

This page is a machine-translated version. Where this translation differs from the English original, the English original prevails.

# Test setup with Amazon EC2
<a name="test-console-private-access-EC2"></a>

[Amazon Elastic Compute Cloud](https://docs.aws.amazon.com/ec2/?icmpid=docs_homepage_compute) (Amazon EC2) provides scalable computing capacity in the Amazon Web Services Cloud. You can use Amazon EC2 to launch as many virtual servers as you need, configure security and networking, and manage storage. In this setup, we use [Fleet Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/fleet.html), a capability of AWS Systems Manager, to connect to an Amazon EC2 Windows instance through Remote Desktop Protocol (RDP).

This guide demonstrates a test environment for setting up and experiencing AWS Management Console Private Access connectivity from an Amazon EC2 instance to Amazon Simple Storage Service. The tutorial uses CloudFormation to create and configure the network setup that the Amazon EC2 instance uses to exercise this feature.



The following diagram describes the workflow for using Amazon EC2 to access the AWS Management Console Private Access setup. It shows how a user connects to Amazon S3 through the private endpoints.

![\[Setup configuration for trying AWS Management Console Private Access with Amazon EC2.\]](http://docs.aws.amazon.com/zh_cn/awsconsolehelpdocs/latest/gsg/images/vpce-ec2-how-to-1.png)


Copy the following CloudFormation template and save it to a file that you will use in step three of the *Set up the network* procedure.

**Note**  
The configuration used by this CloudFormation template is currently not supported in the Israel (Tel Aviv) Region.

## AWS Management Console Private Access environment Amazon EC2 CloudFormation template
<a name="private-access-environment-ec2-cloudformation-template"></a>

```yaml
Description: |
  AWS Management Console Private Access.
Parameters:
  VpcCIDR:
    Type: String
    Default: 172.16.0.0/16
    Description: CIDR range for VPC

  Ec2KeyPair:
    Type: AWS::EC2::KeyPair::KeyName
    Description: The EC2 KeyPair to use to connect to the Windows instance

  PublicSubnet1CIDR:
    Type: String
    Default: 172.16.1.0/24
    Description: CIDR range for Public Subnet A

  PublicSubnet2CIDR:
    Type: String
    Default: 172.16.0.0/24
    Description: CIDR range for Public Subnet B

  PublicSubnet3CIDR:
    Type: String
    Default: 172.16.2.0/24
    Description: CIDR range for Public Subnet C

  PrivateSubnet1CIDR:
    Type: String
    Default: 172.16.4.0/24
    Description: CIDR range for Private Subnet A

  PrivateSubnet2CIDR:
    Type: String
    Default: 172.16.5.0/24
    Description: CIDR range for Private Subnet B 

  PrivateSubnet3CIDR:
    Type: String
    Default: 172.16.3.0/24
    Description: CIDR range for Private Subnet C 

  LatestWindowsAmiId:
    Type: 'AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>'
    Default: '/aws/service/ami-windows-latest/Windows_Server-2022-English-Full-Base'

  InstanceTypeParameter:
    Type: String
    Default: 't3.medium'


Resources:

#########################
# VPC AND SUBNETS
#########################

  AppVPC:
    Type: 'AWS::EC2::VPC'
    Properties:
      CidrBlock: !Ref VpcCIDR
      InstanceTenancy: default
      EnableDnsSupport: true
      EnableDnsHostnames: true

  PublicSubnetA:
    Type: 'AWS::EC2::Subnet'
    Properties:
      VpcId: !Ref AppVPC
      CidrBlock: !Ref PublicSubnet1CIDR
      MapPublicIpOnLaunch: true
      AvailabilityZone: 
        Fn::Select: 
          - 0
          - Fn::GetAZs: ""
      
  PublicSubnetB:
    Type: 'AWS::EC2::Subnet'
    Properties:
      VpcId: !Ref AppVPC
      CidrBlock: !Ref PublicSubnet2CIDR
      MapPublicIpOnLaunch: true
      AvailabilityZone: 
        Fn::Select: 
          - 1
          - Fn::GetAZs: ""

  PublicSubnetC:
    Type: 'AWS::EC2::Subnet'
    Properties:
      VpcId: !Ref AppVPC
      CidrBlock: !Ref PublicSubnet3CIDR
      MapPublicIpOnLaunch: true
      AvailabilityZone: 
        Fn::Select: 
          - 2
          - Fn::GetAZs: ""

  PrivateSubnetA:
    Type: 'AWS::EC2::Subnet'
    Properties:
      VpcId: !Ref AppVPC
      CidrBlock: !Ref PrivateSubnet1CIDR
      AvailabilityZone: 
        Fn::Select: 
          - 0
          - Fn::GetAZs: ""

  PrivateSubnetB:
    Type: 'AWS::EC2::Subnet'
    Properties:
      VpcId: !Ref AppVPC
      CidrBlock: !Ref PrivateSubnet2CIDR
      AvailabilityZone: 
        Fn::Select: 
          - 1
          - Fn::GetAZs: ""

  PrivateSubnetC:
    Type: 'AWS::EC2::Subnet'
    Properties:
      VpcId: !Ref AppVPC
      CidrBlock: !Ref PrivateSubnet3CIDR
      AvailabilityZone: 
        Fn::Select: 
          - 2
          - Fn::GetAZs: ""

  InternetGateway:
    Type: AWS::EC2::InternetGateway

  InternetGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      InternetGatewayId: !Ref InternetGateway
      VpcId: !Ref AppVPC

  NatGatewayEIP:
    Type: AWS::EC2::EIP
    DependsOn: InternetGatewayAttachment

  NatGateway:
    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId: !GetAtt NatGatewayEIP.AllocationId
      SubnetId: !Ref PublicSubnetA

#########################
# Route Tables
#########################

  PrivateRouteTable:
    Type: 'AWS::EC2::RouteTable'
    Properties:
      VpcId: !Ref AppVPC

  DefaultPrivateRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: !Ref NatGateway

  PrivateSubnetRouteTableAssociation1:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      RouteTableId: !Ref PrivateRouteTable
      SubnetId: !Ref PrivateSubnetA

  PrivateSubnetRouteTableAssociation2:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      RouteTableId: !Ref PrivateRouteTable
      SubnetId: !Ref PrivateSubnetB

  PrivateSubnetRouteTableAssociation3:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      RouteTableId: !Ref PrivateRouteTable
      SubnetId: !Ref PrivateSubnetC

  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref AppVPC

  DefaultPublicRoute:
    Type: AWS::EC2::Route
    DependsOn: InternetGatewayAttachment
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway

  PublicSubnetARouteTableAssociation1:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref PublicRouteTable
      SubnetId: !Ref PublicSubnetA

  PublicSubnetBRouteTableAssociation2:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref PublicRouteTable
      SubnetId: !Ref PublicSubnetB

  PublicSubnetBRouteTableAssociation3:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref PublicRouteTable
      SubnetId: !Ref PublicSubnetC


#########################
# SECURITY GROUPS
#########################

  VPCEndpointSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: Allow TLS for VPC Endpoint
      VpcId: !Ref AppVPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: !GetAtt AppVPC.CidrBlock

  EC2SecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: Default EC2 Instance SG
      VpcId: !Ref AppVPC
      
#########################
# VPC ENDPOINTS
#########################

  VPCEndpointGatewayS3:
    Type: 'AWS::EC2::VPCEndpoint'
    Properties:
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.s3'
      VpcEndpointType: Gateway
      VpcId: !Ref AppVPC
      RouteTableIds:
        - !Ref PrivateRouteTable
        
  VPCEndpointInterfaceSSM:
    Type: 'AWS::EC2::VPCEndpoint'
    Properties:
      VpcEndpointType: Interface
      PrivateDnsEnabled: false
      SubnetIds:
        - !Ref PrivateSubnetA
        - !Ref PrivateSubnetB
      SecurityGroupIds:
        - !Ref VPCEndpointSecurityGroup
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.ssm'
      VpcId: !Ref AppVPC
        
  VPCEndpointInterfaceEc2messages:
    Type: 'AWS::EC2::VPCEndpoint'
    Properties:
      VpcEndpointType: Interface
      PrivateDnsEnabled: false
      SubnetIds:
        - !Ref PrivateSubnetA
        - !Ref PrivateSubnetB
        - !Ref PrivateSubnetC
      SecurityGroupIds:
        - !Ref VPCEndpointSecurityGroup
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.ec2messages'
      VpcId: !Ref AppVPC
        
  VPCEndpointInterfaceSsmmessages:
    Type: 'AWS::EC2::VPCEndpoint'
    Properties:
      VpcEndpointType: Interface
      PrivateDnsEnabled: false
      SubnetIds:
        - !Ref PrivateSubnetA
        - !Ref PrivateSubnetB
        - !Ref PrivateSubnetC
      SecurityGroupIds:
        - !Ref VPCEndpointSecurityGroup
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.ssmmessages'
      VpcId: !Ref AppVPC
        
  VPCEndpointInterfaceSignin:
    Type: 'AWS::EC2::VPCEndpoint'
    Properties:
      VpcEndpointType: Interface
      PrivateDnsEnabled: false
      SubnetIds:
        - !Ref PrivateSubnetA
        - !Ref PrivateSubnetB
        - !Ref PrivateSubnetC
      SecurityGroupIds:
        - !Ref VPCEndpointSecurityGroup
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.signin'
      VpcId: !Ref AppVPC
        
  VPCEndpointInterfaceConsole:
    Type: 'AWS::EC2::VPCEndpoint'
    Properties:
      VpcEndpointType: Interface
      PrivateDnsEnabled: false
      SubnetIds:
        - !Ref PrivateSubnetA
        - !Ref PrivateSubnetB
        - !Ref PrivateSubnetC
      SecurityGroupIds:
        - !Ref VPCEndpointSecurityGroup
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.console'
      VpcId: !Ref AppVPC

#########################
# ROUTE53 RESOURCES
#########################

  ConsoleHostedZone: 
    Type: "AWS::Route53::HostedZone"
    Properties: 
      HostedZoneConfig: 
        Comment: 'Console VPC Endpoint Hosted Zone'
      Name: 'console.aws.amazon.com'
      VPCs: 
        - 
          VPCId: !Ref AppVPC
          VPCRegion: !Ref "AWS::Region"
          
  ConsoleRecordGlobal:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref 'ConsoleHostedZone'
      Name: 'console.aws.amazon.com'
      AliasTarget:
        DNSName: !Select ['1', !Split [':', !Select ['0', !GetAtt VPCEndpointInterfaceConsole.DnsEntries]]]
        HostedZoneId: !Select ['0', !Split [':', !Select ['0', !GetAtt VPCEndpointInterfaceConsole.DnsEntries]]]
      Type: A

  GlobalConsoleRecord:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref 'ConsoleHostedZone'
      Name: 'global.console.aws.amazon.com'
      AliasTarget:
        DNSName: !Select ['1', !Split [':', !Select ['0', !GetAtt VPCEndpointInterfaceConsole.DnsEntries]]]
        HostedZoneId: !Select ['0', !Split [':', !Select ['0', !GetAtt VPCEndpointInterfaceConsole.DnsEntries]]]
      Type: A
          
  ConsoleS3ProxyRecordGlobal:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref 'ConsoleHostedZone'
      Name: 's3.console.aws.amazon.com'
      AliasTarget:
        DNSName: !Select ['1', !Split [':', !Select ['0', !GetAtt VPCEndpointInterfaceConsole.DnsEntries]]]
        HostedZoneId: !Select ['0', !Split [':', !Select ['0', !GetAtt VPCEndpointInterfaceConsole.DnsEntries]]]
      Type: A
          
  ConsoleSupportProxyRecordGlobal:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref 'ConsoleHostedZone'
      Name: "support.console.aws.amazon.com"
      AliasTarget:
        DNSName: !Select ['1', !Split [':', !Select ['0', !GetAtt VPCEndpointInterfaceConsole.DnsEntries]]]
        HostedZoneId: !Select ['0', !Split [':', !Select ['0', !GetAtt VPCEndpointInterfaceConsole.DnsEntries]]]
      Type: A
          
  ExplorerProxyRecordGlobal:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref 'ConsoleHostedZone'
      Name: "resource-explorer.console.aws.amazon.com"
      AliasTarget:
        DNSName: !Select ['1', !Split [':', !Select ['0', !GetAtt VPCEndpointInterfaceConsole.DnsEntries]]]
        HostedZoneId: !Select ['0', !Split [':', !Select ['0', !GetAtt VPCEndpointInterfaceConsole.DnsEntries]]]
      Type: A
  
  WidgetProxyRecord:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref 'ConsoleHostedZone'
      Name: "*.widget.console.aws.amazon.com"
      AliasTarget:
        DNSName: !Select ['1', !Split [':', !Select ['0', !GetAtt VPCEndpointInterfaceConsole.DnsEntries]]]
        HostedZoneId: !Select ['0', !Split [':', !Select ['0', !GetAtt VPCEndpointInterfaceConsole.DnsEntries]]]
      Type: A

  ConsoleRecordRegional:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref 'ConsoleHostedZone'
      Name: !Sub "${AWS::Region}.console.aws.amazon.com"
      AliasTarget:
        DNSName: !Select ['1', !Split [':', !Select ['0', !GetAtt VPCEndpointInterfaceConsole.DnsEntries]]]
        HostedZoneId: !Select ['0', !Split [':', !Select ['0', !GetAtt VPCEndpointInterfaceConsole.DnsEntries]]]
      Type: A

  ConsoleRecordRegionalMultiSession:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref 'ConsoleHostedZone'
      Name: !Sub "*.${AWS::Region}.console.aws.amazon.com"
      AliasTarget:
        DNSName: !Select ['1', !Split [':', !Select ['0', !GetAtt VPCEndpointInterfaceConsole.DnsEntries]]]
        HostedZoneId: !Select ['0', !Split [':', !Select ['0', !GetAtt VPCEndpointInterfaceConsole.DnsEntries]]]
      Type: A

  SigninHostedZone: 
    Type: "AWS::Route53::HostedZone"
    Properties: 
      HostedZoneConfig: 
        Comment: 'Signin VPC Endpoint Hosted Zone'
      Name: 'signin.aws.amazon.com'
      VPCs: 
        - 
          VPCId: !Ref AppVPC
          VPCRegion: !Ref "AWS::Region"
          
  SigninRecordGlobal:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref 'SigninHostedZone'
      Name: 'signin.aws.amazon.com'
      AliasTarget:
        DNSName: !Select ['1', !Split [':', !Select ['0', !GetAtt VPCEndpointInterfaceSignin.DnsEntries]]]
        HostedZoneId: !Select ['0', !Split [':', !Select ['0', !GetAtt VPCEndpointInterfaceSignin.DnsEntries]]]
      Type: A
          
  SigninRecordRegional:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref 'SigninHostedZone'
      Name: !Sub "${AWS::Region}.signin.aws.amazon.com"
      AliasTarget:
        DNSName: !Select ['1', !Split [':', !Select ['0', !GetAtt VPCEndpointInterfaceSignin.DnsEntries]]]
        HostedZoneId: !Select ['0', !Split [':', !Select ['0', !GetAtt VPCEndpointInterfaceSignin.DnsEntries]]]
      Type: A

#########################
# EC2 INSTANCE
#########################

  Ec2InstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          -
            Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: /
      ManagedPolicyArns: 
        - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore

  Ec2InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties: 
      Path: /
      Roles: 
       - !Ref Ec2InstanceRole

  EC2WinInstance:
    Type: 'AWS::EC2::Instance'
    Properties:
      ImageId: !Ref LatestWindowsAmiId
      IamInstanceProfile: !Ref Ec2InstanceProfile
      KeyName: !Ref Ec2KeyPair
      InstanceType:
        Ref: InstanceTypeParameter
      SubnetId: !Ref PrivateSubnetA
      SecurityGroupIds:
        - Ref: EC2SecurityGroup
      BlockDeviceMappings:
        - DeviceName: /dev/sda1
          Ebs:
            VolumeSize: 50
      Tags: 
      - Key: "Name"
        Value: "Console VPCE test instance"
```

**Set up the network**

1. Sign in to the management account for your organization and open the [CloudFormation console](https://console.aws.amazon.com/cloudformation).

1. Choose **Create stack**.

1. Choose **With new resources (standard)**. Upload the CloudFormation template file that you created earlier, and then choose **Next**.

1. Enter a name for the stack (for example, **PrivateConsoleNetworkForS3**), and then choose **Next**.

1. For **VPC and subnets**, enter your preferred IP CIDR ranges, or use the provided defaults. If you use the defaults, verify that they do not overlap with existing VPC resources in your AWS account.

1. For the **Ec2KeyPair** parameter, choose one of the existing Amazon EC2 key pairs in your account. If you do not have an existing Amazon EC2 key pair, you must create one before proceeding to the next step. For more information, see [Create a key pair using Amazon EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/create-key-pairs.html#having-ec2-create-your-key-pair) in the *Amazon EC2 User Guide*.

1. Choose **Create stack**.

1. After the stack is created, choose the **Resources** tab to view the resources that were created.

**Connect to the Amazon EC2 instance**

1. Sign in to the management account for your organization and open the [Amazon EC2 console](https://console.aws.amazon.com/ec2).

1. In the navigation pane, choose **Instances**.

1. On the **Instances** page, select the **Console VPCE test instance** created by the CloudFormation template, and then choose **Connect**.
**Note**  
This example uses Fleet Manager, a capability of AWS Systems Manager, to connect to your Windows server. It may take a few minutes for the connection to start.

1. On the **Connect to instance** page, choose **RDP client**, and then choose **Connect using Fleet Manager**.

1. Choose **Fleet Manager Remote Desktop**.

1. To get the administrator password for the Amazon EC2 instance and access the Windows desktop through the web interface, use the private key associated with the Amazon EC2 key pair that you chose when you created the CloudFormation stack.

1. In the Amazon EC2 Windows instance, open the AWS Management Console in a browser.

1. After signing in with your AWS credentials, open the [Amazon S3 console](https://console.aws.amazon.com/s3) and verify that you are connected using AWS Management Console Private Access.

**Test the AWS Management Console Private Access setup**

1. Sign in to the management account for your organization and open the [Amazon S3 console](https://console.aws.amazon.com/s3).

1. Choose the lock private icon in the navigation bar to view the VPC endpoint being used. The following screenshot shows the location of the lock private icon and the VPC information.  
![\[Amazon S3 console showing the lock icon and AWS Management Console Private Access information.\]](http://docs.aws.amazon.com/zh_cn/awsconsolehelpdocs/latest/gsg/images/console-private-access-verify-1.png)
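The lock icon confirms private access visually; the following added Python check (not part of the AWS page or its template) makes the same verification from DNS: every console and sign-in hostname that the template's private hosted zones cover must resolve to an address inside the VPC CIDR (`172.16.0.0/16` with the template defaults). The region, the sample addresses and the `example` label used for the two wildcard records are constructed assumptions.

```python
import ipaddress
import socket

# Added example, not from the AWS page or its template. The names are those the
# template's ConsoleHostedZone and SigninHostedZone records cover; the label
# "example" stands in for the two wildcard records (*.widget... and *.<region>...).
def private_access_hostnames(region):
    return [
        "console.aws.amazon.com",
        "global.console.aws.amazon.com",
        "s3.console.aws.amazon.com",
        "support.console.aws.amazon.com",
        "resource-explorer.console.aws.amazon.com",
        "example.widget.console.aws.amazon.com",
        f"{region}.console.aws.amazon.com",
        f"example.{region}.console.aws.amazon.com",
        "signin.aws.amazon.com",
        f"{region}.signin.aws.amazon.com",
    ]

def resolve_a(hostname):
    """Live resolver: IPv4 addresses the instance's DNS returns for hostname."""
    return sorted({r[4][0] for r in socket.getaddrinfo(hostname, 443, socket.AF_INET)})

def check_private_resolution(region, vpc_cidr, resolver=resolve_a):
    """Map each console/sign-in name that does not resolve into vpc_cidr to the
    addresses outside it ([] when there is no answer at all). An empty result
    means the private hosted zones answer every name, so the browser reaches the
    console and signin interface endpoints rather than the public service."""
    vpc = ipaddress.ip_network(vpc_cidr)
    leaks = {}
    for host in private_access_hostnames(region):
        addrs = resolver(host)
        outside = [a for a in addrs if ipaddress.ip_address(a) not in vpc]
        if not addrs or outside:
            leaks[host] = outside
    return leaks

def endpoint_alias_target(dns_entries):
    """The split the template does with !Select/!Split on a VPC endpoint's
    DnsEntries ("<hosted zone id>:<dns name>"): alias target of the first entry."""
    zone_id, _, dns_name = dns_entries[0].partition(":")
    return zone_id, dns_name

# Constructed sample answers (not real resolver output): every name resolves to
# endpoint ENIs in the private subnets except support.console.aws.amazon.com,
# which leaks to a public address, as it would if its alias record were missing.
SAMPLE_ANSWERS = {h: ["172.16.4.20", "172.16.5.20"] for h in private_access_hostnames("us-east-1")}
SAMPLE_ANSWERS["support.console.aws.amazon.com"] = ["203.0.113.10"]
```

On the instance itself, call `check_private_resolution(region, vpc_cidr)` without the resolver argument to query the VPC's DNS live; with the constructed answers above it reports only `support.console.aws.amazon.com`.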