Setting up an EKS Node Group on a private subnet


According to the EKS documentation, "Amazon EKS managed node groups can be launched in both public and private subnets." However, I failed to create a managed node group in a private subnet.

I have a subnet whose routing table's 0.0.0.0/0 entry points to a NAT gateway (with outbound access to the Internet). When I tried to create a node group in this subnet, the creation would be stuck in the state "creating" forever and fail eventually.


The creation would have been successful (and quick) if I just replaced the NAT gateway with an Internet Gateway.

I can't figure out why inbound access to the subnet is needed for creating a node group.

Has anyone got any idea?

  • Did you manage to figure this out? I see similar issues when launching a node group in a private subnet.

Xun
asked 7 months ago, 681 views
1 Answer

Hello.

  1. Please check if your NAT gateway has a public IP and is configured in a public subnet.
  2. Ensure that DNS resolution and DNS hostnames are enabled for your VPC.
  3. Check if your security groups are allowing traffic between the EKS control plane and worker nodes.

Regards, Andrii

answered 6 months ago
  • Thanks, Andrii. All three are checked. However, the problem still persists.

    1. Yes
    $ aws ec2 describe-nat-gateways --nat-gateway-ids <my-nat-gateway-id> --query 'NatGateways[].NatGatewayAddresses[].PublicIp'
    [
        "<correct-public-ip>"
    ]

    2. Yes
    $ aws ec2 describe-vpc-attribute --vpc-id <my-vpc-id> --attribute enableDnsSupport
    {
        "VpcId": "<my-vpc-id>",
        "EnableDnsSupport": {
            "Value": true
        }
    }

    $ aws ec2 describe-vpc-attribute --vpc-id <my-vpc-id> --attribute enableDnsHostnames
    {
        "VpcId": "<my-vpc-id>",
        "EnableDnsHostnames": {
            "Value": true
        }
    }

    3. Yes, the security group of the autoscaling group associated with the node group has both inbound and outbound allowing 0.0.0.0/0, all protocols, all port ranges, all types.
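The three items in Andrii's answer, turned into an offline check over the JSON that `aws ec2 describe-route-tables`, `describe-nat-gateways`, `describe-vpc-attribute` and `describe-security-groups` return. This is an added example, not code from the question, the answer or AWS: the output shapes are the real CLI ones, but every ID and address in the sample data is a constructed placeholder, and the TCP/443 egress test used for item 3 is this example's minimal reading of "traffic between the control plane and worker nodes" (nodes must reach the cluster endpoint, ECR and S3 over HTTPS through the NAT gateway).

```python
# Offline checker for the three items in the answer above. The sample
# documents at the bottom are constructed; every ID is a placeholder.


def route_table_for_subnet(route_tables, subnet_id):
    """Route table explicitly associated with subnet_id, else the VPC main table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def default_route_target(rt):
    """Target of the active 0.0.0.0/0 route (nat-... or igw-...), or None."""
    for route in rt.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0" and route.get("State", "active") == "active":
            return route.get("NatGatewayId") or route.get("GatewayId")
    return None


def allows_egress_https(sg):
    """True if the group lets TCP/443 (or all traffic) out to 0.0.0.0/0."""
    for perm in sg.get("IpPermissionsEgress", []):
        proto = perm.get("IpProtocol")
        port_ok = proto == "-1" or (
            proto == "tcp" and perm.get("FromPort", 0) <= 443 <= perm.get("ToPort", 0)
        )
        cidr_ok = any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))
        if port_ok and cidr_ok:
            return True
    return False


def check_private_node_subnet(subnet_id, route_tables, nat_gateways, vpc_attrs, node_sg):
    """Return a list of findings; an empty list means all three items pass."""
    findings = []
    rt = route_table_for_subnet(route_tables, subnet_id)
    target = default_route_target(rt) if rt else None
    if not (target or "").startswith("nat-"):
        return [f"{subnet_id}: default route does not point at a NAT gateway (target={target})"]
    nat = next((n for n in nat_gateways if n.get("NatGatewayId") == target), None)
    if nat is None or nat.get("State") != "available":
        return [f"{target}: NAT gateway not found or not in state 'available'"]
    # Item 1: the NAT gateway needs a public IP and must itself sit in a public
    # subnet, i.e. one whose default route goes to an Internet gateway.
    if not any(a.get("PublicIp") for a in nat.get("NatGatewayAddresses", [])):
        findings.append(f"{target}: NAT gateway has no public IP")
    nat_rt = route_table_for_subnet(route_tables, nat.get("SubnetId"))
    nat_target = default_route_target(nat_rt) if nat_rt else None
    if not (nat_target or "").startswith("igw-"):
        findings.append(f"{target}: its subnet {nat.get('SubnetId')} has no 0.0.0.0/0 route to an Internet gateway")
    # Item 2: both VPC DNS attributes must be on so nodes can resolve the cluster endpoint.
    for attr in ("EnableDnsSupport", "EnableDnsHostnames"):
        if not vpc_attrs.get(attr, {}).get("Value"):
            findings.append(f"VPC attribute {attr} is not enabled")
    # Item 3: nodes need outbound HTTPS (EKS API, ECR, S3) through the NAT gateway.
    if not allows_egress_https(node_sg):
        findings.append(f"{node_sg.get('GroupId')}: egress does not allow TCP/443 to 0.0.0.0/0")
    return findings


# Constructed sample data (placeholder IDs) mirroring the CLI output shapes.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-0private", "Associations": [{"SubnetId": "subnet-0private"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example", "State": "active"}]},
    {"RouteTableId": "rtb-0public", "Associations": [{"SubnetId": "subnet-0public"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example", "State": "active"}]},
]
NAT_GATEWAYS = [{"NatGatewayId": "nat-0example", "SubnetId": "subnet-0public", "State": "available",
                 "NatGatewayAddresses": [{"PublicIp": "203.0.113.10"}]}]
# Same gateway, but mistakenly created inside the private subnet it serves.
NAT_GATEWAYS_MISPLACED = [dict(NAT_GATEWAYS[0], SubnetId="subnet-0private")]
# Merged view of the two describe-vpc-attribute calls shown in the thread.
VPC_ATTRS = {"EnableDnsSupport": {"Value": True}, "EnableDnsHostnames": {"Value": True}}
NODE_SG = {"GroupId": "sg-0nodes",
           "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}

if __name__ == "__main__":
    for label, nats in (("correct", NAT_GATEWAYS), ("misplaced NAT", NAT_GATEWAYS_MISPLACED)):
        result = check_private_node_subnet("subnet-0private", ROUTE_TABLES, nats, VPC_ATTRS, NODE_SG)
        print(label, "->", result or "all checks pass")
```

Against a real account, feed it the output of `aws ec2 describe-route-tables --filters Name=vpc-id,Values=<vpc-id>`, `aws ec2 describe-nat-gateways --filter Name=vpc-id,Values=<vpc-id>` and the two describe-vpc-attribute calls already shown above. The misplaced-NAT case is the failure mode the first item of the answer targets: a NAT gateway whose own subnet has no Internet gateway route still shows a public IP in `describe-nat-gateways`, but cannot forward anything, so nodes never reach the cluster endpoint and the node group sits in "creating" until it times out.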
