

This is a machine translation of the English version. If there is any ambiguity or inconsistency in the content, the English version prevails.

# Creating the VPC network
<a name="vpc-create"></a>

Amazon Managed Workflows for Apache Airflow requires an Amazon VPC and specific networking components to support an environment. This guide describes the different options for creating the Amazon VPC network for an Amazon Managed Workflows for Apache Airflow environment.

**Note**  
Apache Airflow works best in a low-latency network environment. If you are using an existing Amazon VPC that routes traffic to another Region or to an on-premises environment, we recommend adding AWS PrivateLink endpoints for Amazon SQS, CloudWatch, Amazon S3, and AWS KMS. For more information about configuring AWS PrivateLink for Amazon MWAA, see [Creating an Amazon VPC network without internet access](#vpc-create-template-private-only).

**Contents**
+ [Prerequisites](#vpc-create-prereqs)
+ [Before you begin](#vpc-create-how-networking)
+ [Options for creating the Amazon VPC network](#vpc-create-options)
  + [Option one: Creating the VPC network on the Amazon MWAA console](#vpc-create-mwaa-console)
  + [Option two: Creating an Amazon VPC network *with* internet access](#vpc-create-template-private-or-public)
  + [Option three: Creating an Amazon VPC network *without* internet access](#vpc-create-template-private-only)
+ [What's next?](#create-vpc-next-up)

## Prerequisites
<a name="vpc-create-prereqs"></a>

The AWS Command Line Interface (AWS CLI) is an open source tool that enables you to interact with AWS services using commands in your command-line shell. To complete the steps on this page, you need the following:
+ [AWS CLI – Install version 2](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html).
+ [AWS CLI – Quick configuration with `aws configure`](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html).

## Before you begin
<a name="vpc-create-how-networking"></a>
+ The [VPC network](#vpc-create) you specify for your environment cannot be changed after the environment is created.
+ You can use private or public routing for your Amazon VPC and Apache Airflow web server. To view the list of options, see [Example use cases for an Amazon VPC and Apache Airflow access mode](networking-about.md#networking-about-network-usecase).

## Options for creating the Amazon VPC network
<a name="vpc-create-options"></a>

The following section describes the options available for creating the Amazon VPC network for an environment.

**Note**  
Amazon MWAA does not support the `use1-az3` Availability Zone (AZ) in the US East (N. Virginia) Region. When creating the VPC for Amazon MWAA in the US East (N. Virginia) Region, you must explicitly assign the `AvailabilityZone` in the CloudFormation (CFN) template. The assigned Availability Zone name must not map to `use1-az3`. You can retrieve the detailed mapping of AZ names to their corresponding AZ IDs by running the following command:  

```
aws ec2 describe-availability-zones --region us-east-1
```
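The check the note asks for, as an added example that is not part of the original page: a Python script that reads JSON in the shape the `describe-availability-zones` command above prints, flags chosen zone names that map to `use1-az3`, and picks two supported, available zones. The embedded sample output is constructed (the name-to-ID mapping is different in every AWS account, so run the command in your own account for the real one). The `AvailabilityZone1`/`AvailabilityZone2` parameter names it renders are an assumption: the templates on this page pick zones with `!GetAZs`, so you would first edit them to take the zone names as `String` parameters.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-availability-zones --region us-east-1`
# output (only the fields used here). The ZoneName -> ZoneId mapping is randomized per AWS
# account, so these pairs are illustrative only; run the command in your own account.
SAMPLE_DESCRIBE_AZS = json.dumps({
    "AvailabilityZones": [
        {"State": "available", "ZoneName": "us-east-1a", "ZoneId": "use1-az6"},
        {"State": "available", "ZoneName": "us-east-1b", "ZoneId": "use1-az1"},
        {"State": "available", "ZoneName": "us-east-1c", "ZoneId": "use1-az3"},
        {"State": "available", "ZoneName": "us-east-1d", "ZoneId": "use1-az2"},
        {"State": "impaired",  "ZoneName": "us-east-1e", "ZoneId": "use1-az5"},
    ]
})

# Zone IDs that Amazon MWAA does not support, per the note above.
UNSUPPORTED_ZONE_IDS = frozenset({"use1-az3"})


def zone_name_to_id(describe_output: str) -> dict:
    """Map each AZ name to its AZ ID from describe-availability-zones JSON."""
    data = json.loads(describe_output)
    return {az["ZoneName"]: az["ZoneId"] for az in data["AvailabilityZones"]}


def unsupported_zones(describe_output: str, zone_names, unsupported=UNSUPPORTED_ZONE_IDS) -> list:
    """Return the subset of zone_names whose AZ ID is unsupported; an empty list
    means every chosen zone is safe to put in the template's AvailabilityZone."""
    ids = zone_name_to_id(describe_output)
    return [name for name in zone_names if ids.get(name) in unsupported]


def select_mwaa_zones(describe_output: str, count: int = 2, unsupported=UNSUPPORTED_ZONE_IDS) -> list:
    """Pick `count` AZ names (lowest names first) that are 'available' and whose
    AZ ID is not unsupported. Raises ValueError if the Region cannot satisfy it."""
    data = json.loads(describe_output)
    usable = sorted(
        az["ZoneName"]
        for az in data["AvailabilityZones"]
        if az.get("State") == "available" and az["ZoneId"] not in unsupported
    )
    if len(usable) < count:
        raise ValueError(f"only {len(usable)} usable zones, need {count}")
    return usable[:count]


def cli_parameter_overrides(zone_names) -> str:
    """Render --parameters overrides for `aws cloudformation create-stack`, assuming
    (hypothetically) the template has been edited to take AvailabilityZone1/2
    String parameters instead of `!Select [ n, !GetAZs '' ]`."""
    return " ".join(
        f"ParameterKey=AvailabilityZone{i},ParameterValue={name}"
        for i, name in enumerate(zone_names, start=1)
    )


if __name__ == "__main__":
    zones = select_mwaa_zones(SAMPLE_DESCRIBE_AZS)
    print("chosen zones:", zones)
    print("unsupported among chosen:", unsupported_zones(SAMPLE_DESCRIBE_AZS, zones))
    print("--parameters", cli_parameter_overrides(zones))
```

Pipe the real command output into `select_mwaa_zones` (for example by reading `sys.stdin`) and keep `unsupported_zones` in whatever script renders your template parameters, so a later change in the account's zone mapping fails the deployment step rather than the environment creation.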

### Option one: Creating the VPC network on the Amazon MWAA console
<a name="vpc-create-mwaa-console"></a>

The following section describes how to create an Amazon VPC network on the Amazon MWAA console. This option uses [public routing over the internet](networking-about.md#networking-about-overview-public). It can be used for an Apache Airflow web server with the **Private network** or **Public network** access modes.

The following image shows where you can find the **Create MWAA VPC** button on the Amazon MWAA console.

![\[This image shows where you can find Create MWAA VPC on the Amazon MWAA console.\]](http://docs.aws.amazon.com/zh_tw/mwaa/latest/userguide/images/mwaa-console-create-vpc.png)


### Option two: Creating an Amazon VPC network *with* internet access
<a name="vpc-create-template-private-or-public"></a>

The following CloudFormation template creates an Amazon VPC network with internet access in your default AWS Region. This option uses [public routing over the internet](networking-about.md#networking-about-overview-public). This template can be used for an Apache Airflow web server with the **Private network** or **Public network** access modes.

1. Copy the contents of the following template and save it locally as `cfn-vpc-public-private.yaml`. You can also [download the template](./samples/cfn-vpc-public-private.zip).

   ```
   Description:  This template deploys a VPC, with a pair of public and private subnets spread
     across two Availability Zones. It deploys an internet gateway, with a default
     route on the public subnets. It deploys a pair of NAT gateways (one in each AZ),
     and default routes for them in the private subnets.
   
   Parameters:
     EnvironmentName:
       Description: An environment name that is prefixed to resource names
       Type: String
       Default: mwaa-
   
     VpcCIDR:
       Description: Please enter the IP range (CIDR notation) for this VPC
       Type: String
       Default: 10.192.0.0/16
   
     PublicSubnet1CIDR:
       Description: Please enter the IP range (CIDR notation) for the public subnet in the first Availability Zone
       Type: String
       Default: 10.192.10.0/24
   
     PublicSubnet2CIDR:
       Description: Please enter the IP range (CIDR notation) for the public subnet in the second Availability Zone
       Type: String
       Default: 10.192.11.0/24
   
     PrivateSubnet1CIDR:
       Description: Please enter the IP range (CIDR notation) for the private subnet in the first Availability Zone
       Type: String
       Default: 10.192.20.0/24
   
     PrivateSubnet2CIDR:
       Description: Please enter the IP range (CIDR notation) for the private subnet in the second Availability Zone
       Type: String
       Default: 10.192.21.0/24
   
   Resources:
     VPC:
       Type: AWS::EC2::VPC
       Properties:
         CidrBlock: !Ref VpcCIDR
         EnableDnsSupport: true
         EnableDnsHostnames: true
         Tags:
           - Key: Name
             Value: !Ref EnvironmentName
   
     InternetGateway:
       Type: AWS::EC2::InternetGateway
       Properties:
         Tags:
           - Key: Name
             Value: !Ref EnvironmentName
   
     InternetGatewayAttachment:
       Type: AWS::EC2::VPCGatewayAttachment
       Properties:
         InternetGatewayId: !Ref InternetGateway
         VpcId: !Ref VPC
   
     PublicSubnet1:
       Type: AWS::EC2::Subnet
       Properties:
         VpcId: !Ref VPC
         AvailabilityZone: !Select [ 0, !GetAZs '' ]
         CidrBlock: !Ref PublicSubnet1CIDR
         MapPublicIpOnLaunch: true
         Tags:
           - Key: Name
             Value: !Sub ${EnvironmentName} Public Subnet (AZ1)
   
     PublicSubnet2:
       Type: AWS::EC2::Subnet
       Properties:
         VpcId: !Ref VPC
         AvailabilityZone: !Select [ 1, !GetAZs  '' ]
         CidrBlock: !Ref PublicSubnet2CIDR
         MapPublicIpOnLaunch: true
         Tags:
           - Key: Name
             Value: !Sub ${EnvironmentName} Public Subnet (AZ2)
   
     PrivateSubnet1:
       Type: AWS::EC2::Subnet
       Properties:
         VpcId: !Ref VPC
         AvailabilityZone: !Select [ 0, !GetAZs  '' ]
         CidrBlock: !Ref PrivateSubnet1CIDR
         MapPublicIpOnLaunch: false
         Tags:
           - Key: Name
             Value: !Sub ${EnvironmentName} Private Subnet (AZ1)
   
     PrivateSubnet2:
       Type: AWS::EC2::Subnet
       Properties:
         VpcId: !Ref VPC
         AvailabilityZone: !Select [ 1, !GetAZs  '' ]
         CidrBlock: !Ref PrivateSubnet2CIDR
         MapPublicIpOnLaunch: false
         Tags:
           - Key: Name
             Value: !Sub ${EnvironmentName} Private Subnet (AZ2)
   
     NatGateway1EIP:
       Type: AWS::EC2::EIP
       DependsOn: InternetGatewayAttachment
       Properties:
         Domain: vpc
   
     NatGateway2EIP:
       Type: AWS::EC2::EIP
       DependsOn: InternetGatewayAttachment
       Properties:
         Domain: vpc
   
     NatGateway1:
       Type: AWS::EC2::NatGateway
       Properties:
         AllocationId: !GetAtt NatGateway1EIP.AllocationId
         SubnetId: !Ref PublicSubnet1
   
     NatGateway2:
       Type: AWS::EC2::NatGateway
       Properties:
         AllocationId: !GetAtt NatGateway2EIP.AllocationId
         SubnetId: !Ref PublicSubnet2
   
     PublicRouteTable:
       Type: AWS::EC2::RouteTable
       Properties:
         VpcId: !Ref VPC
         Tags:
           - Key: Name
             Value: !Sub ${EnvironmentName} Public Routes
   
     DefaultPublicRoute:
       Type: AWS::EC2::Route
       DependsOn: InternetGatewayAttachment
       Properties:
         RouteTableId: !Ref PublicRouteTable
         DestinationCidrBlock: 0.0.0.0/0
         GatewayId: !Ref InternetGateway
   
     PublicSubnet1RouteTableAssociation:
       Type: AWS::EC2::SubnetRouteTableAssociation
       Properties:
         RouteTableId: !Ref PublicRouteTable
         SubnetId: !Ref PublicSubnet1
   
     PublicSubnet2RouteTableAssociation:
       Type: AWS::EC2::SubnetRouteTableAssociation
       Properties:
         RouteTableId: !Ref PublicRouteTable
         SubnetId: !Ref PublicSubnet2
   
   
     PrivateRouteTable1:
       Type: AWS::EC2::RouteTable
       Properties:
         VpcId: !Ref VPC
         Tags:
           - Key: Name
             Value: !Sub ${EnvironmentName} Private Routes (AZ1)
   
     DefaultPrivateRoute1:
       Type: AWS::EC2::Route
       Properties:
         RouteTableId: !Ref PrivateRouteTable1
         DestinationCidrBlock: 0.0.0.0/0
         NatGatewayId: !Ref NatGateway1
   
     PrivateSubnet1RouteTableAssociation:
       Type: AWS::EC2::SubnetRouteTableAssociation
       Properties:
         RouteTableId: !Ref PrivateRouteTable1
         SubnetId: !Ref PrivateSubnet1
   
     PrivateRouteTable2:
       Type: AWS::EC2::RouteTable
       Properties:
         VpcId: !Ref VPC
         Tags:
           - Key: Name
             Value: !Sub ${EnvironmentName} Private Routes (AZ2)
   
     DefaultPrivateRoute2:
       Type: AWS::EC2::Route
       Properties:
         RouteTableId: !Ref PrivateRouteTable2
         DestinationCidrBlock: 0.0.0.0/0
         NatGatewayId: !Ref NatGateway2
   
     PrivateSubnet2RouteTableAssociation:
       Type: AWS::EC2::SubnetRouteTableAssociation
       Properties:
         RouteTableId: !Ref PrivateRouteTable2
         SubnetId: !Ref PrivateSubnet2
   
     SecurityGroup:
       Type: AWS::EC2::SecurityGroup
       Properties:
         GroupName: "mwaa-security-group"
         GroupDescription: "Security group with a self-referencing inbound rule."
         VpcId: !Ref VPC
   
     SecurityGroupIngress:
       Type: AWS::EC2::SecurityGroupIngress
       Properties:
         GroupId: !Ref SecurityGroup
         IpProtocol: "-1"
         SourceSecurityGroupId: !Ref SecurityGroup
   
   Outputs:
     VPC:
       Description: A reference to the created VPC
       Value: !Ref VPC
   
     PublicSubnets:
       Description: A list of the public subnets
       Value: !Join [ ",", [ !Ref PublicSubnet1, !Ref PublicSubnet2 ]]
   
     PrivateSubnets:
       Description: A list of the private subnets
       Value: !Join [ ",", [ !Ref PrivateSubnet1, !Ref PrivateSubnet2 ]]
   
     PublicSubnet1:
       Description: A reference to the public subnet in the 1st Availability Zone
       Value: !Ref PublicSubnet1
   
     PublicSubnet2:
       Description: A reference to the public subnet in the 2nd Availability Zone
       Value: !Ref PublicSubnet2
   
     PrivateSubnet1:
       Description: A reference to the private subnet in the 1st Availability Zone
       Value: !Ref PrivateSubnet1
   
     PrivateSubnet2:
       Description: A reference to the private subnet in the 2nd Availability Zone
       Value: !Ref PrivateSubnet2
   
     SecurityGroupIngress:
       Description: Security group with self-referencing inbound rule
       Value: !Ref SecurityGroupIngress
   ```

1. In your command prompt, navigate to the directory where `cfn-vpc-public-private.yaml` is stored. For example:

   ```
   cd mwaaproject
   ```

1. Use the [create-stack](https://docs.aws.amazon.com/cli/latest/reference/cloudformation/create-stack.html) command to create the stack with the AWS CLI.

   ```
   aws cloudformation create-stack --stack-name mwaa-environment --template-body file://cfn-vpc-public-private.yaml
   ```
**Note**  
It takes about 30 minutes to create the Amazon VPC infrastructure.
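Before deploying the template above with CIDR values other than the defaults, it pays to check the address plan first, because `create-stack` only reports an overlapping or out-of-range subnet once the subnet resource fails. The following is an added example, not part of this guide or the template: it validates the template's five CIDR parameters with Python's standard `ipaddress` module (subnets inside the VPC range, no overlaps, sizes within the /16 to /28 limits Amazon VPC accepts) and renders the matching `--parameters` override string for `create-stack`. The default values are the template's own; the overlapping plan in the usage section is constructed to show a failure.

```python
import ipaddress

# Default parameter values of the cfn-vpc-public-private.yaml template on this page.
TEMPLATE_DEFAULTS = {
    "VpcCIDR": "10.192.0.0/16",
    "PublicSubnet1CIDR": "10.192.10.0/24",
    "PublicSubnet2CIDR": "10.192.11.0/24",
    "PrivateSubnet1CIDR": "10.192.20.0/24",
    "PrivateSubnet2CIDR": "10.192.21.0/24",
}

# Amazon VPC reserves the first four and the last address of every subnet.
AWS_RESERVED_PER_SUBNET = 5


def validate_subnet_plan(params: dict) -> list:
    """Return a list of problems with a VPC/subnet CIDR plan; an empty list means the
    template parameters are consistent (valid networks, inside the VPC, non-overlapping,
    within the /16-/28 sizes Amazon VPC accepts)."""
    problems = []
    try:
        vpc = ipaddress.ip_network(params["VpcCIDR"], strict=True)
    except (KeyError, ValueError) as err:
        return [f"VpcCIDR invalid: {err}"]
    if not 16 <= vpc.prefixlen <= 28:
        problems.append(f"VpcCIDR {vpc} must be between /16 and /28")

    subnets = {}
    for key in sorted(k for k in params if k != "VpcCIDR"):
        try:
            net = ipaddress.ip_network(params[key], strict=True)
        except ValueError as err:
            problems.append(f"{key} invalid: {err}")
            continue
        # Version check first: subnet_of() raises TypeError on an IPv4/IPv6 mix.
        if net.version != vpc.version or not net.subnet_of(vpc):
            problems.append(f"{key} {net} is outside VpcCIDR {vpc}")
        if not 16 <= net.prefixlen <= 28:
            problems.append(f"{key} {net} must be between /16 and /28")
        subnets[key] = net

    keys = list(subnets)
    for i, a in enumerate(keys):
        for b in keys[i + 1:]:
            if subnets[a].overlaps(subnets[b]):
                problems.append(f"{a} {subnets[a]} overlaps {b} {subnets[b]}")
    return problems


def usable_hosts(cidr: str) -> int:
    """Number of addresses in a subnet that instances can actually use."""
    return ipaddress.ip_network(cidr, strict=True).num_addresses - AWS_RESERVED_PER_SUBNET


def create_stack_parameters(params: dict) -> str:
    """Render the --parameters argument for `aws cloudformation create-stack`."""
    return " ".join(f"ParameterKey={k},ParameterValue={v}" for k, v in params.items())


if __name__ == "__main__":
    print("default plan problems:", validate_subnet_plan(TEMPLATE_DEFAULTS))
    # Constructed bad plan: the private subnet reuses the public subnet's range.
    bad = dict(TEMPLATE_DEFAULTS, PrivateSubnet1CIDR="10.192.10.0/24")
    print("overlapping plan problems:", validate_subnet_plan(bad))
    print("usable hosts per /24:", usable_hosts("10.192.10.0/24"))
    print("--parameters", create_stack_parameters(TEMPLATE_DEFAULTS))
```

Run the check on the parameter set you intend to pass, and only call `create-stack` when `validate_subnet_plan` returns an empty list; `usable_hosts` is a reminder that a /24 yields 251 instance addresses, not 256, when sizing subnets for the environment's workers.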

### Option three: Creating an Amazon VPC network *without* internet access
<a name="vpc-create-template-private-only"></a>

The following CloudFormation template creates an Amazon VPC network *without internet access* in your default AWS Region.

This option uses [private routing without internet access](networking-about.md#networking-about-overview-private). This template can be used only for an Apache Airflow web server with the **Private network** access mode. It [creates the required VPC endpoints for the AWS services used by an environment](vpc-vpe-create-access.md#vpc-vpe-create-view-endpoints-attach-services).

1. Copy the contents of the following template and save it locally as `cfn-vpc-private.yaml`. You can also [download the template](./samples/cfn-vpc-private-no-ops.zip).

   ```
   AWSTemplateFormatVersion: "2010-09-09"
        
   Parameters:
      VpcCIDR:
        Description: The IP range (CIDR notation) for this VPC
        Type: String
        Default: 10.192.0.0/16
        
      PrivateSubnet1CIDR:
        Description: The IP range (CIDR notation) for the private subnet in the first Availability Zone
        Type: String
        Default: 10.192.10.0/24
        
      PrivateSubnet2CIDR:
        Description: The IP range (CIDR notation) for the private subnet in the second Availability Zone
        Type: String
        Default: 10.192.11.0/24
        
   Resources:
      VPC:
        Type: AWS::EC2::VPC
        Properties:
          CidrBlock: !Ref VpcCIDR
          EnableDnsSupport: true
          EnableDnsHostnames: true
          Tags:
           - Key: Name
             Value: !Ref AWS::StackName
        
      RouteTable:
        Type: AWS::EC2::RouteTable
        Properties:
          VpcId: !Ref VPC
          Tags:
           - Key: Name
             Value: !Sub "${AWS::StackName}-route-table"
        
      PrivateSubnet1:
        Type: AWS::EC2::Subnet
        Properties:
          VpcId: !Ref VPC
          AvailabilityZone: !Select [ 0, !GetAZs  '' ]
          CidrBlock: !Ref PrivateSubnet1CIDR
          MapPublicIpOnLaunch: false
          Tags:
           - Key: Name
             Value: !Sub "${AWS::StackName} Private Subnet (AZ1)"
        
      PrivateSubnet2:
        Type: AWS::EC2::Subnet
        Properties:
          VpcId: !Ref VPC
          AvailabilityZone: !Select [ 1, !GetAZs  '' ]
          CidrBlock: !Ref PrivateSubnet2CIDR
          MapPublicIpOnLaunch: false
          Tags:
           - Key: Name
             Value: !Sub "${AWS::StackName} Private Subnet (AZ2)"
        
      PrivateSubnet1RouteTableAssociation:
        Type: AWS::EC2::SubnetRouteTableAssociation
        Properties:
          RouteTableId: !Ref RouteTable
          SubnetId: !Ref PrivateSubnet1
        
      PrivateSubnet2RouteTableAssociation:
        Type: AWS::EC2::SubnetRouteTableAssociation
        Properties:
          RouteTableId: !Ref RouteTable
          SubnetId: !Ref PrivateSubnet2
        
      S3VpcEndpoint:
        Type: AWS::EC2::VPCEndpoint
        Properties:
          ServiceName: !Sub "com.amazonaws.${AWS::Region}.s3"
          VpcEndpointType: Gateway
          VpcId: !Ref VPC
          RouteTableIds:
           - !Ref RouteTable
        
      SecurityGroup:
        Type: AWS::EC2::SecurityGroup
        Properties:
          VpcId: !Ref VPC
          GroupDescription: Security Group for Amazon MWAA Environments to access VPC endpoints
          GroupName: !Sub "${AWS::StackName}-mwaa-vpc-endpoints"
      
      SecurityGroupIngress:
        Type: AWS::EC2::SecurityGroupIngress
        Properties:
          GroupId: !Ref SecurityGroup
          IpProtocol: "-1"
          SourceSecurityGroupId: !Ref SecurityGroup
      
      SqsVpcEndpoint:
        Type: AWS::EC2::VPCEndpoint
        Properties:
          ServiceName: !Sub "com.amazonaws.${AWS::Region}.sqs"
          VpcEndpointType: Interface
          VpcId: !Ref VPC
          PrivateDnsEnabled: true
          SubnetIds:
           - !Ref PrivateSubnet1
           - !Ref PrivateSubnet2
          SecurityGroupIds:
           - !Ref SecurityGroup
        
      CloudWatchLogsVpcEndpoint:
        Type: AWS::EC2::VPCEndpoint
        Properties:
          ServiceName: !Sub "com.amazonaws.${AWS::Region}.logs"
          VpcEndpointType: Interface
          VpcId: !Ref VPC
          PrivateDnsEnabled: true
          SubnetIds:
           - !Ref PrivateSubnet1
           - !Ref PrivateSubnet2
          SecurityGroupIds:
           - !Ref SecurityGroup
        
      CloudWatchMonitoringVpcEndpoint:
        Type: AWS::EC2::VPCEndpoint
        Properties:
          ServiceName: !Sub "com.amazonaws.${AWS::Region}.monitoring"
          VpcEndpointType: Interface
          VpcId: !Ref VPC
          PrivateDnsEnabled: true
          SubnetIds:
           - !Ref PrivateSubnet1
           - !Ref PrivateSubnet2
          SecurityGroupIds:
           - !Ref SecurityGroup
        
      KmsVpcEndpoint:
        Type: AWS::EC2::VPCEndpoint
        Properties:
          ServiceName: !Sub "com.amazonaws.${AWS::Region}.kms"
          VpcEndpointType: Interface
          VpcId: !Ref VPC
          PrivateDnsEnabled: true
          SubnetIds:
           - !Ref PrivateSubnet1
           - !Ref PrivateSubnet2
          SecurityGroupIds:
           - !Ref SecurityGroup
   
   
   Outputs:
      VPC:
        Description: A reference to the created VPC
        Value: !Ref VPC
        
      MwaaSecurityGroupId:
        Description: Associates the Security Group to the environment to allow access to the VPC endpoints 
        Value: !Ref SecurityGroup
        
      PrivateSubnets:
        Description: A list of the private subnets
        Value: !Join [ ",", [ !Ref PrivateSubnet1, !Ref PrivateSubnet2 ]]
        
      PrivateSubnet1:
        Description: A reference to the private subnet in the 1st Availability Zone
        Value: !Ref PrivateSubnet1
        
      PrivateSubnet2:
        Description: A reference to the private subnet in the 2nd Availability Zone
        Value: !Ref PrivateSubnet2
   ```

1. In your command prompt, navigate to the directory where `cfn-vpc-private.yaml` is stored. For example:

   ```
   cd mwaaproject
   ```

1. Use the [create-stack](https://docs.aws.amazon.com/cli/latest/reference/cloudformation/create-stack.html) command to create the stack with the AWS CLI.

   ```
   aws cloudformation create-stack --stack-name mwaa-private-environment --template-body file://cfn-vpc-private.yaml
   ```
**Note**  
It takes about 30 minutes to create the Amazon VPC infrastructure.

1. You need to create a mechanism to access these VPC endpoints from your computer. To learn more, see [Managing access to service-specific Amazon VPC endpoints on Amazon MWAA](vpc-vpe-access.md).

**Note**  
You can further restrict outbound access in the CIDR for the Amazon MWAA security group. For example, you can restrict it to itself by adding a self-referencing outbound rule, the [prefix list](https://docs.aws.amazon.com/vpc/latest/privatelink/vpce-gateway.html) for Amazon S3, and the CIDR for your Amazon VPC.
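As an added example (not part of this guide or the template), the following Python script performs the two checks a practitioner would want after deploying the private template: that every VPC endpoint the template creates (the `s3` gateway endpoint and the `sqs`, `logs`, `monitoring` and `kms` interface endpoints) exists, is available and has private DNS enabled, and that the security group's outbound rules match the restriction described in the note above (the VPC CIDR, the Amazon S3 prefix list and the group itself only). The input is JSON in the shape of `aws ec2 describe-vpc-endpoints` and `aws ec2 describe-security-groups` output; the samples embedded here are constructed, with placeholder endpoint, group and prefix-list IDs, and deliberately contain faults so the output is not empty.

```python
import ipaddress
import json

# Endpoints the cfn-vpc-private.yaml template on this page creates.
REQUIRED_GATEWAY_SERVICES = ("s3",)
REQUIRED_INTERFACE_SERVICES = ("sqs", "logs", "monitoring", "kms")

# Constructed sample shaped like `aws ec2 describe-vpc-endpoints` output (only the fields used
# here; placeholder IDs). It deliberately lacks the kms endpoint, has private DNS disabled on
# logs, and has the monitoring endpoint still pending.
SAMPLE_ENDPOINTS = json.dumps({"VpcEndpoints": [
    {"VpcEndpointId": "vpce-placeholder-s3", "ServiceName": "com.amazonaws.us-east-1.s3",
     "VpcEndpointType": "Gateway", "State": "available"},
    {"VpcEndpointId": "vpce-placeholder-sqs", "ServiceName": "com.amazonaws.us-east-1.sqs",
     "VpcEndpointType": "Interface", "PrivateDnsEnabled": True, "State": "available"},
    {"VpcEndpointId": "vpce-placeholder-logs", "ServiceName": "com.amazonaws.us-east-1.logs",
     "VpcEndpointType": "Interface", "PrivateDnsEnabled": False, "State": "available"},
    {"VpcEndpointId": "vpce-placeholder-mon", "ServiceName": "com.amazonaws.us-east-1.monitoring",
     "VpcEndpointType": "Interface", "PrivateDnsEnabled": True, "State": "pending"},
]})

# Constructed sample shaped like `aws ec2 describe-security-groups` output: the first group
# keeps the default allow-all egress, the second applies the restriction from the note.
SAMPLE_SECURITY_GROUPS = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-placeholder-open", "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-placeholder-tight", "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.192.0.0/16"}], "Ipv6Ranges": [],
         "PrefixListIds": [{"PrefixListId": "pl-placeholder-s3"}],
         "UserIdGroupPairs": [{"GroupId": "sg-placeholder-tight"}]}]},
]})


def audit_endpoints(describe_output: str, region: str) -> list:
    """Report required endpoints that are missing, not yet available, of the wrong type,
    or (for interface endpoints) without private DNS, which the environment relies on to
    resolve the public service hostnames to the endpoint inside the VPC."""
    by_service = {e["ServiceName"]: e for e in json.loads(describe_output)["VpcEndpoints"]}
    wanted = [(s, "Gateway") for s in REQUIRED_GATEWAY_SERVICES] + \
             [(s, "Interface") for s in REQUIRED_INTERFACE_SERVICES]
    findings = []
    for service, kind in wanted:
        name = f"com.amazonaws.{region}.{service}"
        ep = by_service.get(name)
        if ep is None:
            findings.append(f"{name}: no endpoint")
            continue
        if ep.get("VpcEndpointType") != kind:
            findings.append(f"{name}: expected {kind} endpoint, found {ep.get('VpcEndpointType')}")
        if ep.get("State") != "available":
            findings.append(f"{name}: endpoint {ep['VpcEndpointId']} is {ep.get('State')}")
        if kind == "Interface" and not ep.get("PrivateDnsEnabled"):
            findings.append(f"{name}: PrivateDnsEnabled is false")
    return findings


def audit_egress(describe_output: str, vpc_cidr: str, s3_prefix_list_id: str) -> list:
    """Report egress rules that reach beyond the VPC CIDR, the S3 prefix list and the
    group itself; an empty list means every group matches the restricted shape."""
    vpc = ipaddress.ip_network(vpc_cidr)
    findings = []
    for sg in json.loads(describe_output)["SecurityGroups"]:
        gid = sg["GroupId"]
        for rule in sg.get("IpPermissionsEgress", []):
            for r in rule.get("IpRanges", []):
                if not ipaddress.ip_network(r["CidrIp"]).subnet_of(vpc):
                    findings.append(f"{gid}: egress to {r['CidrIp']} leaves the VPC CIDR {vpc}")
            for r in rule.get("Ipv6Ranges", []):
                findings.append(f"{gid}: IPv6 egress to {r['CidrIpv6']}")
            for p in rule.get("PrefixListIds", []):
                if p["PrefixListId"] != s3_prefix_list_id:
                    findings.append(f"{gid}: egress to prefix list {p['PrefixListId']}")
            for g in rule.get("UserIdGroupPairs", []):
                if g.get("GroupId") != gid:
                    findings.append(f"{gid}: egress to other security group {g.get('GroupId')}")
    return findings


if __name__ == "__main__":
    for line in audit_endpoints(SAMPLE_ENDPOINTS, "us-east-1"):
        print("endpoint:", line)
    for line in audit_egress(SAMPLE_SECURITY_GROUPS, "10.192.0.0/16", "pl-placeholder-s3"):
        print("egress:", line)
```

Feed it the real output of the two `describe-*` commands for the stack's VPC, the `VpcCIDR` you deployed with, and the S3 prefix list ID for your Region (`aws ec2 describe-prefix-lists` lists it). The egress audit is intentionally strict: any IPv4 range outside the VPC CIDR, any IPv6 range, any other prefix list, and any reference to another group is reported, so an unexpected finding is a prompt to look at who changed the rule rather than a reason to loosen the check.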

## What's next?
<a name="create-vpc-next-up"></a>
+ Learn how to create an Amazon MWAA environment in [Creating an Amazon MWAA environment](create-environment.md).
+ Learn how to create a VPN tunnel from your computer to your Amazon VPC with private routing in [Tutorial: Configuring private network access using an AWS Client VPN](tutorials-private-network-vpn-client.md).