Building Production-Grade VPC Infrastructure with AWS CDK

2024/11/14 21:17:56

Introduction

There is no shortage of information about AWS, but how to actually put these services into production still takes some thought of your own. This article describes how we reasoned about it and what we built.

There are many ways to build an AWS environment; here we use AWS CDK.

※ This article does not explain basic CDK operations or terminology.

Advantages of IaC with CDK

Codifying infrastructure removes the "when did we set this?" confusion. With the CDK definitions under source control you get a change history for free, and updates and rollbacks become simple.

We started by writing CloudFormation templates directly, but building with CDK is more intuitive and readable, and wiring stacks together is easier, so CDK has more going for it.

One more point: AWS CDK is updated frequently, so changes in CDK's internal handling often force a stack update even though our own settings have not changed, which means deploying to production more often than the settings alone would require. That is extra work, and whether to count it as an advantage is a matter of opinion. In practice, though, it has kept us current on security patches and on end-of-life deadlines for Node.js runtimes and RDS engine versions.

首先创建VPC

前置说明到此为止,我们先来创建第一个要构建的VPC。我们希望用CDK创建的VPC能够自由设定CIDR和自定义名称,因此我们将使用L1 Construct(例如CfnVPC)来创建。

然而,使用L1创建的VPC在与L2构建的堆栈之间的联动上会有一些困难,这也是唯一的缺点。

可以创建的资源如下:

  • VPC
  • 子网(IPv4, IPv6)
  • Internet Gateway(用于IPv4和IPv6的Egress)
  • 路由表
  • NAT网关
  • 用于NAT网关的EIP

我们将使用以下的示例代码进行解释。最初我是用TypeScript编写的,但后来为了学习Python,并且觉得Python对主要从事基础设施工作的我更易理解,因此改用了Python。我认为用TypeScript可以做到的事情,几乎都可以用Python实现。

GitHub - keiyow/sample-aws-cdk-vpc

VPC network design considerations

Networks come in many shapes, so we will go through the variants one at a time.

Multi-AZ: Public x 2 / Private x 2 / redundant NAT gateways

This is the layout used in almost every production environment. Whether each AZ needs its own NAT gateway depends on the case, but when Fargate, Lambda or similar services run inside the VPC, the application side usually needs outbound internet access. For the system to keep running through an AZ failure the production infrastructure has to be redundant, which is why this layout is chosen. It costs more, so it is usually reserved for medium-to-large systems.

Sample code

In the sample, each AZ gets one public and one private subnet. Resources in a private subnet reach the internet through the NAT gateway in the public subnet of the same AZ (natRoute points at it).

vpcCidr: 10.10.0.0/16
publicSubnets:
  - name: public1
    cidr: 10.10.0.0/24
    az: ap-northeast-1c
    nat: true
  - name: public2
    cidr: 10.10.1.0/24
    az: ap-northeast-1a
    nat: true
privateSubnets:
  - name: private1
    cidr: 10.10.2.0/24
    az: ap-northeast-1c
    nat: true
    natRoute: public1
  - name: private2
    cidr: 10.10.3.0/24
    az: ap-northeast-1a
    nat: true
    natRoute: public2

cdk diff --context stage=multi_with_nat --context service_name=test-multi-with-nat
Stack test-multi-with-nat-VpcStack
Parameters
[+] Parameter BootstrapVersion BootstrapVersion: {"Type":"AWS::SSM::Parameter::Value<String>","Default":"/cdk-bootstrap/hnb659fds/version","Description":"Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"}

Resources
[+] AWS::EC2::VPC test-multi-with-nat-VPC testmultiwithnatVPC 
[+] AWS::EC2::InternetGateway test-multi-with-nat-Gateway testmultiwithnatGateway 
[+] AWS::EC2::VPCGatewayAttachment test-multi-with-nat-GatewayAttachment testmultiwithnatGatewayAttachment 
[+] AWS::EC2::RouteTable test-multi-with-nat-Route-Public testmultiwithnatRoutePublic 
[+] AWS::EC2::Route test-multi-with-nat-PublicRoute testmultiwithnatPublicRoute 
[+] AWS::EC2::Subnet test-multi-with-nat-Subnet-public1 testmultiwithnatSubnetpublic1 
[+] AWS::EC2::SubnetRouteTableAssociation test-multi-with-nat-Subnet-public1-Association testmultiwithnatSubnetpublic1Association 
[+] AWS::EC2::EIP test-multi-with-nat-EIP-public1 testmultiwithnatEIPpublic1 
[+] AWS::EC2::NatGateway test-multi-with-nat-NatGateway-public1 testmultiwithnatNatGatewaypublic1 
[+] AWS::EC2::Subnet test-multi-with-nat-Subnet-public2 testmultiwithnatSubnetpublic2 
[+] AWS::EC2::SubnetRouteTableAssociation test-multi-with-nat-Subnet-public2-Association testmultiwithnatSubnetpublic2Association 
[+] AWS::EC2::EIP test-multi-with-nat-EIP-public2 testmultiwithnatEIPpublic2 
[+] AWS::EC2::NatGateway test-multi-with-nat-NatGateway-public2 testmultiwithnatNatGatewaypublic2 
[+] AWS::EC2::Subnet test-multi-with-nat-Subnet-private1 testmultiwithnatSubnetprivate1 
[+] AWS::EC2::RouteTable test-multi-with-nat-Route-private1 testmultiwithnatRouteprivate1 
[+] AWS::EC2::SubnetRouteTableAssociation test-multi-with-nat-Subnet-private1-Association testmultiwithnatSubnetprivate1Association 
[+] AWS::EC2::Route test-multi-with-nat-private1-nat testmultiwithnatprivate1nat 
[+] AWS::EC2::Subnet test-multi-with-nat-Subnet-private2 testmultiwithnatSubnetprivate2 
[+] AWS::EC2::RouteTable test-multi-with-nat-Route-private2 testmultiwithnatRouteprivate2 
[+] AWS::EC2::SubnetRouteTableAssociation test-multi-with-nat-Subnet-private2-Association testmultiwithnatSubnetprivate2Association 
[+] AWS::EC2::Route test-multi-with-nat-private2-nat testmultiwithnatprivate2nat 

Outputs
[+] Output VPC VPC: {"Value":{"Ref":"testmultiwithnatVPC"},"Export":{"Name":"test-multi-with-nat-VPC"}}
[+] Output Subnet-public1 Subnetpublic1: {"Value":{"Ref":"testmultiwithnatSubnetpublic1"},"Export":{"Name":"test-multi-with-nat-Subnet-public1"}}
[+] Output Subnet-public2 Subnetpublic2: {"Value":{"Ref":"testmultiwithnatSubnetpublic2"},"Export":{"Name":"test-multi-with-nat-Subnet-public2"}}
[+] Output Subnet-private1 Subnetprivate1: {"Value":{"Ref":"testmultiwithnatSubnetprivate1"},"Export":{"Name":"test-multi-with-nat-Subnet-private1"}}
[+] Output Subnet-private2 Subnetprivate2: {"Value":{"Ref":"testmultiwithnatSubnetprivate2"},"Export":{"Name":"test-multi-with-nat-Subnet-private2"}}

Other Changes
[+] Unknown Rules: {"CheckBootstrapVersion":{"Assertions":[{"Assert":{"Fn::Not":[{"Fn::Contains":[["1","2","3","4","5"],{"Ref":"BootstrapVersion"}]}]},"AssertDescription":"CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."}]}}


✨  Number of stacks with differences: 1
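Because the stack takes its subnet layout from the YAML above, a wrong natRoute or a CIDR typo only surfaces at deploy time, or never: the stack deploys fine, but a private subnet silently has no egress, or has it through a NAT gateway in another AZ. The following is an added example, not code from the sample repository: a validator over the same config shape that can run before cdk diff. validate_vpc_config and the two config dicts are this example's own names; the dicts reproduce the multi_with_nat stage above and the single-NAT development stage shown later on this page.

```python
"""Static checks for the subnet config this post's stack reads (added example; not the sample repo's code)."""
import copy
import ipaddress

# Constructed to match the multi_with_nat stage shown above.
MULTI_WITH_NAT = {
    "vpcCidr": "10.10.0.0/16",
    "publicSubnets": [
        {"name": "public1", "cidr": "10.10.0.0/24", "az": "ap-northeast-1c", "nat": True},
        {"name": "public2", "cidr": "10.10.1.0/24", "az": "ap-northeast-1a", "nat": True},
    ],
    "privateSubnets": [
        {"name": "private1", "cidr": "10.10.2.0/24", "az": "ap-northeast-1c", "nat": True, "natRoute": "public1"},
        {"name": "private2", "cidr": "10.10.3.0/24", "az": "ap-northeast-1a", "nat": True, "natRoute": "public2"},
    ],
}

# Same layout with the second NAT gateway removed (the multi_with_single_nat stage).
MULTI_WITH_SINGLE_NAT = copy.deepcopy(MULTI_WITH_NAT)
MULTI_WITH_SINGLE_NAT["publicSubnets"][1]["nat"] = False
MULTI_WITH_SINGLE_NAT["privateSubnets"][1]["natRoute"] = "public1"


def validate_vpc_config(cfg):
    """Return (severity, subnet, message) findings; an empty list means the config deploys as intended."""
    findings = []
    vpc = ipaddress.ip_network(cfg["vpcCidr"])   # strict parsing: host bits set raises ValueError
    publics = {s["name"]: s for s in cfg["publicSubnets"]}
    privates = {s["name"]: s for s in cfg["privateSubnets"]}
    clash = publics.keys() & privates.keys()
    if clash:
        findings.append(("error", "*", f"duplicate subnet names: {sorted(clash)}"))

    # 1. Addressing: every subnet inside the VPC block, no two subnets overlapping.
    seen = []
    for s in list(publics.values()) + list(privates.values()):
        net = ipaddress.ip_network(s["cidr"])
        if not net.subnet_of(vpc):
            findings.append(("error", s["name"], f"{net} lies outside vpcCidr {vpc}"))
        for other_name, other in seen:
            if net.overlaps(other):
                findings.append(("error", s["name"], f"{net} overlaps {other_name} ({other})"))
        seen.append((s["name"], net))

    # 2. Egress routing: natRoute must name a public subnet that actually hosts a NAT gateway,
    #    and a NAT gateway in another AZ is a cross-AZ dependency worth flagging.
    used = set()
    for s in privates.values():
        if not s.get("nat"):
            continue                                  # isolated subnet: no default route at all
        target = publics.get(s.get("natRoute"))
        if target is None or not target.get("nat"):
            findings.append(("error", s["name"],
                             f"natRoute {s.get('natRoute')!r} is not a public subnet with nat: true"))
            continue
        used.add(target["name"])
        if target["az"] != s["az"]:
            findings.append(("warning", s["name"],
                             f"egress depends on the NAT gateway in {target['name']} ({target['az']}), "
                             f"outside this subnet's AZ {s['az']}"))

    # 3. Cost: a NAT gateway nobody routes through is still billed every hour.
    for name, p in publics.items():
        if p.get("nat") and name not in used:
            findings.append(("warning", name, "NAT gateway allocated but no private subnet routes to it"))
    return findings


if __name__ == "__main__":
    for stage, cfg in (("multi_with_nat", MULTI_WITH_NAT), ("multi_with_single_nat", MULTI_WITH_SINGLE_NAT)):
        print(stage, validate_vpc_config(cfg) or "OK")
```

Run it as a unit test or as a pre-synth step, treating errors as blocking and warnings as a prompt. The cross-AZ warning is exactly the trade-off the single-NAT development layout described further down accepts on purpose; the point of surfacing it is that production configs should never carry it unnoticed.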

Multi-AZ: Public x 2 / Private x 2 / redundant NAT gateways / IPv6 enabled

Since public IPv4 addresses became a charged item, many organizations have been moving to IPv6. We have not changed production yet, but because the change can be made in place later, we fully intend to move to a dual-stack network with IPv6.

Compared with an IPv4-only network, IPv6 needs the following:

  • An egress-only Internet Gateway
  • Dual-stack mode enabled on each subnet
  • NAT64/DNS64 enabled for destinations that cannot be reached over IPv6
  • DHCP settings for IPv6

In the sample, each AZ gets one public and one private subnet. Resources in a private subnet reach the IPv4 internet through the NAT gateway in the public subnet of the same AZ.

Resources with an IPv6 address in a private subnet reach IPv6-capable destinations through the egress-only Internet Gateway, which allows outbound connections only. The private subnet's ::/0 route must point at that gateway and not at the Internet Gateway: VPC IPv6 addresses are globally routable, so an IGW route would make the "private" subnet reachable from the internet. Destinations that do not support IPv6 can still be reached via translation to IPv4: DNS64 synthesizes an IPv6 address for them and the NAT gateway performs the NAT64 translation, which is what the 64:ff9b::/96 route to the NAT gateway in the diff below is for.

vpcCidr: 10.10.0.0/16
ipv6: true
amazon_provided_ipv6_cidr_block: true
publicSubnets:
  - name: public1
    cidr: 10.10.0.0/24
    az: ap-northeast-1c
    nat: true
    ipv6: true
  - name: public2
    cidr: 10.10.1.0/24
    az: ap-northeast-1a
    nat: true
    ipv6: true
privateSubnets:
  - name: private1
    cidr: 10.10.2.0/24
    az: ap-northeast-1c
    nat: true
    natRoute: public1
    ipv6: true
    dns64: true
  - name: private2
    cidr: 10.10.3.0/24
    az: ap-northeast-1a
    nat: true
    natRoute: public2
    ipv6: true
    dns64: true

cdk diff --context stage=multi_with_nat_ipv6_dualstack --context service_name=test-multi-with-nat-ipv6-dualstack
Stack test-multi-with-nat-ipv6-dualstack-VpcStack
Parameters
[+] Parameter BootstrapVersion BootstrapVersion: {"Type":"AWS::SSM::Parameter::Value<String>","Default":"/cdk-bootstrap/hnb659fds/version","Description":"Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"}

Resources
[+] AWS::EC2::VPC test-multi-with-nat-ipv6-dualstack-VPC testmultiwithnatipv6dualstackVPC 
[+] AWS::EC2::InternetGateway test-multi-with-nat-ipv6-dualstack-Gateway testmultiwithnatipv6dualstackGateway 
[+] AWS::EC2::VPCGatewayAttachment test-multi-with-nat-ipv6-dualstack-GatewayAttachment testmultiwithnatipv6dualstackGatewayAttachment 
[+] AWS::EC2::RouteTable test-multi-with-nat-ipv6-dualstack-Route-Public testmultiwithnatipv6dualstackRoutePublic 
[+] AWS::EC2::Route test-multi-with-nat-ipv6-dualstack-PublicRoute testmultiwithnatipv6dualstackPublicRoute 
[+] AWS::EC2::EgressOnlyInternetGateway test-multi-with-nat-ipv6-dualstack-EgressGateway testmultiwithnatipv6dualstackEgressGateway 
[+] AWS::EC2::VPCCidrBlock test-multi-with-nat-ipv6-dualstack-IPv6-CidrBlock testmultiwithnatipv6dualstackIPv6CidrBlock 
[+] AWS::EC2::Route test-multi-with-nat-ipv6-dualstack-PublicRoute-IPv6 testmultiwithnatipv6dualstackPublicRouteIPv6 
[+] AWS::EC2::Subnet test-multi-with-nat-ipv6-dualstack-Subnet-public1 testmultiwithnatipv6dualstackSubnetpublic1 
[+] AWS::EC2::SubnetRouteTableAssociation test-multi-with-nat-ipv6-dualstack-Subnet-public1-Association testmultiwithnatipv6dualstackSubnetpublic1Association 
[+] AWS::EC2::EIP test-multi-with-nat-ipv6-dualstack-EIP-public1 testmultiwithnatipv6dualstackEIPpublic1 
[+] AWS::EC2::NatGateway test-multi-with-nat-ipv6-dualstack-NatGateway-public1 testmultiwithnatipv6dualstackNatGatewaypublic1 
[+] AWS::EC2::Subnet test-multi-with-nat-ipv6-dualstack-Subnet-public2 testmultiwithnatipv6dualstackSubnetpublic2 
[+] AWS::EC2::SubnetRouteTableAssociation test-multi-with-nat-ipv6-dualstack-Subnet-public2-Association testmultiwithnatipv6dualstackSubnetpublic2Association 
[+] AWS::EC2::EIP test-multi-with-nat-ipv6-dualstack-EIP-public2 testmultiwithnatipv6dualstackEIPpublic2 
[+] AWS::EC2::NatGateway test-multi-with-nat-ipv6-dualstack-NatGateway-public2 testmultiwithnatipv6dualstackNatGatewaypublic2 
[+] AWS::EC2::Subnet test-multi-with-nat-ipv6-dualstack-Subnet-private1 testmultiwithnatipv6dualstackSubnetprivate1 
[+] AWS::EC2::RouteTable test-multi-with-nat-ipv6-dualstack-Route-private1 testmultiwithnatipv6dualstackRouteprivate1 
[+] AWS::EC2::SubnetRouteTableAssociation test-multi-with-nat-ipv6-dualstack-Subnet-private1-Association testmultiwithnatipv6dualstackSubnetprivate1Association 
[+] AWS::EC2::Route test-multi-with-nat-ipv6-dualstack-private1-IPv6 testmultiwithnatipv6dualstackprivate1IPv6 
[+] AWS::EC2::Route test-multi-with-nat-ipv6-dualstack-private1-nat testmultiwithnatipv6dualstackprivate1nat 
[+] AWS::EC2::Route test-multi-with-nat-ipv6-dualstack-private1-nat-ipv6 testmultiwithnatipv6dualstackprivate1natipv6 
[+] AWS::EC2::Subnet test-multi-with-nat-ipv6-dualstack-Subnet-private2 testmultiwithnatipv6dualstackSubnetprivate2 
[+] AWS::EC2::RouteTable test-multi-with-nat-ipv6-dualstack-Route-private2 testmultiwithnatipv6dualstackRouteprivate2 
[+] AWS::EC2::SubnetRouteTableAssociation test-multi-with-nat-ipv6-dualstack-Subnet-private2-Association testmultiwithnatipv6dualstackSubnetprivate2Association 
[+] AWS::EC2::Route test-multi-with-nat-ipv6-dualstack-private2-IPv6 testmultiwithnatipv6dualstackprivate2IPv6 
[+] AWS::EC2::Route test-multi-with-nat-ipv6-dualstack-private2-nat testmultiwithnatipv6dualstackprivate2nat 
[+] AWS::EC2::Route test-multi-with-nat-ipv6-dualstack-private2-nat-ipv6 testmultiwithnatipv6dualstackprivate2natipv6 

Outputs
[+] Output VPC VPC: {"Value":{"Ref":"testmultiwithnatipv6dualstackVPC"},"Export":{"Name":"test-multi-with-nat-ipv6-dualstack-VPC"}}
[+] Output Subnet-public1 Subnetpublic1: {"Value":{"Ref":"testmultiwithnatipv6dualstackSubnetpublic1"},"Export":{"Name":"test-multi-with-nat-ipv6-dualstack-Subnet-public1"}}
[+] Output Subnet-public2 Subnetpublic2: {"Value":{"Ref":"testmultiwithnatipv6dualstackSubnetpublic2"},"Export":{"Name":"test-multi-with-nat-ipv6-dualstack-Subnet-public2"}}
[+] Output Subnet-private1 Subnetprivate1: {"Value":{"Ref":"testmultiwithnatipv6dualstackSubnetprivate1"},"Export":{"Name":"test-multi-with-nat-ipv6-dualstack-Subnet-private1"}}
[+] Output Subnet-private2 Subnetprivate2: {"Value":{"Ref":"testmultiwithnatipv6dualstackSubnetprivate2"},"Export":{"Name":"test-multi-with-nat-ipv6-dualstack-Subnet-private2"}}

Other Changes
[+] Unknown Rules: {"CheckBootstrapVersion":{"Assertions":[{"Assert":{"Fn::Not":[{"Fn::Contains":[["1","2","3","4","5"],{"Ref":"BootstrapVersion"}]}]},"AssertDescription":"CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."}]}}


✨  Number of stacks with differences: 1
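The route tables in the diff above (PublicRoute and PublicRoute-IPv6 on the shared public table; private1-nat, private1-IPv6 and private1-nat-ipv6 on each private table) follow mechanically from the config flags. The following is an added example, not code from the sample repository: it derives those entries from the config and shows how each maps onto a CfnRoute. Route, plan_routes, emit_cfn_routes, TARGET_PROPERTY, NAT64_PREFIX and the config dict are this example's own names; the config reproduces the dual-stack stage above, and the CDK part assumes aws-cdk-lib v2 and is only ever called from inside a stack.

```python
"""Derive route-table entries from the dual-stack subnet config (added example; not the sample repo's code)."""
from dataclasses import dataclass

# Well-known prefix DNS64 synthesises for IPv4-only destinations; the NAT gateway performs NAT64 for it.
NAT64_PREFIX = "64:ff9b::/96"

# Constructed to match the multi_with_nat_ipv6_dualstack stage shown above.
DUALSTACK = {
    "vpcCidr": "10.10.0.0/16",
    "ipv6": True,
    "publicSubnets": [
        {"name": "public1", "cidr": "10.10.0.0/24", "az": "ap-northeast-1c", "nat": True, "ipv6": True},
        {"name": "public2", "cidr": "10.10.1.0/24", "az": "ap-northeast-1a", "nat": True, "ipv6": True},
    ],
    "privateSubnets": [
        {"name": "private1", "cidr": "10.10.2.0/24", "az": "ap-northeast-1c",
         "nat": True, "natRoute": "public1", "ipv6": True, "dns64": True},
        {"name": "private2", "cidr": "10.10.3.0/24", "az": "ap-northeast-1a",
         "nat": True, "natRoute": "public2", "ipv6": True, "dns64": True},
    ],
}


@dataclass(frozen=True)
class Route:
    destination: str  # IPv4 or IPv6 CIDR
    kind: str         # "igw" | "eigw" | "nat"
    target: str       # "igw", "eigw", or the name of the public subnet hosting the NAT gateway


def plan_routes(cfg):
    """Return {route table name: [Route, ...]}; 'public' is the single table all public subnets share."""
    nat_hosts = {s["name"] for s in cfg["publicSubnets"] if s.get("nat")}
    vpc_ipv6 = bool(cfg.get("ipv6"))
    plan = {"public": [Route("0.0.0.0/0", "igw", "igw")]}
    if vpc_ipv6:
        plan["public"].append(Route("::/0", "igw", "igw"))  # public subnets: inbound and outbound IPv6
    for s in cfg["privateSubnets"]:
        routes = []
        if s.get("nat"):
            if s.get("natRoute") not in nat_hosts:
                raise ValueError(f"{s['name']}: natRoute {s.get('natRoute')!r} hosts no NAT gateway")
            routes.append(Route("0.0.0.0/0", "nat", s["natRoute"]))
        if s.get("ipv6"):
            if not vpc_ipv6:
                raise ValueError(f"{s['name']}: subnet ipv6 needs the VPC-level ipv6 flag")
            # Private subnets must NOT point ::/0 at the Internet Gateway: VPC IPv6 addresses are
            # globally routable, so that route would expose every host to inbound connections.
            routes.append(Route("::/0", "eigw", "eigw"))
            if s.get("dns64"):
                if not s.get("nat"):
                    raise ValueError(f"{s['name']}: dns64 needs a NAT gateway to perform NAT64")
                routes.append(Route(NAT64_PREFIX, "nat", s["natRoute"]))
        plan[s["name"]] = routes  # an empty list is an isolated subnet
    return plan


# CfnRoute keyword that carries each target kind (aws-cdk-lib v2, aws_ec2 module).
TARGET_PROPERTY = {"igw": "gateway_id", "nat": "nat_gateway_id", "eigw": "egress_only_internet_gateway_id"}


def emit_cfn_routes(scope, prefix, route_table_id, routes, target_ids):
    """Create one AWS::EC2::Route per planned route inside a stack.

    target_ids maps "igw", "eigw" and each NAT-hosting subnet name to the CloudFormation
    token for that gateway's ID (for example igw.ref or nat_gateways["public1"].ref).
    """
    from aws_cdk import aws_ec2 as ec2  # imported here so plan_routes is testable without the CDK installed
    for i, r in enumerate(routes):
        props = {"route_table_id": route_table_id, TARGET_PROPERTY[r.kind]: target_ids[r.target]}
        if ":" in r.destination:
            props["destination_ipv6_cidr_block"] = r.destination
        else:
            props["destination_cidr_block"] = r.destination
        ec2.CfnRoute(scope, f"{prefix}-route{i}", **props)


if __name__ == "__main__":
    for table, routes in plan_routes(DUALSTACK).items():
        print(table, [(r.destination, r.kind, r.target) for r in routes])
```

Keeping the decision (which destinations go to which gateway) separate from the CDK wiring means the security-relevant invariants, private ::/0 to the egress-only gateway and the NAT64 prefix only where a NAT gateway exists, can be asserted in a plain unit test, while the stack only translates Route objects into CfnRoute properties.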

Multi-AZ: Public x 2 / Private x 2 / single NAT gateway

We use this layout in development. Because it is built with the same CDK code, it is close enough to production to test the configuration against.

The drawback is cost: NAT gateways are expensive, so replacing the NAT gateway with a NAT instance would be cheaper. And during an AZ failure, applications such as Fargate that need outbound internet access lose it if the NAT gateway's AZ is the one that fails, because both private subnets route through it. (Hence its use for development only.)

In the sample, each AZ gets one public and one private subnet. Resources in both private subnets reach the internet through the single NAT gateway placed in one of the public subnets (natRoute: public1 on both).

vpcCidr: 10.10.0.0/16
publicSubnets:
  - name: public1
    cidr: 10.10.0.0/24
    az: ap-northeast-1c
    nat: true
  - name: public2
    cidr: 10.10.1.0/24
    az: ap-northeast-1a
    nat: false
privateSubnets:
  - name: private1
    cidr: 10.10.2.0/24
    az: ap-northeast-1c
    nat: true
    natRoute: public1
  - name: private2
    cidr: 10.10.3.0/24
    az: ap-northeast-1a
    nat: true
    natRoute: public1

cdk diff --context stage=multi_with_single_nat --context service_name=test-multi-with-single-nat
Stack test-multi-with-single-nat-VpcStack
Parameters
[+] Parameter BootstrapVersion BootstrapVersion: {"Type":"AWS::SSM::Parameter::Value<String>","Default":"/cdk-bootstrap/hnb659fds/version","Description":"Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"}

Resources
[+] AWS::EC2::VPC test-multi-with-single-nat-VPC testmultiwithsinglenatVPC 
[+] AWS::EC2::InternetGateway test-multi-with-single-nat-Gateway testmultiwithsinglenatGateway 
[+] AWS::EC2::VPCGatewayAttachment test-multi-with-single-nat-GatewayAttachment testmultiwithsinglenatGatewayAttachment 
[+] AWS::EC2::RouteTable test-multi-with-single-nat-Route-Public testmultiwithsinglenatRoutePublic 
[+] AWS::EC2::Route test-multi-with-single-nat-PublicRoute testmultiwithsinglenatPublicRoute 
[+] AWS::EC2::Subnet test-multi-with-single-nat-Subnet-public1 testmultiwithsinglenatSubnetpublic1 
[+] AWS::EC2::SubnetRouteTableAssociation test-multi-with-single-nat-Subnet-public1-Association testmultiwithsinglenatSubnetpublic1Association 
[+] AWS::EC2::EIP test-multi-with-single-nat-EIP-public1 testmultiwithsinglenatEIPpublic1 
[+] AWS::EC2::NatGateway test-multi-with-single-nat-NatGateway-public1 testmultiwithsinglenatNatGatewaypublic1 
[+] AWS::EC2::Subnet test-multi-with-single-nat-Subnet-public2 testmultiwithsinglenatSubnetpublic2 
[+] AWS::EC2::SubnetRouteTableAssociation test-multi-with-single-nat-Subnet-public2-Association testmultiwithsinglenatSubnetpublic2Association 
[+] AWS::EC2::Subnet test-multi-with-single-nat-Subnet-private1 testmultiwithsinglenatSubnetprivate1 
[+] AWS::EC2::RouteTable test-multi-with-single-nat-Route-private1 testmultiwithsinglenatRouteprivate1 
[+] AWS::EC2::SubnetRouteTableAssociation test-multi-with-single-nat-Subnet-private1-Association testmultiwithsinglenatSubnetprivate1Association 
[+] AWS::EC2::Route test-multi-with-single-nat-private1-nat testmultiwithsinglenatprivate1nat 
[+] AWS::EC2::Subnet test-multi-with-single-nat-Subnet-private2 testmultiwithsinglenatSubnetprivate2 
[+] AWS::EC2::RouteTable test-multi-with-single-nat-Route-private2 testmultiwithsinglenatRouteprivate2 
[+] AWS::EC2::SubnetRouteTableAssociation test-multi-with-single-nat-Subnet-private2-Association testmultiwithsinglenatSubnetprivate2Association 
[+] AWS::EC2::Route test-multi-with-single-nat-private2-nat testmultiwithsinglenatprivate2nat 

Outputs
[+] Output VPC VPC: {"Value":{"Ref":"testmultiwithsinglenatVPC"},"Export":{"Name":"test-multi-with-single-nat-VPC"}}
[+] Output Subnet-public1 Subnetpublic1: {"Value":{"Ref":"testmultiwithsinglenatSubnetpublic1"},"Export":{"Name":"test-multi-with-single-nat-Subnet-public1"}}
[+] Output Subnet-public2 Subnetpublic2: {"Value":{"Ref":"testmultiwithsinglenatSubnetpublic2"},"Export":{"Name":"test-multi-with-single-nat-Subnet-public2"}}
[+] Output Subnet-private1 Subnetprivate1: {"Value":{"Ref":"testmultiwithsinglenatSubnetprivate1"},"Export":{"Name":"test-multi-with-single-nat-Subnet-private1"}}
[+] Output Subnet-private2 Subnetprivate2: {"Value":{"Ref":"testmultiwithsinglenatSubnetprivate2"},"Export":{"Name":"test-multi-with-single-nat-Subnet-private2"}}

Other Changes
[+] Unknown Rules: {"CheckBootstrapVersion":{"Assertions":[{"Assert":{"Fn::Not":[{"Fn::Contains":[["1","2","3","4","5"],{"Ref":"BootstrapVersion"}]}]},"AssertDescription":"CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."}]}}


✨  Number of stacks with differences: 1

Multi-AZ: Public x 2 / Isolated x 2

This is the layout with no NAT at all. In CDK terms, a private subnet with no path to the internet is an isolated subnet.

We sometimes use it for configurations such as CloudFront + ALB + EC2 (public subnets) + RDS (isolated subnets). It does not work, however, when services such as Lambda or CodeBuild have to be placed in the VPC and need internet access, so we use it rarely. (Isolated subnets can still reach AWS APIs through VPC endpoints, but anything that needs the open internet is out.)

In the sample, each AZ gets one public subnet and one private (isolated) subnet; the natRoute keys are ignored because nat is false.

vpcCidr: 10.10.0.0/16
publicSubnets:
  - name: public1
    cidr: 10.10.0.0/24
    az: ap-northeast-1c
    nat: false
  - name: public2
    cidr: 10.10.1.0/24
    az: ap-northeast-1a
    nat: false
privateSubnets:
  - name: private1
    cidr: 10.10.2.0/24
    az: ap-northeast-1c
    nat: false
    natRoute: public1
  - name: private2
    cidr: 10.10.3.0/24
    az: ap-northeast-1a
    nat: false
    natRoute: public2

cdk diff --context stage=multi_with_no_nat --context service_name=test-multi-with-no-nat
Stack test-multi-with-no-nat-VpcStack
Parameters
[+] Parameter BootstrapVersion BootstrapVersion: {"Type":"AWS::SSM::Parameter::Value<String>","Default":"/cdk-bootstrap/hnb659fds/version","Description":"Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"}

Resources
[+] AWS::EC2::VPC test-multi-with-no-nat-VPC testmultiwithnonatVPC 
[+] AWS::EC2::InternetGateway test-multi-with-no-nat-Gateway testmultiwithnonatGateway 
[+] AWS::EC2::VPCGatewayAttachment test-multi-with-no-nat-GatewayAttachment testmultiwithnonatGatewayAttachment 
[+] AWS::EC2::RouteTable test-multi-with-no-nat-Route-Public testmultiwithnonatRoutePublic 
[+] AWS::EC2::Route test-multi-with-no-nat-PublicRoute testmultiwithnonatPublicRoute 
[+] AWS::EC2::Subnet test-multi-with-no-nat-Subnet-public1 testmultiwithnonatSubnetpublic1 
[+] AWS::EC2::SubnetRouteTableAssociation test-multi-with-no-nat-Subnet-public1-Association testmultiwithnonatSubnetpublic1Association 
[+] AWS::EC2::Subnet test-multi-with-no-nat-Subnet-public2 testmultiwithnonatSubnetpublic2 
[+] AWS::EC2::SubnetRouteTableAssociation test-multi-with-no-nat-Subnet-public2-Association testmultiwithnonatSubnetpublic2Association 
[+] AWS::EC2::Subnet test-multi-with-no-nat-Subnet-private1 testmultiwithnonatSubnetprivate1 
[+] AWS::EC2::RouteTable test-multi-with-no-nat-Route-private1 testmultiwithnonatRouteprivate1 
[+] AWS::EC2::SubnetRouteTableAssociation test-multi-with-no-nat-Subnet-private1-Association testmultiwithnonatSubnetprivate1Association 
[+] AWS::EC2::Subnet test-multi-with-no-nat-Subnet-private2 testmultiwithnonatSubnetprivate2 
[+] AWS::EC2::RouteTable test-multi-with-no-nat-Route-private2 testmultiwithnonatRouteprivate2 
[+] AWS::EC2::SubnetRouteTableAssociation test-multi-with-no-nat-Subnet-private2-Association testmultiwithnonatSubnetprivate2Association 

Outputs
[+] Output VPC VPC: {"Value":{"Ref":"testmultiwithnonatVPC"},"Export":{"Name":"test-multi-with-no-nat-VPC"}}
[+] Output Subnet-public1 Subnetpublic1: {"Value":{"Ref":"testmultiwithnonatSubnetpublic1"},"Export":{"Name":"test-multi-with-no-nat-Subnet-public1"}}
[+] Output Subnet-public2 Subnetpublic2: {"Value":{"Ref":"testmultiwithnonatSubnetpublic2"},"Export":{"Name":"test-multi-with-no-nat-Subnet-public2"}}
[+] Output Subnet-private1 Subnetprivate1: {"Value":{"Ref":"testmultiwithnonatSubnetprivate1"},"Export":{"Name":"test-multi-with-no-nat-Subnet-private1"}}
[+] Output Subnet-private2 Subnetprivate2: {"Value":{"Ref":"testmultiwithnonatSubnetprivate2"},"Export":{"Name":"test-multi-with-no-nat-Subnet-private2"}}

Other Changes
[+] Unknown Rules: {"CheckBootstrapVersion":{"Assertions":[{"Assert":{"Fn::Not":[{"Fn::Contains":[["1","2","3","4","5"],{"Ref":"BootstrapVersion"}]}]},"AssertDescription":"CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."}]}}


✨  Number of stacks with differences: 1

Single-AZ: Public x 1 / Private x 1 / single NAT gateway

This layout has almost no advantages, so we rarely use it. Services such as ALB require two or more AZs, so it cannot host them.

In the sample, the single AZ gets one public and one private subnet. Resources in the private subnet reach the internet through the NAT gateway in the public subnet.

vpcCidr: 10.10.0.0/16
publicSubnets:
  - name: public1
    cidr: 10.10.0.0/24
    az: ap-northeast-1c
    nat: true
privateSubnets:
  - name: private1
    cidr: 10.10.2.0/24
    az: ap-northeast-1c
    nat: true
    natRoute: public1

cdk diff --context stage=single_with_nat --context service_name=test-single-with-nat
Stack test-single-with-nat-VpcStack
Parameters
[+] Parameter BootstrapVersion BootstrapVersion: {"Type":"AWS::SSM::Parameter::Value<String>","Default":"/cdk-bootstrap/hnb659fds/version","Description":"Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"}

Resources
[+] AWS::EC2::VPC test-single-with-nat-VPC testsinglewithnatVPC 
[+] AWS::EC2::InternetGateway test-single-with-nat-Gateway testsinglewithnatGateway 
[+] AWS::EC2::VPCGatewayAttachment test-single-with-nat-GatewayAttachment testsinglewithnatGatewayAttachment 
[+] AWS::EC2::RouteTable test-single-with-nat-Route-Public testsinglewithnatRoutePublic 
[+] AWS::EC2::Route test-single-with-nat-PublicRoute testsinglewithnatPublicRoute 
[+] AWS::EC2::Subnet test-single-with-nat-Subnet-public1 testsinglewithnatSubnetpublic1 
[+] AWS::EC2::SubnetRouteTableAssociation test-single-with-nat-Subnet-public1-Association testsinglewithnatSubnetpublic1Association 
[+] AWS::EC2::EIP test-single-with-nat-EIP-public1 testsinglewithnatEIPpublic1 
[+] AWS::EC2::NatGateway test-single-with-nat-NatGateway-public1 testsinglewithnatNatGatewaypublic1 
[+] AWS::EC2::Subnet test-single-with-nat-Subnet-private1 testsinglewithnatSubnetprivate1 
[+] AWS::EC2::RouteTable test-single-with-nat-Route-private1 testsinglewithnatRouteprivate1 
[+] AWS::EC2::SubnetRouteTableAssociation test-single-with-nat-Subnet-private1-Association testsinglewithnatSubnetprivate1Association 
[+] AWS::EC2::Route test-single-with-nat-private1-nat testsinglewithnatprivate1nat 

Outputs
[+] Output VPC VPC: {"Value":{"Ref":"testsinglewithnatVPC"},"Export":{"Name":"test-single-with-nat-VPC"}}
[+] Output Subnet-public1 Subnetpublic1: {"Value":{"Ref":"testsinglewithnatSubnetpublic1"},"Export":{"Name":"test-single-with-nat-Subnet-public1"}}
[+] Output Subnet-private1 Subnetprivate1: {"Value":{"Ref":"testsinglewithnatSubnetprivate1"},"Export":{"Name":"test-single-with-nat-Subnet-private1"}}

Other Changes
[+] Unknown Rules: {"CheckBootstrapVersion":{"Assertions":[{"Assert":{"Fn::Not":[{"Fn::Contains":[["1","2","3","4","5"],{"Ref":"BootstrapVersion"}]}]},"AssertDescription":"CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."}]}}


✨  Number of stacks with differences: 1

Closing

One advantage of CDK is that the configuration can be changed in place later. This article covered only the VPC; we hope to follow up with how the stacks are wired together and how the other resources are created.

Source: http://www.coloradmin.cn/o/1964031.html