Beginner in AWS architecture

0

Hello,

I have to deploy a managed Kubernetes cluster on AWS and I have a few questions about the best architecture for me. I'd like to secure all worker nodes in a private subnet.

My needs are simple:

  • 1 autoscaling group with a minimum of 3 workers in different AZs in the same region, in a private network
  • These workers need to connect to the internet to pull all images from Docker Hub, GitLab, GitHub
  • I need a load balancer to route all requests to the ingress component (nginx)
  • Persistent storage for some pods in RWX mode (replicas)
  • RDS Postgres
  • Mongodb Atlas

I have found a lot of documentation; however, I have some trouble understanding how NAT gateways and load balancers work and how they are billed.

-> I have understood that the NAT gateway is generally used to connect the private EC2 instances (in my case the worker nodes) to the internet via the internet gateway attached to the public subnet. Is that right? What is the cost when a worker pulls an image from the internet?

-> For the load balancer, I plan to use a Network Load Balancer because of performance and the limit on the number of certificates it can store. I will have many certificates to store, so the best option for me is to store these certificates directly in Kubernetes (cert-manager + nginx ingress). The nginx service will listen on NodePorts 32080 and 32443, and the NLB will work at layer 4. What do you think about this? Will SNI work in this configuration?

-> My last question is about the pricing of the NLB. How will the NLB work with all the worker nodes? Do I need a NAT gateway to forward all requests to the workers, or will the NLB forward all requests directly to the workers, regardless of security groups?

Thanks for your help.

zerros
asked a year ago · 223 views
2 Answers
0
  1. NAT gateway: so that instances in a private subnet can connect to services outside your VPC, but external services cannot initiate a connection with those instances. Please check here https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html for public and private connectivity. Pricing: when you provision a NAT gateway, you are charged for each hour that your NAT gateway is available and for each gigabyte of data that it processes. Please check the link above for cost considerations.
  2. Both Application Load Balancer and Network Load Balancer support multiple certs; you can associate up to 25 certificates with a load balancer in addition to a default certificate per listener. You have different use cases for selecting ALB vs NLB, so I suggest you pick the right one: https://aws.amazon.com/elasticloadbalancing/features/ . If you are using EKS, then when you create a Kubernetes ingress, an AWS Application Load Balancer (ALB) is provisioned that load balances application traffic. Refer here: https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html
  3. Here is the detailed documentation on using an NLB on EKS (if you use EKS): https://docs.aws.amazon.com/eks/latest/userguide/network-load-balancing.html and the NLB pricing is here: https://aws.amazon.com/elasticloadbalancing/pricing/
AWS
Arun
answered a year ago
0

Thanks. I have finally created all the infrastructure using the Terraform AWS modules, and everything is working with the NLB. I plan to have more than 25+1 certificates, so the best solution is to use an NLB in passthrough mode (L4) and let cert-manager deal with the public issuers.

Actually I have one problem: the NLB is multi-AZ, so I have one IP + FQDN per AZ, and one CNAME on top with all the other FQDNs. I'd like to have just one IP to access my service that I can configure on a root domain (xxxx.com). I'm reading about Global Accelerator, but I don't know if other solutions exist?

zerros
answered a year ago
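The asker's "Will SNI work in this configuration?" question is never answered in the thread, and the follow-up post confirms the final design is an NLB in L4 passthrough mode with cert-manager issuing certificates into Kubernetes. The reason that works is that a TCP-mode load balancer forwards the TLS bytes unchanged, so the server name the client asks for (the SNI extension, sent in clear in the ClientHello) still reaches whatever terminates TLS behind it, in this case the nginx ingress, which uses it to pick the right certificate. The script below is an added example, not code from the original post or from AWS: it builds a real ClientHello offline with Python's ssl module and parses the SNI extension the way an L4 TLS router would. The host names, the `backends` map and the `route_by_sni` helper are assumptions chosen for illustration.

```python
"""Why SNI survives an L4 (TCP passthrough) load balancer.

Added example: builds a genuine TLS ClientHello in memory (no network)
and extracts the server_name extension from it, which is exactly what a
TLS-terminating backend such as nginx reads to select a certificate.
"""
import ssl
import struct

TLS_HANDSHAKE = 0x16      # TLS record content type: handshake
CLIENT_HELLO = 0x01       # handshake message type: ClientHello
EXT_SERVER_NAME = 0x0000  # extension type: server_name (SNI)


def build_client_hello(server_name=None):
    """Return the first bytes a TLS client sends, captured via MemoryBIO.

    server_name=None reproduces a client that sends no SNI at all
    (OpenSSL omits the extension when no hostname is set).
    """
    ctx = ssl.create_default_context()
    if server_name is None:
        # check_hostname must be cleared before verify_mode can be relaxed.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # ClientHello has been written; the client now waits for the server
    return outgoing.read()


def extract_sni(data):
    """Return the host_name from the SNI extension of a ClientHello, or None."""
    if len(data) < 5 or data[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]                      # handshake message body
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                              # hs header, client_version, random
    pos += 1 + hs[pos]                            # session_id (u8 length + bytes)
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + hs[pos]                            # compression_methods
    if pos + 2 > len(hs):
        return None                               # no extensions block at all
    ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", hs[pos:pos + 4])
        body = hs[pos + 4:pos + 4 + length]
        pos += 4 + length
        if ext_type == EXT_SERVER_NAME:
            # ServerNameList: u16 list length, then (u8 name_type, u16 len, name);
            # name_type 0 is host_name, the only type defined.
            name_type = body[2]
            name_len = struct.unpack("!H", body[3:5])[0]
            if name_type == 0:
                return body[5:5 + name_len].decode("ascii")
    return None


def route_by_sni(data, backends, default):
    """Pick a backend from the SNI alone, before any decryption.

    This is the decision an L4 passthrough path leaves to nginx
    (or to an ssl_preread-style TCP proxy): the bytes are untouched,
    so the name is still there to read.
    """
    return backends.get(extract_sni(data), default)


if __name__ == "__main__":
    # Constructed sample routing table; these names are placeholders.
    backends = {"api.example.com": "api-svc", "www.example.com": "web-svc"}
    for name in ("api.example.com", "www.example.com", None):
        hello = build_client_hello(name)
        print(f"SNI={extract_sni(hello)!r:>20} -> {route_by_sni(hello, backends, 'default-backend')}")
```

Two things worth checking against your own setup: a client that sends no SNI (the last line of the demo) lands on nginx's default server and default certificate, so make sure that default is one you are happy to expose; and because the NLB never decrypts, certificate issuance and renewal (cert-manager) and any TLS policy enforcement live entirely in the cluster, not in the load balancer.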
