1 Answer
Hey,
The use case you are looking for, where all the outbound connections from the cluster should appear from a specific IP, can be achieved using a NAT gateway.
Currently, as you have mentioned, your nodes are in a public subnet with an internet gateway in the route table. Launch nodes into private subnets which have a NAT gateway in the route table. This will make sure any outbound connection from the pods will appear to be from the IP of the NAT gateway.
Refer to https://docs.aws.amazon.com/eks/latest/userguide/creating-a-vpc.html, which gives more information on this.
Irrespective of the SNAT status, this will make sure the outbound traffic to the internet will appear from the NAT gateway IP.
To answer your specific queries:
- Yes, it can be reverted back to "false" by executing "kubectl set env daemonset -n kube-system aws-node AWS_VPC_K8S_CNI_EXTERNALSNAT=false".
- No, do not make any change to the public subnet; instead, use a private subnet to launch nodes.
- Ideally, a private subnet should be used to launch nodes.
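The answer above rests on two things: whether a node subnet's default route points at an internet gateway or a NAT gateway, and whether the VPC CNI SNATs pod traffic to the node IP (AWS_VPC_K8S_CNI_EXTERNALSNAT=false, the default) or lets it leave with the pod IP. The following is an added example, not code from the re:Post answer or from AWS: it classifies a subnet from its route table (the check you would run over `aws ec2 describe-route-tables` output before moving nodes) and models, in simplified form, which source IP an external service sees for each combination. The route tables, gateway IDs, and addresses are constructed placeholders, and the egress model is my reading of the documented behaviour (private subnet: the NAT gateway's EIP regardless of SNAT; public subnet: the node's public IP only when traffic carries the node's primary private IP).

```python
# Added example (not from the re:Post answer or AWS documentation).
# Classifies EKS node subnets by their 0.0.0.0/0 route and models which
# source IP an internet service observes for pod egress. All IDs and
# addresses are constructed placeholders.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Route:
    destination: str  # CIDR, e.g. "0.0.0.0/0"
    target: str       # "igw-...", "nat-...", "local", ...


@dataclass
class RouteTable:
    subnet_id: str
    routes: List[Route]


# Constructed sample route tables: one public (IGW default route),
# one private (NAT gateway default route), one with no default route.
PUBLIC_RT = RouteTable("subnet-public-example", [
    Route("10.0.0.0/16", "local"),
    Route("0.0.0.0/0", "igw-example"),
])
PRIVATE_RT = RouteTable("subnet-private-example", [
    Route("10.0.0.0/16", "local"),
    Route("0.0.0.0/0", "nat-example"),
])
ISOLATED_RT = RouteTable("subnet-isolated-example", [
    Route("10.0.0.0/16", "local"),
])

# Constructed addresses used by the egress model.
NODE_PRIVATE_IP = "10.0.1.10"    # node's primary ENI address
NODE_PUBLIC_IP = "203.0.113.10"  # public IP mapped to it by the IGW
POD_IP = "10.0.1.55"             # secondary IP handed to a pod by the CNI
NAT_GATEWAY_IP = "198.51.100.7"  # Elastic IP of the NAT gateway


def classify_subnet(rt: RouteTable) -> str:
    """'public' if the default route targets an internet gateway,
    'private' if it targets a NAT gateway, otherwise 'isolated'."""
    for route in rt.routes:
        if route.destination != "0.0.0.0/0":
            continue
        if route.target.startswith("igw-"):
            return "public"
        if route.target.startswith("nat-"):
            return "private"
    return "isolated"


def egress_source_ip(subnet_kind: str, external_snat: bool) -> Optional[str]:
    """Simplified model (an assumption, not AWS code) of pod-to-internet egress.

    external_snat=False: the node SNATs pod traffic to its primary private IP.
    external_snat=True:  traffic leaves the node still carrying the pod IP.
    private subnet:      the NAT gateway translates either address to its EIP,
                         so the observed IP is the same regardless of SNAT.
    public subnet:       the IGW only maps the node's primary private IP, so a
                         packet with a bare pod IP has no public address (None).
    """
    leaving_node = POD_IP if external_snat else NODE_PRIVATE_IP
    if subnet_kind == "private":
        return NAT_GATEWAY_IP
    if subnet_kind == "public":
        return NODE_PUBLIC_IP if leaving_node == NODE_PRIVATE_IP else None
    return None  # no default route: no internet egress at all


def audit(rt: RouteTable, external_snat: bool) -> dict:
    """Combine both checks into one record for a given node subnet."""
    kind = classify_subnet(rt)
    return {
        "subnet": rt.subnet_id,
        "kind": kind,
        "external_snat": external_snat,
        "observed_source_ip": egress_source_ip(kind, external_snat),
    }


if __name__ == "__main__":
    for rt in (PUBLIC_RT, PRIVATE_RT, ISOLATED_RT):
        for snat in (False, True):
            print(audit(rt, snat))
```

Running it shows the point of the answer: only the private subnet yields one stable address (the NAT gateway EIP) whichever way AWS_VPC_K8S_CNI_EXTERNALSNAT is set, so that is the address to put on an external allow-list.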
If I want to do this without having to restart/recreate my running nodes is that possible?
That is possible, but you will have to make modifications at the VPC and subnet level, which includes recreation of the NAT gateway. This can make things complex. So the recommended solution will be to recreate the nodes in the existing private subnet and delete the public subnet nodes.