How to launch EKS node group into a private subnet without a NAT gateway?

2/27/2021

I am using EKS and I want to enhance the security by keeping one of the two nodegroups in a private subnet. However, I have read a few documents from AWS which say that if a nodegroup has to be launched in a private subnet then there has to be a NAT gateway connection so that the nodegroup can connect with the AWS control plane VPC and communicate with the master. Putting up a NAT will be too much because of its charges. If there is a workaround which I can use then I would be happy to know about it. I know that using eksctl we can launch a nodegroup into a private subnet without NAT, but I need something which can be done without eksctl. If I am wrong in my understanding then please do let me know.

-- Kaustubh
amazon-eks
amazon-vpc
amazon-web-services
kubernetes

1 Answer

2/27/2021

AWS provides an explanation and a VPC template (amazon-eks-fully-private-vpc.yaml) for EKS without NAT in a post titled:

Instead of NAT, VPC interface endpoints are used for:

  • ec2
  • logs
  • ecr.api
  • ecr.dkr
  • sts
-- Marcin
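As an added example (not the answer's own code nor AWS's template), the AWS CLI calls behind this setup with placeholder ids, printed for review rather than executed. Beyond the answer's list it assumes two further pieces a practitioner needs: the S3 gateway endpoint that ECR image layer pulls rely on, and private endpoint access on the cluster so kubelet can reach the API server without leaving the VPC.

```shell
#!/usr/bin/env bash
# Added example, not the answer's own code: print the AWS CLI calls that give a
# private EKS node group its AWS dependencies without a NAT gateway. All ids are
# placeholders; commands are printed, not run, so they can be reviewed first.
set -euo pipefail
REGION="${REGION:-us-east-1}"
CLUSTER="${CLUSTER:-my-cluster}"
VPC_ID="${VPC_ID:-vpc-PLACEHOLDER}"
VPC_CIDR="${VPC_CIDR:-10.0.0.0/16}"
SUBNET_IDS="${SUBNET_IDS:-subnet-PLACEHOLDER1 subnet-PLACEHOLDER2}"  # private subnets
ROUTE_TABLE_ID="${ROUTE_TABLE_ID:-rtb-PLACEHOLDER}"  # route table of those subnets
ENDPOINT_SG="${ENDPOINT_SG:-sg-PLACEHOLDER}"         # security group on the endpoints
INTERFACE_SERVICES="ec2 logs ecr.api ecr.dkr sts"    # the endpoints the answer lists

service_name() { printf 'com.amazonaws.%s.%s' "$REGION" "$1"; }

# Interface endpoint in the private subnets. Private DNS makes the SDKs, kubelet
# and the container runtime resolve the public service hostnames to the
# endpoint ENIs, so no route to the internet is needed.
interface_endpoint_cmd() {
  printf 'aws ec2 create-vpc-endpoint --region %s --vpc-id %s --vpc-endpoint-type Interface --service-name %s --subnet-ids %s --security-group-ids %s --private-dns-enabled\n' \
    "$REGION" "$VPC_ID" "$(service_name "$1")" "$SUBNET_IDS" "$ENDPOINT_SG"
}
# ECR keeps image layers in S3, so the ecr.* endpoints alone are not enough;
# S3 is a free Gateway endpoint attached to the private route table.
s3_gateway_cmd() {
  printf 'aws ec2 create-vpc-endpoint --region %s --vpc-id %s --vpc-endpoint-type Gateway --service-name %s --route-table-ids %s\n' \
    "$REGION" "$VPC_ID" "$(service_name s3)" "$ROUTE_TABLE_ID"
}
# Least privilege on the endpoint security group: HTTPS only, VPC sources only.
endpoint_sg_ingress_cmd() {
  printf 'aws ec2 authorize-security-group-ingress --region %s --group-id %s --protocol tcp --port 443 --cidr %s\n' \
    "$REGION" "$ENDPOINT_SG" "$VPC_CIDR"
}
# kubelet reaches the API server via the cluster's in-VPC ENIs only when private
# endpoint access is on; with public-only access the nodes would need NAT.
cluster_private_endpoint_cmd() {
  printf 'aws eks update-cluster-config --region %s --name %s --resources-vpc-config endpointPrivateAccess=true,endpointPublicAccess=false\n' \
    "$REGION" "$CLUSTER"
}
emit_all() {
  endpoint_sg_ingress_cmd
  for svc in $INTERFACE_SERVICES; do interface_endpoint_cmd "$svc"; done
  s3_gateway_cmd
  cluster_private_endpoint_cmd
}
emit_all   # review the output, then pipe it to sh to apply
```

Each interface endpoint is billed per hour and per GB, so compare that against the NAT gateway price for your traffic profile before committing.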
Source: StackOverflow