv6-dualstack-IPv6-CidrBlock testmultiwithnatipv6dualstackIPv6CidrBlock
[+] AWS::EC2::Route test-multi-with-nat-ipv6-dualstack-PublicRoute-IPv6 testmultiwithnatipv6dualstackPublicRouteIPv6
[+] AWS::EC2::Subnet test-multi-with-nat-ipv6-dualstack-Subnet-public1 testmultiwithnatipv6dualstackSubnetpublic1
[+] AWS::EC2::SubnetRouteTableAssociation test-multi-with-nat-ipv6-dualstack-Subnet-public1-Association testmultiwithnatipv6dualstackSubnetpublic1Association
[+] AWS::EC2::EIP test-multi-with-nat-ipv6-dualstack-EIP-public1 testmultiwithnatipv6dualstackEIPpublic1
[+] AWS::EC2::NatGateway test-multi-with-nat-ipv6-dualstack-NatGateway-public1 testmultiwithnatipv6dualstackNatGatewaypublic1
[+] AWS::EC2::Subnet test-multi-with-nat-ipv6-dualstack-Subnet-public2 testmultiwithnatipv6dualstackSubnetpublic2
[+] AWS::EC2::SubnetRouteTableAssociation test-multi-with-nat-ipv6-dualstack-Subnet-public2-Association testmultiwithnatipv6dualstackSubnetpublic2Association
[+] AWS::EC2::EIP test-multi-with-nat-ipv6-dualstack-EIP-public2 testmultiwithnatipv6dualstackEIPpublic2
[+] AWS::EC2::NatGateway test-multi-with-nat-ipv6-dualstack-NatGateway-public2 testmultiwithnatipv6dualstackNatGatewaypublic2
[+] AWS::EC2::Subnet test-multi-with-nat-ipv6-dualstack-Subnet-private1 testmultiwithnatipv6dualstackSubnetprivate1
[+] AWS::EC2::RouteTable test-multi-with-nat-ipv6-dualstack-Route-private1 testmultiwithnatipv6dualstackRouteprivate1
[+] AWS::EC2::SubnetRouteTableAssociation test-multi-with-nat-ipv6-dualstack-Subnet-private1-Association testmultiwithnatipv6dualstackSubnetprivate1Association
[+] AWS::EC2::Route test-multi-with-nat-ipv6-dualstack-private1-IPv6 testmultiwithnatipv6dualstackprivate1IPv6
[+] AWS::EC2::Route test-multi-with-nat-ipv6-dualstack-private1-nat testmultiwithnatipv6dualstackprivate1nat
[+] AWS::EC2::Route test-multi-with-nat-ipv6-dualstack-private1-nat-ipv6 testmultiwithnatipv6dualstackprivate1natipv6
[+] AWS::EC2::Subnet test-multi-with-nat-ipv6-dualstack-Subnet-private2 testmultiwithnatipv6dualstackSubnetprivate2
[+] AWS::EC2::RouteTable test-multi-with-nat-ipv6-dualstack-Route-private2 testmultiwithnatipv6dualstackRouteprivate2
[+] AWS::EC2::SubnetRouteTableAssociation test-multi-with-nat-ipv6-dualstack-Subnet-private2-Association testmultiwithnatipv6dualstackSubnetprivate2Association
[+] AWS::EC2::Route test-multi-with-nat-ipv6-dualstack-private2-IPv6 testmultiwithnatipv6dualstackprivate2IPv6
[+] AWS::EC2::Route test-multi-with-nat-ipv6-dualstack-private2-nat testmultiwithnatipv6dualstackprivate2nat
[+] AWS::EC2::Route test-multi-with-nat-ipv6-dualstack-private2-nat-ipv6 testmultiwithnatipv6dualstackprivate2natipv6

Outputs
[+] Output VPC VPC: {"Value":{"Ref":"testmultiwithnatipv6dualstackVPC"},"Export":{"Name":"test-multi-with-nat-ipv6-dualstack-VPC"}}
[+] Output Subnet-public1 Subnetpublic1: {"Value":{"Ref":"testmultiwithnatipv6dualstackSubnetpublic1"},"Export":{"Name":"test-multi-with-nat-ipv6-dualstack-Subnet-public1"}}
[+] Output Subnet-public2 Subnetpublic2: {"Value":{"Ref":"testmultiwithnatipv6dualstackSubnetpublic2"},"Export":{"Name":"test-multi-with-nat-ipv6-dualstack-Subnet-public2"}}
[+] Output Subnet-private1 Subnetprivate1: {"Value":{"Ref":"testmultiwithnatipv6dualstackSubnetprivate1"},"Export":{"Name":"test-multi-with-nat-ipv6-dualstack-Subnet-private1"}}
[+] Output Subnet-private2 Subnetprivate2: {"Value":{"Ref":"testmultiwithnatipv6dualstackSubnetprivate2"},"Export":{"Name":"test-multi-with-nat-ipv6-dualstack-Subnet-private2"}}

Other Changes
[+] Unknown Rules: {"CheckBootstrapVersion":{"Assertions":[{"Assert":{"Fn::Not":[{"Fn::Contains":[["1","2","3","4","5"],{"Ref":"BootstrapVersion"}]}]},"AssertDescription":"CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."}]}}

✨ Number of stacks with differences: 1
```

#### **Multi-AZ: 2 public subnets / 2 private subnets / a single NAT gateway**

We use this structure in development. **Because we build with Amazon CDK, from the standpoint of testing the configuration this structure is similar to production.** The drawback is that the NAT Gateway is relatively expensive, so replacing it with a NAT instance would cost less. In addition, when an availability zone fails and an application such as Fargate needs outbound internet communication, a NAT Gateway failure risks interrupting that communication (which is why this structure is used for development).

![image.png](https://dev-media.amazoncloud.cn/4a73ac293ce34e798231114b82028d32_image.png "image.png")

In the sample code, we configure a public and a private network in each availability zone. Resources placed in either private network communicate with the external internet through the NAT gateway placed in one of the public networks.

```yaml
vpcCidr: 10.10.0.0/16
publicSubnets:
  - name: public1
    cidr: 10.10.0.0/24
    az: ap-northeast-1c
    nat: true
  - name: public2
    cidr: 10.10.1.0/24
    az: ap-northeast-1a
    nat: false
privateSubnets:
  - name: private1
    cidr: 10.10.2.0/24
    az: ap-northeast-1c
    nat: true
    natRoute: public1
  - name: private2
    cidr: 10.10.3.0/24
    az: ap-northeast-1a
    nat: true
    natRoute: public1
```

```text
cdk diff --context stage=multi_with_single_nat --context service_name=test-multi-with-single-nat
Stack test-multi-with-single-nat-VpcStack
Parameters
[+] Parameter BootstrapVersion BootstrapVersion: {"Type":"AWS::SSM::Parameter::Value<String>","Default":"/cdk-bootstrap/hnb659fds/version","Description":"Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"}

Resources
[+] AWS::EC2::VPC test-multi-with-single-nat-VPC testmultiwithsinglenatVPC
[+] AWS::EC2::InternetGateway test-multi-with-single-nat-Gateway testmultiwithsinglenatGateway
[+] AWS::EC2::VPCGatewayAttachment test-multi-with-single-nat-GatewayAttachment testmultiwithsinglenatGatewayAttachment
[+] AWS::EC2::RouteTable test-multi-with-single-nat-Route-Public testmultiwithsinglenatRoutePublic
[+] AWS::EC2::Route test-multi-with-single-nat-PublicRoute testmultiwithsinglenatPublicRoute
[+] AWS::EC2::Subnet test-multi-with-single-nat-Subnet-public1 testmultiwithsinglenatSubnetpublic1
[+] AWS::EC2::SubnetRouteTableAssociation test-multi-with-single-nat-Subnet-public1-Association testmultiwithsinglenatSubnetpublic1Association
[+] AWS::EC2::EIP test-multi-with-single-nat-EIP-public1 testmultiwithsinglenatEIPpublic1
[+] AWS::EC2::NatGateway test-multi-with-single-nat-NatGateway-public1 testmultiwithsinglenatNatGatewaypublic1
[+] AWS::EC2::Subnet test-multi-with-single-nat-Subnet-public2 testmultiwithsinglenatSubnetpublic2
[+] AWS::EC2::SubnetRouteTableAssociation test-multi-with-single-nat-Subnet-public2-Association testmultiwithsinglenatSubnetpublic2Association
[+] AWS::EC2::Subnet test-multi-with-single-nat-Subnet-private1 testmultiwithsinglenatSubnetprivate1
[+] AWS::EC2::RouteTable test-multi-with-single-nat-Route-private1 testmultiwithsinglenatRouteprivate1
[+] AWS::EC2::SubnetRouteTableAssociation test-multi-with-single-nat-Subnet-private1-Association testmultiwithsinglenatSubnetprivate1Association
[+] AWS::EC2::Route test-multi-with-single-nat-private1-nat testmultiwithsinglenatprivate1nat
[+] AWS::EC2::Subnet test-multi-with-single-nat-Subnet-private2 testmultiwithsinglenatSubnetprivate2
[+] AWS::EC2::RouteTable test-multi-with-single-nat-Route-private2 testmultiwithsinglenatRouteprivate2
[+] AWS::EC2::SubnetRouteTableAssociation test-multi-with-single-nat-Subnet-private2-Association testmultiwithsinglenatSubnetprivate2Association
[+] AWS::EC2::Route test-multi-with-single-nat-private2-nat testmultiwithsinglenatprivate2nat

Outputs
[+] Output VPC VPC: {"Value":{"Ref":"testmultiwithsinglenatVPC"},"Export":{"Name":"test-multi-with-single-nat-VPC"}}
[+] Output Subnet-public1 Subnetpublic1: {"Value":{"Ref":"testmultiwithsinglenatSubnetpublic1"},"Export":{"Name":"test-multi-with-single-nat-Subnet-public1"}}
[+] Output Subnet-public2 Subnetpublic2: {"Value":{"Ref":"testmultiwithsinglenatSubnetpublic2"},"Export":{"Name":"test-multi-with-single-nat-Subnet-public2"}}
[+] Output Subnet-private1 Subnetprivate1: {"Value":{"Ref":"testmultiwithsinglenatSubnetprivate1"},"Export":{"Name":"test-multi-with-single-nat-Subnet-private1"}}
[+] Output Subnet-private2 Subnetprivate2: {"Value":{"Ref":"testmultiwithsinglenatSubnetprivate2"},"Export":{"Name":"test-multi-with-single-nat-Subnet-private2"}}

Other Changes
[+] Unknown Rules: {"CheckBootstrapVersion":{"Assertions":[{"Assert":{"Fn::Not":[{"Fn::Contains":[["1","2","3","4","5"],{"Ref":"BootstrapVersion"}]}]},"AssertDescription":"CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."}]}}

✨ Number of stacks with differences: 1
```

#### **Multi-AZ: 2 public subnets / 2 isolated subnets**

**This is a structure with no NAT at all.** When building with Amazon CDK, a private network that is configured without any route to the internet is recognized as an isolated network.

We sometimes **use this structure for configurations such as Amazon CloudFront + Amazon ALB + Amazon EC2 (public subnets) + [Amazon RDS](https://aws.amazon.com/cn/rds/?trk=cndc-detail) (isolated subnets)**. However, when services such as Amazon Lambda or Amazon CodeBuild have to be placed inside the VPC, this structure does not work if they cannot reach the internet. For that reason we rarely use this configuration.

![image.png](https://dev-media.amazoncloud.cn/d7c8fc7a39ec4d6fbc6780c36fb3cd69_image.png "image.png")

In the sample code, we configure a public network and a private (isolated) network in each availability zone.

```yaml
vpcCidr: 10.10.0.0/16
publicSubnets:
  - name: public1
    cidr: 10.10.0.0/24
    az: ap-northeast-1c
    nat: false
  - name: public2
    cidr: 10.10.1.0/24
    az: ap-northeast-1a
    nat: false
privateSubnets:
  - name: private1
    cidr: 10.10.2.0/24
    az: ap-northeast-1c
    nat: false
    natRoute: public1
  - name: private2
    cidr: 10.10.3.0/24
    az: ap-northeast-1a
    nat: false
    natRoute: public2
```

```text
cdk diff --context stage=multi_with_no_nat --context service_name=test-multi-with-no-nat
Stack test-multi-with-no-nat-VpcStack
Parameters
[+] Parameter BootstrapVersion BootstrapVersion: {"Type":"AWS::SSM::Parameter::Value<String>","Default":"/cdk-bootstrap/hnb659fds/version","Description":"Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"}

Resources
[+] AWS::EC2::VPC test-multi-with-no-nat-VPC testmultiwithnonatVPC
[+] AWS::EC2::InternetGateway test-multi-with-no-nat-Gateway testmultiwithnonatGateway
[+] AWS::EC2::VPCGatewayAttachment test-multi-with-no-nat-GatewayAttachment testmultiwithnonatGatewayAttachment
[+] AWS::EC2::RouteTable test-multi-with-no-nat-Route-Public testmultiwithnonatRoutePublic
[+] AWS::EC2::Route test-multi-with-no-nat-PublicRoute testmultiwithnonatPublicRoute
[+] AWS::EC2::Subnet test-multi-with-no-nat-Subnet-public1 testmultiwithnonatSubnetpublic1
[+] AWS::EC2::SubnetRouteTableAssociation test-multi-with-no-nat-Subnet-public1-Association testmultiwithnonatSubnetpublic1Association
[+] AWS::EC2::Subnet test-multi-with-no-nat-Subnet-public2 testmultiwithnonatSubnetpublic2
[+] AWS::EC2::SubnetRouteTableAssociation test-multi-with-no-nat-Subnet-public2-Association testmultiwithnonatSubnetpublic2Association
[+] AWS::EC2::Subnet test-multi-with-no-nat-Subnet-private1 testmultiwithnonatSubnetprivate1
[+] AWS::EC2::RouteTable test-multi-with-no-nat-Route-private1 testmultiwithnonatRouteprivate1
[+] AWS::EC2::SubnetRouteTableAssociation test-multi-with-no-nat-Subnet-private1-Association testmultiwithnonatSubnetprivate1Association
[+] AWS::EC2::Subnet test-multi-with-no-nat-Subnet-private2 testmultiwithnonatSubnetprivate2
[+] AWS::EC2::RouteTable test-multi-with-no-nat-Route-private2 testmultiwithnonatRouteprivate2
[+] AWS::EC2::SubnetRouteTableAssociation test-multi-with-no-nat-Subnet-private2-Association testmultiwithnonatSubnetprivate2Association

Outputs
[+] Output VPC VPC: {"Value":{"Ref":"testmultiwithnonatVPC"},"Export":{"Name":"test-multi-with-no-nat-VPC"}}
[+] Output Subnet-public1 Subnetpublic1: {"Value":{"Ref":"testmultiwithnonatSubnetpublic1"},"Export":{"Name":"test-multi-with-no-nat-Subnet-public1"}}
[+] Output Subnet-public2 Subnetpublic2: {"Value":{"Ref":"testmultiwithnonatSubnetpublic2"},"Export":{"Name":"test-multi-with-no-nat-Subnet-public2"}}
[+] Output Subnet-private1 Subnetprivate1: {"Value":{"Ref":"testmultiwithnonatSubnetprivate1"},"Export":{"Name":"test-multi-with-no-nat-Subnet-private1"}}
[+] Output Subnet-private2 Subnetprivate2: {"Value":{"Ref":"testmultiwithnonatSubnetprivate2"},"Export":{"Name":"test-multi-with-no-nat-Subnet-private2"}}

Other Changes
[+] Unknown Rules: {"CheckBootstrapVersion":{"Assertions":[{"Assert":{"Fn::Not":[{"Fn::Contains":[["1","2","3","4","5"],{"Ref":"BootstrapVersion"}]}]},"AssertDescription":"CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."}]}}

✨ Number of stacks with differences: 1
```

#### **Single-AZ: 1 public subnet / 1 private subnet / a single NAT gateway**

This structure has almost no advantages, so we rarely use it. Because services such as Amazon ALB require two or more availability zones, this structure cannot be used with them.

![image.png](https://dev-media.amazoncloud.cn/72fee24dc42f4bb5b86cc1e5df4db523_image.png "image.png")

In the sample code, we configure a public and a private network in the availability zone. Resources placed in the private network communicate with the external internet through the NAT gateway placed in the public network.

```yaml
vpcCidr: 10.10.0.0/16
publicSubnets:
  - name: public1
    cidr: 10.10.0.0/24
    az: ap-northeast-1c
    nat: true
privateSubnets:
  - name: private1
    cidr: 10.10.2.0/24
    az: ap-northeast-1c
    nat: true
    natRoute: public1
```

```text
cdk diff --context stage=single_with_nat --context service_name=test-single-with-nat
Stack test-single-with-nat-VpcStack
Parameters
[+] Parameter BootstrapVersion BootstrapVersion: {"Type":"AWS::SSM::Parameter::Value<String>","Default":"/cdk-bootstrap/hnb659fds/version","Description":"Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"}

Resources
[+] AWS::EC2::VPC test-single-with-nat-VPC testsinglewithnatVPC
[+] AWS::EC2::InternetGateway test-single-with-nat-Gateway testsinglewithnatGateway
[+] AWS::EC2::VPCGatewayAttachment test-single-with-nat-GatewayAttachment testsinglewithnatGatewayAttachment
[+] AWS::EC2::RouteTable test-single-with-nat-Route-Public testsinglewithnatRoutePublic
[+] AWS::EC2::Route test-single-with-nat-PublicRoute testsinglewithnatPublicRoute
[+] AWS::EC2::Subnet test-single-with-nat-Subnet-public1 testsinglewithnatSubnetpublic1
[+] AWS::EC2::SubnetRouteTableAssociation test-single-with-nat-Subnet-public1-Association testsinglewithnatSubnetpublic1Association
[+] AWS::EC2::EIP test-single-with-nat-EIP-public1 testsinglewithnatEIPpublic1
[+] AWS::EC2::NatGateway test-single-with-nat-NatGateway-public1 testsinglewithnatNatGatewaypublic1
[+] AWS::EC2::Subnet test-single-with-nat-Subnet-private1 testsinglewithnatSubnetprivate1
[+] AWS::EC2::RouteTable test-single-with-nat-Route-private1 testsinglewithnatRouteprivate1
[+] AWS::EC2::SubnetRouteTableAssociation test-single-with-nat-Subnet-private1-Association testsinglewithnatSubnetprivate1Association
[+] AWS::EC2::Route test-single-with-nat-private1-nat testsinglewithnatprivate1nat

Outputs
[+] Output VPC VPC: {"Value":{"Ref":"testsinglewithnatVPC"},"Export":{"Name":"test-single-with-nat-VPC"}}
[+] Output Subnet-public1 Subnetpublic1: {"Value":{"Ref":"testsinglewithnatSubnetpublic1"},"Export":{"Name":"test-single-with-nat-Subnet-public1"}}
[+] Output Subnet-private1 Subnetprivate1: {"Value":{"Ref":"testsinglewithnatSubnetprivate1"},"Export":{"Name":"test-single-with-nat-Subnet-private1"}}

Other Changes
[+] Unknown Rules: {"CheckBootstrapVersion":{"Assertions":[{"Assert":{"Fn::Not":[{"Fn::Contains":[["1","2","3","4","5"],{"Ref":"BootstrapVersion"}]}]},"AssertDescription":"CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."}]}}

✨ Number of stacks with differences: 1
```

### **Summary**

**One advantage of using Amazon CDK is that changes can be made dynamically later on.** Only the VPC was covered here, but we also hope to write further about linking stacks together and creating other resources.

*\*The original title and content have been slightly modified.*
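The stage configurations above share one small schema, and every `cdk diff` printed above is a deterministic function of it. The following plan checker is an added example written for this article; it is not part of the article or of the keiyow/sample-aws-cdk-vpc project. It serves both the resource list in "Creating the VPC first" and the IPv6 dual-stack section: it takes a config with the same keys as the YAML (two of the article's configs are reproduced as constructed Python dicts), validates the plan before anything is deployed (every subnet CIDR inside the VPC CIDR, no overlapping subnets, each `natRoute` pointing at a public subnet that really carries a NAT gateway, DNS64 only where a NAT gateway exists to perform NAT64, plus the single-AZ and single-NAT warnings the article describes) and predicts the `AWS::EC2::*` resources that the `cdk diff` output lists, so a reviewer can confirm a diff against the plan. The resource mapping, in particular the three routes per dual-stack private subnet (`::/0` via the egress-only gateway, `0.0.0.0/0` via NAT, `64:ff9b::/96` via NAT for NAT64), is this example's reading of the diffs printed above rather than documented CDK behaviour, and all function names are hypothetical.

```python
"""Plan checker for the stage-configuration format used in the article (added example)."""
import ipaddress
from collections import Counter


def subnet(name, cidr, az, nat, **extra):
    """One subnet entry with the same keys the article's YAML uses."""
    return {"name": name, "cidr": cidr, "az": az, "nat": nat, **extra}


# Constructed copies of two of the article's stage configs; the values match the YAML above.
MULTI_WITH_NAT = {
    "vpcCidr": "10.10.0.0/16",
    "publicSubnets": [
        subnet("public1", "10.10.0.0/24", "ap-northeast-1c", True),
        subnet("public2", "10.10.1.0/24", "ap-northeast-1a", True),
    ],
    "privateSubnets": [
        subnet("private1", "10.10.2.0/24", "ap-northeast-1c", True, natRoute="public1"),
        subnet("private2", "10.10.3.0/24", "ap-northeast-1a", True, natRoute="public2"),
    ],
}
DUALSTACK = {
    "vpcCidr": "10.10.0.0/16", "ipv6": True, "amazon_provided_ipv6_cidr_block": True,
    "publicSubnets": [
        subnet("public1", "10.10.0.0/24", "ap-northeast-1c", True, ipv6=True),
        subnet("public2", "10.10.1.0/24", "ap-northeast-1a", True, ipv6=True),
    ],
    "privateSubnets": [
        subnet("private1", "10.10.2.0/24", "ap-northeast-1c", True, natRoute="public1", ipv6=True, dns64=True),
        subnet("private2", "10.10.3.0/24", "ap-northeast-1a", True, natRoute="public2", ipv6=True, dns64=True),
    ],
}


def validate(cfg):
    """Return 'error: ...' / 'warning: ...' findings; an empty list means the plan is consistent."""
    findings = []
    vpc = ipaddress.ip_network(cfg["vpcCidr"])
    public = {s["name"]: s for s in cfg["publicSubnets"]}
    seen = []  # (name, network) pairs already checked, for the overlap test
    for s in cfg["publicSubnets"] + cfg["privateSubnets"]:
        net = ipaddress.ip_network(s["cidr"])
        if not net.subnet_of(vpc):
            findings.append(f"error: {s['name']} {net} is outside the VPC CIDR {vpc}")
        for other_name, other in seen:
            if net.overlaps(other):
                findings.append(f"error: {s['name']} overlaps {other_name}")
        seen.append((s["name"], net))
        if s.get("ipv6") and not cfg.get("ipv6"):
            findings.append(f"error: {s['name']} enables IPv6 but the VPC does not")
    for s in cfg["privateSubnets"]:
        target = public.get(s.get("natRoute"))
        if s["nat"] and not (target and target["nat"]):
            findings.append(f"error: {s['name']} needs NAT but natRoute {s.get('natRoute')!r} has no NAT gateway")
        if s.get("dns64") and not s["nat"]:
            findings.append(f"error: {s['name']} enables DNS64 but has no NAT gateway to perform NAT64")
    azs = {s["az"] for s in cfg["publicSubnets"]}
    if len(azs) < 2:
        findings.append("warning: single AZ; services such as ALB need two or more AZs")
    nat_targets = {s.get("natRoute") for s in cfg["privateSubnets"] if s["nat"]}
    if len(azs) >= 2 and len(nat_targets) == 1:
        findings.append("warning: one NAT gateway serves every AZ; an AZ failure cuts outbound traffic")
    return findings


def expected_resources(cfg):
    """Predict the AWS::EC2::* resources the VpcStack creates, to compare with `cdk diff`."""
    c = Counter({"AWS::EC2::VPC": 1, "AWS::EC2::InternetGateway": 1,
                 "AWS::EC2::VPCGatewayAttachment": 1,
                 "AWS::EC2::RouteTable": 1, "AWS::EC2::Route": 1})  # public table + 0.0.0.0/0
    if cfg.get("ipv6"):  # assumption: created whenever the VPC itself is dual-stack
        c["AWS::EC2::VPCCidrBlock"] += 1
        c["AWS::EC2::EgressOnlyInternetGateway"] += 1
        c["AWS::EC2::Route"] += 1  # ::/0 in the public table via the IGW
    for s in cfg["publicSubnets"]:
        c["AWS::EC2::Subnet"] += 1
        c["AWS::EC2::SubnetRouteTableAssociation"] += 1
        if s["nat"]:
            c["AWS::EC2::EIP"] += 1
            c["AWS::EC2::NatGateway"] += 1
    for s in cfg["privateSubnets"]:
        c["AWS::EC2::Subnet"] += 1
        c["AWS::EC2::RouteTable"] += 1  # one table per private subnet, even when isolated
        c["AWS::EC2::SubnetRouteTableAssociation"] += 1
        if s["nat"]:
            c["AWS::EC2::Route"] += 1  # 0.0.0.0/0 via the NAT gateway named in natRoute
        if s.get("ipv6"):
            c["AWS::EC2::Route"] += 1  # ::/0 via the egress-only internet gateway
        if s.get("ipv6") and s.get("dns64"):
            c["AWS::EC2::Route"] += 1  # 64:ff9b::/96 via the NAT gateway (NAT64)
    return c


if __name__ == "__main__":
    for name, cfg in (("multi_with_nat", MULTI_WITH_NAT), ("multi_with_nat_ipv6_dualstack", DUALSTACK)):
        print(name, validate(cfg) or "ok", sum(expected_resources(cfg).values()), "resources")
```

Run against the two embedded configs it reports no findings and 21 and 28 resources, the same counts as the corresponding `cdk diff` outputs above (the single-NAT and no-NAT stages come out at 19 and 15). Feeding it the single-NAT development layout produces the "one NAT gateway serves every AZ" warning that the article gives as the reason that layout stays out of production, which is the kind of check worth running in CI before `cdk deploy`.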