Configuring VPC Peering for Secure EKS Cluster Connectivity
To create a secure and private network for your Amazon EKS (Elastic Kubernetes Service) cluster, you can use VPC peering to connect your EKS cluster's VPC with another VPC in your AWS environment. This lets resources in one VPC communicate with resources in the other over a direct network route, using private IP addresses, so traffic between them never traverses the public internet.
In this program, we will create two VPCs and establish a VPC peering connection between them. We will also create an EKS cluster in one of the VPCs. This setup will allow you to manage your Kubernetes infrastructure in a secure environment, with connectivity to other VPC resources if needed.
Let's go through the Pulumi program to achieve this:
- Define Two VPCs: We'll define two separate VPCs, one that will host the EKS cluster and another that might host other resources you want to connect with your EKS cluster.
- Create an EKS Cluster: We will then set up an EKS cluster in one of the VPCs with a suitable configuration, including the networking for your pods and services.
- Set Up a VPC Peering Connection: After setting up the VPCs and the EKS cluster, we'll establish a VPC peering connection between the two VPCs to allow secure communication between them.
- Configure Route Tables: Finally, we'll update the route tables in both VPCs to enable network traffic to flow between them through the peering connection.
Let's start with our Pulumi TypeScript program:
```typescript
import * as aws from "@pulumi/aws";
import * as awsx from "@pulumi/awsx";
import * as eks from "@pulumi/eks";

// Peered VPCs must use non-overlapping CIDR blocks, otherwise AWS rejects the peering.
const eksCidr = "10.0.0.0/16";
const peerCidr = "10.1.0.0/16";

// Create the first VPC for our EKS cluster. awsx.ec2.Vpc also creates public and
// private subnets across availability zones, each with its own route table
// (a plain aws.ec2.Vpc has no subnets or route tables of its own).
const eksVpc = new awsx.ec2.Vpc("eksVpc", {
    cidrBlock: eksCidr,
    enableDnsHostnames: true,
    enableDnsSupport: true,
    tags: { Name: "eks-vpc" },
});

// Create a second VPC that we will peer with the first one.
const peerVpc = new awsx.ec2.Vpc("peerVpc", {
    cidrBlock: peerCidr,
    enableDnsHostnames: true,
    enableDnsSupport: true,
    tags: { Name: "peer-vpc" },
});

// Create an EKS cluster in the first VPC. Worker nodes are placed in the
// private subnets and do not get public IP addresses.
const cluster = new eks.Cluster("eksCluster", {
    vpcId: eksVpc.vpcId,
    publicSubnetIds: eksVpc.publicSubnetIds,
    privateSubnetIds: eksVpc.privateSubnetIds,
    nodeAssociatePublicIpAddress: false,
});

// Set up VPC peering between the two VPCs. autoAccept only works when both
// VPCs are in the same account and region; otherwise the peer must accept explicitly.
const vpcPeeringConnection = new aws.ec2.VpcPeeringConnection("vpcPeering", {
    vpcId: eksVpc.vpcId,
    peerVpcId: peerVpc.vpcId,
    autoAccept: true,
    tags: { Name: "eks-peer-vpc-peering" },
});

// Add a route to the given CIDR in every route table of a VPC. Public and
// private subnet tables both need it, or the worker nodes (which live in the
// private subnets) cannot reach the peer. The route tables are an Output, so
// the routes are created inside apply and will not show up in `pulumi preview`.
function addPeeringRoutes(name: string, vpc: awsx.ec2.Vpc, destinationCidr: string) {
    return vpc.routeTables.apply(tables =>
        tables.map((rt, index) => new aws.ec2.Route(`${name}-${index}`, {
            routeTableId: rt.id,
            destinationCidrBlock: destinationCidr,
            vpcPeeringConnectionId: vpcPeeringConnection.id,
        })),
    );
}

// Route traffic from the EKS VPC to the peer VPC, and from the peer VPC back.
const eksRoutes = addPeeringRoutes("eks-route", eksVpc, peerCidr);
const peerRoutes = addPeeringRoutes("peer-route", peerVpc, eksCidr);

// Export the cluster's kubeconfig and the VPC peering connection ID.
export const kubeconfig = cluster.kubeconfig;
export const vpcPeeringConnectionId = vpcPeeringConnection.id;
```
In the above program, we use the awsx.ec2.Vpc component to create two different VPCs, each with public and private subnets and their route tables. The eks.Cluster is a Pulumi EKS component that simplifies EKS cluster deployment. The aws.ec2.VpcPeeringConnection establishes a peering connection between the two VPCs, and aws.ec2.Route adds a route table entry in every route table of each VPC so that cross-VPC traffic is sent through the peering connection.
With this setup, resources in both VPCs can communicate with each other using private IP addresses, which is more secure than exposing services to the public internet. Your EKS cluster will also have connectivity to other AWS resources that reside in the peered VPC without crossing the public network. Note that a peering route makes the entire peer CIDR reachable; security groups and network ACLs in both VPCs still decide which traffic is actually allowed.
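Two things are worth checking around a peering like this one: that the two CIDR blocks do not overlap (a hard requirement for peering), and that every route table in the VPC, private-subnet tables included, carries the route to the peer. The following checks are an added example, not part of the original program; they assume route tables in the shape returned by `aws ec2 describe-route-tables` and use placeholder resource IDs.

```typescript
// Shape of the relevant fields from `aws ec2 describe-route-tables` (assumed).
type Route = { DestinationCidrBlock?: string; VpcPeeringConnectionId?: string; GatewayId?: string };
type RouteTable = { RouteTableId: string; Routes: Route[] };

// Parse "a.b.c.d/n" into a 32-bit network number and prefix length.
function parseCidr(cidr: string): { net: number; prefix: number } {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\/(\d{1,2})$/.exec(cidr);
  if (!m) throw new Error(`bad CIDR: ${cidr}`);
  const octets = m.slice(1, 5).map(Number);
  const prefix = Number(m[5]);
  if (octets.some(o => o > 255) || prefix > 32) throw new Error(`bad CIDR: ${cidr}`);
  const addr = ((octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]) >>> 0;
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  return { net: (addr & mask) >>> 0, prefix };
}

// VPC peering requires non-overlapping CIDRs. Two blocks overlap when, masked
// to the shorter of the two prefixes, their network addresses are equal.
function cidrsOverlap(a: string, b: string): boolean {
  const x = parseCidr(a), y = parseCidr(b);
  const prefix = Math.min(x.prefix, y.prefix);
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  return ((x.net & mask) >>> 0) === ((y.net & mask) >>> 0);
}

// Return the IDs of route tables that lack a route sending peerCidr through
// pcxId. Workloads in subnets attached to such a table cannot reach the peer.
function tablesMissingPeeringRoute(tables: RouteTable[], peerCidr: string, pcxId: string): string[] {
  return tables
    .filter(t => !t.Routes.some(r => r.DestinationCidrBlock === peerCidr && r.VpcPeeringConnectionId === pcxId))
    .map(t => t.RouteTableId);
}

// Constructed sample: the EKS VPC's route tables, where only the public-subnet
// table received the peering route (placeholder IDs, not real resources).
const sampleEksRouteTables: RouteTable[] = [
  { RouteTableId: "rtb-public-EXAMPLE", Routes: [
      { DestinationCidrBlock: "10.0.0.0/16", GatewayId: "local" },
      { DestinationCidrBlock: "10.1.0.0/16", VpcPeeringConnectionId: "pcx-EXAMPLE" } ] },
  { RouteTableId: "rtb-private-EXAMPLE", Routes: [
      { DestinationCidrBlock: "10.0.0.0/16", GatewayId: "local" } ] },
];

console.log("CIDRs overlap:", cidrsOverlap("10.0.0.0/16", "10.1.0.0/16"));          // false
console.log("Missing route:", tablesMissingPeeringRoute(sampleEksRouteTables, "10.1.0.0/16", "pcx-EXAMPLE")); // ["rtb-private-EXAMPLE"]
```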
After deploying this Pulumi program with `pulumi up`, you will get a kubeconfig that you can use to interact with your EKS cluster via `kubectl`. The peering connection is established automatically, and routing is set up so that services in the two VPCs can communicate.
Remember to ensure that your EKS cluster's networking configuration (security groups and network ACLs on both sides of the peering) allows exactly the inbound and outbound traffic your applications need, and nothing more.