Accessing EKS service privately within AWS infra

7/31/2020

I have a service in K8S which I want to access from another EKS cluster's POD privately.

service.yaml

apiVersion: v1
kind: Service
metadata:
  name: test
  namespace: test
spec:
  type: LoadBalancer
  selector:
    app: test
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 8888

In the LoadBalancer's security group I have removed 0.0.0.0/0 and enabled only the client's worker node IP and pod IP.

Worker Node IP

Type: All traffic
Protocol: All
Port range: All
Source: 10.x.0.0/16

POD IP

Type: All traffic
Protocol: All
Port range: All
Source: 10.x.x.x/32

Now when I telnet to the service from the client's pod, telnet hangs in the Trying state:

telnet xxxx-xxxxx.us-west-1.elb.amazonaws.com 80
Trying xx.xxx.xxx.xxx...

If I allow all sources in the security group, like below, everything works fine, which is not the intended behavior because this resource must be accessed privately.

Type: HTTP
Protocol: TCP
Port range: 80
Source: 0.0.0.0/0

I tried other options in the service; nothing worked.

....
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
    service.beta.kubernetes.io/aws-load-balancer-internal: "true"
....
spec:
  externalTrafficPolicy: Local # Tried both Cluster and Local
....
-- sravis
amazon-eks
amazon-web-services
kubernetes
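As an added example (not the poster's manifest), the same source restriction expressed in the Service object itself, assuming a classic ELB and private connectivity between the two clusters' VPCs: the internal annotation keeps the load balancer's DNS name on private VPC addresses, and loadBalancerSourceRanges has the AWS cloud controller create the security-group ingress rules for the listed CIDRs, so they are not edited by hand. The CIDR 10.0.0.0/16 is a placeholder for the client cluster's node/pod range.

```yaml
# Added example manifest; not the poster's code. Assumes a classic ELB
# (no aws-load-balancer-type annotation) and that the two clusters can
# reach each other's private addresses (shared VPC, peering or TGW).
apiVersion: v1
kind: Service
metadata:
  name: test
  namespace: test
  annotations:
    # Internal ELB: DNS resolves to private VPC IPs, so a client pod
    # connects directly and arrives with its private source address
    # rather than through a NAT gateway.
    service.beta.kubernetes.io/aws-load-balancer-internal: "true"
spec:
  type: LoadBalancer
  selector:
    app: test
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 8888
  # Allowed client CIDRs; the cloud controller turns these into ingress
  # rules on the ELB security group for the service port only.
  # Use the client cluster's node/pod range, not a single pod /32:
  # pod IPs change on every reschedule and a /32 rule silently breaks.
  loadBalancerSourceRanges:
    - 10.0.0.0/16   # placeholder: client cluster VPC/subnet range
```

With a classic ELB the security group on the load balancer is what these rules populate; an NLB created by the in-tree provider has no security group of its own, so the worker-node security group of the target cluster is what has to admit the client range in that case.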
