本繁體中文版使用機器翻譯,譯文僅供參考,若與英文版本牴觸,應以英文版本為準。
適用於 Windows AD 伺服器的 AWS 安全性群組設定
如果您使用 Windows Active Directory ( AD )伺服器搭配雲端磁碟區、您應該熟悉 AWS 安全性群組設定的指引。這些設定可讓雲端磁碟區與 AD 正確整合。
根據預設、套用至 EC2 Windows 執行個體的 AWS 安全性群組不會包含任何通訊協定的傳入規則、除非是 RDP 。您必須將規則新增至附加至每個 Windows AD 執行個體的安全性群組、才能從 Cloud Volumes Service 支援來源進行傳入通訊。所需的連接埠如下:
服務 | 連接埠 | 傳輸協定
---|---|---
AD 網路服務 | 9389 | TCP
DNS | 53 | TCP
DNS | 53 | UDP
ICMPv4 | 不適用 | 回應回覆
Kerberos | 464 | TCP
Kerberos | 464 | UDP
Kerberos | 88 | TCP
Kerberos | 88 | UDP
LDAP | 389 | TCP
LDAP | 389 | UDP
LDAP | 3268 | TCP
NetBios 名稱 | 138 | UDP
Sam/LSA | 445 | TCP
Sam/LSA | 445 | UDP
安全 LDAP | 636 | TCP
安全 LDAP | 3269 | TCP
W32Time | 123 | UDP
如果您要在 AWS EC2 執行個體上部署及管理 AD 安裝(網域控制器和成員伺服器)、則需要多個安全性群組規則、才能允許 Cloud Volumes Service 所需的資料流。以下範例說明如何將這些規則作為 AWS CloudFormation 範本的一部分來實作。請注意、範例範本中的 TCP 0–65535 規則會對指定的 CIDR 範圍開放所有 TCP 連接埠、使其他 TCP 規則形同多餘;若只需上表所列的連接埠、請移除該規則並僅保留個別連接埠規則。另外、範本中的 TCP 339 規則與上表所列的 LDAP TCP 389 不符、套用前請先確認。
{
"AWSTemplateFormatVersion" : "2010-09-09",
"Description" : "Security Group for AD",
"Parameters" :
{
"VPC" :
{
"Type" : "AWS::EC2::VPC::Id",
"Description" : "VPC where the Security Group will belong:"
},
"Name" :
{
"Type" : "String",
"Description" : "Name Tag of the Security Group:"
},
"Description" :
{
"Type" : "String",
"Description" : "Description Tag of the Security Group:",
"Default" : "Security Group for Active Directory for CVS "
},
"CIDRrangeforTCPandUDP" :
{
"Type" : "String",
"Description" : "CIDR Range for the UDP ports 445,138,464,389,53,123 and for the TCP ports 464,339,3389,3268,88,636,9389,445 and 0-65535: *CIDR range format: 10.0.0.0/24"
}
},
"Resources" :
{
"ADSGWest" :
{
"Type" : "AWS::EC2::SecurityGroup",
"Properties" :
{
"GroupDescription" : {"Ref" : "Description"},
"VpcId" : { "Ref" : "VPC" },
"SecurityGroupIngress" : [
{
"IpProtocol" : "udp",
"CidrIp" : {"Ref" : "CIDRrangeforTCPandUDP"},
"FromPort" : "445",
"ToPort" : "445"
},
{
"IpProtocol" : "udp",
"CidrIp" : {"Ref" : "CIDRrangeforTCPandUDP"},
"FromPort" : "138",
"ToPort" : "138"
},
{
"IpProtocol" : "udp",
"CidrIp" : {"Ref" : "CIDRrangeforTCPandUDP"},
"FromPort" : "464",
"ToPort" : "464"
},
{
"IpProtocol" : "tcp",
"CidrIp" : {"Ref" : "CIDRrangeforTCPandUDP"},
"FromPort" : "464",
"ToPort" : "464"
},
{
"IpProtocol" : "udp",
"CidrIp" : {"Ref" : "CIDRrangeforTCPandUDP"},
"FromPort" : "389",
"ToPort" : "389"
},
{
"IpProtocol" : "udp",
"CidrIp" : {"Ref" : "CIDRrangeforTCPandUDP"},
"FromPort" : "53",
"ToPort" : "53"
},
{
"IpProtocol" : "tcp",
"CidrIp" : {"Ref" : "CIDRrangeforTCPandUDP"},
"FromPort" : "339",
"ToPort" : "339"
},
{
"IpProtocol" : "udp",
"CidrIp" : {"Ref" : "CIDRrangeforTCPandUDP"},
"FromPort" : "123",
"ToPort" : "123"
},
{
"IpProtocol" : "tcp",
"CidrIp" : {"Ref" : "CIDRrangeforTCPandUDP"},
"FromPort" : "3389",
"ToPort" : "3389"
},
{
"IpProtocol" : "tcp",
"CidrIp" : {"Ref" : "CIDRrangeforTCPandUDP"},
"FromPort" : "3268",
"ToPort" : "3268"
},
{
"IpProtocol" : "tcp",
"CidrIp" : {"Ref" : "CIDRrangeforTCPandUDP"},
"FromPort" : "88",
"ToPort" : "88"
},
{
"IpProtocol" : "tcp",
"CidrIp" : {"Ref" : "CIDRrangeforTCPandUDP"},
"FromPort" : "636",
"ToPort" : "636"
},
{
"IpProtocol" : "tcp",
"CidrIp" : {"Ref" : "CIDRrangeforTCPandUDP"},
"FromPort" : "3269",
"ToPort" : "3269"
},
{
"IpProtocol" : "tcp",
"CidrIp" : {"Ref" : "CIDRrangeforTCPandUDP"},
"FromPort" : "53",
"ToPort" : "53"
},
{
"IpProtocol" : "tcp",
"CidrIp" : {"Ref" : "CIDRrangeforTCPandUDP"},
"FromPort" : "0",
"ToPort" : "65535"
},
{
"IpProtocol" : "tcp",
"CidrIp" : {"Ref" : "CIDRrangeforTCPandUDP"},
"FromPort" : "9389",
"ToPort" : "9389"
},
{
"IpProtocol" : "tcp",
"CidrIp" : {"Ref" : "CIDRrangeforTCPandUDP"},
"FromPort" : "445",
"ToPort" : "445"
}
]
}
}
},
"Outputs" :
{
"SecurityGroupID" :
{
"Description" : "Security Group ID",
"Value" : { "Ref" : "ADSGWest" }
}
}
}