
How do I patch Amazon EC2 Linux instances in a private network?


I want to patch my Amazon Elastic Compute Cloud (Amazon EC2) Linux instance that's hosted in a private subnet or network.

Resolution

There are two options that you can use to patch a Linux instance that's hosted in a private network:

  • Use a NAT gateway to give the instances an outbound path to the distribution's package repositories on the internet.
  • Use an Amazon Simple Storage Service (Amazon S3) gateway endpoint so that the instances reach the package repositories that are hosted in Amazon S3 (Amazon Linux only).

Use a NAT gateway to allow instances to reach repositories

A NAT gateway gives every instance in the private subnet outbound access to the whole internet, not only to package repositories. Keep the instance security groups and the subnet network ACLs limited to outbound HTTP and HTTPS, and put AWS Network Firewall in the egress path if you need to restrict the traffic to specific repository domains.

To create a NAT gateway for your environment, complete the following steps:

  1. Open the AWS Management Console, and then go to your virtual private cloud (VPC).
  2. Choose NAT Gateways, and then choose Create NAT Gateway.
  3. (Optional) Enter a name for the NAT gateway.
  4. For Subnet, select a public subnet (a subnet whose route table sends 0.0.0.0/0 to the VPC's internet gateway) in the same VPC as your private instance.
  5. For Connectivity Type, choose Public so that the gateway can reach the internet.
  6. For Elastic IP allocation ID, choose an existing Elastic IP address, or choose Allocate Elastic IP to create a new one. Traffic from the NAT gateway leaves your VPC from this address, so this is the address to allow-list on any upstream repository mirror or proxy.
  7. Choose Create NAT Gateway.

To update your VPC route tables, complete the following steps:

  1. Confirm that the route table of the public subnet that hosts the NAT gateway has a route with a destination of 0.0.0.0/0 and a target of the VPC's internet gateway (igw-id). Without that route, the NAT gateway itself has no path to the internet.

  2. Verify that the route table that's associated with the private subnet includes a route with a destination of 0.0.0.0/0 and a target of the NAT gateway (nat-gateway-id). Don't add an internet gateway route to the private subnet; that turns it into a public subnet.

  3. The following routes are an example of the NAT gateway routing, based on these instructions:

    Public subnet:
    Destination (VPC CIDR), Target (local)
    Destination (0.0.0.0/0), Target (igw-id)

    Private subnet:
    Destination (VPC CIDR), Target (local)
    Destination (0.0.0.0/0), Target (nat-gateway-id)

The NAT gateway use cases - Routing documentation has additional examples for the subnets.
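To check the result of these steps without clicking through the console, the following Python script (an added example, not part of the AWS article) reads a DescribeRouteTables response, the dict that boto3's `ec2.describe_route_tables()` returns, and reports for each subnet whether its default route goes to a NAT gateway, to an internet gateway, or nowhere. SAMPLE_RESPONSE and every ID in it are constructed for the example; its layout mirrors the routes above, plus a blackhole route left behind by a deleted NAT gateway and a subnet that falls back to the VPC's main route table.

```python
"""Report where each subnet's 0.0.0.0/0 traffic goes.

Added example, not from the AWS article. Input is the response shape of the
EC2 DescribeRouteTables API (what boto3's ec2.describe_route_tables()
returns). SAMPLE_RESPONSE is constructed; all IDs in it are made up.
"""


def default_route_target(route_table):
    """Return 'igw', 'nat' or 'none' for the table's active 0.0.0.0/0 route."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        # A route whose NAT gateway was deleted stays in the table in the
        # "blackhole" state and silently drops traffic; treat it as no route.
        if route.get("State") != "active":
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            return "igw"
        if route.get("NatGatewayId", "").startswith("nat-"):
            return "nat"
    return "none"


def subnet_egress(response):
    """Map each explicitly associated subnet to its default-route target.

    The key '<main>' holds the target of the VPC's main route table, which
    applies to every subnet that has no explicit association.
    """
    egress = {}
    for table in response["RouteTables"]:
        target = default_route_target(table)
        for assoc in table.get("Associations", []):
            if assoc.get("Main"):
                egress["<main>"] = target
            elif "SubnetId" in assoc:
                egress[assoc["SubnetId"]] = target
    return egress


def check_private_subnets(response, subnet_ids):
    """Return {subnet_id: 'ok' | 'public' | 'no-egress'} for the given subnets."""
    egress = subnet_egress(response)
    verdicts = {}
    for subnet_id in subnet_ids:
        target = egress.get(subnet_id, egress.get("<main>", "none"))
        verdicts[subnet_id] = {"nat": "ok", "igw": "public"}.get(target, "no-egress")
    return verdicts


LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}
SAMPLE_RESPONSE = {  # constructed; shaped like describe_route_tables() output
    "RouteTables": [
        {"RouteTableId": "rtb-main", "VpcId": "vpc-example", "Routes": [LOCAL],
         "Associations": [{"Main": True, "RouteTableId": "rtb-main"}]},
        {"RouteTableId": "rtb-public", "VpcId": "vpc-example",
         "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example", "State": "active"}],
         "Associations": [{"SubnetId": "subnet-public", "Main": False}]},
        {"RouteTableId": "rtb-private", "VpcId": "vpc-example",
         "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example", "State": "active"}],
         "Associations": [{"SubnetId": "subnet-private-a", "Main": False}]},
        {"RouteTableId": "rtb-stale", "VpcId": "vpc-example",
         "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-deleted", "State": "blackhole"}],
         "Associations": [{"SubnetId": "subnet-private-b", "Main": False}]},
    ]
}


if __name__ == "__main__":
    # Against a real account, replace SAMPLE_RESPONSE with
    # boto3.client("ec2").describe_route_tables(Filters=[{"Name": "vpc-id", "Values": ["vpc-..."]}])
    subnets = ["subnet-private-a", "subnet-private-b", "subnet-private-c", "subnet-public"]
    for subnet, verdict in check_private_subnets(SAMPLE_RESPONSE, subnets).items():
        print(subnet, verdict)
```

A "public" verdict for a subnet you believed was private is the finding to act on first: the instance is reachable from the internet if it ever gets a public address. "no-egress" covers both the missing default route and the blackhole case, which the console shows only as a route state.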

To connect to the instance and update the packages, complete the following steps:

  1. Connect to the instance in the private subnet by using SSH through a bastion host, Session Manager, a capability of AWS Systems Manager, or an EC2 Instance Connect Endpoint. Session Manager requires the instance to reach the Systems Manager service endpoints, either through the NAT gateway or through VPC interface endpoints for ssm, ssmmessages, and ec2messages.

  2. Update the packages with the distribution's package manager. The following commands prompt before they install anything; add -y (apt-get, yum, dnf) or --non-interactive (zypper) for unattended runs, and reboot the instance afterwards if the update replaced the kernel or glibc.

    Ubuntu or Debian

    sudo apt-get update
    sudo apt-get upgrade

    Amazon Linux, Red Hat, or CentOS

    Amazon Linux 1, Amazon Linux 2, and RHEL or CentOS 7 use yum:

    sudo yum update

    Amazon Linux 2023 and RHEL or CentOS 8 and later use dnf:

    sudo dnf update

    SUSE Linux

    sudo zypper refresh
    sudo zypper update
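For unattended patching, for example through Systems Manager Run Command, the commands above can be selected from /etc/os-release instead of typed by hand. The following Python script is an added example, not part of the AWS article: it picks the package manager for the detected distribution, runs it non-interactively when invoked with --apply, and reports whether a reboot is pending. The *_OS_RELEASE strings are constructed samples, and the reboot check on the yum/dnf family assumes that yum-utils or dnf-utils (which provide needs-restarting) is installed.

```python
"""Choose and run the distribution's update commands from /etc/os-release.

Added example, not from the AWS article. Read /etc/os-release, pick apt-get,
yum, dnf or zypper, run it non-interactively, then report whether a reboot
is pending. The *_OS_RELEASE strings are constructed samples.
"""
import os
import shlex
import subprocess
import sys


def parse_os_release(text):
    """Parse KEY=value and KEY="quoted value" lines into a dict."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            fields[key] = " ".join(shlex.split(value))
    return fields


def family(osr):
    """Map ID and ID_LIKE to 'debian', 'rhel' or 'suse' (None if unknown)."""
    for name in [osr.get("ID", "")] + osr.get("ID_LIKE", "").split():
        if name in ("debian", "ubuntu"):
            return "debian"
        if name in ("amzn", "rhel", "centos", "fedora", "rocky", "almalinux"):
            return "rhel"
        if name in ("suse", "sles", "opensuse", "opensuse-leap"):
            return "suse"
    return None


def major_version(osr):
    try:
        return int(osr.get("VERSION_ID", "0").split(".")[0])
    except ValueError:
        return 0


def update_commands(osr):
    """Return the argv lists to run, in order, for this distribution."""
    fam = family(osr)
    if fam == "debian":
        return [["apt-get", "update"], ["apt-get", "-y", "upgrade"]]
    if fam == "rhel":
        # Amazon Linux 2023 and RHEL/CentOS 8+ ship dnf; AL1, AL2 and RHEL 7 use yum.
        if osr.get("ID") == "amzn":
            tool = "dnf" if major_version(osr) >= 2023 else "yum"
        else:
            tool = "dnf" if major_version(osr) >= 8 else "yum"
        return [[tool, "-y", "update"]]
    if fam == "suse":
        return [["zypper", "--non-interactive", "refresh"],
                ["zypper", "--non-interactive", "update"]]
    raise ValueError("unsupported distribution: %r" % osr.get("ID"))


def reboot_required(fam):
    """Check whether the update replaced the running kernel or core libraries."""
    if fam == "debian":
        return os.path.exists("/run/reboot-required")
    if fam == "rhel":  # needs-restarting (yum-utils / dnf-utils) exits 1 when a reboot is due
        return subprocess.run(["needs-restarting", "-r"]).returncode == 1
    if fam == "suse":  # zypper exits 102 (ZYPPER_EXIT_INF_REBOOT_NEEDED) when a reboot is due
        return subprocess.run(["zypper", "needs-rebooting"]).returncode == 102
    return False


def run_patch(os_release_path="/etc/os-release", apply=False):
    """Plan the update; with apply=True also run it and return the reboot status."""
    with open(os_release_path) as fh:
        osr = parse_os_release(fh.read())
    commands = update_commands(osr)
    if not apply:
        return commands, None
    env = dict(os.environ, DEBIAN_FRONTEND="noninteractive")  # keeps apt from prompting
    for argv in commands:
        subprocess.run(argv, check=True, env=env)
    return commands, reboot_required(family(osr))


# Constructed /etc/os-release samples (not copied from real instances).
AL2023_OS_RELEASE = 'NAME="Amazon Linux"\nID="amzn"\nID_LIKE="fedora"\nVERSION_ID="2023"\n'
AL2_OS_RELEASE = 'NAME="Amazon Linux"\nID="amzn"\nID_LIKE="centos rhel fedora"\nVERSION_ID="2"\n'
UBUNTU_OS_RELEASE = 'NAME="Ubuntu"\nID=ubuntu\nID_LIKE=debian\nVERSION_ID="22.04"\n'
ROCKY_OS_RELEASE = 'NAME="Rocky Linux"\nID="rocky"\nID_LIKE="rhel centos fedora"\nVERSION_ID="9.3"\n'
SLES_OS_RELEASE = 'NAME="SLES"\nID="sles"\nID_LIKE="suse"\nVERSION_ID="15.5"\n'

if __name__ == "__main__":
    # Without --apply the script only prints the plan; run it as root with --apply to patch.
    commands, reboot = run_patch(apply="--apply" in sys.argv)
    for argv in commands:
        print(" ".join(argv))
    if reboot:
        print("reboot required")
```

Resolving ID_LIKE as well as ID is what lets the same script handle Rocky or AlmaLinux without listing every rebuild; the version threshold, not the name, decides between yum and dnf.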
    

Use an S3 gateway endpoint

Note: This option only applies to Amazon Linux distributions.

Amazon Simple Storage Service (Amazon S3) gateway endpoints don't require an internet gateway or NAT device in your VPC, and they carry traffic to Amazon S3 at no additional cost. The Amazon Linux package repositories are served from Amazon-owned S3 buckets in each Region, so an instance whose subnet routes to an S3 gateway endpoint can run yum or dnf without any internet path. If you attach a policy to the endpoint, make sure that it allows read access to those repository buckets. Because this option gives the instance no general internet access, it is the tighter choice when the instance needs patches and nothing else from the internet.

For instructions on how to set up S3 gateway endpoints for Amazon Linux packages, see How can I update yum or install packages without internet access on my EC2 instances running Amazon Linux 1, Amazon Linux 2, or Amazon Linux 2023?

Related information

EC2 instance cannot use yum inside private subnet on the Stack Overflow website

How to use PuTTY for forwarding keys on the Stack Exchange website

Manage package and operating system updates in AL2023

Kernel Live Patching on AL2023

AWS OFFICIAL, updated 2 months ago