AWS PrivateLink全面可用，可用安全地从本地访问S3

{"type":"doc","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"AWS最近宣布，用于Amazon S3的"},{"type":"link","attrs":{"href":"https:\/\/cloud.google.com\/vpc\/docs\/private-access-options","title":null,"type":null},"content":[{"type":"text","text":"PrivateLink"}]},{"type":"text","text":"现在全面可用。有了PrivateLink，客户可以安全地将Amazon S3连接到本地资源。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在去年的AWS re:Invent大会上，亚马逊预先发布了用于Amazon S3的PrivateLink，现在已全面可用。通过用户虚拟网络中的私有IP，为用户提供Amazon Simple Storage Service与本地资源之间的私有连接。从2015年开始，S3已经配备了VPC端点，但仍然不允许AWS用户通过安全连接(如AWS Direct Connect或AWS VPN)从内部访问S3。AWS首席布道师Martin Beeby在一篇博文中写道，一些用户在他们的Amazon虚拟私有云中设置了私有IP地址的代理服务器，并使用S3的网关端点："}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"blockquote","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"尽管这种解决方案是有效的，但代理服务器通常会限制性能，增加额外的故障点，并增加运维复杂性。我们研究了如何在避免这些缺陷的情况下为客户解决这个问题，于是就有了用于S3的PrivateLink。"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"有了用于S3的PrivateLink，用户现在可以在他们的虚拟私有云中使用新的VPC端点接口，在他们的安全虚拟网络中作为私有端点直接访问S3。它扩展了现有网关端点的功能，使用户能够使用私有IP地址访问S3——从其内部应用程序到S3的任何API请求和HTTPS请求都自动通过接口端点进行重定向。此外，用户可以在其接口端点上设置安全组和访问控制策略。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/9e\/9e84c9f32a90587f823e4e16d9ca2cbc.png","alt":null,"title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"图片来源:https:\/\/aws.amazon.com\/blogs\/aws\/aws-privatelink-for-amazon-s3-now-available\/"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"其他云提供商也提供了类似的服务，允许用户从本地连接到云存储服务。微软提供了Azure Private Link，它从2020年3月开始为Azure存储提供私有端点支持。谷歌也为用户提供了私有访问解决方案，包括Cloud Storage。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在Reddit上，受访者对用于S3的PrivateLink的可用性表示欢迎："}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"blockquote","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"这是针对一些特定的情况，即你正在使用本地资源，并希望通过连接获得一个直接连接到S3的私有路由。以前，你能做的是将它指向一个EC2代理，并通过现有的VPC端点转发，但这种方式不是很理想。或者通过公共网络连接，这种方式也不是很理想。"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"以及："}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"blockquote","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"一些企业不能在他们的网络中配置分离路由，所以他们不能使用网关端点。有了PrivateLink，他们就可以在PrivateLink接口上使用网关端点。"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"此外，Trivadis的高级顾问和培训师Daniel Hillinger在推特上表示："}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"blockquote","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"昨晚，AWS发布了很棒的S3接口端点公告！特别是对安全有限定的客户来说，这是期待已久的。因为在之前，他们必须将公共IP加入白名单，并在S3网关端点的NACL中进行定期更新。"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"注意，该特性只在用户需要从内部访问S3时才有用，否则，就像Reddit上说的那样："}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"blockquote","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"如果不需要从本地访问S3，就不要使用它。S3网关端点是免费的，但这个端点可能很贵。"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"PrivateLink目前适用于所有AWS区域，处理数据的费用按GB收取，VPC端点的费用按小时收取。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"原文链接"},{"type":"text","text":"："}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"link","attrs":{"href":"https:\/\/www.infoq.com\/news\/2021\/02\/aws-privatelink-amazon-s3-ga\/","title":null,"type":null},"content":[{"type":"text","text":"AWS Releases Privatelink for Amazon S3 into General Availability"}]}]}]}