Set up Clusters on AWS VPC based Private Subnets
Occasionally you need to create Kubernetes clusters on AWS such that they can not be reached from the public internet.
For example, if you are using site-to-site VPNs from your corporate network to AWS, you may want to deploy the Kubernetes hosts on the address space that matches what you use internally. In this case, the Kubernetes hosts would be reachable from the corporate network via the VPN or a dedicated AWS connection, but not from the public internet.
This can be achieved by deploying Kubernetes clusters using Amazon VPC based private subnets. Putting both master and worker nodes on private subnets prevents direct reachability to the nodes from the internet, and reduces the overall attack surface, thus improving the security of your clusters and applications deployed on them.
In this configuration, all master and worker nodes can still access the internet through a NAT gateway. The nodes can be reached via bastion host, if required.
The following diagram is a conceptual representation of an Amazon VPC with a public subnet and a private subnet.
Before you can create a Kubernetes cluster on an Amazon VPC based private subnet, you must have added AWS as your cloud provider. Refer to this article to add AWS as your cloud provider.
You can achieve this using one of the two following paths:
- Create a Kubernetes cluster on an existing private subnet on your Amazon VPC.
- Create a VPC with public and private subnets during the creation of a Kubernetes cluster, and then create the cluster on the newly created private subnet.
The sections that follow provide details to
- Create a VPC
- Create a Kubernetes Cluster
The following criteria must be satisfied by the Amazon VPC based private subnet on which you want to deploy your Kubernetes cluster.
- A private subnet and a public subnet must be provided for each availability zone selected from the Amazon VPC.
- The private subnet should have external connectivity through a NAT gateway.
- The NAT gateway itself should be in the public subnet in order to get external connectivity.
Follow the steps given below to create a VPC and configure public and private subnets required for the Kubernetes cluster.
Create a VPC with a /16 IPv4 CIDR block. Refer to Step 1-Create the VPC in http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/getting-started-ipv4.html for details.
Edit the VPC to enable DNS hostname. Refer to http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-dns.html to enable DNS hostname.
Create a subnet on the VPC that can be used by elastic load balancers(ELB). This is your public subnet. Refer to http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Subnets.html#AddaSubnet to add a subnet.
Enable auto-assignment of public IPv4 addresses for the public subnet created in the step above. Refer to http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-ip-addressing.html#subnet-public-ip to enable auto-assignment of IPv4 addresses.
Create and attach an Internet gateway to your VPC. Refer to the Attaching an Internet Gateway section at http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Internet_Gateway.html, to create and attach an internet gateway to the VPC.
Create a route table in your VPC and add a route with a destination of 0.0.0.0/0 for IPv4 traffic. Refer to http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Internet_Gateway.html for details.
Forward all traffic to the Internet gateway for this route.
Set the route table as the main route table. Refer to the Main Route Tables section in http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Route_Tables.html for details.
Create a subnet on the VPC. Ensure that the auto-assign IP address attribute is disabled so that this becomes a private subnet. Ensure that the availability zone for this subnet is the same as the one that is used in the public subnet.
Create a NAT gateway on the public subnet. While creating the NAT gateway, create an Elastic IP and assign it to the NAT gateway. Refer to http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-nat-gateway.html#nat-gateway-creating for details.
Create a route table for the private subnet. This is the NAT route table. Add a route for the NAT table and forward all traffic to the NAT gateway created on the VPC.
Edit the route table subnet association to associate the NAT route table with the private subnet.
Repeat the steps 3 to 12 for each availability zone to create public and private subnets for the availability zone.
The public subnet is accessible through the internet gateway and the private network is accessible through the NAT gateway.
You can now deploy your clusters on the private subnet.
Platform9 Managed Kubernetes simplified the process by automating the deployment of a lot of the above components. Refer to AWS specific network integrations for more details on different networking configurations supported by Managed Kubernetes.