Set up Clusters on AWS VPC based Private Subnets

Occasionally you need to create Kubernetes clusters on AWS such that they cannot be reached from the public internet.

For example, if you are using site-to-site VPNs from your corporate network to AWS, you may want to deploy the Kubernetes hosts on the address space that matches what you use internally. In this case, the Kubernetes hosts would be reachable from the corporate network via the VPN or a dedicated AWS connection, but not from the public internet.

This can be achieved by deploying Kubernetes clusters using Amazon VPC based private subnets. Putting both master and worker nodes on private subnets prevents direct reachability to the nodes from the internet, and reduces the overall attack surface, thus improving the security of your clusters and applications deployed on them.

In this configuration, all master and worker nodes can still access the internet through a NAT gateway. The nodes can be reached via a bastion host, if required.

The following diagram is a conceptual representation of an Amazon VPC with a public subnet and a private subnet.

Before you can create a Kubernetes cluster on an Amazon VPC based private subnet, you must have added AWS as your cloud provider. Refer to this article to add AWS as your cloud provider.

You can achieve this using one of the two following paths:

  • Create a Kubernetes cluster on an existing private subnet on your Amazon VPC.
  • Create a VPC with public and private subnets during the creation of a Kubernetes cluster, and then create the cluster on the newly created private subnet.

The sections that follow provide details on how to:

  • Create a VPC
  • Create a Kubernetes Cluster

Create VPC

The following criteria must be satisfied by the Amazon VPC based private subnet on which you want to deploy your Kubernetes cluster.

  • A private subnet and a public subnet must be provided for each availability zone selected from the Amazon VPC.
  • The private subnet should have external connectivity through a NAT gateway.
  • The NAT gateway itself should be in the public subnet in order to get external connectivity.
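The three criteria above can be checked before a cluster is deployed. The following is an added example, not Platform9 code: it assumes input shaped like the output of the EC2 DescribeSubnets, DescribeRouteTables and DescribeNatGateways calls, the function names are hypothetical, the IDs and zones are constructed sample data, and only the IPv4 default route is considered.

```python
def default_route(subnet_id, route_tables):
    """Return the 0.0.0.0/0 route that applies to a subnet, or {} if there is none."""
    explicit = main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                explicit = rt          # explicit association wins
            elif assoc.get("Main"):
                main = rt              # otherwise the VPC main table applies
    for route in (explicit or main or {}).get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route
    return {}

def check_vpc(subnets, route_tables, nat_gateways, zones):
    """Return violations of the three criteria; an empty list means the VPC qualifies."""
    kind = {}  # subnet id -> "public" | "private" | "isolated"
    for s in subnets:
        r = default_route(s["SubnetId"], route_tables)
        if (r.get("GatewayId") or "").startswith("igw-"):
            kind[s["SubnetId"]] = "public"      # default route to an internet gateway
        elif r.get("NatGatewayId"):
            kind[s["SubnetId"]] = "private"     # outbound only, via NAT
        else:
            kind[s["SubnetId"]] = "isolated"    # no external connectivity at all
    problems = []
    for az in zones:  # criteria 1 and 2: a public and a NAT-routed private subnet per zone
        kinds = {kind[s["SubnetId"]] for s in subnets if s["AvailabilityZone"] == az}
        problems += [f"{az}: no {need} subnet" for need in ("public", "private") if need not in kinds]
    nat_subnet = {n["NatGatewayId"]: n["SubnetId"] for n in nat_gateways}
    for s in subnets:  # criterion 3: the NAT gateway must itself sit in a public subnet
        nat_id = default_route(s["SubnetId"], route_tables).get("NatGatewayId")
        if nat_id and kind.get(nat_subnet.get(nat_id)) != "public":
            problems.append(f"{s['SubnetId']}: {nat_id} is not in a public subnet")
    return problems

# Constructed sample: us-west-2b has a private subnet but no public one.
SUBNETS = [{"SubnetId": "subnet-pub-a", "AvailabilityZone": "us-west-2a"},
           {"SubnetId": "subnet-priv-a", "AvailabilityZone": "us-west-2a"},
           {"SubnetId": "subnet-priv-b", "AvailabilityZone": "us-west-2b"}]
ROUTE_TABLES = [
    {"Associations": [{"SubnetId": "subnet-pub-a"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-1"}]},
    {"Associations": [{"SubnetId": "subnet-priv-a"}, {"SubnetId": "subnet-priv-b"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-1"}]}]
NAT_GATEWAYS = [{"NatGatewayId": "nat-1", "SubnetId": "subnet-pub-a"}]

if __name__ == "__main__":
    print(check_vpc(SUBNETS, ROUTE_TABLES, NAT_GATEWAYS, ["us-west-2a", "us-west-2b"]))
```

A subnet whose default route points at an internet gateway is treated as public here, so a node subnet that was meant to be private but ends up classified as public is reported as a missing private subnet for its zone.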

Follow the steps given below to create a VPC and configure public and private subnets required for the Kubernetes cluster.

The public subnet is reachable from the internet through the internet gateway, while the private subnet is not reachable from the internet and gets its outbound connectivity through the NAT gateway.

You can now deploy your clusters on the private subnet.

Platform9 Managed Kubernetes simplifies the process by automating the deployment of many of the above components. Refer to AWS specific network integrations for more details on the different networking configurations supported by Managed Kubernetes.