aws-infrastructure


AWS Infrastructure Expert

Overview

This skill enables AI assistants to help set up and configure AWS infrastructure for micro startups, including EC2 instances, VPCs, security groups, load balancers, DNS, and SSL certificates.

When to Use This Skill

This skill activates when users need:
  • EC2 instance setup and configuration
  • VPC and networking setup
  • Security group configuration
  • Application Load Balancer setup
  • Route53 DNS configuration
  • SSL/TLS certificate management (ACM)
  • Auto-scaling groups
  • CloudWatch monitoring

EC2 Setup

Instance Types

  • Development: t3.medium (2 vCPU, 4GB RAM)
  • Production (small): t3.large (2 vCPU, 8GB RAM)
  • Production (medium): m5.large (2 vCPU, 8GB RAM)

Storage

  • Use gp3 SSD volumes
  • Development: 20GB minimum
  • Production: 100GB+ based on needs
  • Enable EBS snapshots for backups

Key Pairs

  • Generate or import SSH key pairs
  • Store private keys securely
  • Use IAM roles instead of access keys when possible

VPC Configuration

Basic Setup

  • Create VPC with CIDR block (e.g., 10.0.0.0/16)
  • Create public and private subnets
  • Set up Internet Gateway
  • Configure route tables
  • Set up NAT Gateway for private subnets (if needed)

Subnets

  • Public subnets: For load balancers, bastion hosts
  • Private subnets: For application servers, databases
  • Multi-AZ for high availability

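The VPC checklist and the subnet split above can be carried out as a small planning script. This is an added example, not part of the skill file: the 10.0.0.0/16 block is the one named in the text, while the AZ names and the gateway ids are assumed placeholders.

```python
import ipaddress

# Added example: plan the VPC layout from the checklist above.
# The VPC CIDR comes from the text; the AZ names and gateway ids are assumed.
VPC_CIDR = "10.0.0.0/16"
AZS = ["us-east-1a", "us-east-1b"]   # assumed: two AZs for multi-AZ
IGW_ID = "igw-EXAMPLE"               # placeholder ids, not real resources
NAT_ID = "nat-EXAMPLE"


def plan_subnets(vpc_cidr, azs, new_prefix=24):
    """Carve one public and one private /24 per AZ out of the VPC block.

    Public subnets are allocated first, then private ones, so every subnet
    gets a distinct, non-overlapping range taken in order from the VPC."""
    blocks = ipaddress.ip_network(vpc_cidr).subnets(new_prefix=new_prefix)
    plan = []
    for tier in ("public", "private"):
        for az in azs:
            plan.append({"tier": tier, "az": az, "cidr": str(next(blocks))})
    return plan


def default_route(tier, igw_id=IGW_ID, nat_id=NAT_ID):
    """Default route for a subnet's route table: public subnets reach the
    internet through the Internet Gateway; private subnets only go out via
    the NAT Gateway, so nothing on the internet can initiate a connection
    to the application servers or databases placed there."""
    target = igw_id if tier == "public" else nat_id
    return {"DestinationCidrBlock": "0.0.0.0/0", "Target": target}


def no_overlap(plan):
    """Sanity check: no two planned subnets share addresses."""
    nets = [ipaddress.ip_network(s["cidr"]) for s in plan]
    return not any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


def inside_vpc(plan, vpc_cidr=VPC_CIDR):
    """Sanity check: every planned subnet lies inside the VPC block."""
    vpc = ipaddress.ip_network(vpc_cidr)
    return all(ipaddress.ip_network(s["cidr"]).subnet_of(vpc) for s in plan)


if __name__ == "__main__":
    for subnet in plan_subnets(VPC_CIDR, AZS):
        route = default_route(subnet["tier"])
        print(f"{subnet['tier']:8} {subnet['az']:12} {subnet['cidr']:14} -> {route['Target']}")
```

Run it before creating anything: the printed table is the set of subnet CIDRs and default-route targets to feed into the console, CLI or IaC tool, and the two sanity checks catch an overlapping or out-of-range block before it becomes a networking mystery.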
Security Groups

Application Security Group

Inbound:
- HTTP (80) from ALB security group
- HTTPS (443) from ALB security group
- SSH (22) from bastion/your IP only

Outbound:
- All traffic (0.0.0.0/0)

Database Security Group

Inbound:
- MongoDB (27017) from application security group only
- Redis (6379) from application security group only
- SSH (22) from bastion/your IP only

Outbound:
- All traffic (0.0.0.0/0)

Load Balancer Security Group

Inbound:
- HTTP (80) from 0.0.0.0/0
- HTTPS (443) from 0.0.0.0/0

Outbound:
- HTTP (80) to application security group
- HTTPS (443) to application security group

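The three security group blocks above describe a strict chain: internet to ALB only, ALB to application only, application to database only, SSH from the bastion or an operator address only. The script below checks an account's groups against that layout. It is an added example, not part of this skill: the group ids, the operator address (from the 203.0.113.0/24 documentation range) and the deliberately broken database rules are constructed, and the input mirrors the `IpPermissions` shape returned by `aws ec2 describe-security-groups`.

```python
# Added example: audit security-group rules against the least-privilege layout above.
# The input mimics the IpPermissions shape of `aws ec2 describe-security-groups`;
# the group ids and addresses are constructed for this example.
WORLD = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22}            # SSH: only ever from the bastion or an operator IP
DATA_PORTS = {27017, 6379}    # MongoDB / Redis: only ever from the application group

SECURITY_GROUPS = [
    {"GroupId": "sg-alb", "GroupName": "load-balancer", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-app", "GroupName": "application", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-alb"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-alb"}]},
        # operator address from the documentation range, constructed for the example
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "UserIdGroupPairs": []},
    ]},
    # Deliberately misconfigured so the audit has something to report.
    {"GroupId": "sg-db", "GroupName": "database", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 27017, "ToPort": 27017,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-app"}]},
        {"IpProtocol": "tcp", "FromPort": 6379, "ToPort": 6379,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ]},
]
PUBLIC_GROUPS = {"sg-alb"}    # the only group allowed to accept traffic from anywhere


def covers(perm, port):
    """True if the permission includes `port` (IpProtocol -1 means all traffic)."""
    if perm.get("IpProtocol") == "-1":
        return True
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return lo is not None and hi is not None and lo <= port <= hi


def audit(groups, public_groups=PUBLIC_GROUPS):
    """Return (group_id, port, message) for every inbound rule that breaks the layout."""
    findings = []
    for group in groups:
        gid = group["GroupId"]
        for perm in group.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            world = any(c in WORLD for c in cidrs)
            admin = [p for p in ADMIN_PORTS if covers(perm, p)]
            data = [p for p in DATA_PORTS if covers(perm, p)]
            for port in admin:
                if world:
                    findings.append((gid, port, "SSH reachable from the whole internet"))
            for port in data:
                if cidrs:  # any CIDR at all: data ports must be sourced from a security group
                    findings.append((gid, port, "data port sourced from a CIDR; use the app security group"))
            if world and not admin and gid not in public_groups:
                findings.append((gid, perm.get("FromPort"), "world-open rule on a non-public group"))
    return findings


if __name__ == "__main__":
    for gid, port, msg in audit(SECURITY_GROUPS):
        print(f"{gid}\tport {port}\t{msg}")
```

On the constructed input only `sg-db` produces findings: Redis exposed to the world (reported twice, once as a data-port rule and once as a world-open rule on a non-public group) and SSH open to 0.0.0.0/0. To use it against a real account, replace `SECURITY_GROUPS` with the `SecurityGroups` array from `aws ec2 describe-security-groups --output json` and set `PUBLIC_GROUPS` to the id of the ALB group.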
Application Load Balancer

Setup

  1. Create ALB in public subnets
  2. Configure target groups (EC2 instances)
  3. Set up health checks
  4. Configure listeners (HTTP → HTTPS redirect)
  5. Attach SSL certificate from ACM

Health Checks

  • Path: /health or /api/health
  • Protocol: HTTP
  • Port: 3001 (backend) or 3000 (frontend)
  • Healthy threshold: 2
  • Unhealthy threshold: 2
  • Timeout: 5 seconds
  • Interval: 30 seconds

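The thresholds above decide how long a dead instance keeps receiving traffic and how a single slow response is treated. The following added example (not part of the skill file) models the consecutive-probe logic with the values listed above; the probe sequences are constructed, and the validation rule encodes the ALB target-group constraint that the timeout must be shorter than the interval.

```python
from dataclasses import dataclass

# Added example: the threshold logic behind the ALB health-check settings above.
# Values are the ones from the checklist; the probe sequences are constructed.


@dataclass(frozen=True)
class HealthCheck:
    path: str = "/health"
    port: int = 3001          # backend; 3000 for the frontend target group
    healthy_threshold: int = 2
    unhealthy_threshold: int = 2
    timeout_s: int = 5
    interval_s: int = 30


def validate(hc):
    """ALB target groups require the timeout to be shorter than the interval,
    and both thresholds must be at least 1."""
    return (hc.timeout_s < hc.interval_s
            and hc.healthy_threshold >= 1 and hc.unhealthy_threshold >= 1)


def worst_case_removal_s(hc):
    """Upper bound on how long a dead target stays in rotation: it must fail
    `unhealthy_threshold` consecutive probes spaced `interval_s` apart."""
    return hc.unhealthy_threshold * hc.interval_s


def simulate(results, hc):
    """Run probe outcomes (True = passed) through the consecutive-threshold logic.

    Returns (final_status, seconds_at_which_the_target_was_first_marked_unhealthy).
    A single failed probe does not flip a healthy target; only `unhealthy_threshold`
    failures in a row do, and a passing probe in between resets the count. The
    reverse applies on the way back: `healthy_threshold` passes in a row."""
    status, streak, marked_at = "initial", 0, None
    for i, ok in enumerate(results):
        now = i * hc.interval_s
        if status == "healthy":
            streak = 0 if ok else streak + 1
            if streak >= hc.unhealthy_threshold:
                status, streak = "unhealthy", 0
                marked_at = now if marked_at is None else marked_at
        else:  # initial or unhealthy: needs healthy_threshold passes in a row
            streak = streak + 1 if ok else 0
            if streak >= hc.healthy_threshold:
                status, streak = "healthy", 0
    return status, marked_at


if __name__ == "__main__":
    hc = HealthCheck()
    print("config valid:", validate(hc))
    print("worst-case seconds before a dead target is pulled:", worst_case_removal_s(hc))
    print("one blip then two failures:", simulate([True, True, False, True, False, False], hc))
    print("failed then recovered:", simulate([True, True, False, False, True, True], hc))
```

With the listed values a crashed instance can keep receiving requests for up to 60 seconds; shortening the interval lowers that window at the cost of more probe traffic, while raising the unhealthy threshold makes the check more tolerant of one-off timeouts.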
Route53 DNS

Domain Setup

  1. Create hosted zone for domain
  2. Create A record (alias) pointing to ALB
  3. Create CNAME for www subdomain
  4. Update nameservers at domain registrar

SSL/TLS (ACM)

  1. Request certificate in ACM (us-east-1 for CloudFront/ALB)
  2. Validate via DNS (add CNAME records)
  3. Attach certificate to ALB listener
  4. Certificate auto-renews

CloudWatch Monitoring

Metrics

  • EC2: CPU, Memory, Disk, Network
  • ALB: Request count, Target response time, HTTP errors
  • Custom metrics for application-specific data

Alarms

  • High CPU utilization
  • Low disk space
  • Application errors (via CloudWatch Logs)
  • Unhealthy target instances

Best Practices

  • Use IAM roles instead of access keys
  • Enable CloudTrail for audit logging
  • Use VPC endpoints for AWS service access
  • Implement least privilege security groups
  • Use private subnets for databases
  • Enable encryption at rest for EBS volumes
  • Set up automated backups (EBS snapshots)
  • Monitor costs with AWS Cost Explorer

Integration

This skill integrates with /db-setup for MongoDB on EC2 and /deploy for deployment workflows.