Access container applications privately on Amazon EKS using AWS PrivateLink and a Network Load Balancer
Created by Kirankumar Chandrashekar (AWS)
Environment: Production | Technologies: Containers & microservices; DevOps; Modernization; Security, identity, compliance | Workload: All other workloads | AWS services: Amazon EKS; Amazon VPC
Summary
This pattern describes how to privately host a Docker container application on Amazon Elastic Kubernetes Service (Amazon EKS) behind a Network Load Balancer, and access the application by using AWS PrivateLink. You can then use a private network to securely access services on the Amazon Web Services (AWS) Cloud.
The Network Load Balancer in front of the Amazon EKS cluster that runs the Docker applications is registered with a virtual private cloud (VPC) endpoint service, which publishes the application through AWS PrivateLink. Consumers in other VPCs and AWS accounts then reach the application by creating interface VPC endpoints for that service in their own VPCs.
The setup described by this pattern is a secure way to share application access among VPCs and AWS accounts. It requires no VPC peering, transit gateway, or route table changes, because traffic between the consumer and provider accounts stays on the AWS network and doesn't traverse the public internet. Unlike peering, the consumer gains access only to the published endpoint service, not to the provider VPC's address space, and only the AWS principals listed in the endpoint service's allow list can connect to it.
Prerequisites and limitations
Prerequisites
Docker, installed and configured on Linux, macOS, or Windows, and an application running on Docker.
An active AWS account.
AWS Command Line Interface (AWS CLI) version 2, installed and configured on Linux, macOS, or Windows.
An existing Amazon EKS cluster, configured to host applications, whose private subnets are tagged for internal load balancer discovery (kubernetes.io/role/internal-elb). For more information, see Subnet tagging in the Amazon EKS documentation.
Kubectl, installed and configured to access resources on your Amazon EKS cluster. For more information, see Installing kubectl in the Amazon EKS documentation.
Architecture
Technology stack
Amazon EKS
AWS PrivateLink
Network Load Balancer
Automation and scale
Kubernetes manifests can be tracked and managed on a Git-based repository (for example, on AWS CodeCommit), and deployed by using continuous integration and continuous delivery (CI/CD) in AWS CodePipeline.
You can use AWS CloudFormation to create this pattern by using infrastructure as code (IaC).
Tools
AWS CLI – AWS Command Line Interface (AWS CLI) is an open-source tool that enables you to interact with AWS services using commands in your command-line shell.
Elastic Load Balancing – Elastic Load Balancing distributes incoming application or network traffic across multiple targets, such as Amazon Elastic Compute Cloud (Amazon EC2) instances, containers, and IP addresses, in one or more Availability Zones.
Amazon EKS – Amazon Elastic Kubernetes Service (Amazon EKS) is a managed service that you can use to run Kubernetes on AWS without needing to install, operate, and maintain your own Kubernetes control plane or nodes.
Amazon VPC – Amazon Virtual Private Cloud (Amazon VPC) helps you launch AWS resources into a virtual network that you've defined.
Kubectl – Kubectl is a command line utility for running commands against Kubernetes clusters.
Epics
Task | Description | Skills required |
---|---|---|
Create the Kubernetes deployment manifest file. | Create a deployment manifest file by modifying the following sample file according to your requirements. Note: This is an NGINX sample deployment that uses the official NGINX Docker image. For more information, see How to use the official NGINX Docker image. | DevOps engineer |
Deploy the Kubernetes deployment manifest file. | Run the following command to apply the deployment manifest file to your Amazon EKS cluster: | DevOps engineer |
Create the Kubernetes service manifest file. | Create a service manifest file by modifying the following sample file according to your requirements. Important: Make sure that the service is of type LoadBalancer and that you included the following annotations; without them Kubernetes provisions a Classic Load Balancer, which cannot be registered with a VPC endpoint service, and an internet-facing load balancer would expose the application outside the private path this pattern sets up. | DevOps engineer |
Deploy the Kubernetes service manifest file. | Run the following command to apply the service manifest file to your Amazon EKS cluster: | DevOps engineer |
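The four tasks above, carried out end to end as an added example. This is a shell script written for this page, not code from the original pattern: it renders an NGINX Deployment and a Service whose annotations request an internal Network Load Balancer, checks the Service manifest for those annotations before anything reaches the cluster, and applies both with kubectl. The resource names (nginx, nginx-service), the image tag, the replica count and the use of the legacy in-tree annotation names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not part of the original pattern): renders an NGINX Deployment
# and a Service that provisions an internal Network Load Balancer, checks the
# Service for the annotations this pattern depends on, and applies both with
# kubectl. Names (nginx, nginx-service), the image tag and the replica count are
# assumptions chosen for illustration.
set -eu

deployment_manifest() {
  cat <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  labels:
    app: nginx
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: nginx:1.25
          ports:
            - containerPort: 80
          readinessProbe:
            httpGet:
              path: /
              port: 80
EOF
}

# The two annotations make Kubernetes create a Network Load Balancer instead of
# a Classic Load Balancer, and make it internal (no public IP address) so the
# application is reachable only through the VPC endpoint service.
service_manifest() {
  cat <<'EOF'
apiVersion: v1
kind: Service
metadata:
  name: nginx-service
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
    service.beta.kubernetes.io/aws-load-balancer-internal: "true"
spec:
  type: LoadBalancer
  selector:
    app: nginx
  ports:
    - protocol: TCP
      port: 80
      targetPort: 80
EOF
}

# Reads a Service manifest on stdin and returns 1 unless it asks for an internal
# NLB. Run it in CI before kubectl apply, so a manifest that would create an
# internet-facing or Classic load balancer never reaches the cluster.
check_service_manifest() {
  manifest=$(cat)
  for required in \
      'type: LoadBalancer' \
      'service.beta.kubernetes.io/aws-load-balancer-type: nlb' \
      'service.beta.kubernetes.io/aws-load-balancer-internal: "true"'; do
    if ! printf '%s\n' "$manifest" | grep -qF -- "$required"; then
      echo "service manifest is missing: $required" >&2
      return 1
    fi
  done
}

apply_manifests() {
  service_manifest | check_service_manifest
  deployment_manifest | kubectl apply -f -
  service_manifest | kubectl apply -f -
  kubectl rollout status deployment/nginx --timeout=120s
}

# Usage: sh deploy.sh apply   (with kubectl pointed at the EKS cluster)
case "${1:-}" in
  apply) apply_manifests ;;
esac
```

On clusters where the AWS Load Balancer Controller manages Services instead of the in-tree cloud provider, the equivalent annotations are service.beta.kubernetes.io/aws-load-balancer-type: "external", service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip", and service.beta.kubernetes.io/aws-load-balancer-scheme: "internal"; change both the manifest and the list in check_service_manifest together, since the check is only useful if it matches what the cluster actually honours.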
Task | Description | Skills required |
---|---|---|
Record the Network Load Balancer’s name. | Run the following command to retrieve the name of the Network Load Balancer: Record the Network Load Balancer’s name; it is required to register the load balancer with the VPC endpoint service. | DevOps engineer |
Create a VPC endpoint service (AWS PrivateLink). | Sign in to the AWS Management Console, open the Amazon VPC console, choose Endpoint services, and then choose Create endpoint service. Select the Network Load Balancer from the previous step; this publishes the application privately through AWS PrivateLink. For more information, see VPC endpoint services (AWS PrivateLink) in the Amazon VPC documentation. Important: Each consumer AWS account that requires access must be added to the endpoint service’s allowed principals list (by account ID, or by an IAM user or role ARN for finer control). Keep acceptance required so that every connection request is approved explicitly, and do not allow the wildcard principal unless you intend to make the service available to every AWS account. For more information, see Adding and removing permissions for your endpoint service in the Amazon VPC documentation. | Cloud administrator |
Create a VPC endpoint. | In the consumer VPC, open the Amazon VPC console, choose Endpoints, and then choose Create endpoint. Select the endpoint service by its service name and choose the subnets in which to place the endpoint. This creates an elastic network interface in each selected subnet, and the endpoint’s DNS name resolves to those interfaces’ private IP addresses; traffic sent to that name is delivered to the endpoint service and its Network Load Balancer. Attach a security group that allows the application port only from the consumer-side clients that need it. If the endpoint service requires acceptance, the connection stays pending until the provider accepts it. | Cloud administrator |
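The provider-side and consumer-side tasks above, done with the AWS CLI instead of the console, as an added example written for this page and not part of the original pattern. It assumes a Service named nginx-service, a consumer account ID of 111122223333, and placeholder consumer VPC, subnet and security group IDs that you must replace; the principal_arn_for_account and has_wildcard_principal helpers are this example's own and guard the one mistake that silently makes the service public, an allowed principal of "*".

```shell
#!/bin/sh
# Added example (not part of the original pattern): publishes the Network Load
# Balancer that Kubernetes created for nginx-service as a VPC endpoint service,
# allows one consumer account, and creates the consumer-side interface endpoint.
# The consumer account ID and the VPC, subnet and security group IDs below are
# placeholders.
set -eu

# Builds the allowed-principal ARN for one AWS account and refuses anything that
# is not a 12-digit account ID. In particular it refuses "*", which would make
# the endpoint service connectable from every AWS account.
principal_arn_for_account() {
  case "$1" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9])
      printf 'arn:aws:iam::%s:root\n' "$1" ;;
    *)
      echo "refusing principal '$1': expected a 12-digit AWS account ID" >&2
      return 1 ;;
  esac
}

# Reads the text output of describe-vpc-endpoint-service-permissions (principals
# tab-separated on one line) on stdin; returns 0 if the wildcard "*" is present.
has_wildcard_principal() {
  tr '\t' '\n' | grep -qx '\*'
}

# Provider account: find the NLB behind the Service, publish it as an endpoint
# service, allow exactly one consumer account, and print the service name the
# consumer needs.
provider_side() {
  consumer_principal=$(principal_arn_for_account "$1")   # aborts on bad input
  nlb_dns=$(kubectl get svc nginx-service \
      -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')
  nlb_arn=$(aws elbv2 describe-load-balancers \
      --query "LoadBalancers[?DNSName=='${nlb_dns}'].LoadBalancerArn" --output text)
  echo "Network Load Balancer: $nlb_dns ($nlb_arn)" >&2

  # --acceptance-required: each consumer connection must be approved explicitly,
  # so the allow list is not the only control.
  set -- $(aws ec2 create-vpc-endpoint-service-configuration \
      --network-load-balancer-arns "$nlb_arn" --acceptance-required \
      --query 'ServiceConfiguration.[ServiceId,ServiceName]' --output text)
  service_id=$1
  service_name=$2
  aws ec2 modify-vpc-endpoint-service-permissions --service-id "$service_id" \
      --add-allowed-principals "$consumer_principal"

  if aws ec2 describe-vpc-endpoint-service-permissions --service-id "$service_id" \
       --query 'AllowedPrincipals[].Principal' --output text | has_wildcard_principal; then
    echo "WARNING: $service_id is open to all AWS accounts" >&2
  fi
  echo "$service_name"
}

# Consumer account: create an interface endpoint for the published service. The
# security group on the endpoint's network interfaces decides which consumer-side
# sources may reach the application, so scope it to the clients that need it.
consumer_side() {
  service_name=$1   # com.amazonaws.vpce.<region>.vpce-svc-... from provider_side
  aws ec2 create-vpc-endpoint --vpc-endpoint-type Interface \
      --service-name "$service_name" --vpc-id vpc-0123456789abcdef0 \
      --subnet-ids subnet-0123456789abcdef0 subnet-0123456789abcdef1 \
      --security-group-ids sg-0123456789abcdef0 \
      --query 'VpcEndpoint.[VpcEndpointId,DnsEntries[0].DnsName]' --output text
  # The connection is pending until the provider runs:
  #   aws ec2 accept-vpc-endpoint-connections --service-id <vpce-svc-id> \
  #       --vpc-endpoint-ids <vpce-id>
}

# Usage: sh privatelink.sh provider 111122223333
#        sh privatelink.sh consumer com.amazonaws.vpce.<region>.vpce-svc-...
case "${1:-}" in
  provider) provider_side "${2:?consumer account ID}" ;;
  consumer) consumer_side "${2:?endpoint service name}" ;;
esac
```

The wildcard check is worth keeping as a periodic audit even after the initial setup, because modify-vpc-endpoint-service-permissions accepts "*" without complaint and nothing in the console flags a service that has been opened to all accounts.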