So far, we have deployed a cluster with a public API endpoint. A public endpoint means the kube-apiserver that EKS runs for you is reachable over the Internet. For public-endpoint clusters you can restrict which source IP ranges may reach the API using publicAccessCidrs; note that this is only a network-level filter, and every request still has to pass IAM authentication and Kubernetes RBAC. EKS also lets you deploy private-endpoint clusters: in that case the cluster API endpoint is not exposed to the Internet at all and can only be reached from within the AWS virtual private cloud (or from networks connected to it).
In public-only endpoint mode, all requests to the kube-apiserver, including traffic from the worker nodes to the control plane, leave the VPC, although they stay inside the AWS global network. In private-only mode, all traffic must reach the kube-apiserver from within the VPC, through the network interfaces that EKS places in your subnets. In mixed mode (public and private access both enabled), traffic that originates inside the VPC uses the private endpoint, while the cluster also remains reachable over the Internet for kubectl communication.
Public vs Private with Kubectl:
In public and mixed modes, you can access your cluster over the Internet, and that access can be restricted with the publicAccessCidrs option. In private mode, you connect to the cluster through a VPN, a network connected to the VPC (for example via AWS Direct Connect, VPC peering or a transit gateway), an EC2 bastion host, or any other path that lets you send requests from within the virtual private cloud.
Private API Endpoint vs Private Worker nodes:
As noted above, a private cluster with a private API endpoint means the kube-apiserver is not accessible over the Internet. Two other terms, private-network cluster and air-gapped cluster, refer instead to how the worker nodes communicate with the Internet. In a private-network cluster, worker nodes sit in private subnets without public IP addresses and reach the Internet through a NAT gateway. In an air-gapped cluster, workers sit in private subnets with no Internet access at all. I will explain these types in depth, with examples, in future articles.
Private API Endpoint cluster deployment:
Enable the enableDnsHostnames and enableDnsSupport attributes on the VPC.
Make sure the VPC's DHCP options set uses AmazonProvidedDNS as its domain name server.
Create an EKS cluster with a private API endpoint.
Deploy a bastion EC2 instance to connect to the cluster.
Confirm the cluster installation with kubectl.
Step 1 – Enable needed VPC options:
We enabled these options in the first article, since EKS needs them in any case, but to confirm that they are still set, run the following commands:
A bastion instance is a server used to control access to an internal or private network from an external network. Imagine we are on the east bank of a river and want to get to the west bank; we need a bridge. The bastion instance is that bridge, letting us reach resources inside the VPC from external networks over the Internet. Because the bastion itself is exposed to the Internet, keep its security group limited to your own source IP ranges and allow SSH with key-based authentication only.
Connect to the instance over SSH, install aws-cli and kubectl, and confirm the cluster installation with the following commands. To add worker nodes, you can deploy either public or private worker nodes. In previous articles I explained how to deploy public-network worker nodes; in future articles I will explain how to deploy private-network and air-gapped worker nodes in AWS EKS as well.
Here are the results of the previous commands; we need them in the next articles:
Public Subnet ID
Security Group Name
Security Group ID
Cluster Security Group ID
Bastion Host AMI ID
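The whole procedure above as one shell script, added here as an illustration; it is not the article's own set of commands (which are not reproduced on this page). It checks the two VPC DNS attributes and the AmazonProvidedDNS DHCP option with the AWS CLI, creates a cluster with endpointPublicAccess=false and endpointPrivateAccess=true, reads the endpoint settings back rather than trusting the request, and then, from the bastion, confirms that the endpoint hostname resolves to private addresses inside the VPC before calling kubectl. The VPC, subnet, security group, role and cluster identifiers are placeholders; provisioning the bastion EC2 instance itself is left out.

```shell
#!/bin/sh
# Added example, not the article's own commands. Checks the VPC DNS prerequisites,
# creates an EKS cluster with a private-only API endpoint, and verifies from the
# bastion that the endpoint really is private before using kubectl.
# Every resource identifier below is a hypothetical placeholder; override them via
# the environment. Needs aws-cli v2 and kubectl; bastion_check also needs dig.
set -eu

REGION="${REGION:-eu-west-1}"
CLUSTER_NAME="${CLUSTER_NAME:-private-endpoint-demo}"
VPC_ID="${VPC_ID:-vpc-0123456789abcdef0}"                                      # placeholder
SUBNET_IDS="${SUBNET_IDS:-subnet-0aaa1111bbbb2222c,subnet-0ddd3333eeee4444f}"  # placeholder
SG_ID="${SG_ID:-sg-0123456789abcdef0}"                                         # placeholder
ROLE_ARN="${ROLE_ARN:-arn:aws:iam::111122223333:role/eksClusterRole}"          # placeholder

# The CLI prints booleans as True/False in text output and true/false in JSON;
# normalise to lower case so the helpers below accept either form.
lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# EKS requires both VPC DNS attributes for private endpoint access.
# $1 = enableDnsSupport, $2 = enableDnsHostnames. Returns 0 when the VPC is ready.
vpc_dns_ready() {
  [ "$(lc "$1")" = true ] && [ "$(lc "$2")" = true ]
}

# Classify an endpoint configuration.
# $1 = endpointPublicAccess, $2 = endpointPrivateAccess.
endpoint_mode() {
  case "$(lc "$1")/$(lc "$2")" in
    true/false) echo public ;;
    true/true)  echo mixed ;;
    false/true) echo private ;;
    *)          echo invalid ;;   # EKS refuses to disable both
  esac
}

# A private endpoint resolves to the EKS-managed ENIs in your subnets, i.e. to
# RFC 1918 addresses (this assumes the VPC uses RFC 1918 CIDR blocks).
is_rfc1918() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Step 1: confirm enableDnsSupport/enableDnsHostnames and AmazonProvidedDNS.
step1_check_vpc() {
  support=$(aws ec2 describe-vpc-attribute --region "$REGION" --vpc-id "$VPC_ID" \
    --attribute enableDnsSupport --query 'EnableDnsSupport.Value' --output text)
  hostnames=$(aws ec2 describe-vpc-attribute --region "$REGION" --vpc-id "$VPC_ID" \
    --attribute enableDnsHostnames --query 'EnableDnsHostnames.Value' --output text)
  if ! vpc_dns_ready "$support" "$hostnames"; then
    echo "VPC DNS not ready: enableDnsSupport=$support enableDnsHostnames=$hostnames" >&2
    return 1
  fi
  dhcp_id=$(aws ec2 describe-vpcs --region "$REGION" --vpc-ids "$VPC_ID" \
    --query 'Vpcs[0].DhcpOptionsId' --output text)
  aws ec2 describe-dhcp-options --region "$REGION" --dhcp-options-ids "$dhcp_id" \
    --query "DhcpOptions[0].DhcpConfigurations[?Key=='domain-name-servers'].Values[].Value" \
    --output text | grep -q AmazonProvidedDNS
}

# Step 2: create the cluster with the public endpoint disabled.
step2_create_cluster() {
  aws eks create-cluster --region "$REGION" --name "$CLUSTER_NAME" --role-arn "$ROLE_ARN" \
    --resources-vpc-config "subnetIds=$SUBNET_IDS,securityGroupIds=$SG_ID,endpointPublicAccess=false,endpointPrivateAccess=true"
  aws eks wait cluster-active --region "$REGION" --name "$CLUSTER_NAME"
}

# Step 3: read the endpoint settings back and insist on private-only.
step3_verify_endpoint() {
  pub=$(aws eks describe-cluster --region "$REGION" --name "$CLUSTER_NAME" \
    --query 'cluster.resourcesVpcConfig.endpointPublicAccess' --output text)
  priv=$(aws eks describe-cluster --region "$REGION" --name "$CLUSTER_NAME" \
    --query 'cluster.resourcesVpcConfig.endpointPrivateAccess' --output text)
  mode=$(endpoint_mode "$pub" "$priv")
  [ "$mode" = private ] || { echo "endpoint mode is $mode, expected private" >&2; return 1; }
}

# Steps 4-5, run on the bastion inside the VPC: write the kubeconfig, check that
# the endpoint name resolves to private addresses, then talk to the API server.
bastion_check() {
  aws eks update-kubeconfig --region "$REGION" --name "$CLUSTER_NAME"
  host=$(aws eks describe-cluster --region "$REGION" --name "$CLUSTER_NAME" \
    --query 'cluster.endpoint' --output text | sed 's#^https://##')
  for ip in $(dig +short "$host"); do
    is_rfc1918 "$ip" || { echo "$host resolves to public $ip; not a private endpoint" >&2; return 1; }
  done
  kubectl get svc kubernetes
}

# Nothing runs on load; set RUN_EKS_SETUP=1 to execute the procedure.
if [ "${RUN_EKS_SETUP:-0}" = 1 ]; then
  step1_check_vpc
  step2_create_cluster
  step3_verify_endpoint
  bastion_check
fi
```

Steps 1 to 3 can be run from any machine that holds IAM credentials allowed to manage the cluster; bastion_check has to run from inside the VPC, since that is the only place the private endpoint accepts connections. The script deliberately re-reads the endpoint configuration with describe-cluster instead of assuming the create call did what was asked, which is the check you want before handing the cluster to anyone.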
So far, you have learned how to deploy a cluster with a private API endpoint. This is the first step toward implementing EKS security best practices. In future articles, you will learn how to deploy a cluster with a private API endpoint and private-network worker nodes.
If you like this series of articles, please share them and leave your thoughts in the comments. Your feedback encourages me to complete this extensive program, and I'll make you an AWS EKS black belt.