<aside>

Before going to Step 2 & 3 - Food for thought

• This project will try to implement the EKS cluster to be fully private (no public cluster endpoints, only private) → the cluster API server can only be accessible inside the VPC

• Bastion host (or managing instance) will be used to access the cluster from outside the VPC

• Instead of placing the bastion host in a public subnet, we can use SSM Session Manager to SSH into that bastion host BUT in a private subnet, reducing public availability. There are two ways to connect the private bastion host to AWS services on the Internet: NAT Gateway and VPC Endpoints

  *https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html*

</aside>

<aside>

• NAT Gateway allows private instances to establish connections with services outside VPC, but those instances cannot be connected (one-way)
• NAT Gateway + Elastic IP = $0.05/hour ~ $36/month
• VPC Endpoint provides internal AWS network communication between private instances to AWS services and its partners (fully private)
• Each VPC Endpoint = $0.01 /hour ~ $7.2/month

While using VPC Endpoints is a faster and more secure way to communicate with AWS services, NAT Gateway is more cost-efficient and easier to implement when using multiple services.

The bastion host requires two things:

• Connecting the bastion host to SSM: 3 VPC endpoints (ssm, ssmmessages, ec2messages)
• Requiring for eksctl commands: 2+ VPC endpoints (eks,cloudformation, …)

→ Require more than 5 VPC endpoints, minimal cost = $36/month = a NAT gateway

→ Also, low-latency traffic is not needed for cluster management purpose & installing software outside AWS (kubectland eksctl) becomes much easier

⇒ NAT Gateway will be used in this project for bastion hosts

</aside>

• From the console, create a VPC (I prefer no subnet option for easy customization)

  • After the VPC is created, edit VPC settings > DNS settings, enable both DNS resolution and DNS hostnames

• Create the subnets for the VPC:

  • Create 4 private subnets into 2 sets: each set in each AZ, containing a subnet for EKS nodes and a subnet for RDS instances
    • us-east-1a: EKS subnet 1, RDS subnet 1
    • us-east-1b: EKS subnet 2, RDS subnet 2
  • Create 2 public subnets for the ALB, in the AZs where the EKS nodes belong to
    • us-east-1a: ALB subnet 1
    • us-east-1b: ALB subnet 2
  • Create a private subnet for the bastion hosts, for managing EKS cluster and RDS databases: Bastion subnet (any AZ)
  • Create a public subnet for the NAT Gateway: NAT Gateway subnet (preferably same AZ as Bastion subnet)

  

• Create an Internet Gateway, then attach it to the VPC

• Create a NAT Gateway:

  • Subnet: the NAT Gateway subnet
  • Connectivity type: Public
  • Allocate a new Elastic IP (AWS will create one at a click of a button)

• Create the route tables, associate them with the correct subnets

  • Private route table for EKS and RDS subnets: local
  • Bastion route table for Bastion subnet: local + NAT Gateway at 0.0.0.0/0
  • Public route table for ALB and NAT Gateway subnets: local +Internet Gateway at 0.0.0.0/0

• The VPC should look something like this after the initial setup: