This guide provides step-by-step instructions for establishing a private connection to an Amazon EKS cluster using Endpoint Service. Endpoint Service allows secure communication between your Amazon VPC and EKS cluster without exposing your cluster to the public internet.
1. Enable private access for your EKS Control Plane API
Follow the instructions in the official Amazon EKS documentation to enable private access for your EKS Control Plane API.
Ensure the EKS endpoint has private access by navigating to the EKS cluster dashboard. Click on "Manage Networking" and then "Manage Cluster Endpoint Access."
2. Create an internal target group
Step 1. Specify Group Details
- Set target type to be IP addresses
- Give your target group a name
- Set Port to 443 over TCP
- Select the VPC which contains your EKS Cluster
You can just use the default values for the rest of the fields.
Step 2. Register Targets
The second step requires you to register your targets to ensure that your Load Balancer actually routes traffic to this target group.To actually get the IP addresses for your EKS Endpoint, you can run the dig command against your EKS endpoint address, which you can find in the "Overview" tab of your EKS Dashboard.
3. Create Load Balancer
Navigate to the EC2 Dashboard, into Load Balancers and create a Network Load Balancer. This Load Balancer must be in the same VPC as your EKS Cluster, and set the default action to forward to the target group you just created.4. Allow inbound access to the EKS endpoint
Now, we need to allow inbound access from the Load Balancer to the EKS endpoint. Navigate to Security Groups in the VPC Dashboard, and find the security group for your cluster. Here, click on "Edit Inbound Rules" and add a new rule with the following:
- Type - Custom TCP
- Protocol - TCP
- Port range - 443
- Source - Custom (Endpoint Service SG)
5. Verify Healthy Targets
Navigate back to the Target Groups page in the EC2 Dashboard. Click on the new target group you created, and verify that the Registered Targets are healthy.
6. Create a VPC Endpoint Service
Access the VPC Endpoint Services page to create a VPC endpoint service with your Load Balancer.
For more information, read the Create an Endpoint Service section in the AWS Docs.
7. Share Endpoint
By default, your endpoint service is not available to service consumers. You must add permissions that allow specific AWS principals to create an interface VPC endpoint to connect to your endpoint service.
8. Lambda
Create a VPC Lambda that fetches the latest IP addresses for your EKS Endpoint and updates the NLB target group.