
Questions tagged with Amazon VPC


Unable to run kubectl & eks commands in a fully private cluster

I have created a fully private VPC (no direct internet access), let's call it VPC-A. This VPC is peer connected to another VPC, let's call it VPC-B. VPC-B has an internet connection and is being used as a gateway for VPC-A. I have deployed a fully private cluster only (not any node) in the private subnet of VPC-A using the [guide](https://eksctl.io/usage/eks-private-cluster/). The problem is I am not able to run any kubectl and eks command, just like mentioned in the [guide](https://eksctl.io/usage/eks-private-cluster/). After digging a lot on the internet I found a few things to access the cluster. One thing is that I must create a machine in that private VPC and try to access the cluster from there. I also created many issues on GitHub but did not get a proper answer. Below are some experts' answers:

> You can communicate with the K8s API by deploying an EC2 instance inside that VPC and defining the EKS K8s API to your kubectl.

Well, I have deployed an instance within the VPC of my cluster, but whenever I run the kubectl command from the instance inside the private VPC, I get the following error message:

`Unable to connect to the server: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)`

Also in the [EKS fully private cluster guide](https://eksctl.io/usage/eks-private-cluster/) it is mentioned that

> If your setup can reach the EKS API server endpoint via its private address, and has outbound internet access (for EKS:DescribeCluster), all eksctl commands should work.

Can someone please guide me properly on how I can create such a setup? I ran a number of commands to check if anything is wrong with accessing the server address.

```
nmap -p 443 1E9057EC8C316E£D"@JY$J&G%1C94A.gr7.eu-west-*.eks.amazonaws.com
Starting Nmap 7.80 ( https://nmap.org ) at 2022-09-09 11:11 UTC
Nmap scan report for 1E9057EC8C316E£D"@JY$J&G%1C94A.gr7.eu-west-*.eks.amazonaws.com (192.168.*.*)
Host is up (0.00031s latency).
Other addresses for 1E9057EC8C316E£D"@JY$J&G%1C94A.gr7.eu-west-*.eks.amazonaws.com (not scanned): 192.168.*.*
rDNS record for 192.168.*.*: ip-192-168-*-*.eu-west-*.compute.internal

PORT    STATE SERVICE
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds
```

Another command is

```
nslookup 1E9057EC8C316E£D"@JY$J&G%1C94A.gr7.eu-west-*.eks.amazonaws.com
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
Name:   1E9057EC8C316E£D"@JY$J&G%1C94A.gr7.eu-west-*.eks.amazonaws.com
Address: 192.168.*.*
Name:   1E9057EC8C316E£D"@JY$J&G%1C94A.gr7.eu-west-*.eks.amazonaws.com
Address: 192.168.*.*
```

And another is

```
telnet 1E9057EC8C316E£D"@JY$J&G%1C94A.gr7.eu-west-*.eks.amazonaws.com 443
Trying 192.168.*.*...
Connected to 1E9057EC8C316E£D"@JY$J&G%1C94A.gr7.eu-west-*.eks.amazonaws.com
Escape character is '^]'.
^CConnection closed by foreign hos
```

It is clear that I can access the API server endpoints from my machine, which is in the same VPC as the API server. But still, when I run the kubectl command I am getting this output:

`Unable to connect to the server: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)`

When I ran the command `kubectl cluster-info dump` I got the following error message:

`Unable to connect to the server: proxyconnect tcp: dial tcp: lookup socks5h on 127.0.0.53:53: server misbehaving`

Thanks
1 answer · 0 votes · 52 views · asked 22 days ago

Enabling SNAT for an eksctl-created EKS cluster

I have an EKS cluster provisioned using eksctl. At the moment any outbound traffic (to the Internet) from pods running in the cluster comes from the public IP address of the EC2 node that it is running on. I would like to implement SNAT so that the outbound connections appear to come from a fixed set of addresses (or address, since I'm starting with a single NAT Gateway) no matter how many nodes we end up adding to the cluster.

