2025-02-05, Hünkar Döner
Private Cluster Architecture for EKS: Security Closed to Internet
Tags: Security, EKS, Private Cluster, VPC, VPN
Private Cluster Architecture for EKS
In regulated sectors such as finance, healthcare, or defense, having the Kubernetes API server reachable from the internet (a public endpoint) is unacceptable. To take the API server off the internet-facing attack surface entirely, you must set up a private-only EKS cluster.
What is a Private Cluster?
- API Server: Reachable only from inside the VPC; it has no internet-facing endpoint.
- Worker Nodes: Run only in private subnets and have no public IP addresses.
How Will You Connect?
If the API server is closed to the internet, how will you run the kubectl command?
- VPN (AWS Client VPN): Developers first connect to the company VPN, so their traffic originates inside the VPC and can reach the private endpoint.
- Bastion Host (Jump Server): You launch a small EC2 instance in a public subnet, connect to it over SSH, and reach the cluster from there.
- SSM Session Manager: Provides access to the bastion through the AWS Console or CLI without opening the SSH port (22) on the bastion host at all.
Internet Access (Outbound)
If your pods need to pull packages or images from the outside world (e.g., Docker Hub), you must route the private subnets' outbound traffic through a NAT Gateway. If full isolation (air-gapped) is required, you must instead mirror every required image into your own ECR registry and reach it through a VPC endpoint, so no traffic ever leaves the VPC.
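As a posture check for the two properties described above (a private-only API endpoint and worker nodes without public IPs), here is an added Python example that is not part of the original post. It operates on the JSON shapes returned by `aws eks describe-cluster` and `aws ec2 describe-instances --query 'Reservations[].Instances[]'`; the cluster and instance values below are constructed samples, not a real environment.

```python
"""Audit an EKS cluster description for a private-only posture.

Added example, not from the original post. `cluster` mirrors the
`aws eks describe-cluster` response; `instances` is the flattened
Instances list from `aws ec2 describe-instances`. All values are constructed.
"""


def audit_cluster(cluster: dict, instances: list[dict]) -> list[str]:
    """Return findings; an empty list means the cluster matches the private-only design."""
    findings = []
    vpc = cluster["cluster"]["resourcesVpcConfig"]

    # EKS enables the public endpoint by default, so treat a missing key as public.
    if vpc.get("endpointPublicAccess", True):
        findings.append("API endpoint is reachable from the internet (endpointPublicAccess=true)")
        if "0.0.0.0/0" in vpc.get("publicAccessCidrs", []):
            findings.append("publicAccessCidrs allows 0.0.0.0/0 (no source restriction)")

    # Without private access, VPN/bastion clients inside the VPC cannot reach the API.
    if not vpc.get("endpointPrivateAccess", False):
        findings.append("endpointPrivateAccess=false; in-VPC clients cannot reach the API")

    # Worker nodes in private subnets must not carry a public IP.
    for inst in instances:
        if inst.get("PublicIpAddress"):
            findings.append(f"worker node {inst['InstanceId']} has public IP {inst['PublicIpAddress']}")
    return findings


# Constructed samples: a misconfigured cluster and a compliant one.
PUBLIC_CLUSTER = {"cluster": {"name": "payments-prod", "resourcesVpcConfig": {
    "endpointPublicAccess": True, "endpointPrivateAccess": True,
    "publicAccessCidrs": ["0.0.0.0/0"]}}}
PRIVATE_CLUSTER = {"cluster": {"name": "payments-prod", "resourcesVpcConfig": {
    "endpointPublicAccess": False, "endpointPrivateAccess": True,
    "publicAccessCidrs": []}}}
NODES_PUBLIC = [{"InstanceId": "i-0example1", "PrivateIpAddress": "10.0.1.10",
                 "PublicIpAddress": "203.0.113.10"}]
NODES_PRIVATE = [{"InstanceId": "i-0example2", "PrivateIpAddress": "10.0.1.11"}]

if __name__ == "__main__":
    for label, c, n in (("public", PUBLIC_CLUSTER, NODES_PUBLIC),
                        ("private", PRIVATE_CLUSTER, NODES_PRIVATE)):
        print(label, audit_cluster(c, n) or ["OK: private-only"])
```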
A private cluster is the architecture we most often recommend in our AWS consultancy security audits.