VPC公共网络和私有网络划分
本篇将指导您创建自己的IBM Cloud™ Virtual Private Cloud (VPC)环境,该环境是一个具有多个子网,并在每个子网中有一个虚拟服务器实例(VSI)的虚拟私有云。VPC是您自己的私有云,位于共享云基础设施上,与其他虚拟网络进行逻辑隔离。
子网是一段IP地址范围。它绑定到单个区域,不能跨越多个Zones或Regions。对于专有网络而言,子网的一个重要特征是子网之间可以相互隔离,也可以按照通常的方式互连。子网隔离可以由充当防火墙的安全组来完成,这些安全组控制一个或多个虚拟服务器实例的入站和出站流量。
较好的做法是将一个子网用于必须对外公开的资源。具有受限访问权限且永远不应从外部直接访问的资源被放置在不同的子网中。此类子网内的实例可能是您的后端数据库或某些您不希望公开访问的机密存储。您将定义安全组以允许或拒绝到对应VSI的访问。
下面的步骤我们将着重介绍如何使用在命令行下调用RestAPI的方式进行整个环境的创建,来帮助大家更好的了解VPC后端的细节。 如需使用UI的方式,大家也可参考IBM Cloud上的教程进行配置。
前提准备:
1.拥有IBM Cloud账号,该账户有权限创建虚拟服务器实例。
2.准备好IBM Cloud密钥。(用于命令行下获取账户权限)
3.准备好SSH公用密钥。(后面创建虚拟机使用)
4.准备一个命令行环境(可以是Linux环境,可以是IBM Cloud Shell)
步骤 1:将 API 密钥存储为变量
# apikey=" your api key"步骤 2:获取 IBM Identity and Access Management(IAM)令牌,并存入变量中。
# iam_token=`curl -k -X POST \
--header "Content-Type: application/x-www-form-urlencoded" \
--header "Accept: application/json" \
--data-urlencode "grant_type=urn:ibm:params:oauth:grant-type:apikey" \
--data-urlencode "apikey=$apikey" \
"https://iam.cloud.ibm.com/identity/token" |jq -r '(.token_type + " " + .access_token)'
如果你的环境中没有安装jq,请先安装jq: 复制jq文件到/usr/bin目录下,修改文件可执行权限
# chmod +x /usr/bin/jq步骤 3:将 API 端点和 version 参数存储为变量
API 端点是基于区域的,并遵循约定 'https://region.iaas.cloud.ibm.com', 现在IBM Cloud有6个区域提供VPC服务:
Location Region API Endpoint
Dallas us-south us-south.iaas.cloud.ibm.com
Frankfurt eu-de eu-de.iaas.cloud.ibm.com
Tokyo jp-tok jp-tok.iaas.cloud.ibm.com
London eu-gb eu-gb.iaas.cloud.ibm.com
Sydney au-syd au-syd.iaas.cloud.ibm.com
Washington DC us-east us-east.iaas.cloud.ibm.com
在我们的这个实验中,我们使用us-south的环境。
# rias_endpoint="https://us-south.iaas.cloud.ibm.com" 每个 API 请求都必须包含 version 参数,格式为 YYYY-MM-DD, 具体日期可以是之前的任一时间,但建议使用较临近的日期。运行以下命令将版本日期存储在变量中,以便可以在会话中复用。
# version="2020-06-30"步骤 4:运行 GET VPCs API
以下命令以 JSON 格式返回在您的帐户下创建的所有 VPC。(下面API Call中的generation=2是指获取创建的2代VPC环境,如果希望获取创建的1代环境,将数字2改为1即可)
# curl -X GET "$rias_endpoint/v1/vpcs?version=$version&generation=2" -H "Authorization: $iam_token"如果你想使用现有的VPC环境,可以将现有VPC的ID存入VPC变量中,供后面使用:
# vpc="<YOUR_VPC_ID>"第一部分,创建堡垒机,以及为堡垒机配置防御安全组,维护安全组和子网。
在我们这个实验中,我们新建VPC进行练习。
步骤 5:创建虚拟私有云,并将VPC标识存储在变量中。
# vpc=`curl -X POST "$rias_endpoint/v1/vpcs?version=$version&generation=2" -H "Authorization: $iam_token" \
-d '{
"name": "my-vpc"
}' |jq -r .id`
步骤 6:创建堡垒机私有子网,并将子网标识存储在变量中
以下示例在 us-south-2 专区中创建 VPC 要获取 VPC 的地址前缀列表,请运行以下命令:
# curl -X GET "$rias_endpoint/v1/vpcs/$vpc/address_prefixes?version=$version&generation=2" -H "Authorization:$iam_token"|jq -r '.address_prefixes[]|{cidr:.cidr,name:.zone.name}'创建堡垒机安全子网bastion-subnet,用于后续创建堡垒机实例所在子网使用:
# bastion_subnet=`curl -X POST "$rias_endpoint/v1/subnets?version=$version&generation=2" \
-H "Authorization:$iam_token" \
