EKS LoadBalancer Controller Subnet problem - amazon-web-services

If you specify a subnet ID in ingress.yaml, the AWS LoadBalancer Controller specifies a subnet, but otherwise the subnet is not found.
P.S. You have recently applied aws-nuke to that account.

Related

aws private eks, how to expose service to public

I created a private EKS cluster with Terraform, following the guide at this page: https://tf-eks-workshop.workshop.aws/500_eks-terraform-workshop.html, and the network architecture is below:
Then I deployed my web application in the EKS cluster. The application only accesses AWS resources, so it works as expected, but the problem is that the EKS cluster is in a private VPC and an internet ALB can't be attached to it, so I'm not able to access my application from a public web browser. Is there any idea how to implement it?
I've set up VPC peering between the EKS VPC and the CI/CD VPC.
For the application deployment part, I create a Service whose type is NodePort.
Unfortunately the guide link here doesn't open for me. It seems from the VPC diagram that you have a private subnet within your VPC for EKS; you can do the following:
Create a private Ingress resource using ALB Ingress (for routing traffic based on hostname to the services within the cluster) - https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html
And then route traffic from Route53 to the internal LB; if it's still not reachable, attach a LB in the default VPC and pass it on to the internal Ingress controller. Logically that should work.
EC2s in the same VPC can talk to each other if SGs are open, so by that logic forwarding traffic from the public subnet to the private one shouldn't be an issue.

istio-ingressgateway LoadBalancer showing "Pending" in AWS EKS

I have installed a private EKS cluster where the attached subnets are private subnets. My requirement is "Private EKS with Istio installation": create multiple microservices and expose them within the VPC.
For exposing them within the VPC, I expected the 'istio-ingressgateway' would create an internal ALB, but it is showing "Pending":
istio-ingressgateway LoadBalancer 1xx.x0x.xx.2xx <pending>
My need is to install multiple microservices on different ports using "NodePort" and expose them via Gateway.
Request any help or view in this.
Thanks!
You have 2 options: use the ALB ingress controller and create an internal Ingress object with the annotation:
alb.ingress.kubernetes.io/scheme: "internal"
or create a LoadBalancer Service, which will create an ELB. Add these annotations to the Service:
service.beta.kubernetes.io/aws-load-balancer-internal: Used on the service to indicate that we want an internal ELB.
service.beta.kubernetes.io/aws-load-balancer-security-groups: Used to specify the security groups to be added to ELB created. This replaces all other security groups previously assigned to the ELB.
For example,
Also, you need these tags on the VPC subnets:
Key: kubernetes.io/role/internal-elb
Value: 1
For your case, take option 2.

CodeDeploy with VPC endpoint on private subnet instances

I am trying to use CodeDeploy to deploy my revisions to private subnet instances using a VPC endpoint.
The VPC endpoint has the required subnet configured, and the security group applied to the VPC endpoint allows all inbound and outbound traffic. Still my deployment is failing, and I do not have any way to check logs on the EC2 instance since it is private. Any help or guidance regarding this?
I am trying to follow the link below:
https://aws.amazon.com/about-aws/whats-new/2020/08/aws-codedeploy-now-supports-deployments-to-virtual-private-cloud-endpoints/

EKS : could not find any suitable subnets for creating the ELB

I am trying to expose a service to the outside world using a LoadBalancer-type Service.
For that, I have followed this doc:
https://aws.amazon.com/premiumsupport/knowledge-center/eks-kubernetes-services-cluster/
My loadbalancer.yaml looks like this:
apiVersion: v1
kind: Service
metadata:
  name: nginx-service
spec:
  type: LoadBalancer
  selector:
    app: nginx
  ports:
    - protocol: TCP
      port: 80
      targetPort: 80
But the load balancer is not being created as expected; I am getting the following error:
Warning SyncLoadBalancerFailed 8s (x3 over 23s) service-controller Error syncing load balancer: failed to ensure load balancer: could not find any suitable subnets for creating the ELB
It seems like it's because of some issue with the subnet tags, but I have the required tags on my subnets:
Key: kubernetes.io/cluster/<cluster-name> Value: owned
Key: kubernetes.io/role/elb Value: 1
But still I am getting the error: could not find any suitable subnets for creating the ELB
By default AWS EKS only attaches load balancers to public subnets. In order to launch it in a private subnet you need to not only label your subnets (which it looks like you did) but also annotate your load balancer:
service.beta.kubernetes.io/aws-load-balancer-internal: "true"
You can find more information here.
For people that may reach this question, I have faced the same error, but the problem was really simple.
The tag with key kubernetes.io/cluster/<cluster-name> had the wrong cluster name as the automation that deployed it was wrong.
In EKS 1.16, I need an internet-facing NLB.
The root cause in EKS is that you haven't selected a public subnet while creating the cluster.
After creating the cluster, EKS will not allow you to update subnets as of now (here).
To resolve the issue, I performed the steps below:
Created a public subnet in the same VPC as the EKS cluster
Attached the IGW in the route tables of the newly created public subnets
Added the tags below to the public subnets:
kubernetes.io/cluster/<EKSClusterName> : shared
Note: In the 4th step, replace your EKS cluster name in the placeholder EKSClusterName.
Resolution: This has resolved my issue.
To identify a cluster's subnets, the Kubernetes Cloud Controller Manager (cloud-controller-manager) and AWS Load Balancer Controller (aws-load-balancer-controller) query that cluster's subnets by using the following tag as a filter:
Choose the appropriate option for tagging your subnets:
For public and private subnets used by load balancer resources
Tag all public and private subnets that your cluster uses for load balancer resources with the following key-value pair:
Key: kubernetes.io/cluster/cluster-name Value: shared
The cluster-name value is for your Amazon EKS cluster. The shared value allows more than one cluster to use the subnet.
For private subnets used by internal load balancers
To allow Kubernetes to use your private subnets for internal load balancers, tag all private subnets in your VPC with the following key-value pair:
Key: kubernetes.io/role/internal-elb Value: 1
For public subnets used by external load balancers
To allow Kubernetes to use only tagged subnets for external load balancers, tag all public subnets in your VPC with the following key-value pair:
Key: kubernetes.io/role/elb Value: 1
Note: Use the preceding tag instead of using a public subnet in each Availability Zone.
reference: https://aws.amazon.com/premiumsupport/knowledge-center/eks-vpc-subnet-discovery/
Possibly your subnet is not a public one, i.e. accessible from the internet. This is required for your load balancer to accept traffic from the outside world. In order to make it public, you need to attach an Internet Gateway to your VPC. Check here for more documentation.
In addition to Robert's answer, you can use the following kubectl command to annotate a service:
kubectl annotate svc <service-name> service.beta.kubernetes.io/aws-load-balancer-internal="true"
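The tag rules quoted from the AWS knowledge-center answer, the wrong-cluster-name pitfall and the internal annotation above can be checked before `kubectl apply`. The following is an added example, not code from any answer or from the controllers themselves: it models only the tag-based path (cluster tag plus role tag, one subnet per AZ) on constructed `describe-subnets`-style data; the real controllers also fall back to route-table inspection, which is not modelled.

```python
# Added example: model the subnet filter the answers above describe, on constructed data.
# Assumption: cluster tag must be 'shared' or 'owned' and the role tag must equal '1'.
CLUSTER_TAG_PREFIX = "kubernetes.io/cluster/"
ROLE_TAG = {"internet-facing": "kubernetes.io/role/elb",
            "internal": "kubernetes.io/role/internal-elb"}
INTERNAL_ANNOTATION = "service.beta.kubernetes.io/aws-load-balancer-internal"


def lb_scheme(service_annotations):
    """Scheme a LoadBalancer Service asks for: 'internal' only when the annotation is 'true'."""
    value = str(service_annotations.get(INTERNAL_ANNOTATION, "")).strip().lower()
    return "internal" if value == "true" else "internet-facing"


def suitable_subnets(subnets, cluster_name, scheme):
    """Return (chosen subnet ids, one per AZ) and a reason for every rejected subnet."""
    role_tag = ROLE_TAG[scheme]
    chosen, rejected = {}, {}
    for s in subnets:
        tags = {t["Key"]: t["Value"] for t in s.get("Tags", [])}
        sid, az = s["SubnetId"], s["AvailabilityZone"]
        if tags.get(CLUSTER_TAG_PREFIX + cluster_name) not in ("shared", "owned"):
            rejected[sid] = f"no {CLUSTER_TAG_PREFIX}{cluster_name} tag with value shared/owned"
        elif tags.get(role_tag) != "1":
            rejected[sid] = f"no {role_tag}=1 tag"
        elif az in chosen:  # an ELB takes at most one subnet per AZ
            rejected[sid] = f"AZ {az} already covered by {chosen[az]}"
        else:
            chosen[az] = sid
    return sorted(chosen.values()), rejected


# Constructed sample resembling `aws ec2 describe-subnets` output (not real account data).
SAMPLE_SUBNETS = [
    {"SubnetId": "subnet-pub-a", "AvailabilityZone": "eu-west-1a", "Tags": [
        {"Key": "kubernetes.io/cluster/demo", "Value": "shared"},
        {"Key": "kubernetes.io/role/elb", "Value": "1"}]},
    {"SubnetId": "subnet-priv-a", "AvailabilityZone": "eu-west-1a", "Tags": [
        {"Key": "kubernetes.io/cluster/demo", "Value": "owned"},
        {"Key": "kubernetes.io/role/internal-elb", "Value": "1"}]},
    {"SubnetId": "subnet-pub-b", "AvailabilityZone": "eu-west-1b", "Tags": [
        {"Key": "kubernetes.io/cluster/demo-old", "Value": "shared"},  # wrong cluster name
        {"Key": "kubernetes.io/role/elb", "Value": "1"}]},
]

if __name__ == "__main__":
    scheme = lb_scheme({INTERNAL_ANNOTATION: "true"})
    ids, why = suitable_subnets(SAMPLE_SUBNETS, "demo", scheme)
    print(scheme, ids, why)  # the rejected dict explains each "could not find ... subnets" case
```

Feed it the real `aws ec2 describe-subnets --filters Name=vpc-id,Values=<vpc-id>` JSON (the `Subnets` list) and the Service's annotations to see which subnet the controller would reject and why.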

How to add inbound rule to AWS security group with my default VPC?

I want to add an inbound rule to a security group in my default VPC. I removed the default VPC from a zone and added a default VPC. But I get the fault below:
"[AmazonServiceException: Status Code: 400, AWS Service: AmazonEC2, AWS Request ID: c99a21bb-c798-4938-994f-ef8b89c64a72, AWS Error Code: VPCIdNotSpecified, AWS Error Message: No default VPC for this user]"
I can add the ingress rule on AWS, but I can't do this in my project, which is developed with the AWS API.
How can I do it?
I solved it. While adding the rule, I post the security groupId instead of the groupName.
If you are a "VPC Only" customer and have your default VPC deleted, then during the ingress action you need to specify the VPC ID (or subnet ID of another VPC). If you do not specify it, then the default VPC will be presumed.
In your case, it seems like you have your default VPC deleted, or you are not passing the VPC ID (or subnet ID of another VPC).
So either pass the VPC ID (or subnet ID of another VPC) or have AWS technical support create a new default VPC for you.