K
Q

Communicating with a IP whitelisted service with EKS

7/10/2019

I have set up an EKS cluster using eksctl using all the default settings and now need to communicate with an external service which uses IP whitelisting. Obviously requests made to the service from my cluster come from whichever node the request was made from, but the list of nodes (and their ips) can and will change frequently so I cannot supply a single IP address for them to whitelist. After looking into this I found that I need to use a NAT Gateway.

I am having some trouble getting this to work, I have tried setting AWS_VPC_K8S_CNI_EXTERNALSNAT to true however doing so prevents all outgoing traffic on my cluster, I assume because the return packets do not know where to go so I never get the response. I've tried playing around with the route tables to no avail.

Any assistance is much appreciated.

-- JazzyP
amazon-eks
aws-eks
eks
kubernetes
networking

Similar Questions

How to change the IP and port of etcd listening
kibana 7.2 can't reach elasticsearch on kubernetes
What is the difference between ingress value as blank array and value - {}?
What is the best strategy to setup limits/requests in the kubernetes?

2 Answers

10/16/2019

Needed to do the same and I found that eksctl tool have flag --node-private-networking which is making all communication via NAT, so IP remains the same for all external calls.

eksctl create cluster \
    --name production \
    --version 1.14 \
    --nodegroup-name kube-workers \
    --node-type t3.medium \
    --nodes 3 \
    --nodes-min 1 \
    --nodes-max 5 \
    --node-ami auto \
    --node-private-networking \
    --ssh-access
-- h0x91B
Source: StackOverflow
7/12/2019

You can follow this guide to create public subnets and private subnets in your VPC.

Then create NAT gateways in public subnets. Also run all EKS nodes in private subnets. The pods in K8S will use NAT gateway to access the internet services.

-- Kane
Source: StackOverflow