-d '{
"name": "bastion-subnet",
"ipv4_cidr_block": "10.240.64.0/28",
"zone": { "name": "us-south-2" },
"vpc": { "id": "'$vpc'" }
}'|jq -r '.id'`
注意上面:<"ipv4_cidr_block": "10.240.64.0">,其中的IP段是获取的VPC的地址前缀列表中的数据。
步骤 7:检查子网的状态
要在子网中供应资源,子网必须处于 available 状态。继续操作之前,请查询子网资源,并确保状态为 available。如果状态为 failed,请联系支持人员并提供详细信息。您可以尝试继续供应其他子网。
# curl -X GET "$rias_endpoint/v1/subnets/$bastion_subnet?version=$version&generation=2" -H "Authorization: $iam_token"|jq -r '.status'步骤 8:创建公共网关,并将公共网关标识存储在变量中。
# bastion_gateway=`curl -X POST "$rias_endpoint/v1/public_gateways?version=$version&generation=2" \
-H "Authorization:$iam_token" \
-d '{
"name": "bastion-gateway",
"zone": { "name": "us-south-2" },
"vpc": { "id": "'$vpc'" }
}' |jq -r '.id' `
为了连接并使用公共网关,公共网关必须处于 available 状态。继续操作之前,请查询公共网关资源,并确保状态为 available。 要检查公共网关的状态,请运行以下命令:
# curl -X GET "$rias_endpoint/v1/public_gateways/$bastion_gateway?version=$version&generation=2" -H "Authorization: $iam_token" |jq -r '.status'步骤 9:将公共网关连接到堡垒机子网
此处,我们将公共网关连接至堡垒机子网,这样堡垒机子网里面的机器就可以访问互联网。
# curl -X PUT "$rias_endpoint/v1/subnets/$bastion_subnet/public_gateway?version=$version&generation=2" \
-H "Authorization:$iam_token" \
-d '{
"id": "'$bastion_gateway'"
}'
步骤 10:为堡垒机创建和配置防御安全组
将安全组标识存储在vpc_secure_bastion_sg变量中
# vpc_secure_bastion_sg=`curl -X POST "$rias_endpoint/v1/security_groups?version=$version&generation=2" \
-H "Authorization: $iam_token" \
-d '{
"name": "vpc-sure-bastion-sg",
"vpc": {
"id": "'$vpc'"
}
}' | jq -r '.id'`
为防御安全组(vpc-secure-bastion-sg)添加入站规则,创建以下规则,允许 SSH 访问和 Ping (ICMP) 操作。入站规则如下:
协议 源类型 源 值
TCP 任意 0.0.0.0/0 端口 22-22
ICMP 任意 0.0.0.0/0 类型:8,代码:留空
命令如下:
# curl -X POST "$rias_endpoint/v1/security_groups/$vpc_secure_bastion_sg/rules?version=$version&generation=2" \
-H "Authorization: $iam_token" \
-d '{
"direction": "inbound",
"ip_version": "ipv4",
"protocol": "tcp",
"port_min": 22,
"port_max": 22
}'
# curl -X POST "$rias_endpoint/v1/security_groups/$vpc_secure_bastion_sg/rules?version=$version&generation=2" \
-H "Authorization: $iam_token" \
-d '{
"direction": "inbound",
"ip_version": "ipv4",
"protocol": "icmp",
"type": 8
}'
步骤 11:创建并配置维护安全组
创建名为vpc-secure-maintenance-sg的维护安全组,用于安装和更新软件之类的维护任务的安全组。 出站规则如下:
协议 目标类型 目标 值
TCP 任意 0.0.0.0/0 端口 80-80
TCP 任意 0.0.0.0/0 端口 443-443
TCP 任意 0.0.0.0/0 端口 53-53
UDP 任意 0.0.0.0/0 端口 53-53
命令如下:
# vpc_secure_maintenance_sg=`curl -X POST "$rias_endpoint/v1/security_groups?version=$version&generation=2" \
-H "Authorization: $iam_token" \
-d '{
"name": "vpc-secure-maintenance-sg",
"rules": [
{
"direction": "outbound",
"ip_version": "ipv4",
"port_max": 80,
"port_min": 80,
"protocol": "tcp"
},
{
"direction": "outbound",
