Enabling SNAT for eksctl created EKS cluster


I have an EKS cluster provisioned using eksctl.

At the moment any outbound traffic (to the Internet) from pods running in the cluster comes from the public IP address of the EC2 node that it is running on. I would like to implement SNAT so that the outbound connections appear to come from a fixed set of addresses (or address, since I'm starting with a single NAT Gateway) no matter how many nodes we end up adding to the cluster.

I have found the following in the documentation that appears to cover this situation:


But I have some questions

When provisioned, eksctl appears to have created 2 Subnets for each Availability Zone:

  • eksctl-[cluster name]-cluster/SubnetPublic[AZ Name]
  • eksctl-[cluster name]-cluster/SubnetPrivate[AZ Name]

Each node only appears to have interfaces linked to the SubnetPublic, and the attached routing table's default route is via an Internet Gateway.

By contrast the SubnetPrivate default route is via a NAT Gateway.


  1. I assume that if I use kubectl set env daemonset -n kube-system aws-node AWS_VPC_K8S_CNI_EXTERNALSNAT=true I can roll that back by running kubectl set env daemonset -n kube-system aws-node AWS_VPC_K8S_CNI_EXTERNALSNAT=false?
  2. Once I apply the change above, I would also need to change the default route on the SubnetPublic to point to the NAT Gateway instead of the Internet Gateway?
  3. The SubnetPrivate is not actually being used for anything?
asked 2 years ago
1553 views
1 Answer


The use case which you are looking for, where all the outbound connections from the cluster should appear from a specific IP, can be achieved using a NAT gateway.

Currently, as you have mentioned, your nodes are in a public subnet with an internet gateway in the route table. Launch nodes into private subnets which have a NAT gateway in the route table. This will make sure any outbound connection from the pods will appear to be from the IP of the NAT gateway.

Refer to https://docs.aws.amazon.com/eks/latest/userguide/creating-a-vpc.html, which gives more information on this.

Irrespective of SNAT status, this will make sure the outbound traffic to the internet will appear from the NAT gateway IP.

To answer your specific queries:

  1. Yes, it can be reverted back to "false" by executing "kubectl set env daemonset -n kube-system aws-node AWS_VPC_K8S_CNI_EXTERNALSNAT=false"
  2. No, do not make any change to the public subnet; instead use a private subnet to launch nodes.
  3. Ideally, the private subnet should be used to launch nodes.
answered 2 years ago
  • If I want to do this without having to restart/recreate my running nodes, is that possible?

  • That is possible, but you will have to make modifications at the VPC and subnet level, which includes recreation of the NAT gateway. This can make things complex. So the recommended solution will be to recreate the nodes in the existing private subnet and delete the public subnet nodes.
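
An added example (not part of the original question or answer): a way to check, from `aws ec2 describe-route-tables` output, which node subnets send their default route to an Internet Gateway instead of a NAT Gateway, including subnets that fall back to the VPC main route table. The route table document, subnet IDs and node names below are constructed placeholders.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-route-tables` output.
SAMPLE = json.loads("""
{"RouteTables": [
  {"RouteTableId": "rtb-main", "Associations": [{"Main": true}],
   "Routes": [{"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": "local"}]},
  {"RouteTableId": "rtb-public",
   "Associations": [{"Main": false, "SubnetId": "subnet-public-a"}],
   "Routes": [{"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": "local"},
              {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"}]},
  {"RouteTableId": "rtb-private",
   "Associations": [{"Main": false, "SubnetId": "subnet-private-a"}],
   "Routes": [{"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": "local"},
              {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example"}]}
]}
""")

def default_route_target(table):
    """Classify where a route table sends 0.0.0.0/0."""
    for route in table.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            if route.get("NatGatewayId"):
                return "nat-gateway"
            if route.get("GatewayId", "").startswith("igw-"):
                return "internet-gateway"
            return "other"
    return "none"  # no default route: no Internet egress from this subnet

def egress_by_subnet(doc, subnet_ids):
    """Map each subnet to its egress path; unassociated subnets use the main table."""
    explicit, main = {}, None
    for table in doc["RouteTables"]:
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId"):
                explicit[assoc["SubnetId"]] = table
            elif assoc.get("Main"):
                main = table
    return {sid: default_route_target(explicit.get(sid, main)) if explicit.get(sid, main)
            else "unknown" for sid in subnet_ids}

def nodes_bypassing_nat(doc, node_subnets):
    """Return nodes whose subnet does not egress through a NAT Gateway."""
    egress = egress_by_subnet(doc, set(node_subnets.values()))
    return sorted(n for n, s in node_subnets.items() if egress[s] != "nat-gateway")

if __name__ == "__main__":
    nodes = {"node-1": "subnet-public-a", "node-2": "subnet-private-a"}  # constructed
    print(nodes_bypassing_nat(SAMPLE, nodes))
```

The node-to-subnet mapping has to be collected separately, for example from the EC2 instance details of each worker node.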
