Is there a way to use a NAT instance instead of a NAT gateway as egress in a Kubernetes cluster on AWS for private subnets?

8/25/2017

I created a Kubernetes cluster using Kops on AWS in a private subnet. When using a NAT gateway as the point of egress in the cluster, everything works fine. But when I try to deploy a NAT instance as the point of egress in my cluster, it does not work. I cannot figure out a way to use a NAT instance as egress in my cluster, nor am I able to figure out the issue. Any guidance or tutorial that can help in this case is most welcome.

-- Aditya Kumar Ghosh
amazon-web-services
kops
kubectl
kubernetes
nat

1 Answer

8/25/2017

A few gotchas that are easy to miss:

  • The NAT instance needs to be deployed into a public subnet (i.e. one with an internet gateway attached and a route out through that internet gateway).
  • The NAT instance needs the Source/Destination check disabled (in the AWS console, you can get to this via Actions -> Networking -> Change Source/Dest. Check).
  • The private subnet's routing table needs a route to the NAT instance (presumably for 0.0.0.0/0 but you could scope it narrower if you need less).

See the AWS NAT Instance docs, or this AWS tutorial on NAT with public/private subnets, for more details.

My understanding is that NAT instances are potentially a scalability bottleneck, so if you have a lot of outgoing traffic you may ultimately need to move back to a NAT gateway, upgrade the NAT instance, or do some fancier things with a group of NAT instances.

-- trptcolin
Source: StackOverflow
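The three gotchas in the answer above are each a single attribute in the AWS API, so they can be verified mechanically against `aws ec2 describe-instances`, `describe-route-tables`, `describe-subnets` and `describe-security-groups` output before anyone starts tcpdump-ing on the NAT instance. The checker below is an added example, not code from the question, the answer or kops; the input is a constructed, trimmed imitation of that describe output with made-up IDs and CIDRs, and the dictionary layout that joins the four calls (`nat_instance`, `route_tables`, `subnets`, `security_groups`) is this example's own. It also adds one check the answer does not mention: the NAT instance's security group has to accept inbound traffic from the private subnet, otherwise the route is right but the packets are still dropped.

```python
"""Check the NAT-instance egress gotchas against trimmed describe-* output.

Added example, not part of the original post. SAMPLE is a constructed
imitation of `aws ec2 describe-*` output; IDs and CIDRs are made up.
"""
import copy
import ipaddress

# Constructed sample describing a healthy setup (not real AWS data).
SAMPLE = {
    "nat_instance": {
        "InstanceId": "i-0123456789abcdef0",
        "SubnetId": "subnet-public",
        "SourceDestCheck": False,
        "SecurityGroups": [{"GroupId": "sg-nat"}],
    },
    "route_tables": [
        {
            "RouteTableId": "rtb-public",
            "Associations": [{"SubnetId": "subnet-public"}],
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"},
            ],
        },
        {
            "RouteTableId": "rtb-private",
            "Associations": [{"SubnetId": "subnet-private"}],
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-0123456789abcdef0"},
            ],
        },
    ],
    "subnets": {"subnet-public": "10.0.0.0/24", "subnet-private": "10.0.1.0/24"},
    "security_groups": {
        "sg-nat": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.1.0/24"}]}],
    },
}


def route_table_for(subnet_id, route_tables):
    """Return the route table explicitly associated with subnet_id, or None."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt.get("Associations", [])):
            return rt
    return None


def default_route(rt):
    """Return the 0.0.0.0/0 route of a route table, or None."""
    for route in (rt or {}).get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route
    return None


def check_nat_egress(desc, private_subnet_id):
    """Return a list of problem codes; an empty list means every check passed."""
    problems = []
    nat = desc["nat_instance"]

    # Gotcha 1: the NAT instance's own subnet must route 0.0.0.0/0 to an internet gateway.
    pub_default = default_route(route_table_for(nat["SubnetId"], desc["route_tables"]))
    if not pub_default or not str(pub_default.get("GatewayId", "")).startswith("igw-"):
        problems.append("nat-instance-not-in-public-subnet")

    # Gotcha 2: source/destination checking must be off, or EC2 drops the forwarded packets.
    if nat.get("SourceDestCheck", True):
        problems.append("source-dest-check-enabled")

    # Gotcha 3: the private subnet's default route must target the NAT instance itself.
    priv_default = default_route(route_table_for(private_subnet_id, desc["route_tables"]))
    if not priv_default or priv_default.get("InstanceId") != nat["InstanceId"]:
        problems.append("private-default-route-not-via-nat-instance")

    # Extra check beyond the answer: the NAT instance's security group must accept
    # inbound traffic from the private subnet's CIDR, or the route leads nowhere.
    private_cidr = ipaddress.ip_network(desc["subnets"][private_subnet_id])
    allowed = False
    for sg in nat.get("SecurityGroups", []):
        for perm in desc["security_groups"].get(sg["GroupId"], []):
            for rng in perm.get("IpRanges", []):
                if private_cidr.subnet_of(ipaddress.ip_network(rng["CidrIp"])):
                    allowed = True
    if not allowed:
        problems.append("nat-security-group-blocks-private-subnet")

    return problems


def broken_sample():
    """SAMPLE with source/dest check left on and the private route pointing at a NAT gateway."""
    bad = copy.deepcopy(SAMPLE)
    bad["nat_instance"]["SourceDestCheck"] = True
    bad["route_tables"][1]["Routes"][1] = {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abc"}
    return bad


if __name__ == "__main__":
    print("healthy:", check_nat_egress(SAMPLE, "subnet-private") or "ok")
    print("broken: ", check_nat_egress(broken_sample(), "subnet-private"))
```

To run this against a real account, replace SAMPLE with the corresponding fields from the four describe calls; the route entries keep the same keys (`GatewayId`, `InstanceId`, `NatGatewayId`) that the real API returns, which is also why the private-route check compares against `InstanceId` rather than accepting any non-local target.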