使用CLI创建VPC
作者:互联网
1. 架构图
2. 前期准备
2.1 创建具有 AKSK(访问密钥 ID / 私有访问密钥)的 IAM 用户
打开 AWS 控制台并登录。注意:中国区域(aws-cn 分区,入口为 https://amazonaws-china.com/cn/)与全球区域使用相互独立的账户和 AKSK;本文后续在东京区域(ap-northeast-1)部署,输出中的 ARN 形如 arn:aws:…,因此实际需要用全球区账户登录,中国区账户的 AKSK 无法在东京区域使用。
选择Service-> 安全性、身份与合规性->IAM服务
选择用户->添加用户
输入用户名,并选择访问类型为"编程访问"。编程访问会为该用户生成一对长期有效的 AKSK,供 CLI 或 REST API 调用时使用;"AWS 管理控制台访问"则是为通过 portal 登录的用户设置用户名密码。长期 AKSK 一旦泄露,可以在任何位置冒用该用户的全部权限,生产环境应优先使用 IAM 角色或 SSO 等临时凭证,并为用户启用 MFA。
在权限页面,选择"直接附加现有策略",为该用户附加管理员权限。本例仅为实验;实际使用中应遵循最小权限原则,只授予本文用到的操作(ec2:CreateVpc、CreateSubnet、CreateInternetGateway、AttachInternetGateway、CreateRouteTable、CreateRoute、AssociateRouteTable、AllocateAddress、CreateNatGateway、CreateTags 等),或至少把策略范围限定在 EC2/VPC 相关权限。
添加标签页面是可选的,直接点下一步。
审核页面,检查之前的配置是否正确,之后点击创建用户
显示添加成功以后,要把 AKSK 保存起来:AK 就是访问密钥 ID,SK 就是私有访问密钥。SK 只在这一次显示,以后不会再显示,所以一定要保存好,也可以下载保存 CSV 文件。AKSK 等同于该用户的密码:不要写入代码或提交到版本库,不要通过聊天/邮件明文传递;下载的 CSV 用完后应删除;实验结束后在 IAM 中停用或删除该密钥,怀疑泄露时立即停用。
2.2. 安装CLI命令行工具
Windows系统安装CLI:https://docs.aws.amazon.com/zh_cn/cli/latest/userguide/install-cliv2-windows.html
Linux系统安装CLI:https://docs.aws.amazon.com/zh_cn/cli/latest/userguide/install-cliv2-linux.html
MacOS系统安装CLI:https://docs.aws.amazon.com/zh_cn/cli/latest/userguide/install-cliv2-mac.html
2.3 配置CLI环境
输入 aws configure,配置 aws CLI 的 AKSK。该命令会把 AKSK 以明文写入 ~/.aws/credentials(Windows 下为 %USERPROFILE%\.aws\credentials),请确保该文件只有本人可读(Linux/macOS 上 chmod 600);有多套凭证时建议用 aws configure --profile <名称> 分开保存,避免误用到别的账户。
AWS Access Key ID是步骤2.1的AK
AWS secret Access Key是步骤2.1的SK
Default region name:输入默认部署区域,本例为东京区域 ap-northeast-1;后续命令中也可以用 --region 参数另行指定。
Default output format:保持默认 json 即可。
3. 创建VPC
3.1 创建VPC
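# Create the VPC with CIDR 10.0.0.0/16 and Name tag "garyvpc".
# Every later step references the VPC through $VpcId, so capture the ID here
# with --query/--output text instead of copying it by hand from the JSON.
# Without those two options the command prints the full JSON document shown
# below.
VpcId=$(aws ec2 create-vpc \
  --cidr-block 10.0.0.0/16 \
  --tag-specifications 'ResourceType=vpc,Tags=[{Key=Name,Value=garyvpc}]' \
  --query 'Vpc.VpcId' --output text)
# Fail loudly if no ID came back (bad credentials, wrong region, no permission).
: "${VpcId:?aws ec2 create-vpc did not return a VPC ID}"
printf 'VpcId=%s\n' "$VpcId"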
#输出为:
{
"Vpc": {
"CidrBlock": "10.0.0.0/16",
"DhcpOptionsId": "dopt-9f6a28f8",
"State": "pending",
"VpcId": "vpc-024f1b212f5bf801b",
"OwnerId": "624581614683",
"InstanceTenancy": "default",
"Ipv6CidrBlockAssociationSet": [],
"CidrBlockAssociationSet": [
{
"AssociationId": "vpc-cidr-assoc-0a2ce03662264b802",
"CidrBlock": "10.0.0.0/16",
"CidrBlockState": {
"State": "associated"
}
}
],
"IsDefault": false,
"Tags": [
{
"Key": "Name",
"Value": "garyvpc"
}
]
}
}
请记录 VpcId=vpc-024f1b212f5bf801b。后续命令通过 shell 变量 $VpcId 引用它;如果没有把创建命令的输出直接捕获到变量,需要在同一个 shell 会话中手动赋值:VpcId=vpc-024f1b212f5bf801b(换成你自己的输出值)。
3.2 创建子网
本教程只在 AZ1(ap-northeast-1a)中创建子网;若打算在 AZ2 中创建,将 AZ 改成 ap-northeast-1b 或者 ap-northeast-1c。
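# Subnet 1 ("sub-1"): 10.0.0.0/24 in ap-northeast-1a. This is the subnet that
# later receives the route to the internet gateway and hosts the NAT gateway,
# i.e. the public subnet. MapPublicIpOnLaunch stays false (see the output
# below): an instance only gets a public IP if you request one at launch.
# Requires $VpcId from the create-vpc step; the ID is quoted and checked so an
# unset variable fails here instead of as a confusing API error.
: "${VpcId:?VpcId must be set from the create-vpc step}"
SubId1=$(aws ec2 create-subnet \
  --vpc-id "$VpcId" \
  --availability-zone ap-northeast-1a \
  --cidr-block 10.0.0.0/24 \
  --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=sub-1}]' \
  --query 'Subnet.SubnetId' --output text)
: "${SubId1:?aws ec2 create-subnet did not return a subnet ID}"
printf 'SubId1=%s\n' "$SubId1"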
#输出为:
{
"Subnet": {
"AvailabilityZone": "ap-northeast-1a",
"AvailabilityZoneId": "apne1-az4",
"AvailableIpAddressCount": 251,
"CidrBlock": "10.0.0.0/24",
"DefaultForAz": false,
"MapPublicIpOnLaunch": false,
"State": "available",
"SubnetId": "subnet-02a5d46bd55bcaf2b",
"VpcId": "vpc-024f1b212f5bf801b",
"OwnerId": "624581614683",
"AssignIpv6AddressOnCreation": false,
"Ipv6CidrBlockAssociationSet": [],
"Tags": [
{
"Key": "Name",
"Value": "sub-1"
}
],
"SubnetArn": "arn:aws:ec2:ap-northeast-1:624581614683:subnet/subnet-02a5d46bd55bcaf2b"
}
}
#记录sub-1的ID,SubId1=subnet-02a5d46bd55bcaf2b
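# Subnet 2 ("sub-2"): 10.0.1.0/24, same AZ as sub-1. This subnet later gets
# the route table whose default route points at the NAT gateway, i.e. the
# private subnet. Change --availability-zone to put it in another AZ.
# Requires $VpcId from the create-vpc step.
: "${VpcId:?VpcId must be set from the create-vpc step}"
SubId2=$(aws ec2 create-subnet \
  --vpc-id "$VpcId" \
  --availability-zone ap-northeast-1a \
  --cidr-block 10.0.1.0/24 \
  --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=sub-2}]' \
  --query 'Subnet.SubnetId' --output text)
: "${SubId2:?aws ec2 create-subnet did not return a subnet ID}"
printf 'SubId2=%s\n' "$SubId2"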
##输出为:
{
"Subnet": {
"AvailabilityZone": "ap-northeast-1a",
"AvailabilityZoneId": "apne1-az4",
"AvailableIpAddressCount": 251,
"CidrBlock": "10.0.1.0/24",
"DefaultForAz": false,
"MapPublicIpOnLaunch": false,
"State": "available",
"SubnetId": "subnet-0e53a61969ce06fb1",
"VpcId": "vpc-024f1b212f5bf801b",
"OwnerId": "624581614683",
"AssignIpv6AddressOnCreation": false,
"Ipv6CidrBlockAssociationSet": [],
"Tags": [
{
"Key": "Name",
"Value": "sub-2"
}
],
"SubnetArn": "arn:aws:ec2:ap-northeast-1:624581614683:subnet/subnet-0e53a61969ce06fb1"
}
}
#记录sub-2的ID,SubId2=subnet-0e53a61969ce06fb1
3.3 创建IGW
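# Create the internet gateway (Name tag "IGW-garyvpc") and capture its ID in
# $igwId for the attach and create-route steps. Without --query/--output the
# command prints the JSON shown below (note "Attachments": [] - the gateway
# does nothing until it is attached to the VPC).
igwId=$(aws ec2 create-internet-gateway \
  --tag-specifications 'ResourceType=internet-gateway,Tags=[{Key=Name,Value=IGW-garyvpc}]' \
  --query 'InternetGateway.InternetGatewayId' --output text)
: "${igwId:?aws ec2 create-internet-gateway did not return an IGW ID}"
printf 'igwId=%s\n' "$igwId"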
#输出:
{
"InternetGateway": {
"Attachments": [],
"InternetGatewayId": "igw-04133c69ad783377f",
"OwnerId": "624581614683",
"Tags": [
{
"Key": "Name",
"Value": "IGW-garyvpc"
}
]
}
}
#记录,igwId=igw-04133c69ad783377f
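# Attach the internet gateway to the VPC. Both IDs are quoted and checked
# first so that an unset variable fails here with a clear message rather than
# as an API error about a malformed ID.
: "${igwId:?igwId must be set from the create-internet-gateway step}"
: "${VpcId:?VpcId must be set from the create-vpc step}"
aws ec2 attach-internet-gateway --internet-gateway-id "$igwId" --vpc-id "$VpcId"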
3.4 创建IGW路由
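# Route table for the public subnet (Name tag "Public-Sub-Route"). A freshly
# created table only carries the implicit "local" route for 10.0.0.0/16 (see
# output below); the default route to the IGW is added in the next step.
# Capture the table ID in $RouteId1; without --query/--output the command
# prints the JSON shown below.
: "${VpcId:?VpcId must be set from the create-vpc step}"
RouteId1=$(aws ec2 create-route-table \
  --vpc-id "$VpcId" \
  --tag-specifications 'ResourceType=route-table,Tags=[{Key=Name,Value=Public-Sub-Route}]' \
  --query 'RouteTable.RouteTableId' --output text)
: "${RouteId1:?aws ec2 create-route-table did not return a route table ID}"
printf 'RouteId1=%s\n' "$RouteId1"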
#输出为:
{
"RouteTable": {
"Associations": [],
"PropagatingVgws": [],
"RouteTableId": "rtb-0825a722d5c529067",
"Routes": [
{
"DestinationCidrBlock": "10.0.0.0/16",
"GatewayId": "local",
"Origin": "CreateRouteTable",
"State": "active"
}
],
"Tags": [
{
"Key": "Name",
"Value": "Public-Sub-Route"
}
],
"VpcId": "vpc-024f1b212f5bf801b",
"OwnerId": "624581614683"
}
}
#记录路由ID,RouteId1=rtb-0825a722d5c529067
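# Add the default route 0.0.0.0/0 -> IGW, then bind the table to sub-1.
# After this, sub-1 is a public subnet: anything in it that has a public IP is
# reachable from the internet, subject only to its security group and NACL.
# Keep that in mind when launching the bastion in section 4.1.
: "${RouteId1:?RouteId1 must be set from the create-route-table step}"
: "${igwId:?igwId must be set from the create-internet-gateway step}"
: "${SubId1:?SubId1 must be set from the create-subnet step}"
aws ec2 create-route \
  --route-table-id "$RouteId1" \
  --destination-cidr-block 0.0.0.0/0 \
  --gateway-id "$igwId"
aws ec2 associate-route-table --route-table-id "$RouteId1" --subnet-id "$SubId1"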
3.5 创建NAT网关
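# Allocate an Elastic IP for the NAT gateway. The output below shows
# "Domain": "vpc", which is what the bare command allocated; --domain vpc just
# makes that explicit. Capture the allocation ID in $EIPID; without
# --query/--output the command prints the JSON shown below.
# NOTE(review): an allocated but unused EIP is billed - release it when the
# lab is torn down.
EIPID=$(aws ec2 allocate-address --domain vpc --query 'AllocationId' --output text)
: "${EIPID:?aws ec2 allocate-address did not return an allocation ID}"
printf 'EIPID=%s\n' "$EIPID"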
#输出为:
{
"PublicIp": "35.72.202.78",
"AllocationId": "eipalloc-02b0b3cab4c0907c1",
"PublicIpv4Pool": "amazon",
"NetworkBorderGroup": "ap-northeast-1",
"Domain": "vpc"
}
#记录EIPID=eipalloc-02b0b3cab4c0907c1
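# Create the NAT gateway in the public subnet (sub-1) using the EIP above.
# create-nat-gateway returns while the gateway is still "pending" (see the
# output below), so wait until it is available before routing traffic
# through it in section 3.6.
: "${SubId1:?SubId1 must be set from the create-subnet step}"
: "${EIPID:?EIPID must be set from the allocate-address step}"
NATID=$(aws ec2 create-nat-gateway \
  --subnet-id "$SubId1" \
  --allocation-id "$EIPID" \
  --query 'NatGateway.NatGatewayId' --output text)
: "${NATID:?aws ec2 create-nat-gateway did not return a NAT gateway ID}"
printf 'NATID=%s\n' "$NATID"
aws ec2 wait nat-gateway-available --nat-gateway-ids "$NATID"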
#输出为:
{
"ClientToken": "b1d50343-6017-45a7-acd5-43e503f8f05e",
"NatGateway": {
"CreateTime": "2021-03-19T13:06:41+00:00",
"NatGatewayAddresses": [
{
"AllocationId": "eipalloc-02b0b3cab4c0907c1"
}
],
"NatGatewayId": "nat-0980a6db6520841ae",
"State": "pending",
"SubnetId": "subnet-02a5d46bd55bcaf2b",
"VpcId": "vpc-024f1b212f5bf801b"
}
}
#记录NATID=nat-0980a6db6520841ae
3.6 创建NAT路由
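# Route table for the private subnet (Name tag "Private-Sub-Route"). Like the
# public one it starts with only the "local" 10.0.0.0/16 route (see output
# below). Capture the table ID in $RouteId2; without --query/--output the
# command prints the JSON shown below.
: "${VpcId:?VpcId must be set from the create-vpc step}"
RouteId2=$(aws ec2 create-route-table \
  --vpc-id "$VpcId" \
  --tag-specifications 'ResourceType=route-table,Tags=[{Key=Name,Value=Private-Sub-Route}]' \
  --query 'RouteTable.RouteTableId' --output text)
: "${RouteId2:?aws ec2 create-route-table did not return a route table ID}"
printf 'RouteId2=%s\n' "$RouteId2"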
#输出为:
{
"RouteTable": {
"Associations": [],
"PropagatingVgws": [],
"RouteTableId": "rtb-0f1b1c3b51f5d1dd2",
"Routes": [
{
"DestinationCidrBlock": "10.0.0.0/16",
"GatewayId": "local",
"Origin": "CreateRouteTable",
"State": "active"
}
],
"Tags": [
{
"Key": "Name",
"Value": "Private-Sub-Route"
}
],
"VpcId": "vpc-024f1b212f5bf801b",
"OwnerId": "624581614683"
}
}
#记录路由ID,RouteId2=rtb-0f1b1c3b51f5d1dd2
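# Add the default route 0.0.0.0/0 -> NAT gateway, then bind the table to sub-2.
# A NAT gateway target is passed with --nat-gateway-id; --gateway-id is the
# option for internet/virtual private gateways and is not the right parameter
# for a nat-... ID.
# With this table sub-2 has no path to the IGW: instances there can reach the
# internet outbound through the NAT gateway but are not reachable from it.
: "${RouteId2:?RouteId2 must be set from the create-route-table step}"
: "${NATID:?NATID must be set from the create-nat-gateway step}"
: "${SubId2:?SubId2 must be set from the create-subnet step}"
aws ec2 create-route \
  --route-table-id "$RouteId2" \
  --destination-cidr-block 0.0.0.0/0 \
  --nat-gateway-id "$NATID"
aws ec2 associate-route-table --route-table-id "$RouteId2" --subnet-id "$SubId2"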
4. 验证成果
4.1 验证公有子网可以被访问
在 sub-1 中创建 EC2,名为 Bastion,并分配 public IP(sub-1 的 MapPublicIpOnLaunch 为 false,启动时需显式选择分配公网 IP);尝试登录,可以登录。Bastion 直接暴露在公网上,其安全组应只对你自己的出口 IP 开放 22 端口(不要用 0.0.0.0/0),并使用密钥对登录而非密码;如果不需要从公网 SSH,可以改用 SSM Session Manager,这样甚至不必分配公网 IP。
4.2 验证私有子网可以访问Internet
在 sub-2 中创建 EC2,名为 Server1。它没有公网 IP,所在路由表也没有通向 IGW 的路由,只能通过 Bastion 登录;登录 Server1 后可以访问 Internet,出站流量经 NAT 网关转发。Server1 的安全组应只允许来自 Bastion 所在安全组的 22 端口入站。
标签:subnet,CLI,VPC,--,创建,aws,ec2,vpc,id 来源: https://blog.51cto.com/garycloud/2666024