"ip_version": "ipv4",
"port_max": 443,
"port_min": 443,
"protocol": "tcp"
},
{
"direction": "outbound",
"ip_version": "ipv4",
"port_max": 53,
"port_min": 53,
"protocol": "tcp"
},
{
"direction": "outbound",
"ip_version": "ipv4",
"port_max": 53,
"port_min": 53,
"protocol": "udp"
},
{
"direction": "inbound",
"ip_version": "ipv4",
"port_max": 22,
"port_min": 22,
"protocol": "tcp",
"remote": {
"id": "'$vpc_secure_bastion_sg'"
}
}
],
"vpc": {
"id": "'$vpc'"
}
}'|jq -r '.id'`
(可选)如果需要在维护安全组内的机器能够ping到外面的域名或IP地址的话,可以添加下面的出站规则:
协议 源类型 源 值
ICMP 任意 0.0.0.0/0 类型:8,代码:留空
命令如下:
# curl -X POST "$rias_endpoint/v1/security_groups/$vpc_secure_maintenance_sg/rules?version=$version&generation=2" \
-H "Authorization: $iam_token" \
-d '{
"direction": "outbound",
"ip_version": "ipv4",
"protocol": "icmp",
"type": 8
}'
再为先前创建的防御安全组(vpc-secure-bastion-sg)增加出站规则,指向vpc-secure-maintenance-sg,使得能够让堡垒机作为跳板登录到此vpc中其他子网中应用了维护安全组的机器中,已进行原件的安装和维护等等。
# curl -X POST "$rias_endpoint/v1/security_groups/$vpc_secure_bastion_sg/rules?version=$version&generation=2" \
-H "Authorization: $iam_token" \
-d '{
"direction": "outbound",
"ip_version": "ipv4",
"protocol": "tcp",
"port_min": 22,
"port_max": 22,
"remote": {
"id": "'$vpc_secure_maintenance_sg'"
}
}'
步骤 12:创建 SSH 密钥
使用公用 SSH 密钥创建密钥。创建虚拟服务器实例时,将使用此密钥。此外,登录到虚拟服务器实例时,也需要此密钥。 提示: 在 UI 或 CLI 中创建 VPC 之初,可以添加密钥。以后没有任何工具可用于添加密钥。
# key=`curl -X POST "$rias_endpoint/v1/keys?version=$version&generation=2" \
-H "Authorization:$iam_token" \
-d '{
"name": "my-key",
"public_key": "ssh-rsa AAA....n",
"type": "rsa"
}'|jq -r '.id'`
步骤 13:为虚拟服务器实例选择概要文件和映像
运行 API 以列出可用于虚拟服务器实例的所有概要文件和映像,然后选择组合。
# curl -X GET "$rias_endpoint/v1/instance/profiles?version=$version&generation=2" -H "Authorization:$iam_token"将概要文件名称存储在变量中
# profile_name="<CHOSEN_PROFILE_NAME>"运行以下命令将列出可用的映像。
# curl -X GET "$rias_endpoint/v1/images?version=$version&generation=2" -H "Authorization:$iam_token"|jq -r '.images[]|{id:.id,name:.name,osname:.operating_system.name,osarch:.operating_system.architecture}'将映像标识存储在变量中
# image_id="<CHOSEN_IMAGE_ID>"步骤 14:供应堡垒机虚拟服务器实例,并将虚拟服务器实例标识存储在变量中。
在新创建的堡垒机子网中供应虚拟服务器实例 (VSI)。请传入公用 SSH 密钥,以便可以在供应实例后登录。
# bastion_server=`curl -X POST "$rias_endpoint/v1/instances?version=$version&generation=2" \
-H "Authorization:$iam_token" \
-d '{
"name": "bastion-server",
"zone": {
"name": "us-south-2"
},
"vpc": {
"id": "'$vpc'"
},
"primary_network_interface": {
"subnet": {
"id": "'$bastion_subnet'"
},
"security_groups": [
{
"id": "'$vpc_secure_bastion_sg'"
}
]
},
"keys":[{"id": "'$key'"}],
"profile": {
"name": "'$profile_name'"
},
"image": {
"id": "'$image_id'"
},
"user_data": ""
}'|jq -r '.id'`
步骤 15:检查虚拟服务器实例的状态
