Selectively exposing a REST endpoint publicly in an AWS EKS cluster in a private VPC
Cluster information:
Kubernetes version: 1.19
Cloud being used: AWS EKS
So here is my configuration. I have a private VPC on AWS within which is hosted an AWS EKS cluster. This VPC has public-facing load balancers which are accessible only from specific IP addresses. On this EKS cluster are hosted a number of microservices running in their own pods. Each of these pods exposes a REST endpoint.
Now here is my requirement. Out of all the REST endpoints that we have, I would like to make only one REST endpoint publicly available from the internet. The remainder of our REST endpoints should remain private, accessible only from certain IP addresses.
What would be the best approach to achieve this?
So far, from what I have researched, here are my options:
1) Have another instance of the Ingress controller which deploys a public-facing load balancer to handle requests to this public-facing REST endpoint. This will work. However, I am concerned with the security aspects here. An attacker might just get into our VPC and create havoc.
2) Have a completely new EKS cluster which is public-facing, where I deploy this single REST endpoint. This is something I would like to avoid.
3) Use something like AWS API Gateway to achieve this. I am not sure if this is possible, as I have to research more about it.
Does anyone have any ideas on how this could be achieved securely?
Any advice would be very much appreciated.
Regards,
Kiran Hegde
You can use ELB to expose the ingress controller to outside traffic. If you expose the public endpoint using the AWS Load Balancer Controller, the load balancer you created in the public subnet will handle the request as you expect, while all other REST endpoints remain privately accessible.
Please refer to the links below.
https://docs.aws.amazon.com/eks/latest/userguide/aws-load-balancer-controller.html
https://aws.amazon.com/blogs/containers/introducing-aws-load-balancer-controller/
Hello @Eunsu_Shin,
Thanks for responding back. I would like to achieve all of this using Traefik as an ingress controller. We already have an Ingress controller (Traefik) right now which is only accessible from certain IP addresses. This was all fine up until now.
What we would specifically like to do is to expose only one endpoint within our EKS cluster to the internet, and the rest of the cluster should still be private. How would I go about doing this securely?
I would kindly request that you provide more details.
Regards, Kiran Hegde
As a different answer on this thread, you can try to use the ALB Ingress Controller, which is formally known as aws-load-balancer-controller.
You can install aws-load-balancer-controller in the existing private subnet, and just create an Ingress resource with the alb.ingress.kubernetes.io/scheme: internal annotation. Then, it will create an ALB in the public subnet.
If you want to just use the existing public-facing ALB instance, then try the TargetGroupBinding CRD feature of aws-load-balancer-controller. It will just link your running pods to the existing target group of the ALB.
You can check the details for TargetGroupBinding here.
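The two mechanisms named in the answer above, written out as an added example (this is not code from the thread or from the aws-load-balancer-controller project). It assumes the AWS Load Balancer Controller is installed, the public subnets are tagged kubernetes.io/role/elb and the private ones kubernetes.io/role/internal-elb so the controller can choose them, and a controller version that serves networking.k8s.io/v1 Ingress (older versions use v1beta1 with the same annotations). The scheme annotation decides placement: internet-facing puts the ALB in the public subnets with public addresses, internal puts it in the private subnets. Namespace, Service and host names, the certificate and target group ARNs, the security group ID and the CIDR ranges are placeholders.

```yaml
# Added example, not from the thread. All names, ARNs, IDs and CIDRs are placeholders.
---
# 1. The one endpoint that may be reached from the internet: its own Ingress,
#    its own internet-facing ALB, and only the /v1/orders path is routed.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: orders-public
  namespace: apps
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing   # public subnets, public IPs
    alb.ingress.kubernetes.io/target-type: ip           # pods are registered directly; nodes stay private
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:123456789012:certificate/placeholder-cert-id
spec:
  rules:
  - host: api.example.com
    http:
      paths:
      - path: /v1/orders
        pathType: Prefix
        backend:
          service:
            name: orders
            port:
              number: 8080
---
# 2. Everything else: an internal ALB in the private subnets, additionally
#    restricted to the office/VPN ranges (203.0.113.0/24 and 198.51.100.0/24
#    are documentation ranges standing in for the real allowed IPs).
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: api-internal
  namespace: apps
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internal
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/inbound-cidrs: 203.0.113.0/24,198.51.100.0/24
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:123456789012:certificate/placeholder-cert-id
spec:
  rules:
  - host: api.internal.example.com
    http:
      paths:
      - path: /v1/billing
        pathType: Prefix
        backend:
          service:
            name: billing
            port:
              number: 8080
      - path: /v1/inventory
        pathType: Prefix
        backend:
          service:
            name: inventory
            port:
              number: 8080
---
# 3. Alternative to (1) when a public ALB and target group already exist outside
#    the cluster: the controller keeps the target group's registered pod IPs in
#    sync with the Service, and the networking block opens the pod security
#    group only to the existing ALB's security group.
apiVersion: elbv2.k8s.aws/v1beta1
kind: TargetGroupBinding
metadata:
  name: orders-existing-alb
  namespace: apps
spec:
  serviceRef:
    name: orders
    port: 8080
  targetGroupARN: arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/orders/0123456789abcdef
  targetType: ip
  networking:
    ingress:
    - from:
      - securityGroup:
          groupID: sg-0123456789abcdef0   # placeholder: the existing public ALB's SG
      ports:
      - protocol: TCP
```

After applying, kubectl get ingress -n apps should show two different ALB hostnames; the public one answers only for /v1/orders on api.example.com, and any other path returns the ALB's default 404 because no listener rule exists for it. With target-type ip the ALB talks to pod IPs across the VPC, so no worker node needs a public address or a node port.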
Hello @posquit0, thanks for responding back. I would like to know if there is a way to achieve this using Traefik as an Ingress controller. I am new to Kubernetes, so excuse my limited knowledge of the same.
Thanks, Kiran Hegde
Hi @AWS-User-1971331, you can use your Traefik Ingress controller in the private node group without any changes. Just expose your Traefik with a LoadBalancer-type Service object backed by a public-facing Network Load Balancer. Then only the NLB is exposed to the public. :)