Selectively exposing a REST endpoint publicly in an AWS EKS cluster in a private VPC


Cluster information:

Kubernetes version: 1.19

Cloud being used: AWS EKS

So here is my configuration. I have a private VPC on AWS within which is hosted an AWS EKS cluster. This VPC has public-facing load balancers which are accessible only from specific IP addresses. On this EKS cluster are hosted a number of microservices running in their own pods. Each of these pods exposes a REST endpoint.

Now here is my requirement. Out of all the REST endpoints that we have, I would like to make only one REST endpoint publicly available from the internet. The remainder of our REST endpoints should remain private, accessible only from certain IP addresses.

What would be the best approach to achieve this?

So far, from what I have researched, here are my options:

1) Have another instance of the Ingress controller which deploys a public-facing load balancer to handle requests to this public-facing REST endpoint. This will work. However, I am concerned with the security aspects here. An attacker might just get into our VPC and create havoc.

2) Have a completely new EKS cluster which is public-facing, where I deploy this single REST endpoint. This is something I would like to avoid.

3) Use something like AWS API Gateway to achieve this. I am not sure if this is possible, as I have to research more about it.

Does anyone have any ideas on how this could be achieved securely?

Any advice would be very much appreciated.

Regards,

Kiran Hegde

5 Answers

You can use ELB to expose the ingress controller to outside traffic. If you expose the public endpoint using AWS Load Balancer Controller, the load balancer in the public subnet you created will handle the request as you expected, while all other REST endpoints remain privately accessible.

Please refer to the links below.

https://docs.aws.amazon.com/eks/latest/userguide/aws-load-balancer-controller.html
https://aws.amazon.com/blogs/containers/introducing-aws-load-balancer-controller/

AWS
answered 2 years ago

Hello @Eunsu_Shin,

Thanks for responding. I would like to achieve all of this using Traefik as an ingress controller. We already have an Ingress controller (Traefik) right now which is only accessible from certain IP addresses. This was all fine up until now.

What we would specifically like to do is to expose only one endpoint within our EKS cluster to the internet, while the rest of the cluster should still be private. How would I go about doing this securely?

I kindly request you to provide more details.

Regards, Kiran Hegde

answered 2 years ago

As a different answer on this thread, you can try to use the ALB Ingress Controller, which is formerly known as aws-load-balancer-controller.

You can install aws-load-balancer-controller in the existing private subnet, and just create an Ingress resource with the `alb.ingress.kubernetes.io/scheme: internal` annotation. Then it will create an ALB in the public subnet. If you want to just use the existing public-facing ALB instance, then try the TargetGroupBinding CRD feature of aws-load-balancer-controller. It will just link your running pods to the existing target group of the ALB.

You can check the details for TargetGroupBinding here.

EXPERT
answered 2 years ago
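To make the "one public endpoint, everything else internal" split concrete with the AWS Load Balancer Controller route suggested above, here is an added example (not from the thread or from the controller's own documentation). It assumes the controller is installed with an IngressClass named `alb`, that the cluster's public and private subnets are tagged for subnet discovery, and that `public-api` is the single Service to expose while `internal-api` stands in for the rest; the hostnames, namespace, certificate ARN and CIDR ranges are placeholders. The annotation names and values are those the controller documents as far as I know them; verify them against the controller version you run.

```yaml
# Added example, not code from the thread. Two Ingress objects, two ALBs:
# one internet-facing ALB that routes exactly one path, one internal ALB
# for everything else, itself restricted to the allowed source ranges.
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: public-endpoint
  namespace: apps                      # placeholder namespace
  annotations:
    # internet-facing places this ALB in the public subnets; this is the
    # only object in the cluster that asks for a public load balancer
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:REGION:ACCOUNT_ID:certificate/PLACEHOLDER
spec:
  ingressClassName: alb
  rules:
    - host: api.example.com            # placeholder hostname
      http:
        paths:
          # Only this path is routed to a backend; requests for anything
          # else hit the ALB's default action and get a 404, never a pod.
          - path: /v1/public
            pathType: Prefix
            backend:
              service:
                name: public-api
                port:
                  number: 8080
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: private-endpoints
  namespace: apps
  annotations:
    # internal keeps this ALB in the private subnets: no public IP at all
    alb.ingress.kubernetes.io/scheme: internal
    alb.ingress.kubernetes.io/target-type: ip
    # Defence in depth: even inside the VPC, only these ranges may connect
    # (placeholder CIDRs for the office / VPN ranges the question mentions)
    alb.ingress.kubernetes.io/inbound-cidrs: 203.0.113.0/24,198.51.100.0/24
spec:
  ingressClassName: alb
  rules:
    - host: internal.example.com       # placeholder hostname
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: internal-api
                port:
                  number: 8080
```

Because the two Ingresses do not share an `alb.ingress.kubernetes.io/group.name`, the controller provisions a separate ALB for each, which is the property you want here: the public load balancer knows about exactly one backend, so adding a new private service later cannot accidentally expose it. After applying, `kubectl get ingress -n apps` should show two different ALB hostnames, and a request to the public one for any path other than `/v1/public` should return the ALB's fixed 404 rather than reaching a pod.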

Hello @posquit0, thanks for responding. I would like to know if there is a way to achieve this using Traefik as an Ingress controller. I am new to Kubernetes, so excuse my limited knowledge of it.

Thanks, Kiran Hegde

answered 2 years ago

Hi @AWS-User-1971331, you can use your Traefik Ingress controller in the private node group without any changes. Just expose your Traefik with a LoadBalancer-type Service object backed by a public-facing Network Load Balancer. Then only the NLB is exposed to the public. :)

EXPERT
answered 2 years ago
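One point worth making explicit about the NLB-in-front-of-Traefik approach: once the NLB is internet-facing, every route Traefik knows about is reachable from the internet, not just the one endpoint, so the restriction has to be enforced inside Traefik for the private routes. The following is an added example (not from the thread, and not Traefik's or AWS's own configuration) of doing that with a Traefik v2 `ipWhiteList` Middleware. It assumes Traefik runs in a namespace called `traefik` with a `websecure` entrypoint on container port 8443, that the AWS Load Balancer Controller is installed to provision the NLB, and that `public-api` and `internal-api` are placeholder Services in namespace `apps`; the CIDRs and hostnames are placeholders, and the `preserve_client_ip.enabled` attribute is an assumption you should confirm for your controller version.

```yaml
# Added example, not code from the thread. Public NLB in front of Traefik,
# with the source-IP allowlist applied to every route except the public one.
---
apiVersion: v1
kind: Service
metadata:
  name: traefik
  namespace: traefik
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: external
    service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
    # The allowlist below is only meaningful if Traefik sees the real client
    # address; for IP targets this attribute must be on (assumed annotation)
    service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: preserve_client_ip.enabled=true
spec:
  type: LoadBalancer
  selector:
    app.kubernetes.io/name: traefik
  ports:
    - name: websecure
      port: 443
      targetPort: 8443
---
# The allowlist: requests from any other source get HTTP 403 from Traefik
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: office-only
  namespace: apps
spec:
  ipWhiteList:
    sourceRange:
      - 203.0.113.0/24        # placeholder office range
      - 198.51.100.0/24       # placeholder VPN range
---
# The single public route: no middleware, one host, one path prefix
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: public-endpoint
  namespace: apps
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
spec:
  rules:
    - host: api.example.com
      http:
        paths:
          - path: /v1/public
            pathType: Prefix
            backend:
              service:
                name: public-api
                port:
                  number: 8080
---
# Every other route goes through the same Traefik but carries the allowlist.
# The middleware reference is "<namespace>-<name>@kubernetescrd".
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: private-endpoints
  namespace: apps
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.middlewares: apps-office-only@kubernetescrd
spec:
  rules:
    - host: internal.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: internal-api
                port:
                  number: 8080
```

The design trade-off compared with two separate load balancers is that the allowlist is now a per-Ingress opt-in: a new private Ingress that forgets the `router.middlewares` annotation is public by default. If that risk is unacceptable, keep the existing private Traefik as it is and add a second, separately labelled Traefik instance behind the public NLB whose IngressClass only the public Ingress uses, so that the safe default is "not exposed". Either way, check the result from outside the allowed ranges: `api.example.com/v1/public` should answer, and `internal.example.com/` should return 403 from Traefik rather than a backend response.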
