We are proud to announce that we are publishing the most comprehensive free AWS EKS tutorial. In this series of articles you will learn how to work deeply with AWS EKS and to deploy, manage, upgrade and operate EKS clusters from the command line (CloudFormation, Terraform, OpenTofu, Pulumi and Ansible versions are also planned). EKS stands for Elastic Kubernetes Service and is the AWS-managed Kubernetes you can deploy and use with ease. Easily? Although deploying and managing EKS clusters is easier than an on-premises Kubernetes deployment, it has its own challenges. In this lesson you will learn how to deploy all EKS prerequisites for both public and private environments.
To deploy an EKS cluster, we need a few other AWS resources first:
An IAM user that creates the cluster and its resources and becomes the cluster owner.
The AWS CLI installed and configured with that user's credentials to create the required resources.
An AWS VPC in an EKS-supported region as the network infrastructure.
Public and private subnets for the Kubernetes worker nodes, in at least two Availability Zones (EKS itself requires subnets in at least two AZs).
An Internet Gateway so that the public subnets can reach the internet.
A NAT Gateway so that the private subnets can reach the internet.
A new route table with a default route via the NAT Gateway, associated with the private subnets.
An EC2 key pair, if you want to SSH to the worker node EC2 instances.
Step 1 – Create an IAM user:
Sign in to your AWS account as the root user (only for this bootstrap step; keep MFA enabled on it) and create a new IAM user for the next steps. We use this IAM user to create, deploy and manage everything in this article and in all future articles. Never delete this IAM user: the IAM principal that creates an EKS cluster is automatically granted cluster-admin (system:masters) permissions inside the cluster, and that mapping is not visible in the aws-auth ConfigMap, so losing the principal can lock you out of the cluster until another administrator has been added.
IAM > Users > Add users > Set username > Set AdministratorAccess policy.
After creating the user, create an access key under the user's Security credentials tab.
Note: I attach the AdministratorAccess policy to keep permission problems out of the way in this series. In a real environment you must create an IAM principal with the least privileges needed to avoid security pitfalls. The AWS IAM service and its permissions will be explained in a separate article.
Step 2 – Setup AWS CLI:
There are many ways to install and use the AWS CLI; as we love containers, we run it inside one with Docker (AWS publishes an official amazon/aws-cli image). Whichever method you choose, configure the CLI with the access key from Step 1 and the region you want the cluster in; if you use the container, mount your ~/.aws directory into it so the configuration survives between runs. You can also use other installation methods.
Running the aws ec2 create-vpc command (it needs a CIDR block for the VPC, for example a /16) creates a new VPC and prints its details, including the VPC ID. We need the VPC ID in the following steps.
aws ec2 describe-vpcs
This command lists the VPCs that exist in the active region.
Note: You can skip this step if you already have a VPC in your active region; run aws ec2 describe-vpcs and note its VPC ID for the following steps.
Step 5 – Enable VPC DNS Hostnames feature:
Worker nodes register with the control plane under their private DNS hostname (for example ip-10-0-1-23.<region>.compute.internal), and the control plane addresses them the same way. The VPC must therefore have the DNS hostnames attribute enabled (together with DNS support, which is on by default for new VPCs) before an EKS cluster can be set up in it; without it, nodes fail to join.
Replace the VPC ID with your own VPC ID from the previous command; the attribute is changed with aws ec2 modify-vpc-attribute.
In each Availability Zone we create two subnets, one public and one private. EKS itself only requires subnets in at least two Availability Zones, and you can skip either kind, but I will create both public and private subnets for the future articles and explain how to set up clusters in both cases.
To see all availability zones in the active region, run the following command:
aws ec2 describe-availability-zones
Setup public subnets, Internet gateway and route:
Replace the VPC ID and Availability Zone name with your own.
Each command prints the subnet ID of the subnet it created; note them down.
Important: To deploy worker nodes to a public subnet, the subnet must automatically assign a public IPv4 address to instances launched in it (the MapPublicIpOnLaunch attribute). Without a public IP address a node in a public subnet has no route to the internet at all (an Internet Gateway only forwards traffic for instances that have a public IP), so it cannot reach the cluster endpoint or pull images and fails to join the cluster.
To enable it, run the following command (modify-subnet-attribute with the map-public-ip-on-launch option) for each public subnet:
AWS recommends deploying Kubernetes worker nodes in private subnets. To reach the internet from there, they must use a NAT Gateway (for IPv4) or an Egress-only Internet Gateway (for IPv6). An Egress-only Internet Gateway is free, but a NAT Gateway costs at least about $1 per day even without any traffic, plus a per-GB data processing charge. You can skip this step if you don't want to pay for a NAT Gateway and come back to it when I explain deploying clusters in private subnets.
Setup private subnets, NAT Gateway, Route table and route:
Important: Now we create the NAT Gateway. It must be placed in a public subnet, that is one with a route to the Internet Gateway; we have three public subnets in our example and can use any one of them. Keep in mind that a NAT Gateway is zonal: with a single one, private subnets in the other Availability Zones send their traffic across AZs and lose internet access if that AZ fails, so for production you would create one NAT Gateway and one private route table per AZ.
Before creating a NAT Gateway we need an Elastic IP, whose allocation ID is passed when the gateway is created. To allocate one, run:
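The steps from creating the VPC through enabling DNS hostnames, the public and private subnets, the Internet Gateway, the NAT Gateway and the private route table, put together as one script. This is an added example, not the article's own commands: the region (eu-west-1), cluster name (eks-demo), VPC CIDR (10.0.0.0/16 with /24 subnets carved from it), the Name and kubernetes.io/role/elb / kubernetes.io/role/internal-elb subnet tags, and the choice of the first three available AZs are all assumptions you should adapt. It assumes an AWS CLI already authenticated as the IAM user from Step 1.

```shell
#!/bin/sh
# Added example, not code from the original article: builds the network
# prerequisites from the steps above with the AWS CLI. Region, cluster name,
# CIDRs and tags are assumptions; adjust them to your account. Run it with an
# authenticated CLI (the IAM user from Step 1): sh eks-network.sh apply
set -eu

REGION="${AWS_REGION:-eu-west-1}"    # assumption: target region
CLUSTER="${CLUSTER_NAME:-eks-demo}"  # assumption: only used for Name tags
VPC_CIDR="${VPC_CIDR:-10.0.0.0/16}"  # assumption: the /24 subnets below are carved from it

# Every call returns plain text (--output text) so IDs come back as bare strings.
aws_ec2() { aws ec2 "$@" --region "$REGION" --output text; }

# Create the VPC and print its ID; every later step needs it.
create_vpc() {
  vpc_id=$(aws_ec2 create-vpc --cidr-block "$VPC_CIDR" --query Vpc.VpcId)
  aws_ec2 create-tags --resources "$vpc_id" --tags "Key=Name,Value=$CLUSTER-vpc"
  echo "$vpc_id"
}

# EKS needs both DNS attributes on the VPC, not only DNS hostnames.
enable_vpc_dns() {  # vpc_id
  aws_ec2 modify-vpc-attribute --vpc-id "$1" --enable-dns-support '{"Value":true}'
  aws_ec2 modify-vpc-attribute --vpc-id "$1" --enable-dns-hostnames '{"Value":true}'
}

# One subnet per call. Public subnets get MapPublicIpOnLaunch (nodes in a public
# subnet cannot join without a public IPv4) and the role tag EKS looks for when
# it places internet-facing load balancers; private subnets get the internal one.
create_subnet() {  # vpc_id az cidr public|private
  sn_id=$(aws_ec2 create-subnet --vpc-id "$1" --availability-zone "$2" \
            --cidr-block "$3" --query Subnet.SubnetId)
  if [ "$4" = public ]; then
    aws_ec2 modify-subnet-attribute --subnet-id "$sn_id" --map-public-ip-on-launch
    role=kubernetes.io/role/elb
  else
    role=kubernetes.io/role/internal-elb
  fi
  aws_ec2 create-tags --resources "$sn_id" \
    --tags "Key=Name,Value=$CLUSTER-$4-$2" "Key=$role,Value=1"
  echo "$sn_id"
}

# Internet Gateway plus a default route in the VPC's main route table, which is
# the table the public subnets use (they need no custom table).
create_igw() {  # vpc_id
  igw_id=$(aws_ec2 create-internet-gateway --query InternetGateway.InternetGatewayId)
  aws_ec2 attach-internet-gateway --internet-gateway-id "$igw_id" --vpc-id "$1"
  main_rtb=$(aws_ec2 describe-route-tables --filters "Name=vpc-id,Values=$1" \
               Name=association.main,Values=true --query 'RouteTables[0].RouteTableId')
  aws_ec2 create-route --route-table-id "$main_rtb" \
    --destination-cidr-block 0.0.0.0/0 --gateway-id "$igw_id" >/dev/null
  echo "$igw_id"
}

# Elastic IP + NAT Gateway in ONE public subnet, then a custom route table whose
# default route is the NAT Gateway, associated with every private subnet. A NAT
# Gateway is zonal: for production create one per AZ with its own route table.
create_nat() {  # vpc_id public_subnet_id private_subnet_id...
  vpc_id=$1; pub_sn=$2; shift 2
  eip_id=$(aws_ec2 allocate-address --domain vpc --query AllocationId)
  nat_id=$(aws_ec2 create-nat-gateway --subnet-id "$pub_sn" \
             --allocation-id "$eip_id" --query NatGateway.NatGatewayId)
  aws ec2 wait nat-gateway-available --nat-gateway-ids "$nat_id" --region "$REGION"
  priv_rtb=$(aws_ec2 create-route-table --vpc-id "$vpc_id" --query RouteTable.RouteTableId)
  aws_ec2 create-route --route-table-id "$priv_rtb" \
    --destination-cidr-block 0.0.0.0/0 --nat-gateway-id "$nat_id" >/dev/null
  for sn in "$@"; do
    aws_ec2 associate-route-table --route-table-id "$priv_rtb" --subnet-id "$sn" >/dev/null
  done
  echo "$nat_id"
}

# Driver: a public and a private subnet in each of the first three available AZs
# (EKS needs at least two). SKIP_NAT=1 leaves out the NAT Gateway and its cost.
main() {
  vpc_id=$(create_vpc)
  enable_vpc_dns "$vpc_id"
  create_igw "$vpc_id" >/dev/null
  i=0; pub_sns=""; priv_sns=""
  for az in $(aws_ec2 describe-availability-zones --filters Name=state,Values=available \
                --query 'AvailabilityZones[].ZoneName' | tr '\t' '\n' | head -n 3); do
    pub_sns="$pub_sns $(create_subnet "$vpc_id" "$az" "10.0.$i.0/24" public)"
    priv_sns="$priv_sns $(create_subnet "$vpc_id" "$az" "10.0.$((i + 100)).0/24" private)"
    i=$((i + 1))
  done
  if [ "${SKIP_NAT:-0}" = 0 ]; then
    set -- $pub_sns
    create_nat "$vpc_id" "$1" $priv_sns >/dev/null
  fi
  echo "VPC: $vpc_id"
  echo "Public subnets:$pub_sns"
  echo "Private subnets:$priv_sns"
}

if [ "${1:-}" = apply ]; then main; fi
```

The public subnets deliberately stay on the VPC's main route table (which now carries the 0.0.0.0/0 route to the Internet Gateway), while the private subnets get their own table pointing at the NAT Gateway; that is the same two-table layout the route table listing at the end of this article shows. Because every ID is returned through --query/--output text, the script needs no jq, and it can be re-run with SKIP_NAT=1 to leave the paid part out while you work in public subnets.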
Here is the architecture diagram of what we did in the previous steps:
Step 8 – Import SSH Key pair:
Although we recommend not using SSH to reach worker nodes and instead debugging from inside the cluster (a method I will introduce in future articles), we can create or import SSH key pairs in our AWS account to access nodes over SSH. You can also create a key pair in the AWS console and download its private key; in both cases the private key is handed out only once, so store it with owner-only permissions and never commit it to a repository.
To create a new key pair, run the following command:
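Both variants of this step, creating a key pair on the AWS side and importing an existing public key, as an added example that is not the article's own command. The key names and file paths are assumptions. The import path checks that the file really is a single OpenSSH public-key line before calling the API, because import-key-pair accepts arbitrary bytes and a private key passed by mistake would be uploaded to your account.

```shell
#!/bin/sh
# Added example, not code from the original article: creates or imports an
# EC2 key pair from the CLI. Key names and file paths are assumptions.
set -eu

# Return 0 only for a single OpenSSH public-key line; reject empty files and,
# above all, a private key passed by mistake (import-key-pair would take it).
is_ssh_public_key() {  # path
  [ -s "$1" ] || return 1
  if grep -q -- '-----BEGIN' "$1"; then return 1; fi
  head -n 1 "$1" | grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( |$)'
}

# Import: only the public half leaves your machine. Prints the key name.
import_keypair() {  # key_name public_key_path
  if ! is_ssh_public_key "$2"; then
    echo "refusing to import $2: not an OpenSSH public key" >&2
    return 1
  fi
  aws ec2 import-key-pair --key-name "$1" --public-key-material "fileb://$2" \
    --query KeyName --output text
}

# Create: AWS generates the pair and returns the private key exactly once.
# The subshell umask makes the .pem owner-readable only, without changing the
# umask of the calling shell.
create_keypair() {  # key_name private_key_out_path
  ( umask 077
    aws ec2 create-key-pair --key-name "$1" --key-type ed25519 \
      --query KeyMaterial --output text > "$2" )
}

# Typical use (assumed paths):
#   ssh-keygen -t ed25519 -N '' -f ~/.ssh/eks-demo
#   import_keypair eks-demo ~/.ssh/eks-demo.pub
#   create_keypair eks-demo-aws ~/.ssh/eks-demo-aws.pem
```

Importing a key you generated locally is the better of the two: the private key never exists anywhere but on your machine, whereas create-key-pair has AWS generate it and transmit it to you once over the API.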
After these steps the VPC has two route tables; in my example account they are:
rtb-0c418972dc98d43ed – the VPC's default (main) route table, used by the public subnets
rtb-04e5f753ba648101f – the custom route table created for the private subnets
So far, we have created all the prerequisites for deploying EKS clusters in both public and private subnets. In the next articles we will deploy the Kubernetes cluster itself.
If you like this series of articles, please share them and leave your thoughts in the comments. Your feedback encourages me to complete this massive planned program. I'll make you an AWS EKS black belt.