供应虚拟服务器实例可能需要最长几分钟时间。继续操作之前,请查询服务器的状态,并确保状态为 running
# curl -X GET "$rias_endpoint/v1/instances/$bastion_server?version=$version&generation=2" -H "Authorization: $iam_token" |jq -r '.status'将虚拟服务器实例的主网络接口标识(在先前的 API 调用中返回)存储在变量中。
# bastion_network_interface=`curl -X GET "$rias_endpoint/v1/instances/$bastion-server?version=$version&generation=2" -H "Authorization: $iam_token"|jq -r '.primary_network_interface.id'`步骤 16:在堡垒机的网卡上创建浮动 IP, 并将浮动 IP 标识存储在变量中。
要为虚拟服务器实例创建浮动 IP,请将实例的主网络接口用作新浮动 IP 地址的目标。
# bastion_floating_ip=`curl -X POST "$rias_endpoint/v1/floating_ips?version=$version&generation=2" \
-H "Authorization:$iam_token" \
-d '{
"name": "bastion-server-floatingip",
"target": {
"id":"'$bastion_network_interface'"
}
}' |jq -r '.id'`
步骤 17:通过 SSH 登录到虚拟服务器实例
要通过 SSH 登录到服务器,请使用先前创建的浮动 IP 的 address。要获取浮动 IP 的 address,请运行以下命令:
# curl -X GET "$rias_endpoint/v1/floating_ips/$bastion_floating_ip?version=$version&generation=2" -H "Authorization:$iam_token"|jq -r '.address'使用浮动 IP 的 address 可通过 SSH 连接到虚拟服务器实例:
# ssh -i ~/.ssh/<PRIVATE_KEY> root@<BASTION_FLOATING_IP_ADDRESS>(可选)如果此堡垒机需要通过Internet安装软件包,则可以将实例添加到vpc-secure-maintenance-sg维护安全组中。
命令如下:
# curl -X PUT "$rias_endpoint/v1/security_groups/$vpc_secure_maintenance_sg/network_interfaces/$bastion_network_interface?version=$version&generation=2" -H "Authorization: $iam_token"第二部分,创建后端子网,安全组以及虚拟机实例
在这个部分,我们会创建对应的子网,安全组和虚拟服务器来用于后端应用。
步骤 18:创建后端子网
请运行以下命令,获取 VPC 的地址前缀列表:
# curl -X GET "$rias_endpoint/v1/vpcs/$vpc/address_prefixes?version=$version&generation=2" -H "Authorization:$iam_token"|jq -r '.address_prefixes[]|{cidr:.cidr,name:.zone.name}'创建后端子网(backend-subnet),用于部署后端实例。
# backend_subnet=`curl -X POST "$rias_endpoint/v1/subnets?version=$version&generation=2" \
-H "Authorization:$iam_token" \
-d '{
"name": "backend-subnet",
"ipv4_cidr_block": "10.240.65.0/28",
"zone": { "name": "us-south-2" },
"vpc": { "id": "'$vpc'" }
}'|jq -r '.id'`
检查子网状态:
# curl -X GET "$rias_endpoint/v1/subnets/$backend_subnet?version=$version&generation=2" -H "Authorization: $iam_token"|jq -r '.status'步骤 19:创建后端安全组(backend-sg)
将安全组标识存储在backend_sg变量中
# backend_sg=`curl -X POST "$rias_endpoint/v1/security_groups?version=$version&generation=2" \
-H "Authorization: $iam_token" \
-d '{
"name": "backend-sg",
"vpc": {
"id": "'$vpc'"
}
}' | jq -r '.id'`
步骤 20:创建后端虚拟机实例
创建后端实例的时候选择后端安全组(backend-sg)和维护安全组(vpc-secure-maintenance-sg),以便让管理员通过堡垒机作为跳板,登录到后端虚拟服务器实例进行操作。
# backend_server=`curl -X POST "$rias_endpoint/v1/instances?version=$version&generation=2" \
-H "Authorization:$iam_token" \
-d '{
"name": "backend-server",
"zone": {
"name": "us-south-2"
},
"vpc": {
"id": "'$vpc'"
},
"primary_network_interface": {
"subnet": {
