How to Setup AWS EKS Architecture? Step-by-Step Guide
Running a "Hello World" application on Kubernetes is easy, but setting up an Amazon EKS cluster to host a critical application with thousands of users requires engineering. A wrong network configuration or security setting can lead to major problems down the line.
In this article, based on our AWS Consultancy experience, we will explain step-by-step how to set up a production-ready EKS architecture.
1. Network (VPC) Design
The foundation of EKS is the network. The most common and secure design is:
- Public Subnets: Only Load Balancers (ALB/NLB) and NAT Gateways reside here. Open to the internet.
- Private Subnets: EKS Worker Nodes and Pods run here. They are not reachable from the internet; their outbound traffic goes through the NAT Gateways in the public subnets.
- Tagging: Don't forget to add the kubernetes.io/role/elb (public) and kubernetes.io/role/internal-elb (private) tags so the AWS Load Balancer Controller can find the subnets.
2. IAM Roles and Authorization (IRSA)
Your EKS cluster will need to access AWS services (S3, DynamoDB).
- Past: A broadly privileged IAM role was given to the Nodes (EC2). This is a security risk: every Pod on the node inherits the node's permissions.
- Now (Best Practice): IAM Roles for Service Accounts (IRSA) is used. A specific IAM role granting only the necessary permissions is bound to the Kubernetes service account of each Pod (microservice). This is the "Least Privilege" principle.
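The IRSA setup from this section as an added Terraform example (not the article's own code). It assumes the cluster's IAM OIDC provider ARN is passed in as a variable, the workload runs as the service account orders in namespace shop, and it only needs to read one S3 bucket; those names and the bucket are assumptions.

```hcl
# Added example, not the article's code. Assumed: the cluster's IAM OIDC provider ARN
# is passed in; the workload runs as service account shop/orders and reads one S3 bucket.
variable "oidc_provider_arn" { type = string } # arn:aws:iam::<acct>:oidc-provider/oidc.eks.<region>.amazonaws.com/id/<ID>
locals {
  oidc_issuer = split("oidc-provider/", var.oidc_provider_arn)[1] # issuer host/path, as used in IAM condition keys
}
# Trust policy: only pods running as shop/orders may assume the role. Without the
# "sub" condition every pod in the cluster could; "aud" rejects tokens minted for other audiences.
data "aws_iam_policy_document" "trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [var.oidc_provider_arn]
    }
    condition {
      test     = "StringEquals"
      variable = "${local.oidc_issuer}:sub"
      values   = ["system:serviceaccount:shop:orders"]
    }
    condition {
      test     = "StringEquals"
      variable = "${local.oidc_issuer}:aud"
      values   = ["sts.amazonaws.com"]
    }
  }
}
resource "aws_iam_role" "orders" {
  name               = "eks-prod-shop-orders"
  assume_role_policy = data.aws_iam_policy_document.trust.json
}

# Permissions: least privilege, read-only on a single (assumed) bucket.
resource "aws_iam_role_policy" "orders" {
  name = "orders-s3-read"
  role = aws_iam_role.orders.id
  policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "s3:GetObject", Resource = "arn:aws:s3:::orders-reports/*" }]
  })
}
# The annotation binds the Kubernetes service account to the IAM role; EKS injects the token and AWS_ROLE_ARN.
resource "kubernetes_service_account" "orders" {
  metadata {
    name        = "orders"
    namespace   = "shop"
    annotations = { "eks.amazonaws.com/role-arn" = aws_iam_role.orders.arn }
  }
}
```

A pod that uses a different service account in the same cluster gets no credentials from this role, which is the property that the old node-wide role could not give you.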
3. Worker Node Strategy
- Managed Node Groups: EC2 groups managed by AWS. AWS simplifies OS updates.
- Spot Instances: Run your stateless applications on Spot instances to reduce costs.
- Taints & Tolerations: Use separate Node groups to isolate critical system pods (CoreDNS, metrics-server) from application pods.
4. Add-ons
A bare EKS cluster is not enough on its own. You must install the following components:
- AWS Load Balancer Controller: To manage Ingress resources.
- ExternalDNS: To automate Route53 DNS records.
- Metrics Server: For Horizontal Pod Autoscaler (HPA).
- Cluster Autoscaler / Karpenter: To increase or decrease the node count based on traffic.
5. Security Layer
- Security Groups: Restrict traffic between Nodes, and between the Control Plane and the Nodes, to the ports that are actually required.
- KMS Envelope Encryption: Encrypt Kubernetes Secrets (passwords) at rest in etcd with an AWS KMS key.
Setup Tool: Terraform
Setting up this architecture manually (ClickOps) is prone to errors. We strongly recommend managing the entire infrastructure as code (IaC) with Terraform. This way, in a Disaster Recovery scenario, you can set up the same infrastructure in another region in minutes.
A correctly set up EKS architecture offers you a self-healing and scaling system instead of sleepless nights.