Access container applications privately on Amazon EKS using AWS PrivateLink and a Network Load Balancer - AWS Prescriptive Guidance


Created by Kirankumar Chandrashekar (AWS)

Environment: Production

Technologies: Containers & microservices; DevOps; Modernization; Security, identity, compliance

Workload: All other workloads

AWS services: Amazon EKS; Amazon VPC

This pattern describes how to privately host a Docker container application on Amazon Elastic Kubernetes Service (Amazon EKS) behind a Network Load Balancer, and access the application by using AWS PrivateLink. You can then use a private network to securely access services on the Amazon Web Services (AWS) Cloud. 

The Amazon EKS cluster running the Docker applications, with a Network Load Balancer at the front end, can be associated with a virtual private cloud (VPC) endpoint for access through AWS PrivateLink. This VPC endpoint service can then be shared with other VPCs by using their VPC endpoints.

The setup described by this pattern is a secure way to share application access among VPCs and AWS accounts. It requires no special connectivity or routing configurations, because the connection between the consumer and provider accounts is on the global AWS backbone and doesn’t traverse the public internet.

Prerequisites 

  • Docker, installed and configured on Linux, macOS, or Windows.

  • An application running on Docker.

  • An active AWS account.

  • AWS Command Line Interface (AWS CLI) version 2, installed and configured on Linux, macOS, or Windows.

  • An existing Amazon EKS cluster with tagged private subnets and configured to host applications. For more information, see Subnet tagging in the Amazon EKS documentation. 

  • Kubectl, installed and configured to access resources on your Amazon EKS cluster. For more information, see Installing kubectl in the Amazon EKS documentation. 

Use PrivateLink and a Network Load Balancer to access an application in an Amazon EKS container.

Technology stack  

  • Amazon EKS

  • AWS PrivateLink

  • Network Load Balancer

Automation and scale

  • Kubernetes manifests can be tracked and managed on a Git-based repository (for example, on AWS CodeCommit), and deployed by using continuous integration and continuous delivery (CI/CD) in AWS CodePipeline. 

  • You can use AWS CloudFormation to create this pattern by using infrastructure as code (IaC).

Tools

  • AWS CLI – AWS Command Line Interface (AWS CLI) is an open-source tool that enables you to interact with AWS services using commands in your command-line shell.

  • Elastic Load Balancing – Elastic Load Balancing distributes incoming application or network traffic across multiple targets, such as Amazon Elastic Compute Cloud (Amazon EC2) instances, containers, and IP addresses, in one or more Availability Zones.

  • Amazon EKS – Amazon Elastic Kubernetes Service (Amazon EKS) is a managed service that you can use to run Kubernetes on AWS without needing to install, operate, and maintain your own Kubernetes control plane or nodes.

  • Amazon VPC – Amazon Virtual Private Cloud (Amazon VPC) helps you launch AWS resources into a virtual network that you've defined.

  • Kubectl – Kubectl is a command line utility for running commands against Kubernetes clusters.

Task | Description | Skills required

Create the Kubernetes deployment manifest file.

Create a deployment manifest file by modifying the following sample file according to your requirements.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: sample-app
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: public.ecr.aws/z9d2n7e1/nginx:1.19.5
          ports:
            - name: http
              containerPort: 80

Note: This is an NGINX sample configuration file that is deployed by using the NGINX Docker image. For more information, see How to use the official NGINX Docker image in the Docker documentation.

DevOps engineer

Deploy the Kubernetes deployment manifest file.

Run the following command to apply the deployment manifest file to your Amazon EKS cluster:

kubectl apply -f <your_deployment_file_name>

DevOps engineer

Create the Kubernetes service manifest file.

Create a service manifest file by modifying the following sample file according to your requirements.

apiVersion: v1
kind: Service
metadata:
  name: sample-service
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
    service.beta.kubernetes.io/aws-load-balancer-internal: "true"
spec:
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
  type: LoadBalancer
  selector:
    app: nginx

Important: Make sure that you include the following annotations to define an internal Network Load Balancer:

service.beta.kubernetes.io/aws-load-balancer-type: nlb
service.beta.kubernetes.io/aws-load-balancer-internal: "true"

DevOps engineer

Deploy the Kubernetes service manifest file.

Run the following command to apply the service manifest file to your Amazon EKS cluster:

kubectl apply -f <your_service_file_name>

DevOps engineer

Task | Description | Skills required

Record the Network Load Balancer’s name.

Run the following command to retrieve the name of the Network Load Balancer:

kubectl get svc sample-service -o wide

Record the Network Load Balancer’s name, which is required to create an AWS PrivateLink endpoint.

DevOps engineer

Create an AWS PrivateLink endpoint.

Sign in to the AWS Management Console, open the Amazon VPC console, and then create an AWS PrivateLink endpoint. Associate this endpoint with the Network Load Balancer; this makes the application privately available to customers. For more information, see VPC endpoint services (AWS PrivateLink) in the Amazon VPC documentation.

Important: If the consumer account requires access to the application, the consumer account’s AWS account ID must be added to the allowed principals list for the AWS PrivateLink endpoint configuration. For more information, see Adding and removing permissions for your endpoint service in the Amazon VPC documentation.

Cloud administrator
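The CLI equivalent of the two tasks above (record the Network Load Balancer's name, then publish it as an endpoint service that admits only one consumer account), as an added example that is not part of the AWS pattern. It assumes AWS CLI version 2 and kubectl are configured for the cluster, that the Service is named sample-service as in the manifest, and a consumer AWS account ID that you supply.

```shell
#!/usr/bin/env bash
# Added example, not part of the AWS pattern. Assumes AWS CLI v2 and kubectl
# are configured for the cluster and that the Service is named sample-service.
set -eu

# The NLB hostname kubectl reports looks like <name>-<hash>.elb.<region>.amazonaws.com;
# the load balancer's name is the first DNS label with the trailing -<hash> removed.
nlb_name_from_hostname() {
  label="${1%%.*}"
  printf '%s\n' "${label%-*}"
}

# Build the principal ARN for the allowed-principals list, refusing anything
# that is not a 12-digit AWS account ID so a typo cannot widen access.
principal_for_account() {
  case "$1" in
    *[!0-9]*|'') echo "invalid account ID: '$1'" >&2; return 1 ;;
  esac
  [ "${#1}" -eq 12 ] || { echo "invalid account ID: '$1'" >&2; return 1; }
  printf 'arn:aws:iam::%s:root\n' "$1"
}

# Look up the NLB ARN by name (AWS CLI call).
nlb_arn() {
  aws elbv2 describe-load-balancers --names "$1" \
    --query 'LoadBalancers[0].LoadBalancerArn' --output text
}

# Publish the NLB as an endpoint service. Connection requests must be accepted
# by the provider, and only the named consumer account may create an endpoint.
create_endpoint_service() {
  service_id=$(aws ec2 create-vpc-endpoint-service-configuration \
    --network-load-balancer-arns "$1" --acceptance-required \
    --query 'ServiceConfiguration.ServiceId' --output text)
  aws ec2 modify-vpc-endpoint-service-permissions --service-id "$service_id" \
    --add-allowed-principals "$(principal_for_account "$2")"
  printf '%s\n' "$service_id"
}

main() {
  host=$(kubectl get svc sample-service \
    -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')
  nlb=$(nlb_name_from_hostname "$host")
  create_endpoint_service "$(nlb_arn "$nlb")" "$1"
}

# Only touch AWS when explicitly asked: RUN=1 ./script.sh <consumer-account-id>
if [ "${RUN:-0}" = 1 ]; then main "${1:?consumer AWS account ID}"; fi
```

The script prints the new service ID; the consumer then creates an interface VPC endpoint for that service name, and the provider accepts the connection request.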

Create a VPC endpoint.

On the Amazon VPC console, choose Endpoint Services, and then choose Create Endpoint Service. Create a VPC endpoint for the AWS PrivateLink endpoint.

The VPC endpoint’s fully qualified domain name (FQDN) resolves to the FQDN of the AWS PrivateLink endpoint. Creating the VPC endpoint provisions an elastic network interface that connects to the VPC endpoint service, and the DNS endpoints reach the service through that interface. 

Cloud administrator