Setting up an EKS Node Group on a private subnet

0

According to the EKS documentation, "Amazon EKS managed node groups can be launched in both public and private subnets." However, I failed to create a managed node group in a private subnet.

I have a subnet whose routing table's 0.0.0.0/0 entry is pointing to a NAT gateway (with outbound access to the Internet). When I tried to create a node group in this subnet, the creation would be stuck in the "creating" state forever and fail eventually.

[Two screenshots of the node group creation status were attached here; not reproduced.]

The creation would have been successful (and quick) if I just replaced the NAT gateway with an Internet Gateway.

I can't figure out why inbound access to the subnet is needed for creating a node group.

Has anyone got any idea?

  • Did you manage to figure this out? I see similar issues when launching a node group in a private subnet.

Xun
asked 7 months ago, 716 views
1 Answer
0

Hello.

  1. Please check that your NAT gateway has a public IP and is configured in a public subnet.
  2. Ensure that DNS resolution and DNS hostnames are enabled for your VPC.
  3. Check if your security groups are allowing traffic between the EKS control plane and worker nodes.

Regards, Andrii

EXPERT
answered 7 months ago
  • Thanks, Andrii. All three are checked. However, the problem still persists.

    1. Yes
    $ aws ec2 describe-nat-gateways --nat-gateway-ids <my-nat-gateway-id> --query 'NatGateways[].NatGatewayAddresses[].PublicIp'
    [
        "<correct-public-ip>"
    ]

    2. Yes
    $ aws ec2 describe-vpc-attribute --vpc-id <my-vpc-id> --attribute enableDnsSupport
    {
        "VpcId": "<my-vpc-id>",
        "EnableDnsSupport": {
            "Value": true
        }
    }

    $ aws ec2 describe-vpc-attribute --vpc-id <my-vpc-id> --attribute enableDnsHostnames
    {
        "VpcId": "<my-vpc-id>",
        "EnableDnsHostnames": {
            "Value": true
        }
    }

    3. Yes, the security group of the autoscaling group associated with the node group has both inbound and outbound rules allowing 0.0.0.0/0, all protocols, all port ranges, all types.
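Added example, not code from the answer or from the original poster: a small Python script that applies the answer's three checks (NAT gateway public and in a public subnet, VPC DNS attributes, node security group) plus the NAT default route from the question to the JSON that the corresponding aws ec2 describe-* commands return. Run it against real output by loading that JSON with json.load and passing it to run_all(); the data embedded here is constructed with placeholder IDs. The inbound port set required in check 3 (TCP 443 and 10250 from the cluster security group) is an assumption for illustration, not something the thread states.

```python
"""Offline evaluation of the three checks in the answer above, plus the
NAT-gateway route from the question, over constructed describe-* output.

Real input comes from:
  aws ec2 describe-nat-gateways --nat-gateway-ids <nat-id>
  aws ec2 describe-route-tables --filters Name=vpc-id,Values=<vpc-id>
  aws ec2 describe-vpc-attribute --vpc-id <vpc-id> --attribute enableDnsSupport
  aws ec2 describe-vpc-attribute --vpc-id <vpc-id> --attribute enableDnsHostnames
  aws ec2 describe-security-groups --group-ids <node-sg-id>
All data below is CONSTRUCTED with placeholder IDs; nothing is from a real account.
"""

# Constructed: a public NAT gateway living in subnet-public-example.
NAT_GATEWAYS = {"NatGateways": [{
    "NatGatewayId": "nat-0example", "SubnetId": "subnet-public-example",
    "VpcId": "vpc-example", "State": "available",
    "NatGatewayAddresses": [{"PublicIp": "203.0.113.10"}],
}]}

# Constructed: the public subnet defaults to an IGW, the private one to the NAT gateway.
ROUTE_TABLES = {"RouteTables": [
    {"RouteTableId": "rtb-public-example",
     "Associations": [{"SubnetId": "subnet-public-example"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"}]},
    {"RouteTableId": "rtb-private-example",
     "Associations": [{"SubnetId": "subnet-private-example"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"}]},
]}

# Constructed: the two describe-vpc-attribute answers merged into one dict.
VPC_ATTRIBUTES = {"EnableDnsSupport": {"Value": True},
                  "EnableDnsHostnames": {"Value": True}}

# Constructed: node security group admitting the cluster security group.
SECURITY_GROUPS = {"SecurityGroups": [{
    "GroupId": "sg-node-example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "UserIdGroupPairs": [{"GroupId": "sg-cluster-example"}]},
        {"IpProtocol": "tcp", "FromPort": 1025, "ToPort": 65535,
         "UserIdGroupPairs": [{"GroupId": "sg-cluster-example"}]}],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}]}


def _default_route(route_tables, subnet_id):
    """Return the 0.0.0.0/0 route of the table explicitly associated with subnet_id, or None."""
    for table in route_tables["RouteTables"]:
        if any(a.get("SubnetId") == subnet_id for a in table.get("Associations", [])):
            for route in table["Routes"]:
                if route.get("DestinationCidrBlock") == "0.0.0.0/0":
                    return route
    return None


def check_nat_gateway(nat_gateways, route_tables):
    """Answer item 1: available, has a public IP, and its own subnet defaults to an IGW."""
    gw = nat_gateways["NatGateways"][0]
    if gw["State"] != "available":
        return False, f"NAT gateway state is {gw['State']}"
    if not any(addr.get("PublicIp") for addr in gw["NatGatewayAddresses"]):
        return False, "NAT gateway has no public IP"
    route = _default_route(route_tables, gw["SubnetId"])
    if route is None or not str(route.get("GatewayId", "")).startswith("igw-"):
        return False, f"{gw['SubnetId']} is not a public subnet (no 0.0.0.0/0 route to an IGW)"
    return True, "NAT gateway is public and in a public subnet"


def check_node_subnet_egress(route_tables, subnet_id, nat_gateways):
    """From the question: the node subnet's 0.0.0.0/0 route must go via the NAT gateway."""
    nat_ids = {gw["NatGatewayId"] for gw in nat_gateways["NatGateways"]}
    route = _default_route(route_tables, subnet_id)
    if route is None or route.get("NatGatewayId") not in nat_ids:
        return False, f"{subnet_id} has no 0.0.0.0/0 route through the NAT gateway"
    return True, "node subnet reaches the internet through the NAT gateway"


def check_vpc_dns(attrs):
    """Answer item 2: both enableDnsSupport and enableDnsHostnames must be true."""
    off = [k for k in ("EnableDnsSupport", "EnableDnsHostnames") if not attrs.get(k, {}).get("Value")]
    return (not off), ("VPC DNS attributes enabled" if not off else f"disabled: {off}")


def _covers(perm, port):
    """True if a security-group permission admits TCP traffic on port."""
    if perm["IpProtocol"] == "-1":
        return True
    return perm["IpProtocol"] == "tcp" and perm["FromPort"] <= port <= perm["ToPort"]


def check_node_security_group(sgs, cluster_sg_id, ports=(443, 10250)):
    """Answer item 3: node SG admits the cluster SG on the control-plane ports
    (443 and kubelet 10250 here, an assumed minimum) and allows outbound traffic."""
    sg = sgs["SecurityGroups"][0]
    inbound = [p for p in sg["IpPermissions"]
               if any(g["GroupId"] == cluster_sg_id for g in p.get("UserIdGroupPairs", []))
               or any(r["CidrIp"] == "0.0.0.0/0" for r in p.get("IpRanges", []))]
    missing = [port for port in ports if not any(_covers(p, port) for p in inbound)]
    if missing:
        return False, f"no inbound rule from {cluster_sg_id} for ports {missing}"
    if not any(_covers(p, 443) for p in sg["IpPermissionsEgress"]):
        return False, "no egress rule on 443 (nodes must reach the API server via the NAT gateway)"
    return True, "node security group allows control plane <-> node traffic"


def run_all(nat=NAT_GATEWAYS, rts=ROUTE_TABLES, attrs=VPC_ATTRIBUTES, sgs=SECURITY_GROUPS,
            node_subnet="subnet-private-example", cluster_sg="sg-cluster-example"):
    """Run every check; returns {name: (ok, reason)} so failures are easy to read."""
    return {
        "nat_gateway": check_nat_gateway(nat, rts),
        "node_subnet_egress": check_node_subnet_egress(rts, node_subnet, nat),
        "vpc_dns": check_vpc_dns(attrs),
        "node_security_group": check_node_security_group(sgs, cluster_sg),
    }


if __name__ == "__main__":
    for name, (ok, reason) in run_all().items():
        print(f"{'PASS' if ok else 'FAIL'} {name}: {reason}")
```

The NAT gateway check is the one worth keeping even if you run the other commands by hand: a NAT gateway with a public IP still cannot forward traffic if the subnet it sits in has no 0.0.0.0/0 route to an internet gateway, and the describe-nat-gateways output alone does not reveal that.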