"id": "'$backend_subnet'"
},
"security_groups": [
{
"id": "'$vpc_secure_maintenance_sg'"
},
{
"id": "'$backend_sg'"
}
]
},
"keys":[{"id": "'$key'"}],
"profile": {
"name": "'$profile_name'"
},
"image": {
"id": "'$image_id'"
},
"user_data": ""
}'|jq -r '.id'`
步骤 21:获取后端服务器主网络标识ID供后续使用:
# backend_network_interface=`curl -X GET "$rias_endpoint/v1/instances/$backend_server?version=$version&generation=2" -H "Authorization: $iam_token"|jq -r '.primary_network_interface.id'`第三部分,创建前端子网,安全组和虚拟服务器实例
与创建后端服务的步骤基本类似,需要注意的是创建子网时的cidr。
步骤 22:创建前端子网
请运行以下命令,获取 VPC 的地址前缀列表:
# curl -X GET "$rias_endpoint/v1/vpcs/$vpc/address_prefixes?version=$version&generation=2" -H "Authorization:$iam_token"|jq -r '.address_prefixes[]|{cidr:.cidr,name:.zone.name}'创建前端子网(frontend-subnet),用于部署前端实例。
# frontend_subnet=`curl -X POST "$rias_endpoint/v1/subnets?version=$version&generation=2" \
-H "Authorization:$iam_token" \
-d '{
"name": "frontend-subnet",
"ipv4_cidr_block": "10.240.66.0/28",
"zone": { "name": "us-south-2" },
"vpc": { "id": "'$vpc'" }
}'|jq -r '.id'`
检查子网状态:
# curl -X GET "$rias_endpoint/v1/subnets/$frontend_subnet?version=$version&generation=2" -H "Authorization: $iam_token"|jq -r '.status'步骤 23:创建前端安全组(frontend-sg)
将安全组标识存储在frontend_sg变量中
# frontend_sg=`curl -X POST "$rias_endpoint/v1/security_groups?version=$version&generation=2" \
-H "Authorization: $iam_token" \
-d '{
"name": "frontend-sg",
"vpc": {
"id": "'$vpc'"
}
}' | jq -r '.id'`
步骤 24:创建前端虚拟机实例
创建前端实例的时候选择前端安全组(frontend-sg)和维护安全组(vpc-secure-maintenance-sg),以便让管理员通过堡垒机作为跳板,登录到前端虚拟服务器实例进行操作。
# frontend_server=`curl -X POST "$rias_endpoint/v1/instances?version=$version&generation=2" \
-H "Authorization:$iam_token" \
-d '{
"name": "frontend-server",
"zone": {
"name": "us-south-2"
},
"vpc": {
"id": "'$vpc'"
},
"primary_network_interface": {
"subnet": {
"id": "'$frontend_subnet'"
},
"security_groups": [
{
"id": "'$vpc_secure_maintenance_sg'"
},
{
"id": "'$frontend_sg'"
}
]
},
"keys":[{"id": "'$key'"}],
"profile": {
"name": "'$profile_name'"
},
"image": {
"id": "'$image_id'"
},
"user_data": ""
}'|jq -r '.id'`
步骤 25:为前端实例添加浮动IP,并将浮动 IP 标识存储在变量中。
供应虚拟服务器实例可能需要最长几分钟时间。继续操作之前,请查询服务器的状态,并确保状态为 running
# curl -X GET "$rias_endpoint/v1/instances/$frontend_server?version=$version&generation=2" -H "Authorization: $iam_token" |jq -r '.status'将虚拟服务器实例的主网络接口标识(在先前的 API 调用中返回)存储在变量中。
# frontend_network_interface=`curl -X GET "$rias_endpoint/v1/instances/$frontend_server?version=$version&generation=2" -H "Authorization: $iam_token"|jq -r '.primary_network_interface.id'`要为虚拟服务器实例创建浮动 IP,请将实例的主网络接口用作浮动 IP 地址的目标。
# frontend_floating_ip=`curl -X POST "$rias_endpoint/v1/floating_ips?version=$version&generation=2" \
-H "Authorization:$iam_token" \
