K
Q

How to launch EKS node group into a private subnet without a NAT gateway?

2/27/2021

I am using EKS and I want to enhance the security by keeping one out of the total two nodegroups into a private subnet. However, I have read few documents from AWS where it is a need that if a nodegroup has to be launched in private subnet then there has to be a NAT gateway connection so that the nodegroup can connect with the AWS Control plane VPC and communicate to the master. Putting up NAT will be too much because of its charges. If there is a workaround which I can use then I would be happy to know about it. I know using eksctl we can launch a nodegroup into private subnet without NAT. But I need something which can be done without eksctl. If I am wrong in my understanding then please do let me know.

-- Kaustubh
amazon-eks
amazon-vpc
amazon-web-services
kubernetes

Similar Questions

Prometheus: Better Option to monitor external K8s Cluster
Static files not loading when using Kubernetes ingress with HAProxy (net::ERR_ABORTED 503)
Configure Google Cloud Build to deploy to private GKE cluster via proxy
How to delete persistent volumes in Kubernetes
Using input function with remote files in snakemake

1 Answer

2/27/2021

AWS provides an explanation and an VPC template (amazon-eks-fully-private-vpc.yaml) for EKS without NAT in a post titled:

Instead of NAT, VPC interface endpoints are used for:

  • ec2
  • logs
  • ecr.api
  • ecr.dkr
  • sts
-- Marcin
Source: StackOverflow