AWS EKS deploy to multiple VPCs - amazon-web-services

I'm a bit confused about how AWS EKS works; excuse my ignorance.
I have 4 VPCs: one for shared services (GitLab etc.), one for dev, one for staging and one for prod.
There are multiple subnets in each VPC for different clients a, b, c.
Currently I just have pipelines that build images and deploy to an EC2 instance in a specific VPC/subnet. The pipeline SSHes to the server based on the gitlab-ci file.
I would like to change that and have a k8s cluster, where when the image updates, k8s deploys my image to the specified VPC and subnets. I know I can hook my registry up to k8s and have it work on update; that's not my question. My question is how does EKS work across VPCs and subnets?
Is this possible? It seems like the EKS cluster can only be in 1 VPC and can only deploy to those subnets.
Am I not understanding correctly?

You are correct.
The EKS control plane can only run in a single VPC and can only be associated with subnets in that VPC.
I raised feature requests a while back with AWS to support multi-VPC and multi-region EKS, but there is no news about them so far.

Related

Show VPC and subnets associated with an AWS ECS cluster

I've just created an ECS cluster via the AWS console. During that process, I specified the VPC I wanted it to use, as well as four subnets.
Now I can't find any indication, neither in the console nor via the CLI, that this actually happened. I see that the cluster exists, but I cannot get any details regarding its network disposition.
I've tried using the aws client with all of the arguments to --include that are accepted (SETTINGS, ATTACHMENTS, CONFIGURATION, et cetera), but aws ecs describe-clusters --clusters foocluster --include SETTINGS (for example) shows me nothing but the bare details.
A cluster is not specific to any VPC, so there is no association between an ECS cluster and a VPC. VPCs are specific to ECS tasks and services.
The AWS console just helped you create a VPC as a separate entity from the cluster. This way you can launch your tasks and services into that VPC. But you can launch them into any other VPC as well.
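Since the network configuration lives on the services and tasks rather than on the cluster, the way to answer "which VPC and subnets is this cluster using" is to aggregate it from the services. The script below is an added example, not code from the original post or from AWS: it works on constructed records shaped like `aws ecs describe-services` and `aws ec2 describe-subnets` output (the service, subnet, VPC and security group IDs are made up) and groups subnets, security groups and services by VPC, flagging services that have no awsvpc configuration at all and services that hand their tasks a public IP.

```python
# Added example (not from the original post or from AWS): recover the VPC,
# subnets and security groups an ECS cluster actually uses by reading the
# awsvpc network configuration of its services, since the cluster object
# itself carries none. Inputs are constructed to mimic the shape of
# `aws ecs describe-services` / `aws ec2 describe-subnets` output.

from collections import defaultdict

# Constructed sample: two Fargate services and one EC2-launch-type service
# using bridge networking (no awsvpc configuration, so no subnet of its own).
SERVICES = [
    {
        "serviceName": "api",
        "launchType": "FARGATE",
        "networkConfiguration": {
            "awsvpcConfiguration": {
                "subnets": ["subnet-aaa1", "subnet-aaa2"],
                "securityGroups": ["sg-api"],
                "assignPublicIp": "DISABLED",
            }
        },
    },
    {
        "serviceName": "worker",
        "launchType": "FARGATE",
        "networkConfiguration": {
            "awsvpcConfiguration": {
                "subnets": ["subnet-aaa2", "subnet-bbb1"],
                "securityGroups": ["sg-worker"],
                "assignPublicIp": "ENABLED",
            }
        },
    },
    {"serviceName": "legacy", "launchType": "EC2"},
]

# Constructed sample: subnet -> VPC mapping as returned by describe-subnets.
SUBNETS = {
    "subnet-aaa1": {"VpcId": "vpc-aaa", "AvailabilityZone": "us-east-1a"},
    "subnet-aaa2": {"VpcId": "vpc-aaa", "AvailabilityZone": "us-east-1b"},
    "subnet-bbb1": {"VpcId": "vpc-bbb", "AvailabilityZone": "us-east-1a"},
}


def network_disposition(services, subnets):
    """Return ({vpc_id: {"subnets", "security_groups", "services"}}, names of
    services without an awsvpc configuration)."""
    by_vpc = defaultdict(lambda: {"subnets": set(), "security_groups": set(), "services": set()})
    no_awsvpc = []
    for svc in services:
        cfg = svc.get("networkConfiguration", {}).get("awsvpcConfiguration")
        if cfg is None:
            no_awsvpc.append(svc["serviceName"])
            continue
        for subnet_id in cfg.get("subnets", []):
            # an ID describe-subnets did not return is reported rather than dropped
            vpc_id = subnets.get(subnet_id, {}).get("VpcId", "unknown-vpc")
            entry = by_vpc[vpc_id]
            entry["subnets"].add(subnet_id)
            entry["security_groups"].update(cfg.get("securityGroups", []))
            entry["services"].add(svc["serviceName"])
    return dict(by_vpc), no_awsvpc


def public_ip_services(services):
    """Services whose tasks get a public IP: worth reviewing before assuming
    'it is in a private subnet, so it is not reachable from the internet'."""
    return sorted(
        s["serviceName"] for s in services
        if s.get("networkConfiguration", {}).get("awsvpcConfiguration", {}).get("assignPublicIp") == "ENABLED"
    )


if __name__ == "__main__":
    disposition, missing = network_disposition(SERVICES, SUBNETS)
    for vpc_id, entry in sorted(disposition.items()):
        print(vpc_id, sorted(entry["subnets"]), sorted(entry["security_groups"]), sorted(entry["services"]))
    print("no awsvpc configuration:", missing)
    print("assignPublicIp=ENABLED:", public_ip_services(SERVICES))
```

Tasks started ad hoc with run-task carry their own network configuration and are not covered by walking the services, so for a complete picture list the running tasks as well.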

Fargate cluster with dedicated VPC configuration

I did not quite understand configuring the VPC "CIDR block" while creating a Fargate cluster. Based on the link https://www.datadoghq.com/blog/aws-fargate-metrics/, there is a fleet that runs outside my VPC that has the infrastructure to run my Fargate tasks.
What I don't understand is, if I configure a dedicated VPC for my Fargate cluster, how does it connect with the dedicated AWS-managed infrastructure for Fargate?
I did not find any documentation with an explanation.
After googling for some time, I found this: https://thenewstack.io/aws-fargate-through-the-lens-of-kubernetes/
The author states that the VPC configured during Fargate cluster creation acts as a proxy and requests are forwarded to EC2 instances running in a VPC owned/managed by AWS. Configuring the VPC serves the purpose of controlling the IP range of the ENI attached to the containers. This is based on my observation; I need something more to back it up.

How to add different vpc instances(node) to existing eks vpc ( both vpc are different)

I have an AWS EKS cluster in the dev VPC. Now I have a few EC2 instances in the test-vpc, so I need to add the test-vpc instances to the existing cluster. Can we do that?
FYI, I have done VPC peering as well, and the peering is also working.
An Amazon EKS cluster is provisioned in a single VPC.
If you have a dev-VPC and a test-VPC, you need to use two different EKS clusters.
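Both EKS questions on this page (the multi-VPC deploy question at the top and the dev/test VPC question just above) come down to the same constraint: the subnet list handed to create-cluster must belong to one VPC, and EKS additionally requires those subnets to span at least two Availability Zones. The following pre-flight check is an added example, not code from either answer or from AWS; it runs on constructed describe-subnets style records (the VPC, subnet and AZ names are made up) and reports why a given subnet list would not work, including the peered-VPC case where the subnets are reachable but still not in the cluster's VPC.

```python
# Added example (not from the original posts or from AWS): pre-flight check
# for the subnet list you would pass to
#   aws eks create-cluster --resources-vpc-config subnetIds=...
# Constraints encoded: one VPC for all subnets; at least two Availability
# Zones. Input is constructed in the shape of `aws ec2 describe-subnets`.

SUBNETS = {  # constructed sample: a dev VPC and a peered test VPC
    "subnet-dev-a": {"VpcId": "vpc-dev", "AvailabilityZone": "eu-west-1a"},
    "subnet-dev-b": {"VpcId": "vpc-dev", "AvailabilityZone": "eu-west-1b"},
    "subnet-dev-b2": {"VpcId": "vpc-dev", "AvailabilityZone": "eu-west-1b"},
    "subnet-test-a": {"VpcId": "vpc-test", "AvailabilityZone": "eu-west-1a"},
}


def check_eks_subnets(subnet_ids, subnets):
    """Return (ok, problems). ok is True only when an EKS cluster could be
    created with exactly this subnet list."""
    problems = []
    unknown = [s for s in subnet_ids if s not in subnets]
    if unknown:
        problems.append(f"unknown subnets: {unknown}")
    known = [s for s in subnet_ids if s in subnets]
    vpcs = {subnets[s]["VpcId"] for s in known}
    if len(vpcs) > 1:
        # VPC peering does not help here: the control plane ENIs live in one VPC
        problems.append(f"subnets span {len(vpcs)} VPCs {sorted(vpcs)}; an EKS cluster lives in one VPC")
    azs = {subnets[s]["AvailabilityZone"] for s in known}
    if len(azs) < 2:
        problems.append(f"only {len(azs)} Availability Zone(s) {sorted(azs)}; EKS needs at least two")
    return (not problems), problems


def split_by_vpc(subnet_ids, subnets):
    """Group a mixed list per VPC: the shape you end up with when the answer
    'one cluster per VPC' applies. Order within each VPC is preserved."""
    out = {}
    for s in subnet_ids:
        out.setdefault(subnets[s]["VpcId"], []).append(s)
    return out


if __name__ == "__main__":
    wanted = ["subnet-dev-a", "subnet-dev-b", "subnet-test-a"]
    ok, problems = check_eks_subnets(wanted, SUBNETS)
    print("ok" if ok else "not ok", problems)
    for vpc_id, ids in split_by_vpc(wanted, SUBNETS).items():
        print(vpc_id, "->", check_eks_subnets(ids, SUBNETS))
```

The per-VPC split shows the second problem with the dev/test layout: the test VPC's single subnet would still fail the two-AZ rule on its own, so a test cluster needs a second test subnet in another zone.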

AWS Elastic Beanstalk unable to access AWS MSK

I have an AWS MSK cluster running inside a VPC with 3 subnets.
When I created my Elastic Beanstalk (Java) environment it asked for a VPC and I configured the same VPC where my MSK cluster is running. I also selected all three listed subnets in my Elastic Beanstalk network configuration. I did not assign a public IP as I don't require access from the internet to the Elastic Beanstalk instances.
I also assigned AWS MSK Full Access permissions to the IAM instance profile that I selected for my Elastic Beanstalk environment under the security configuration. Just for information completeness, I selected AWSServiceRoleForElasticBeanstalk as the service role.
On a side note, when I configured my Lambda to access the MSK cluster, it asked me for the VPC as well as security groups explicitly. But I don't see any such configuration options for security groups in the case of Elastic Beanstalk. Am I overlooking something here? My Lambda is able to access the MSK cluster successfully.
I don't understand why my Elastic Beanstalk instance is unable to access my AWS MSK cluster. Am I missing something?
With the help of AWS Support, I was able to resolve this issue.
First, you can configure security groups under the 'Instances' configuration card.
But it was a bit confusing for me because the VPC and subnets are under the 'Networking' configuration card, which is stacked well after the 'Instances' configuration card, and the security groups listed under 'Instances' depend directly on the VPC and subnets selected under 'Networking'. If you change your selection in 'Networking', then you should update/review your security group selection under 'Instances' as well.
So, in my case, I first selected my target VPC and related subnets under 'Networking', and only then was I able to see my target security groups under 'Instances'.
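The dependency the answer describes (the security groups offered under 'Instances' are those of the VPC picked under 'Networking') is worth checking outside the console too, together with the rule that actually lets traffic flow: the MSK cluster's security group must allow the Beanstalk instance group in on the broker port. The script below is an added example, not code from the original post or from AWS. It runs on constructed records shaped like `aws ec2 describe-security-groups` output; the group IDs, the VPC ID and the choice of the TLS broker port 9094 are assumptions for the example, and an IAM policy such as AWS MSK Full Access plays no part in it, since the failure the question describes is at the network layer.

```python
# Added example (not from the original post or from AWS): verify that the
# Beanstalk instance security group and the MSK security group are in the
# selected VPC, and that MSK admits the instance group on the broker port.
# Records are constructed in the shape of `aws ec2 describe-security-groups`.

import ipaddress

MSK_TLS_PORT = 9094  # assumption for the example: TLS listener

SECURITY_GROUPS = {  # constructed sample
    "sg-eb-instances": {"VpcId": "vpc-msk", "IpPermissions": []},
    "sg-eb-wrong-vpc": {"VpcId": "vpc-default", "IpPermissions": []},
    "sg-msk-brokers": {
        "VpcId": "vpc-msk",
        "IpPermissions": [
            {   # only the instance group, only the TLS port: least privilege
                "IpProtocol": "tcp", "FromPort": 9094, "ToPort": 9094,
                "UserIdGroupPairs": [{"GroupId": "sg-eb-instances"}],
                "IpRanges": [],
            },
            {   # a CIDR-based rule: works, but admits anything in the range
                "IpProtocol": "tcp", "FromPort": 2181, "ToPort": 2181,
                "UserIdGroupPairs": [], "IpRanges": [{"CidrIp": "10.0.0.0/16"}],
            },
        ],
    },
}


def _rule_covers(rule, port, source_sg, source_ip=None):
    """True if one inbound rule admits tcp/port from source_sg, or from
    source_ip through a CIDR entry when an address is given."""
    if rule["IpProtocol"] not in ("tcp", "-1"):
        return False
    if rule["IpProtocol"] == "tcp" and not (rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)):
        return False
    if any(p["GroupId"] == source_sg for p in rule.get("UserIdGroupPairs", [])):
        return True
    if source_ip is not None:
        ip = ipaddress.ip_address(source_ip)
        return any(ip in ipaddress.ip_network(r["CidrIp"]) for r in rule.get("IpRanges", []))
    return False


def check_eb_to_msk(instance_sg, msk_sg, vpc_id, groups, port=MSK_TLS_PORT, instance_ip=None):
    """Return a list of findings; empty means the path is open at the
    security-group layer (NACLs and routing are separate checks)."""
    findings = []
    for name in (instance_sg, msk_sg):
        if name not in groups:
            findings.append(f"{name}: no such security group")
        elif groups[name]["VpcId"] != vpc_id:
            # exactly the console mismatch the answer describes
            findings.append(f"{name} is in {groups[name]['VpcId']}, not the selected VPC {vpc_id}")
    if findings:
        return findings
    rules = groups[msk_sg]["IpPermissions"]
    if not any(_rule_covers(r, port, instance_sg, instance_ip) for r in rules):
        findings.append(f"{msk_sg} has no inbound rule allowing {instance_sg} on tcp/{port}")
    return findings


if __name__ == "__main__":
    print(check_eb_to_msk("sg-eb-instances", "sg-msk-brokers", "vpc-msk", SECURITY_GROUPS))
    print(check_eb_to_msk("sg-eb-wrong-vpc", "sg-msk-brokers", "vpc-msk", SECURITY_GROUPS))
```

Referencing the instance security group as the source, as the first rule does, is preferable to a CIDR rule: it keeps working when instances are replaced by autoscaling and does not admit every other host in the subnet range.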

Setting up Amazon Elastic Beanstalk app under VPC

I've created a new environment for my Beanstalk app under a VPC.
I created a VPC with private and public subnets.
I've configured the security groups as outlined here:
http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo-vpc-basic.html
The environment seemed to set up correctly but the status is red.
Clicking on monitor reveals no data for latency or requests.
The website URL returns error code 503.
Not sure what to do.
This is almost certainly an issue with not being able to communicate with the NAT. The documentation is a little ambiguous when it comes to configuring your .ebextensions config files.
Don't mess with the Network ACLs for the VPC. The infrastructure needs to be able to talk to itself.
The NAT instance & Beanstalk ELB need to be in the Public subnet (10.0.0.0/24)
The Beanstalk instances themselves need to be in the Private subnet (10.0.1.0/24)
The Security Group that you apply to the instances needs to also apply to the NAT. That Security Group also needs to be in its own inbound list so that everything inside that SG can talk to each other.
Using curl, try to make outbound calls. First on the Bastion Host, then on the NAT, then on a Beanstalk instance. Are any of them unable to make outbound calls?
I just recently spent a couple of weeks trying to develop a CloudFormation template that handles this stuff. I think that most of it is still in my brain. I think.
If these troubleshooting steps don't help, let me know and I'll dig a little deeper.
When you created the VPC, I assume you did it using the wizard. In this situation, the NAT is configured to accept calls from the "default" security group.
When you created the Elastic Beanstalk environment, did you specify that you wanted the new instances to be in the "default" security group?
Check whether the new instance belongs to the VPC's default security group in the EC2 management area. If it is not a member of the default security group, add this security group to your NAT's inbound connections.
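The two answers above both point at the same root cause: an instance whose subnet has no working path to the NAT cannot reach Beanstalk's endpoints, so the environment never reports healthy. Route tables tell you that without logging in to anything. The script below is an added example, not code from either answer or from AWS: it classifies subnets from constructed `aws ec2 describe-route-tables` style records (VPC, subnet, gateway and instance IDs are made up) and checks the layout the first answer prescribes, ELB in a public subnet and instances in a private subnet with a default route to a NAT instance or NAT gateway.

```python
# Added example (not from the original answers or from AWS): classify subnets
# as public / private-nat / isolated from their route tables and verify the
# Beanstalk layout: ELB public, instances private behind a NAT. Records are
# constructed in the shape of `aws ec2 describe-route-tables`.

DEFAULT_ROUTE = "0.0.0.0/0"

ROUTE_TABLES = [  # constructed sample: one public and one private subnet
    {
        "RouteTableId": "rtb-main", "VpcId": "vpc-eb",
        "Associations": [{"Main": True}],   # main table: no default route at all
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
    },
    {
        "RouteTableId": "rtb-public", "VpcId": "vpc-eb",
        "Associations": [{"Main": False, "SubnetId": "subnet-public"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": DEFAULT_ROUTE, "GatewayId": "igw-0abc"},
        ],
    },
    {
        "RouteTableId": "rtb-private", "VpcId": "vpc-eb",
        "Associations": [{"Main": False, "SubnetId": "subnet-private"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": DEFAULT_ROUTE, "InstanceId": "i-nat0123"},  # NAT instance
        ],
    },
]


def route_table_for(subnet_id, vpc_id, tables):
    """Explicit association wins; otherwise the subnet uses the VPC's main table."""
    for t in tables:
        if t["VpcId"] == vpc_id and any(a.get("SubnetId") == subnet_id for a in t["Associations"]):
            return t
    return next(t for t in tables if t["VpcId"] == vpc_id and any(a.get("Main") for a in t["Associations"]))


def classify_subnet(subnet_id, vpc_id, tables):
    """'public' (default route to an internet gateway), 'private-nat' (default
    route to a NAT gateway or NAT instance) or 'isolated' (no default route:
    outbound calls hang, which is what a red environment with no metrics
    looks like)."""
    for r in route_table_for(subnet_id, vpc_id, tables)["Routes"]:
        if r.get("DestinationCidrBlock") != DEFAULT_ROUTE:
            continue
        if r.get("GatewayId", "").startswith("igw-"):
            return "public"
        if r.get("NatGatewayId") or r.get("InstanceId"):
            return "private-nat"
    return "isolated"


def check_beanstalk_layout(elb_subnets, instance_subnets, vpc_id, tables):
    """Findings against the layout in the answer: empty list means it matches."""
    findings = []
    for s in elb_subnets:
        kind = classify_subnet(s, vpc_id, tables)
        if kind != "public":
            findings.append(f"ELB subnet {s} is {kind}; it needs a default route to an internet gateway")
    for s in instance_subnets:
        kind = classify_subnet(s, vpc_id, tables)
        if kind == "public":
            findings.append(f"instance subnet {s} is public; instances belong in a private subnet")
        elif kind == "isolated":
            findings.append(f"instance subnet {s} has no default route; instances cannot reach the NAT")
    return findings


if __name__ == "__main__":
    for s in ("subnet-public", "subnet-private", "subnet-orphan"):
        print(s, classify_subnet(s, "vpc-eb", ROUTE_TABLES))
    print(check_beanstalk_layout(["subnet-public"], ["subnet-private"], "vpc-eb", ROUTE_TABLES))
```

A subnet that passes this check can still be cut off by the NAT's own security group or by NACLs, which is why the first answer's curl test from the bastion, the NAT and an instance remains the final word.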
There is a good AWS CloudFormation template example to create a VPC with public and private subnets and the NATs:
https://github.com/awsdocs/elastic-beanstalk-samples/blob/9720e38e9da155752dce132a31d8e13a27364b83/cfn-templates/vpc-privatepublic.yaml
It may be very useful for those having issues with such a VPC configuration.
To deploy it to your AWS account using the CLI:
aws cloudformation deploy --stack-name mystackname --template-file path/to/vpc-privatepublic.yaml
Or you can deploy it from the CloudFormation UI dashboard.