-d '{
"name": "frontend-server-floatingip",
"target": {
"id":"'$frontend_network_interface'"
}
}' |jq -r '.id'`
要获取浮动 IP 的 address,请运行以下命令:
# curl -X GET "$rias_endpoint/v1/floating_ips/$frontend_floating_ip?version=$version&generation=2" -H "Authorization:$iam_token"|jq -r '.address'第四部分,建立前端和后端应用的连接。
步骤 26:配置前端安全组
首先,添加以下入站规则到前端安全组,允许进来的Http请求和Ping(ICMP)。
协议 源类型 源 值
TCP 任意 0.0.0.0/0 端口 80-80
ICMP 任意 0.0.0.0/0 类型:8,代码:留空
命令如下:
# curl -X POST "$rias_endpoint/v1/security_groups/$frontend_sg/rules?version=$version&generation=2" \
-H "Authorization: $iam_token" \
-d '{
"direction": "inbound",
"ip_version": "ipv4",
"protocol": "tcp",
"port_min": 80,
"port_max": 80
}'
# curl -X POST "$rias_endpoint/v1/security_groups/$frontend_sg/rules?version=$version&generation=2" \
-H "Authorization: $iam_token" \
-d '{
"direction": "inbound",
"ip_version": "ipv4",
"protocol": "icmp",
"type": 8
}'
然后添加出站规则,规则如下:
协议 源类型 源 值
TCP 安全组 backend-sg 端口 80-80
命令如下:
# curl -X POST "$rias_endpoint/v1/security_groups/$frontend_sg/rules?version=$version&generation=2" \
-H "Authorization: $iam_token" \
-d '{
"direction": "outbound",
"ip_version": "ipv4",
"protocol": "tcp",
"port_min": 80,
"port_max": 80,
"remote": {
"id": "'$backend_sg'"
}
}'
步骤 27:配置后端安全组
添加以下入站规则:
协议 源类型 源 值
TCP 安全组 frontend-sg 端口 80-80
命令如下:
# curl -X POST "$rias_endpoint/v1/security_groups/$backend_sg/rules?version=$version&generation=2" \
-H "Authorization: $iam_token" \
-d '{
"direction": "inbound",
"ip_version": "ipv4",
"protocol": "tcp",
"port_min": 80,
"port_max": 80,
"remote": {
"id": "'$frontend_sg'"
}
}'
步骤 28:测试前端应用
通过ssh登录到前端服务器实例: 如何获取前端服务器专用地址,命令如下:
# curl -X GET "$rias_endpoint/v1/instances/$frontend_server?version=$version&generation=2" -H "Authorization: $iam_token"|jq -r '.primary_network_interface.primary_ipv4_address'要获取堡垒机浮动IP地址,查看前面 # 步骤:17
# ssh -J root@<floating-ip-address-of-the-bastion-vsi> root@<private-ip-address-of-the-frontend-vsi>在前端服务器上安装nginx应用并启动:
CentOS 7.x:
运行以下命令:
# rpm -ivh http://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm
# yum install -y nginx
# echo "I'm the frontend server" > /usr/share/nginx/html/index.html
# systemctl start nginx
Ubuntu :
# apt-get update
# apt-get install -y nginx
# echo "I'm the backend server" > /var/www/html/index.html
# service start nginx
通过访问前端服务器的浮动IP测试前端应用的可用性(用浏览器打开下面网址):
http://<floating-ip-address-of-the-frontend-vsi>
步骤 29:测试前端到后端的连通性:
首选需要在后端实例上安装Nginx应用,以用作验证: 安装Nginx应用需要连接internet,所以需要给后端实例所在的子网添加公共网关,以使后端子网内的实例能够访问Internet。
注:由于我们前端实例自己配备有浮动IP地址,所以可以直接连上Internet,从而没有再配置公共网关。
创建网关:
