
create private subnet #10

Merged (3 commits), Dec 2, 2017
Conversation

litencatt (Owner) commented Dec 2, 2017

  • create private subnet
  • create security group "db-sg" and assign to db-server
    • check ping
  • ssh to db-server from web-server

litencatt (Owner, Author) commented Dec 2, 2017

Created the private subnet

(screenshot)

litencatt (Owner, Author) commented Dec 2, 2017

Added a DB server on EC2

(screenshot)

litencatt (Owner, Author) commented Dec 2, 2017

Added a security group to the DB server

(screenshots)

Added a rule allowing ICMP echo

Specifying from_port = 0, to_port = 65535 in the ICMP allow rule produced an error:

* aws_security_group.db-sg: Error revoking security group ingress rules: InvalidParameterValue: ICMP code (65535) out of range

issue: hashicorp/terraform#1313

https://www.terraform.io/docs/providers/aws/r/security_group.html#from_port
When protocol is ICMP, from_port and to_port must be given ICMP numbers rather than port numbers.

+  ingress {
+    from_port   = 8
+    to_port     = 0
+    protocol    = "icmp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+ 
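Review bot: `cidr_blocks = ["0.0.0.0/0"]` on this ICMP ingress rule admits echo requests from any source, while the stated goal is only a ping from the web server (10.0.1.10); consider narrowing the source to the web server's address range or referencing the web server's security group instead. The `from_port = 8` / `to_port = 0` pair is correct for echo request (ICMP type 8, code 0), matching the linked provider documentation. The trailing `+ ` line adds a blank line with whitespace and should be dropped.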

After applying the above configuration:

(screenshot)
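The ICMP type/code rule described above (for `protocol = "icmp"`, Terraform passes `from_port` as the ICMP type and `to_port` as the ICMP code, each 0-255 or -1) can be checked before `terraform apply` rather than discovered from the AWS error. The following is an added example, not code from this pull request or from the Terraform AWS provider: a small pre-apply linter that pulls `ingress` blocks out of a Terraform snippet, reports rules the API would reject (the original 0/65535 ICMP rule included) and flags source CIDRs wider than a trusted range. The sample snippet, the `10.0.1.0/24` web-tier range and the `10.0.0.0/16` VPC range are constructed assumptions; the page only shows the hosts 10.0.1.10 and 10.0.2.10. It goes beyond the page by also covering tcp/udp and the all-traffic (`-1`) protocol.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List


@dataclass
class IngressRule:
    """One `ingress { ... }` block of an aws_security_group resource."""
    from_port: int
    to_port: int
    protocol: str
    cidr_blocks: List[str] = field(default_factory=list)


# Minimal parser for the flat `key = value` attributes used in ingress blocks
# (integers, quoted strings, lists of quoted strings); not a full HCL parser.
_BLOCK_RE = re.compile(r"ingress\s*\{(.*?)\}", re.S)
_ATTR_RE = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$", re.M)


def _parse_value(raw: str):
    raw = raw.strip()
    if raw.startswith("["):
        return re.findall(r'"([^"]*)"', raw)
    if raw.startswith('"'):
        return raw.strip('"')
    return int(raw)


def parse_ingress_blocks(hcl: str) -> List[IngressRule]:
    """Extract every ingress block from a Terraform snippet."""
    rules = []
    for body in _BLOCK_RE.findall(hcl):
        attrs = {k: _parse_value(v) for k, v in _ATTR_RE.findall(body)}
        rules.append(IngressRule(
            from_port=int(attrs.get("from_port", 0)),
            to_port=int(attrs.get("to_port", 0)),
            protocol=str(attrs.get("protocol", "-1")),
            cidr_blocks=list(attrs.get("cidr_blocks", [])),
        ))
    return rules


def validate_rule(rule: IngressRule) -> List[str]:
    """Errors the AWS API would reject; an empty list means the rule is well-formed."""
    errors = []
    proto = rule.protocol.lower()
    if proto == "icmp":
        # For ICMP, from_port is sent as the ICMP type and to_port as the ICMP
        # code; each must be 0-255, or -1 for "any". 65535 is not a valid code.
        for label, value in (("ICMP type (from_port)", rule.from_port),
                             ("ICMP code (to_port)", rule.to_port)):
            if value != -1 and not 0 <= value <= 255:
                errors.append(f"{label} {value} out of range (use -1 or 0-255)")
    elif proto in ("tcp", "udp"):
        for label, value in (("from_port", rule.from_port), ("to_port", rule.to_port)):
            if not 0 <= value <= 65535:
                errors.append(f"{label} {value} out of range (0-65535)")
        if rule.from_port > rule.to_port:
            errors.append(f"from_port {rule.from_port} is greater than to_port {rule.to_port}")
    elif proto == "-1":
        # "-1" means all protocols; the provider requires both ports to be 0.
        if rule.from_port != 0 or rule.to_port != 0:
            errors.append('protocol "-1" (all traffic) requires from_port = to_port = 0')
    else:
        errors.append(f"unsupported protocol {rule.protocol!r}")
    return errors


def overly_broad_sources(rule: IngressRule, trusted_cidrs: List[str]) -> List[str]:
    """Source CIDRs not contained in any trusted range (least-privilege advisory)."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    broad = []
    for cidr in rule.cidr_blocks:
        net = ipaddress.ip_network(cidr)
        if not any(net.version == t.version and net.subnet_of(t) for t in trusted):
            broad.append(cidr)
    return broad


# Constructed sample: the rejected ICMP rule followed by a corrected,
# source-restricted echo-request rule (hypothetical 10.0.1.0/24 web tier).
SAMPLE_HCL = '''
resource "aws_security_group" "db-sg" {
  ingress {
    from_port   = 0
    to_port     = 65535
    protocol    = "icmp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    from_port   = 8
    to_port     = 0
    protocol    = "icmp"
    cidr_blocks = ["10.0.1.0/24"]
  }
}
'''

TRUSTED_RANGES = ["10.0.0.0/16"]  # assumed VPC CIDR covering 10.0.1.x and 10.0.2.x


if __name__ == "__main__":
    for i, rule in enumerate(parse_ingress_blocks(SAMPLE_HCL)):
        print(f"ingress #{i}: {rule.protocol} {rule.from_port}/{rule.to_port} from {rule.cidr_blocks}")
        for err in validate_rule(rule):
            print("  ERROR:", err)
        for cidr in overly_broad_sources(rule, TRUSTED_RANGES):
            print("  WARN: source", cidr, "is wider than", TRUSTED_RANGES)
```

Running the script prints one error for the first block (the ICMP code 65535 the AWS API rejected) plus a warning about its `0.0.0.0/0` source, and nothing for the corrected block, so the check fails early instead of after a partial apply.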

litencatt (Owner, Author) commented Dec 2, 2017

ICMP echo check from the web server (10.0.1.10) to the DB server (10.0.2.10)

Against the private IP:

[ec2-user@ip-10-0-1-10 ~]$ ping 10.0.2.10
PING 10.0.2.10 (10.0.2.10) 56(84) bytes of data.
64 bytes from 10.0.2.10: icmp_seq=1 ttl=255 time=0.567 ms
64 bytes from 10.0.2.10: icmp_seq=2 ttl=255 time=0.421 ms
64 bytes from 10.0.2.10: icmp_seq=3 ttl=255 time=0.325 ms
64 bytes from 10.0.2.10: icmp_seq=4 ttl=255 time=0.470 ms
64 bytes from 10.0.2.10: icmp_seq=5 ttl=255 time=0.500 ms
^C
--- 10.0.2.10 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4074ms
rtt min/avg/max/mdev = 0.325/0.456/0.567/0.084 ms

Against the private DNS name:

[ec2-user@ip-10-0-1-10 ~]$ ping ip-10-0-2-10.ap-northeast-1.compute.internal
PING ip-10-0-2-10.ap-northeast-1.compute.internal (10.0.2.10) 56(84) bytes of data.
64 bytes from ip-10-0-2-10.ap-northeast-1.compute.internal (10.0.2.10): icmp_seq=1 ttl=255 time=0.348 ms
64 bytes from ip-10-0-2-10.ap-northeast-1.compute.internal (10.0.2.10): icmp_seq=2 ttl=255 time=0.522 ms
64 bytes from ip-10-0-2-10.ap-northeast-1.compute.internal (10.0.2.10): icmp_seq=3 ttl=255 time=0.609 ms
64 bytes from ip-10-0-2-10.ap-northeast-1.compute.internal (10.0.2.10): icmp_seq=4 ttl=255 time=0.538 ms
^C
--- ip-10-0-2-10.ap-northeast-1.compute.internal ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 0.348/0.504/0.609/0.097 ms

litencatt (Owner, Author) commented Dec 2, 2017

ssh from the web server to the DB server

# copy my-key.pem to web-server
$ scp -i my-key.pem my-key.pem ec2-user@13.230.158.124:~/
my-key.pem                                                                                                        100% 1696     1.7KB/s   00:00

$ ssh -i my-key.pem ec2-user@13.230.158.124
Last login: Sat Dec  2 04:21:32 2017 from 133.208.249.39

       __|  __|_  )
       _|  (     /   Amazon Linux AMI
      ___|\___|___|

https://aws.amazon.com/amazon-linux-ami/2017.09-release-notes/

# change the permissions on my-key.pem
[ec2-user@ip-10-0-1-10 ~]$ chmod 400 my-key.pem

[ec2-user@ip-10-0-1-10 ~]$ ssh -i my-key.pem ec2-user@10.0.2.10

       __|  __|_  )
       _|  (     /   Amazon Linux AMI
      ___|\___|___|

https://aws.amazon.com/amazon-linux-ami/2017.09-release-notes/
[ec2-user@ip-10-0-2-10 ~]$

@litencatt litencatt merged commit 69a07a3 into master Dec 2, 2017
@litencatt litencatt deleted the create-private-subnet branch December 2, 2017 04:36
litencatt added a commit that referenced this pull request Dec 3, 2017