Likely Cause
The "Bad gateway" error from the DevOps Agent (not from your local machine) typically means the agent's outbound request to the EKS API server is being intercepted or blocked before it reaches the cluster. Since your local machine works fine with the same IAM role, the issue is not permissions — it's the network path.
A few things to check:
1. Region Support
Confirm that the AWS DevOps Agent supports ap-east-1 (Hong Kong). Not all AWS services and features are available in every region on day one. Hong Kong is an opt-in region — some newer services roll out there later. Check the AWS Regional Services List to confirm.
2. Public Endpoint Access
You mentioned the cluster has public endpoint access. Verify there are no CIDR restrictions on it:
aws eks describe-cluster --name your-cluster --region ap-east-1 --query "cluster.resourcesVpcConfig.publicAccessCidrs"
If this returns anything other than ["0.0.0.0/0"], the DevOps Agent's IP range may be blocked. The agent runs from AWS-managed infrastructure whose IP ranges may not be in your allowlist.
3. Authentication Mode
You're using "EKS API and ConfigMap". The DevOps Agent likely authenticates via the EKS API (access entries), not the ConfigMap. Verify the agent's IAM role has an access entry:
aws eks list-access-entries --cluster-name your-cluster --region ap-east-1
If the agent's role ARN is not listed, create one:
aws eks create-access-entry --cluster-name your-cluster --principal-arn arn:aws:iam::ACCOUNT:role/AGENT_ROLE --region ap-east-1
4. VPC Endpoint / Proxy
If your cluster's API server is behind a VPC endpoint (private access enabled alongside public), the "Bad gateway" could mean the agent is hitting the private DNS name but can't resolve it from outside the VPC. Check:
aws eks describe-cluster --name your-cluster --region ap-east-1 --query "cluster.resourcesVpcConfig.[endpointPublicAccess,endpointPrivateAccess]"
If both are true, the DNS resolution may return the private IP when queried from within AWS infrastructure (which the agent runs on), causing the bad gateway.
Fix: Either disable private endpoint access (if not needed), or ensure the agent can reach the private endpoint through proper networking.
5. Cluster Health
You mentioned the cluster is healthy, but double-check the API server specifically:
aws eks describe-cluster --name your-cluster --region ap-east-1 --query "cluster.[status,health]"
Summary
Most likely cause is either:
- Public access CIDR restriction blocking the agent's IP
- Private + public endpoint causing DNS to resolve to the private IP for the agent
- Region support gap for the DevOps Agent in ap-east-1
Start with checking the public access CIDRs and the endpoint configuration.
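The checks in the answer above, run as one pass over the JSON that `aws eks describe-cluster` and `aws eks list-access-entries` return. This is an added example, not part of the original answer or any AWS tooling; the sample documents, the account ID, the finding labels and the `triage` function name are constructed, and a missing `accessConfig` block is assumed to mean ConfigMap-only authentication.

```python
import ipaddress

# Constructed sample: trimmed `aws eks describe-cluster` output (not from the page).
SAMPLE_CLUSTER = {"cluster": {
    "status": "ACTIVE",
    "health": {"issues": []},
    "accessConfig": {"authenticationMode": "API_AND_CONFIG_MAP"},
    "resourcesVpcConfig": {
        "endpointPublicAccess": True,
        "endpointPrivateAccess": True,
        "publicAccessCidrs": ["203.0.113.0/24"],
    },
}}
# Constructed sample: `aws eks list-access-entries` output.
SAMPLE_ENTRIES = {"accessEntries": ["arn:aws:iam::111122223333:role/admin"]}
AGENT_ROLE = "arn:aws:iam::111122223333:role/AGENT_ROLE"  # placeholder ARN


def triage(cluster_doc, entries_doc, agent_role_arn):
    """Return labels for each check from the answer that this cluster fails."""
    c = cluster_doc["cluster"]
    vpc = c.get("resourcesVpcConfig", {})
    findings = []
    if not vpc.get("endpointPublicAccess", False):
        findings.append("public-endpoint-disabled")
    else:
        nets = [ipaddress.ip_network(x) for x in vpc.get("publicAccessCidrs", [])]
        # An allowlist without a /0 entry must explicitly cover the agent's source range.
        if not any(n.prefixlen == 0 for n in nets):
            findings.append("public-cidr-allowlist")
    if vpc.get("endpointPublicAccess") and vpc.get("endpointPrivateAccess"):
        findings.append("public-and-private-endpoint")
    # Assumption: no accessConfig block means the cluster is ConfigMap-only.
    mode = c.get("accessConfig", {}).get("authenticationMode", "CONFIG_MAP")
    if mode not in ("API", "API_AND_CONFIG_MAP"):
        findings.append("auth-mode-without-eks-api")
    if agent_role_arn not in entries_doc.get("accessEntries", []):
        findings.append("no-access-entry-for-agent-role")
    if c.get("status") != "ACTIVE" or c.get("health", {}).get("issues"):
        findings.append("cluster-unhealthy")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_CLUSTER, SAMPLE_ENTRIES, AGENT_ROLE):
        print(finding)
```

An empty result means none of these configuration checks explains the error, so the next place to look is the agent's own connection logs.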
Based on the "Bad gateway" errors you're experiencing with AWS DevOps Agent connecting to your EKS cluster in ap-east-1, this appears to be a connectivity issue between the agent and the cluster's API server rather than a permissions problem, since you've confirmed the IAM role and access policies are correctly configured.
Here are several troubleshooting steps to consider:
Verify Authentication Mode and Access Entry: Ensure your EKS cluster's authentication mode includes the EKS API. You can check this on the Access tab in the Amazon EKS console. The cluster must be configured with an authentication mode that includes the EKS API for the DevOps Agent to connect properly.
Confirm the Correct IAM Role: Verify that the DevOps Agent is using the primary cloud source IAM role ARN and that the access entry was created with this exact ARN. Double-check that the AmazonAIOpsAssistantPolicy access policy is properly attached to the access entry.
Check API Server Connectivity: The "Bad gateway" error suggests the agent cannot communicate with the API server on port 443. This could be due to:
- Network connectivity issues between the agent's location and the Hong Kong region
- Security group configurations blocking the connection
- Network access control lists (NACLs) preventing traffic
Regional Considerations: If you're experiencing high latency or intermittent connectivity to the Hong Kong region, this could cause connection failures. Consider whether there are any regional network issues or if the agent's location has poor connectivity to ap-east-1.
Verification Steps:
After ensuring the setup is correct, start a new investigation in the Operator App and ask the agent a question about the cluster to verify the connection is working. If issues persist, review the agent's logs for more specific error details about the connection failure.
Sources
Troubleshoot Amazon EKS Connector issues - Amazon EKS
AWS EKS access setup - AWS DevOps Agent
Troubleshoot issues with kubectl cluster connection | AWS re:Post

Hi Mohamad, thanks for your reply!
I’ve already done this check before, and I’m still not able to find the issue. I’ve checked every point you mentioned.
Region Support: I’m running the AWS DevOps Agent in the ap-northeast-1 region because DevOps Agent isn’t available in the ap-east-1 region yet.
No CIDR restrictions on my side.
The EKS API is active, and the DevOps Agent role is already attached to EKS.
VPC Endpoint/Proxy: I got this result: [true, false].
The Cluster Status health is “ACTIVE”.
Let me know if you have any other suggestions!