# backend_servers_gateway=`curl -X POST "$rias_endpoint/v1/public_gateways?version=$version&generation=2" \
-H "Authorization:$iam_token" \
-d '{
"name": "backend-servers-gateway",
"zone": { "name": "us-south-2" },
"vpc": { "id": "'$vpc'" }
}' |jq -r '.id' `
关联网关到后端子网:
# curl -X PUT "$rias_endpoint/v1/subnets/$backend_subnet/public_gateway?version=$version&generation=2" \
-H "Authorization:$iam_token" \
-d '{
"id": "'$backend_servers_gateway'"
}'
如何获取后端服务器专用地址,然后通过堡垒机跳转连接至后端实例进行软件安装,命令如下:
# curl -X GET "$rias_endpoint/v1/instances/$backend_server?version=$version&generation=2" -H "Authorization: $iam_token"|jq -r '.primary_network_interface.primary_ipv4_address'# ssh -J root@<floating-ip-address-of-the-bastion-vsi> root@<private-ip-address-of-the-backend-vsi>在后端服务器上安装nginx应用并启动:
CentOS 7.x:
运行以下命令:
# rpm -ivh http://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm
# yum install -y nginx
# echo "I'm the frontend server" > /usr/share/nginx/html/index.html
# systemctl start nginx
Ubuntu :
# apt-get update
# apt-get install -y nginx
# echo "I'm the backend server" > /var/www/html/index.html
# service start nginx
退出后端实例的SSH连接,然后SSH连接到前端实例:
# ssh -J root@<floating-ip-address-of-the-bastion-vsi> root@<private-ip-address-of-the-frontend-vsi>在前端实例的shell内输入下面命令调用后端服务器的web服务:
# curl -v -m 30 http://<private-ip-address-of-the-backend-vsi>成功返回结果如下:
I'm the backend server步骤 30: 前端和后端实例退出维护安全组
对前端和后端实例进行安装维护完成后,可以将实例移出vpc-secure-maintenance-sg维护安全组,以防止他人通过堡垒机跳板登录虚拟机实例。
# curl -X DELETE "$rias_endpoint/v1/security_groups/$vpc_secure_maintenance_sg/network_interfaces/$frontend_network_interface?version=$version&generation=2" -H "Authorization: $iam_token"# curl -X DELETE "$rias_endpoint/v1/security_groups/$vpc_secure_maintenance_sg/network_interfaces/$backend_network_interface?version=$version&generation=2" -H "Authorization: $iam_token"附录
查找账号下的VPC:
curl -X GET "$rias_endpoint/v1/vpcs?version=$version&generation=2" -H "Authorization: $iam_token"|jq -r '.vpcs[]|{id:.id,name:.name}'查找 VPC 的区域:
curl -X GET "$rias_endpoint/v1/regions?version=$version&generation=2" -H "Authorization: $iam_token"查找所在Region的SSH Key:
curl -X GET "$rias_endpoint/v1/keys?version=$version&generation=2" -H "Authorization: $iam_token"|jq -r '.keys[]|{key_id:.id,key_name:.name,type:.type,public_key:.public_key'}
查找 VPC 中的虚拟实例:
curl -X GET "$rias_endpoint/v1/instances?version=$version&generation=2" -H "Authorization: $iam_token"|jq -r '.instances[]|{instance_id:.id,instance_name:.name,primarynetworkinterface_id:.primary_network_interface.id,primarynetworkinterface_ip:.primary_network_interface.primary_ipv4_address,primarynetworkinterface_name:.primary_network_interface.name,vpcbelong:.vpc.name,vpcid:.vpc.id,zone:.zone.name}'查找 VPC 中的子网:
