By using AWS re:Post, you agree to the Terms of Use
/Selectively exposing a REST endpoint publicly in an AWS EKS cluster in a private VPC/

Selectively exposing a REST endpoint publicly in an AWS EKS cluster in a private VPC


Cluster information:

Kubernetes version: 1.19

Cloud being used: AWS EKS

So here is my configuration. I have a private VPC on AWS within which is hosted an AWS EKS cluster. Now this VPC has public facing load balancers which are only accessible from only specific IP addresses. On this EKS cluster are hosted a number of micro services running in their own pods. Each of these pods exposes a REST endpoint.

Now here is my requirement. Out of all the REST endpoints that we have, i would like to make only one REST endpoint publicly available from the internet. The remainder of our REST endpoints should remain private accessible only from certain IP addresses.

What would be the best approach to achieve this?

So far,from what i have researched, here are my options: 1)Have another instance of Ingress controller which deploys a public facing load balancer to handle requests to this public facing REST endpoint. This will work. However, i am concerned with the security aspects here. An attacker might just get into our VPC and create havoc.

2)Have a completely new EKS cluster which is public facing where i deploy this single REST endpoint. This is something i would like to avoid.

3)Use something like AWS API gateway to achieve this. I am not sure if this is possible as i have to research more about it.

Anyone has any ideas on how this could be achieved securely?

Any advice would be very much appreciated.


Kiran Hegde

5 Answers

You can use ELB to expose the ingress controller to outside traffic. If you expose the public endpoint using AWS Load Balancer Controller, the load balancer in public subnet you created will handle the request as you expected while all other REST endpoints remain private accessible.

Please refer to links below.

answered 4 months ago

Hello @Eunsu_Shin,

Thanks for responding back. So i would like to achieve all of this using Traefik as an ingress controller. We already have an Ingress controller(Traefik) right now which is only accessible from certain IP addresses. Now, this was all fine up until now.

What we would specifically like to do is to expose only one end point within our EKS cluster to the internet and the rest of the cluster should still be private. How would i go about doing this securely?

Kindly request you to provide more details.

Regards, Kiran Hegde

answered 4 months ago

As different answer on this thread, you can try to use ALB Ingress Controller which is formally known as aws-load-balancer-controller.

You can install aws-load-balancer-controller in the existing private subnet, and just create Ingress resource with internal annotation. Then, it will create ALB in the public subnet. If you want to just use the existing public-facing ALB instance, then try TargetGroupBinding CRD feature of aws-load-balancer-controller. It will just link your running pods to the existing target group of the ALB.

You can check the detail for TargetGroupBinding in here.

answered 4 months ago

Hello @posquit0 Thanks for responding back. I would like to know if there is a way to achieve this using Traefik as an Ingress controller. I am new to Kubernetes, so excuse my limited knowledge of the same.

Thanks, Kiran Hegde

answered 4 months ago

Hi @AWS-User-1971331, you can use your Traffik Ingress controller in private node group without any changes. Just expose your traffik with LoadBalancer type Service object with public facing Network Load Balancer. Then, only NLB is exposed to public. :)

answered 4 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions