How do I configure my subnets for an Amazon EKS cluster?

Last updated: 2021-10-04

I want to configure my subnets to work with my Amazon Elastic Kubernetes Service (Amazon EKS) cluster.

Short description

Choose one of the following configuration options:

  • To get outbound and inbound internet access from your worker nodes, complete the steps in the Configure a public subnet section.
  • To get only outbound internet access from your worker nodes, complete the steps in the Configure a private subnet with outbound internet access section.
  • To restrict both outbound and inbound internet access from your worker nodes, complete the steps in the Configure a private subnet with no internet access section. For example, choose this option for a private Amazon EKS cluster.

Resolution

Configure a public subnet

When you create a subnet for your Amazon EKS cluster, consider the following:

1.    Associate your subnet with a route table that's configured to route traffic to the 0.0.0.0/0 destination through an internet gateway (for example, igw-xxxxxxxx).

2.    Enable the auto-assign public IPv4 address attribute for your subnet.

3.    Complete the steps in the Restrict deployment of load balancers with subnet tagging section.

Configure a private subnet with outbound internet access

When you create a subnet for your Amazon EKS cluster, consider the following:

1.    Associate your subnet with a route table that's configured to route traffic to a NAT gateway to allow only outbound connectivity to the internet.

2.    Verify that the auto-assign public IPv4 address for your subnet isn't enabled.

3.    Complete the steps in the Restrict deployment of load balancers with subnet tagging section.

Configure a private subnet with no internet access

1.    To block internet access to your worker nodes, verify that your subnet isn't associated with a route table that's configured to route traffic to either a NAT gateway or an internet gateway.

2.    Verify that the auto-assign public IPv4 address isn't enabled.

3.    Create Amazon Virtual Private Cloud (Amazon VPC) endpoints for your VPC. The following VPC endpoints are required for your worker nodes to join your Amazon EKS cluster:

com.amazonaws.your_region.ec2
com.amazonaws.your_region.ecr.api
com.amazonaws.your_region.ecr.dkr
com.amazonaws.your_region.s3

Note: Replace your_region with your AWS Region.

4.    (If required) Create additional VPC endpoints based on your application requirements. See the following examples.

For Amazon CloudWatch Logs:

com.amazonaws.your_region.logs

For a Kubernetes Cluster Autoscaler or AWS Identity and Access Management (IAM) roles for service accounts:

com.amazonaws.your_region.sts

For an Application Load Balancer:

com.amazonaws.your_region.elasticloadbalancing

For a Kubernetes Cluster Autoscaler:

com.amazonaws.your_region.autoscaling

For AWS App Mesh:

com.amazonaws.your_region.appmesh-envoy-management

For AWS X-Ray:

com.amazonaws.your_region.xray

Note: Replace your_region with your AWS Region.

5.    Complete the steps in the Restrict deployment of load balancers with subnet tagging section.

Restrict deployment of load balancers with subnet tagging

Subnet tagging tells the AWS Load Balancer Controller which subnets can be used to create external or internal load balancers.

For public subnets:

To restrict the deployment of external load balancers created by the AWS Load Balancer Controller to a specific public subnet in your VPC, tag that subnet as follows:

Key - kubernetes.io/role/elb
Value - 1

For private subnets:

To restrict the deployment of internal load balancers created by the AWS Load Balancer Controller to a specific private subnet, tag that subnet as follows:

Key - kubernetes.io/role/internal-elb
Value - 1

Note: The number of pods that can run in a subnet depends on the number of free IP addresses available in the subnet. Confirm that the subnets that you specify during cluster creation have enough available IP addresses for the network interfaces created by Amazon EKS. It's a best practice to create small (that is, /28), dedicated subnets for the network interfaces created by Amazon EKS, and to specify only these subnets during cluster creation. Launch other resources, such as nodes and load balancers, in separate subnets from the subnets specified during cluster creation.
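The following Python script is an added example for checking the configuration described in the three subnet sections, the VPC endpoint list and the tagging section above; it is not part of this article and not an AWS tool. It works on the JSON shapes that `aws ec2 describe-route-tables`, `aws ec2 describe-subnets` and `aws ec2 describe-vpc-endpoints` return (constructed sample data with placeholder IDs is embedded inline, and the us-east-1 Region is assumed). For each subnet it reports which of the three configurations the subnet's default route matches, whether the auto-assign public IPv4 setting and the load balancer role tag agree with that configuration, whether the four required VPC endpoints exist for a subnet with no internet access, and how many addresses the subnet's CIDR leaves after the five that AWS reserves in every subnet.

```python
import ipaddress

# Constructed sample data shaped like the JSON that `aws ec2 describe-route-tables`,
# `aws ec2 describe-subnets` and `aws ec2 describe-vpc-endpoints` return. IDs are placeholders.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]},
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-public"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123456789abcdef0", "State": "active"}]},
    {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-private"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123456789abcdef0", "State": "active"}]},
]
# subnet-isolated has no explicit association, so it falls back to the VPC's main route table.
SUBNETS = [
    {"SubnetId": "subnet-public", "CidrBlock": "10.0.0.0/24", "MapPublicIpOnLaunch": True,
     "AvailableIpAddressCount": 200, "Tags": [{"Key": "kubernetes.io/role/elb", "Value": "1"}]},
    {"SubnetId": "subnet-private", "CidrBlock": "10.0.1.0/24", "MapPublicIpOnLaunch": False,
     "AvailableIpAddressCount": 150, "Tags": [{"Key": "kubernetes.io/role/internal-elb", "Value": "1"}]},
    {"SubnetId": "subnet-isolated", "CidrBlock": "10.0.2.0/28", "MapPublicIpOnLaunch": True,
     "AvailableIpAddressCount": 11, "Tags": []},
]
VPC_ENDPOINTS = [
    {"ServiceName": "com.amazonaws.us-east-1.ec2", "State": "available"},
    {"ServiceName": "com.amazonaws.us-east-1.ecr.api", "State": "available"},
    {"ServiceName": "com.amazonaws.us-east-1.s3", "State": "available"},
]
# Endpoints the article lists as required for nodes in a subnet with no internet access.
REQUIRED_ENDPOINT_SERVICES = ["ec2", "ecr.api", "ecr.dkr", "s3"]
ROLE_TAG = {"public": "kubernetes.io/role/elb",
            "private-egress": "kubernetes.io/role/internal-elb",
            "private-isolated": "kubernetes.io/role/internal-elb"}
AWS_RESERVED_PER_SUBNET = 5  # network, VPC router, DNS, future use, broadcast


def route_table_for(subnet_id, route_tables):
    """An explicit association wins; otherwise the VPC's main route table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def classify(subnet, route_tables):
    """Map a subnet to one of the three configurations from the article via its 0.0.0.0/0 route."""
    rt = route_table_for(subnet["SubnetId"], route_tables)
    for route in (rt or {}).get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0" or route.get("State") != "active":
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            return "public"
        if route.get("NatGatewayId"):
            return "private-egress"
    return "private-isolated"


def usable_addresses(cidr):
    """Addresses left for network interfaces and pods after AWS's five reserved addresses."""
    return ipaddress.ip_network(cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def audit(subnet, route_tables, endpoints, region):
    """Return (configuration, list of mismatches) for one subnet."""
    kind = classify(subnet, route_tables)
    problems = []
    if kind == "public" and not subnet["MapPublicIpOnLaunch"]:
        problems.append("auto-assign public IPv4 is disabled on a public subnet")
    if kind != "public" and subnet["MapPublicIpOnLaunch"]:
        problems.append("auto-assign public IPv4 is enabled on a private subnet")
    tags = {t["Key"]: t["Value"] for t in subnet.get("Tags", [])}
    if tags.get(ROLE_TAG[kind]) != "1":
        problems.append(f"missing subnet tag {ROLE_TAG[kind]}=1")
    if kind == "private-isolated":
        available = {e["ServiceName"] for e in endpoints if e["State"] == "available"}
        for svc in REQUIRED_ENDPOINT_SERVICES:
            name = f"com.amazonaws.{region}.{svc}"
            if name not in available:
                problems.append(f"missing VPC endpoint {name}")
    return kind, problems


if __name__ == "__main__":
    for s in SUBNETS:
        kind, problems = audit(s, ROUTE_TABLES, VPC_ENDPOINTS, "us-east-1")
        print(f"{s['SubnetId']}: {kind}, {usable_addresses(s['CidrBlock'])} usable addresses")
        for p in problems:
            print("  -", p)
```

On the sample data, subnet-isolated is flagged three times: auto-assign public IPv4 is still on, the internal-elb tag is missing, and the ecr.dkr endpoint has not been created, so nodes there could not pull images. To run it against a real VPC, replace the three constants with the parsed output of the corresponding describe commands; the main-route-table fallback matters because a subnet with no explicit association silently inherits whatever default route the main table carries.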