NLB using private subnet with direct connect

0

I have an EKS application running on two private nodes in two private subnets, each in a different AZ. The account has a VPC that has Direct Connect set up to the VPC using a private VIF and no Direct Connect Gateway. This connects an external corporate data center to this AWS account. The VPC is using 10.188.48.0/21. The two private subnets are 10.188.48.0/24 and 10.188.49.0/24. I also have two public subnets configured in the VPC, each also in one of the same two AZs as the private subnets.

I am currently running an NLB for UDP traffic that is configured as follows, using a CSV list of two EIP allocations ($EIP_ALLOCATIONS) that I allocated, and I am able to fully access my EKS backend services via the NLB over the public internet with this configuration.

apiVersion: v1
kind: Service
metadata:
  name: my-service
  namespace: my-namespace
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: external
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
    service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
    service.beta.kubernetes.io/aws-load-balancer-healthcheck-protocol: "HTTP"
    service.beta.kubernetes.io/aws-load-balancer-healthcheck-path: "/healthz"
    service.beta.kubernetes.io/aws-load-balancer-healthcheck-port: "8080"
    service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
    service.beta.kubernetes.io/aws-load-balancer-eip-allocations: "${EIP_ALLOCATIONS}"

Now that there is a Direct Connect setup, I need to transition the NLB to accept UDP traffic only from the private subnets via the Direct Connect, so I "believe" I need to reconfigure it away from using the two EIPs on the front end to instead use two of the IPs from the private subnets on the front end. I am not quite sure if this is the correct approach nor how to implement it. Some of the questions I have are:

  1. Could I leave it using EIPs and somehow set up a PrivateLink in the VPC that will allow me to still reach the NLB using public IPs?
  2. If using EIPs is not the right approach, then how do I assign a private IP from each subnet to the NLB and reserve it so that it never changes? I have to configure the corporate service that has to access my EKS services via this NLB with IP addresses. It does not support host names - I know, lame, but that's what I have to work with, unfortunately. I believe the configuration is something like the following with a CSV list of IPs and subnets. Not sure how to pick the IPs here:
     service.beta.kubernetes.io/aws-load-balancer-private-ipv4-addresses: "${PRIVATE_IPS}"
     service.beta.kubernetes.io/aws-load-balancer-subnets: "${PRIVATE_SUBNETS}"
  3. If I statically configure two IPs from the two subnets in the NLB and restart the EKS nodes, will I be assured that the nodes will not end up trying to select the same IPs? How does that work?

Appreciate any expert insights to help me get over the knowledge gap.

2 Answers
0

Yes, you could use AWS PrivateLink to expose your service via a Network Interface (ENI) in your VPC that can be accessed over Direct Connect. This approach is useful if you want to restrict access to your service to specific IP addresses in your corporate network. However, PrivateLink is typically used for secure, private communication between different services within AWS, and may not be necessary if you're already using Direct Connect.

If you want to use an internal NLB, you can specify the subnets to associate with the NLB using the service.beta.kubernetes.io/aws-load-balancer-subnets annotation. To specify a static IP for each subnet, you can use the service.beta.kubernetes.io/aws-load-balancer-private-ipv4-addresses annotation. To choose these IP addresses, you can simply pick any unused IP address within the CIDR block of each subnet. However, you must ensure that these IP addresses are not used by any other resources within the subnet.

AWS EKS manages the IP addresses of your worker nodes independently of the IP addresses associated with your NLB. When you specify a static IP for your NLB, AWS ensures that this IP is not used by any other resources within the subnet. Therefore, restarting your EKS nodes should not affect the IP addresses associated with your NLB.

Here's how you could modify your existing service definition to create an internal NLB with static IP addresses:

apiVersion: v1
kind: Service
metadata:
  name: my-service
  namespace: my-namespace
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: external
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
    service.beta.kubernetes.io/aws-load-balancer-scheme: internal
    service.beta.kubernetes.io/aws-load-balancer-healthcheck-protocol: "HTTP"
    service.beta.kubernetes.io/aws-load-balancer-healthcheck-path: "/healthz"
    service.beta.kubernetes.io/aws-load-balancer-healthcheck-port: "8080"
    service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
    service.beta.kubernetes.io/aws-load-balancer-private-ipv4-addresses: "${PRIVATE_IPS}"
    service.beta.kubernetes.io/aws-load-balancer-subnets: "${PRIVATE_SUBNETS}"

This configuration creates an internal NLB that uses the specified static IP addresses and is associated with the specified subnets. The NLB will route traffic to the backend pods of your EKS service, and can be accessed over Direct Connect from your corporate data center.

Please note that you need to replace ${PRIVATE_IPS} and ${PRIVATE_SUBNETS} with a comma-separated list of IP addresses and subnet IDs, respectively. The order of the IP addresses and subnet IDs should match, i.e., the first IP address should be in the first subnet, the second IP address should be in the second subnet, etc.

answered 9 months ago
  • Thank you for your thorough insights. One concern I have is, since the NLB is created AFTER the nodes, a node "might" take the static private IP that I want to use for the NLB. I cannot really easily change the IP configured in the off-site client that hits this NLB so I really want the front-end NLB IPs to never change. Any thoughts on how to accomplish that? I would prefer to NOT use EIPs as this "is" a private network with Direct Connect. Additionally, the client can ONLY be configured with IPs - does not work with host names. :(
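The answer above leaves the practical step to the reader: picking two addresses that are inside the right subnets, not in the range AWS reserves in every subnet (the first four addresses and the last one), and not already held by an ENI in that subnet (a node, a pod with a VPC CNI address, another load balancer), and then turning them into the two annotation values in the correct order. The following script is an added example and not part of the original thread; the subnet IDs (subnet-aaaa1111, subnet-bbbb2222) and the list of in-use addresses are constructed, and the only thing taken from the question is the two subnet CIDRs. In a real run the in-use list would come from `aws ec2 describe-network-interfaces --filters Name=subnet-id,Values=<subnet-id> --query 'NetworkInterfaces[].PrivateIpAddresses[].PrivateIpAddress'` for each subnet.

```python
"""Pick and validate static front-end IPv4 addresses for an internal NLB.

Added example (not from the original thread). Assumes the two private
subnets from the question and a constructed set of addresses already
assigned to ENIs in those subnets.
"""
import ipaddress

# Hypothetical subnet IDs mapped to the CIDRs given in the question.
SUBNETS = {
    "subnet-aaaa1111": "10.188.48.0/24",
    "subnet-bbbb2222": "10.188.49.0/24",
}

# Constructed: addresses currently held by ENIs in those subnets
# (nodes, pod IPs from the VPC CNI, other load balancers, endpoints).
IN_USE = {"10.188.48.10", "10.188.48.11", "10.188.48.200", "10.188.49.20"}

PRIVATE_IPS_ANNOTATION = "service.beta.kubernetes.io/aws-load-balancer-private-ipv4-addresses"
SUBNETS_ANNOTATION = "service.beta.kubernetes.io/aws-load-balancer-subnets"


def aws_reserved(net):
    """AWS reserves the first four addresses (network, router, DNS, future
    use) and the last (broadcast) address of every VPC subnet."""
    return {net.network_address + i for i in range(4)} | {net.broadcast_address}


def check_candidate(ip, subnet_cidr, in_use):
    """Return None if ip is a usable static address in subnet_cidr,
    otherwise a string saying why it is not."""
    addr = ipaddress.ip_address(ip)
    net = ipaddress.ip_network(subnet_cidr)
    if addr not in net:
        return f"{ip} is not inside {subnet_cidr}"
    if addr in aws_reserved(net):
        return f"{ip} is reserved by AWS in {subnet_cidr}"
    if str(addr) in in_use:
        return f"{ip} is already assigned to an ENI in {subnet_cidr}"
    return None


def first_free(subnet_cidr, in_use):
    """Highest non-reserved address in the subnet not already in use.
    Scanning from the top keeps the pick away from the low addresses
    that are most often hand-assigned or quickly consumed."""
    net = ipaddress.ip_network(subnet_cidr)
    reserved = aws_reserved(net)
    for i in range(net.num_addresses - 1, -1, -1):
        addr = net.network_address + i
        if addr not in reserved and str(addr) not in in_use:
            return str(addr)
    raise ValueError(f"no free address in {subnet_cidr}")


def build_annotations(chosen, subnets, in_use):
    """chosen: ordered list of (subnet_id, ip). Validates each pair and
    returns the two annotation values with matching order. Raises on any
    conflict so a manifest with a bad address is never applied."""
    ids, ips = [], []
    for subnet_id, ip in chosen:
        reason = check_candidate(ip, subnets[subnet_id], in_use)
        if reason:
            raise ValueError(reason)
        ids.append(subnet_id)
        ips.append(ip)
    if len(set(ids)) != len(ids):
        raise ValueError("exactly one address per subnet: duplicate subnet ID")
    return {
        PRIVATE_IPS_ANNOTATION: ",".join(ips),
        SUBNETS_ANNOTATION: ",".join(ids),
    }


if __name__ == "__main__":
    chosen = [(sid, first_free(cidr, IN_USE)) for sid, cidr in SUBNETS.items()]
    for key, value in build_annotations(chosen, SUBNETS, IN_USE).items():
        print(f'    {key}: "{value}"')
```

Once the Service is applied, confirm the controller honoured the addresses rather than silently falling back with `aws elbv2 describe-load-balancers --query 'LoadBalancers[].AvailabilityZones[].LoadBalancerAddresses[].PrivateIPv4Address'`; those are the values to hand to the corporate client, and they stay fixed for the lifetime of that load balancer, so recreating the Service (rather than editing it) is the event to guard against.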

0

The best way to achieve what you need is to delete the existing public-facing NLB and create it as a private NLB. That will give you an NLB with only private IP addresses that will not change for the lifetime of the load balancer.

I would not go with option (1) - you might be able to make that work (I've not tested it and there are some subtleties there) and in any case it would increase the cost of your solution for no particular gain.

For (3): Most things in a VPC that don't have static IP addresses (such as NLB) get their addresses from DHCP so there should never be a conflict like that.

AWS EXPERT
answered 9 months ago