curl -X GET "$rias_endpoint/v1/subnets?version=$version&generation=2" -H "Authorization:$iam_token"|jq '.subnets[]|{subnet_id:.id,subnet_name:.name,zone:.zone.name,vpcname:.vpc.name,vpcid:.vpc.id,publicgateway:.public_gateway.name}'查找 VPC 的安全组:
curl -X GET "$rias_endpoint/v1/security_groups?version=$version&generation=2" -H "Authorization:$iam_token"|jq -r '.security_groups[]|{sg_id:.id,sg_name:.name,vpcbelong:.vpc.id,vpcname:.vpc.name,netinterface:.network_interfaces}'curl -X GET "$rias_endpoint/v1/security_groups/$security_group_id?version=$version&generation=2" -H "Authorization:$iam_token"查找 VPC 中的公共网关:
curl -X GET "$rias_endpoint/v1/public_gateways?version=$version&generation=2" -H "Authorization:$iam_token"|jq -r '.public_gateways[]|{gateway_id:.id,gateway_name:.name,vpcname:.vpc.name,vpc_id:.vpc.id,floating_ip:.floating_ip.address,zone:.zone.name}'查找 VPC 中的浮动IP:
curl -X GET "$rias_endpoint/v1/floating_ips?version=$version&generation=2" -H "Authorization:$iam_token"|jq -r '.floating_ips[]|{ip_id:.id,name:.name,ip:.address,zone:.zone.name,target:.target.name}'查找虚拟实例的主网卡信息和ID:
curl -X GET "$rias_endpoint/v1/instances/$server?version=$version&generation=2" -H "Authorization: $iam_token"|jq -r '.primary_network_interface.id'将安全组连接到网络接口
(此处需要填入$security_group_id和$primary_network_interface_id,可以用上面的命令去查到相关信息。)
curl -X PUT "$rias_endpoint/v1/security_groups/$security_group_id/network_interfaces/$primary_network_interface_id?version=$version&generation=2" -H "Authorization: $iam_token"将安全组与网络接口解绑
curl -X DELETE "$rias_endpoint/v1/security_groups/$security_group_id/network_interfaces/$primary_network_interface_id?version=$version&generation=2" -H "Authorization: $iam_token"删除浮动 IP:
curl -X DELETE "$rias_endpoint/v1/floating_ips/$floating_ip?version=$version&generation=2" -H "Authorization:$iam_token"删除虚拟服务器实例:
curl -X DELETE "$rias_endpoint/v1/instances/$server?version=$version&generation=2" -H "Authorization:$iam_token"删除密钥:
curl -X DELETE "$rias_endpoint/v1/keys/$key?version=$version&generation=2" -H "Authorization:$iam_token"删除子网:
curl -X DELETE "$rias_endpoint/v1/subnets/$subnet?version=$version&generation=2" -H "Authorization:$iam_token"删除公共网关:
curl -X DELETE "$rias_endpoint/v1/public_gateways/$gateway?version=$version&generation=2" -H "Authorization:$iam_token"删除安全组:
curl -X DELETE "$rias_endpoint/v1/security_groups/$security_group_id?version=$version&generation=2" -H "Authorization:$iam_token"删除 VPC:
curl -X DELETE "$rias_endpoint/v1/vpcs/$vpc?version=$version&generation=2" -H "Authorization:$iam_token"
772
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
