I have set up an EKS cluster using eksctl using all the default settings and now need to communicate with an external service which uses IP whitelisting. Obviously requests made to the service from my cluster come from whichever node the request was made from, but the list of nodes (and their ips) can and will change frequently so I cannot supply a single IP address for them to whitelist. After looking into this I found that I need to use a NAT Gateway.
I am having some trouble getting this to work, I have tried setting AWS_VPC_K8S_CNI_EXTERNALSNAT to true however doing so prevents all outgoing traffic on my cluster, I assume because the return packets do not know where to go so I never get the response. I've tried playing around with the route tables to no avail.
Any assistance is much appreciated.
Needed to do the same and I found that eksctl
tool have flag --node-private-networking
which is making all communication via NAT, so IP remains the same for all external calls.
eksctl create cluster \
--name production \
--version 1.14 \
--nodegroup-name kube-workers \
--node-type t3.medium \
--nodes 3 \
--nodes-min 1 \
--nodes-max 5 \
--node-ami auto \
--node-private-networking \
--ssh-access
You can follow this guide to create public subnets and private subnets in your VPC.
Then create NAT gateways in public subnets. Also run all EKS nodes in private subnets. The pods in K8S will use NAT gateway to access the internet services.