I have found the following in the documentation that appears to cover this situation: https://docs.aws.amazon.com/eks/latest/userguide/external-snat.html

But I have some questions. When provisioned, eksctl appears to have created 2 subnets for each Availability Zone:

- eksctl-[cluster name]-cluster/SubnetPublic[AZ Name]
- eksctl-[cluster name]-cluster/SubnetPrivate[AZ Name]

Each node only appears to have interfaces linked to the SubnetPublic, and the attached routing table's default route is via an Internet Gateway. By contrast, the SubnetPrivate default route is via a NAT Gateway.

Questions:

1. I assume that if I use `kubectl set env daemonset -n kube-system aws-node AWS_VPC_K8S_CNI_EXTERNALSNAT=true` I can roll that back by running `kubectl set env daemonset -n kube-system aws-node AWS_VPC_K8S_CNI_EXTERNALSNAT=false`?
2. Once I apply the change above, would I also need to change the default route on the SubnetPublic to point to the NAT Gateway instead of the Internet Gateway?
3. Is the SubnetPrivate not actually being used for anything?
1 answer · 0 votes · 46 views · asked a month ago

Fully private EKS cluster

Hi, I have a fully private VPC named HSCN without any internet access, containing 2 public and 2 private subnets. This VPC is peered with another VPC, let's say internet-vpc. I want to deploy my fully private EKS cluster in the private subnet of HSCN-VPC. I have followed the [private cluster requirements](https://docs.aws.amazon.com/eks/latest/userguide/private-clusters.html). I am not deploying any pod, so I don't need the repository yet. For the 2nd and 3rd requirement, eksctl takes care of it by itself.

The problem is, when I deploy the cluster, my node instances are failing to join. Secondly, my kubectl and eksctl commands time out, which means I am not able to get cluster info or any node information. Below is my cluster config:

```
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
  name: test-cluster
  region: eu-west-2
  version: "1.23"
privateCluster:
  enabled: true
  additionalEndpointServices:
    - "autoscaling"
vpc:
  id: vpc-id
  subnets:
    private:
      hscn-1-subnet:
        id: subnet-id
      hscn-2-subnet:
        id: subnet-id
managedNodeGroups:
  - name: serv-test-1
    instanceType: m5.xlarge
    desiredCapacity: 1
    volumeType: gp2
    volumeSize: 50
    privateNetworking: true
    amiFamily: Ubuntu2004
    subnets:
      - hscn-2-subnet
    ssh:
      allow: true
    labels:
      role: role
    tags:
      nodegroup-role: testing
```

It is clear that my nodes and kubectl commands are not able to communicate with the Kubernetes API server endpoints. Is there even a way to deploy a cluster in a setup like the one mentioned above? If yes, then could someone please guide me on how I can deploy a fully functional cluster in this setup? Thanks
2 answers · 0 votes · 92 views · asked a month ago

Slowness within AWS (EC2 and Workspaces) in Internet browsing itself, sometimes almost impossible to access a simple website

Hello, we are experiencing internet browsing related slowness within AWS (EC2 and Workspaces); browsing simple websites itself is slow. We had the same problem in 03/2022, we hired Business Support, but they didn't solve the problem and it went back to normal on its own.

Monitoring via CloudWatch, we noticed that the slowness is related to the NAT Gateway, as the documentation says the following: "If the value of ConnectionEstablishedCount is less than the value of ConnectionAttemptCount, clients behind the NAT gateway tried to establish new connections for which there was no response." And as you can see in the attached graphs, whenever there is a slowdown, the ConnectionEstablishedCount metric is lower than the ConnectionAttemptCount metric.

![Enter image description here](/media/postImages/original/IMC0Zk8ExYSuC6nJVZkwPIWw)

Internet browsing itself is slow, sometimes almost impossible to access a simple website, and this is directly impacting our internal use and customer service, as all our internal and support applications require the internet. It is also worth mentioning that we migrated our entire on-premise structure to AWS in October/2021, and this is the second time this has happened. We even set up a new NAT Gateway in another AZ, but it didn't work and it was still slow.

Today we have 6 EC2 servers and 20 Workspaces in the same VPC using the same NAT Gateway, and at night I transfer backups from EC2 to S3. Has anyone ever experienced this? Do you know what it could be and how to fix it? Thanks
1 answer · 0 votes · 22 views · asked a month ago