Selectively exposing a REST endpoint publicly in an AWS EKS cluster in a private VPC
Kubernetes version: 1.19
Cloud being used: AWS EKS
So here is my configuration. I have a private VPC on AWS within which is hosted an AWS EKS cluster. This VPC has public-facing load balancers which are only accessible from specific IP addresses. On this EKS cluster are hosted a number of microservices running in their own pods. Each of these pods exposes a REST endpoint.
Now here is my requirement. Out of all the REST endpoints that we have, I would like to make only one REST endpoint publicly available from the internet. The remainder of our REST endpoints should remain private, accessible only from certain IP addresses.
What would be the best approach to achieve this?
So far, from what I have researched, here are my options:
1) Have another instance of the Ingress controller which deploys a public-facing load balancer to handle requests to this public-facing REST endpoint. This will work. However, I am concerned with the security aspects here. An attacker might just get into our VPC and create havoc.
2) Have a completely new EKS cluster which is public-facing where I deploy this single REST endpoint. This is something I would like to avoid.
3) Use something like AWS API Gateway to achieve this. I am not sure if this is possible as I have to research more about it.
Does anyone have any ideas on how this could be achieved securely?
Any advice would be very much appreciated.
You can use ELB to expose the ingress controller to outside traffic. If you expose the public endpoint using the AWS Load Balancer Controller, the load balancer in the public subnet you created will handle the request as you expected, while all other REST endpoints remain privately accessible.
Thanks for responding back. So I would like to achieve all of this using Traefik as an ingress controller. We already have an Ingress controller (Traefik) right now which is only accessible from certain IP addresses. Now, this was all fine up until now.
What we would specifically like to do is to expose only one endpoint within our EKS cluster to the internet, and the rest of the cluster should still be private. How would I go about doing this securely?
Kindly request you to provide more details.
Regards, Kiran Hegde
As a different answer on this thread, you can try to use the ALB Ingress Controller, which is formerly known as aws-load-balancer-controller.
You can install aws-load-balancer-controller in the existing private subnet, and just create an Ingress resource with the alb.ingress.kubernetes.io/scheme: internal annotation. Then, it will create an ALB in the public subnet.
If you want to just use the existing public-facing ALB instance, then try the TargetGroupBinding CRD feature of aws-load-balancer-controller. It will just link your running pods to the existing target group of the ALB.
You can check the details for TargetGroupBinding here.
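The answer above describes two AWS Load Balancer Controller mechanisms without showing the manifests. The following is an added example, not the answerer's code: it keeps exactly one Ingress carrying the `internet-facing` scheme (the scheme annotation is what decides whether the controller provisions a public or an internal ALB), keeps the rest on an internal ALB behind an `inbound-cidrs` allow-list, and shows the TargetGroupBinding form for an ALB that already exists. Namespace `apps`, the service names, ports, hostnames and CIDRs are assumptions; the ARNs are placeholders.

```yaml
# Added example (not from the answer above). Names, namespaces, ports and CIDRs
# are assumptions; the ARNs are placeholders.
#
# 1) A dedicated Ingress for the single endpoint that must be reachable from
#    the internet. Keep this the only Ingress in the cluster whose scheme
#    annotation is "internet-facing"; it also routes only one path prefix.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: public-api
  namespace: apps
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS": 443}]'
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:REGION:ACCOUNT_ID:certificate/PLACEHOLDER
spec:
  rules:
    - host: api.example.com
      http:
        paths:
          - path: /v1/public        # only this prefix is routed; nothing else is exposed
            pathType: Prefix
            backend:
              service:
                name: public-api
                port:
                  number: 8080
---
# 2) Everything else stays on an internal ALB, additionally limited to the
#    office/VPN ranges via inbound-cidrs (written into the ALB security group).
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: private-apis
  namespace: apps
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internal
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/inbound-cidrs: 10.20.0.0/16,203.0.113.0/24   # assumed allow-list
spec:
  rules:
    - host: internal.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: orders-api
                port:
                  number: 8080
---
# 3) Alternative when a public ALB already exists: register the pods of the
#    public service into one of its target groups instead of creating an ALB.
apiVersion: elbv2.k8s.aws/v1beta1
kind: TargetGroupBinding
metadata:
  name: public-api-tgb
  namespace: apps
spec:
  serviceRef:
    name: public-api
    port: 8080
  targetGroupARN: arn:aws:elasticloadbalancing:REGION:ACCOUNT_ID:targetgroup/PLACEHOLDER/0123456789abcdef
  targetType: ip
```

The check worth running after this is applied is that no other Ingress in the cluster quietly carries the same scheme: `kubectl get ingress -A -o custom-columns=NS:.metadata.namespace,NAME:.metadata.name,SCHEME:.metadata.annotations.alb\.ingress\.kubernetes\.io/scheme` should list `internet-facing` exactly once. With the TargetGroupBinding variant, what is public is decided by the existing ALB's listener rules, so review those rules rather than the cluster when auditing exposure.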
Hello @posquit0 Thanks for responding back. I would like to know if there is a way to achieve this using Traefik as an Ingress controller. I am new to Kubernetes, so excuse my limited knowledge of the same.
Thanks, Kiran Hegde
Hi @AWS-User-1971331, you can use your Traefik Ingress controller in a private node group without any changes. Just expose your Service object with a public-facing Network Load Balancer. Then, only the NLB is exposed to the public. :)
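Both the first answer (expose the ingress controller through an ELB) and this one (put a public NLB in front of the Traefik Service) leave a gap the asker cares about: an NLB forwards everything it receives, so a public NLB in front of the existing Traefik Service would publish every route Traefik knows. The example below is added here and is not the answerer's code. It assumes a Traefik v2 deployment in namespace `traefik` with pod label `app=traefik`, started with one extra entrypoint (`--entrypoints.public.address=:8443`) next to the default `websecure` entrypoint on `:443`; hostnames, ports, CIDRs and Secret names are made up. It uses two Services over the same pods, one private and one public, and lets the Traefik entrypoint decide which routes each load balancer can reach.

```yaml
# Added example (not the answerer's code). Assumes Traefik v2 in namespace
# "traefik" (pods labelled app=traefik) started with
# --entrypoints.public.address=:8443 in addition to websecure on :443.
# Hostnames, ports, CIDRs and Secret names are made up.
#
# 1) Private NLB (the existing access model): only allow-listed ranges reach
#    the "websecure" entrypoint that carries all current routes.
apiVersion: v1
kind: Service
metadata:
  name: traefik-private
  namespace: traefik
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
    service.beta.kubernetes.io/aws-load-balancer-internal: "true"
spec:
  type: LoadBalancer
  selector:
    app: traefik
  loadBalancerSourceRanges:      # allow-list, enforced in the node security group
    - 10.20.0.0/16
    - 203.0.113.0/24
  ports:
    - name: websecure
      port: 443
      targetPort: 443
---
# 2) Public NLB: a second Service over the same Traefik pods that forwards
#    only to the "public" entrypoint, so routers bound to "websecure" are
#    not reachable through it.
apiVersion: v1
kind: Service
metadata:
  name: traefik-public
  namespace: traefik
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
spec:
  type: LoadBalancer
  selector:
    app: traefik
  ports:
    - name: public
      port: 443
      targetPort: 8443
---
# 3) The single route allowed on the public entrypoint.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: public-api
  namespace: apps
spec:
  entryPoints:
    - public
  routes:
    - match: Host(`api.example.com`) && PathPrefix(`/v1/public`)
      kind: Rule
      services:
        - name: public-api
          port: 8080
  tls:
    secretName: api-example-com-tls    # assumed pre-provisioned certificate Secret
---
# 4) Existing private routes must list "websecure" explicitly: a Traefik router
#    with no entryPoints attaches to every entrypoint, including "public".
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: orders-api
  namespace: apps
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`internal.example.com`) && PathPrefix(`/orders`)
      kind: Rule
      services:
        - name: orders-api
          port: 8080
  tls:
    secretName: internal-example-com-tls
```

The separation is enforced by Traefik, not by the NLB, so the audit point is the set of routers attached to the `public` entrypoint: an IngressRoute that omits `entryPoints`, or a plain Ingress object without the `traefik.ingress.kubernetes.io/router.entrypoints` annotation, is attached to all entrypoints and would become reachable from the internet the moment the public NLB exists. Reviewing the Traefik dashboard's router list (or `kubectl get ingressroute -A -o yaml`) for anything bound to `public` beyond the intended route is the check to add to the deployment process.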