[*]
The Principle
To make an Amazon Elastic Kubernetes Service (EKS) cluster personal and permit nodes to hitch via a node group, it’s essential observe a number of steps. By default, EKS creates a public cluster, however you’ll be able to configure it to make it personal for enhanced safety. Right here’s an outline of the method:
- Create a VPC: Begin by making a Digital Personal Cloud (VPC) in your AWS account when you haven’t already. This VPC will likely be used to host your personal EKS cluster.
- Create personal subnets: Throughout the VPC, create a number of personal subnets. These subnets will present the community isolation required for a non-public cluster. Be certain that the subnets haven’t any direct web entry and that their route tables do not need an web gateway connected.
- Create safety teams: Create safety teams to outline the inbound and outbound site visitors guidelines on your EKS cluster and nodes. These safety teams ought to permit communication between the management airplane and the employee nodes, in addition to some other needed community site visitors.
- Create a NAT gateway: For the reason that personal subnets don’t have direct web entry, it’s essential arrange a Community Tackle Translation (NAT) gateway in a public subnet to allow outbound web connectivity for sources within the personal subnets.
- Configure VPC endpoints: Create VPC endpoints for EKS and EC2 to permit personal communication between your EKS cluster management airplane and the employee nodes. These endpoints will make sure that the management airplane and nodes can talk with out requiring entry to the general public web.
- Create a non-public EKS cluster: Now, create a non-public EKS cluster utilizing the AWS Administration Console, AWS CLI, or AWS SDKs. Through the cluster creation, specify the personal subnets, safety teams, and VPC endpoints you created earlier. This can make sure that the cluster is deployed inside the personal subnets and may talk with the nodes through the VPC endpoints.
- Create a node group: As soon as the cluster is created, you’ll be able to proceed to create a node group. When creating the node group, specify the personal subnets and safety teams that you just arrange earlier. The node group will likely be deployed within the personal subnets and be part of the personal EKS cluster.
Following these steps will lead to a non-public EKS cluster the place the management airplane and employee nodes talk privately via the VPC endpoints. The personal nature of the cluster enhances safety by decreasing publicity to the general public web.
Be aware that these steps present a high-level overview of the method, and there could also be further concerns or customizations based mostly in your particular necessities. For detailed directions and essentially the most up-to-date data, it’s really helpful to check with the official AWS EKS documentation.
How to do that in Terraform
To create a non-public Amazon EKS cluster and permit nodes to hitch via a node group utilizing Terraform, you’ll be able to observe the steps outlined under:
- Arrange the mandatory Terraform recordsdata: Create a brand new listing on your Terraform configuration and create the principle.tf file inside it.
- Configure the AWS supplier: In the principle.tf file, configure the AWS supplier to outline your AWS entry credentials and the specified area:
supplier "aws" {
area = "your_region"
}
- Create a VPC: Outline a VPC useful resource to create the Digital Personal Cloud:
useful resource "aws_vpc" "my_vpc" {
cidr_block = "10.0.0.0/16"
}
- Create personal subnets: Outline personal subnets inside the VPC to host your EKS cluster:
useful resource "aws_subnet" "private_subnet" {
rely = 2
vpc_id = aws_vpc.my_vpc.id
cidr_block = "10.0.${rely.index}.0/24"
}
- Create safety teams: Outline safety teams to permit inbound and outbound site visitors for the EKS cluster:
useful resource "aws_security_group" "eks_cluster_sg" {
vpc_id = aws_vpc.my_vpc.id
# Outline inbound and outbound guidelines as per your necessities
# Instance:
ingress {
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
}
- Create a NAT gateway: Configure a NAT gateway to offer outbound web entry to sources within the personal subnets:
useful resource "aws_eip" "nat_eip" {
vpc = true
}
useful resource "aws_nat_gateway" "nat_gateway" {
allocation_id = aws_eip.nat_eip.id
subnet_id = aws_subnet.private_subnet[0].id
}
# Create a route desk entry for the NAT gateway
useful resource "aws_route" "private_subnet_nat_route" {
route_table_id = aws_subnet.private_subnet[0].route_table_id
destination_cidr_block = "0.0.0.0/0"
nat_gateway_id = aws_nat_gateway.nat_gateway.id
}
- Configure VPC endpoints: Create VPC endpoints for EKS and EC2 to allow personal communication:
useful resource "aws_vpc_endpoint" "eks_endpoint" {
vpc_id = aws_vpc.my_vpc.id
service_name = "com.amazonaws.${var.area}.eks"
}
useful resource "aws_vpc_endpoint" "ec2_endpoint" {
vpc_id = aws_vpc.my_vpc.id
service_name = "com.amazonaws.${var.area}.ec2"
}
- Create a non-public EKS cluster: Outline the EKS cluster useful resource with the suitable settings:
useful resource "aws_eks_cluster" "my_eks_cluster" {
identify = "my-cluster"
role_arn = aws_iam_role.my_eks_role.arn
vpc_config {
subnet_ids = aws_subnet.private_subnet[*].id
security_group_ids = [aws_security_group.eks_cluster_sg.id]
endpoint_private_access = true
endpoint_public_access = false
}
depends_on = [
aws_vpc_endpoint.eks_endpoint,
aws_vpc_endpoint.ec2_endpoint
]
}
- Create a node group: Outline the EKS node group useful resource to hitch the personal EKS cluster:
useful resource "aws_eks_node_group" "my_eks_nodegroup" {
cluster_name = aws_eks_cluster.my_eks_cluster.identify
node_group_name = "my-nodegroup"
node_group_config {
instance_type = "your_instance_type"
desired_size = 1
min_size = 1
max_size = 1
subnet_ids = aws_subnet.private_subnet[*].id
ami_type = "AL2_x86_64"
}
}
- Apply the Terraform configuration: Initialize the Terraform working listing and apply the configuration:
terraform init
terraform apply
This configuration will create a non-public VPC, subnets, safety teams, NAT gateway, VPC endpoints, EKS cluster, and a node group that joins the personal cluster.
Be certain that to customise the configuration in keeping with your particular necessities, equivalent to VPC CIDR blocks, safety group guidelines, EKS cluster identify, node group occasion sort, and so forth.
Be aware: It is a simplified instance, and there could also be further sources or configuration choices it’s essential take into account based mostly in your particular wants. It’s really helpful to check with the Terraform AWS supplier documentation for detailed data on every useful resource and its attributes.
How to do that in CloudFormation
To create a non-public Amazon EKS cluster and permit nodes to hitch via a node group utilizing AWS CloudFormation, you need to use AWS CloudFormation templates to outline the infrastructure as code. Right here’s an overview of the steps to perform this:
- Create an AWS CloudFormation template: Create a brand new CloudFormation template in YAML or JSON format. This template will outline the sources required on your personal EKS cluster.
- Outline the VPC and subnets: Specify the VPC and personal subnets the place your EKS cluster will reside:
Sources:
MyVPC:
Kind: AWS::EC2::VPC
Properties:
CidrBlock: 10.0.0.0/16
PrivateSubnet1:
Kind: AWS::EC2::Subnet
Properties:
VpcId: !Ref MyVPC
CidrBlock: 10.0.0.0/24
PrivateSubnet2:
Kind: AWS::EC2::Subnet
Properties:
VpcId: !Ref MyVPC
CidrBlock: 10.0.1.0/24
- Create safety teams: Outline the safety teams to regulate inbound and outbound site visitors on your EKS cluster:
Sources:
EKSSecurityGroup:
Kind: AWS::EC2::SecurityGroup
Properties:
GroupDescription: EKS safety group
VpcId: !Ref MyVPC
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: 0.0.0.0/0
SecurityGroupEgress:
- IpProtocol: "-1"
FromPort: 0
ToPort: 0
CidrIp: 0.0.0.0/0
- Create a NAT gateway: Arrange a NAT gateway to allow outbound web entry for the personal subnets:
Sources:
MyEIP:
Kind: AWS::EC2::EIP
Properties:
Area: vpc
MyNATGateway:
Kind: AWS::EC2::NatGateway
Properties:
AllocationId: !GetAtt MyEIP.AllocationId
SubnetId: !Ref PrivateSubnet1
PrivateSubnet1RouteTable:
Kind: AWS::EC2::RouteTable
Properties:
VpcId: !Ref MyVPC
PrivateSubnet1Route:
Kind: AWS::EC2::Route
DependsOn: MyNATGateway
Properties:
RouteTableId: !Ref PrivateSubnet1RouteTable
DestinationCidrBlock: 0.0.0.0/0
NatGatewayId: !Ref MyNATGateway
PrivateSubnet1Association:
Kind: AWS::EC2::SubnetRouteTableAssociation
Properties:
SubnetId: !Ref PrivateSubnet1
RouteTableId: !Ref PrivateSubnet1RouteTable
- Configure VPC endpoints: Create VPC endpoints for EKS and EC2 to allow personal communication:
Sources:
EKSEndpoint:
Kind: AWS::EC2::VPCEndpoint
Properties:
VpcId: !Ref MyVPC
ServiceName: com.amazonaws.<area>.eks
EC2Endpoint:
Kind: AWS::EC2::VPCEndpoint
Properties:
VpcId: !Ref MyVPC
ServiceName: com.amazonaws.<area>.ec2
- Create a non-public EKS cluster: Outline the EKS cluster useful resource with the suitable settings:
Sources:
MyEKSCluster:
Kind: AWS::EKS::Cluster
Properties:
Title: my-cluster
ResourcesVpcConfig:
SecurityGroupIds:
- !Ref EKSSecurityGroup
SubnetIds:
- !Ref PrivateSubnet1
- !Ref PrivateSubnet2
Model: "1.21"
RoleArn: arn:aws:iam::123456789012:position/MyEKSClusterRole
KubernetesNetworkConfig:
ServiceIpv4Cidr: "10.100.0.0/16"
- Create a node group: Outline the EKS node group useful resource to hitch the personal EKS cluster:
Sources:
MyEKSNodeGroup:
Kind: AWS::EKS::Nodegroup
Properties:
ClusterName: !Ref MyEKSCluster
NodegroupName: my-nodegroup
ScalingConfig:
DesiredSize: 1
MinSize: 1
MaxSize: 3
Subnets:
- !Ref PrivateSubnet1
- !Ref PrivateSubnet2
InstanceTypes:
- t3.medium
RemoteAccess:
Ec2SshKey: my-key-pair
- Deploy the CloudFormation stack: Use the AWS Administration Console, AWS CLI, or AWS SDKs to deploy the CloudFormation stack along with your template.
Be sure that you customise the configuration based mostly in your particular necessities, equivalent to VPC CIDR blocks, safety group guidelines, EKS cluster identify, node group occasion sort, and so forth.
Please notice that this can be a simplified instance, and extra concerns and customization could also be required based mostly in your particular wants. For extra detailed data on every useful resource and its properties, seek the advice of the AWS CloudFormation documentation.
[*]