# Fully Private Amazon EKS Cluster This examples demonstrates how to deploy an Amazon EKS cluster that is deployed on the AWS Cloud, but doesn't have outbound internet access. For that your cluster must pull images from a container registry that's in your VPC, and also must have endpoint private access enabled. This is required for nodes to register with the cluster endpoint. Please see this [document](https://docs.aws.amazon.com/eks/latest/userguide/private-clusters.html) for more details on configuring fully private EKS Clusters. For fully Private EKS clusters requires the following VPC endpoints to be created to communicate with AWS services. This example solution will provide these endpoints if you choose to create VPC. If you are using an existing VPC then you may need to ensure these endpoints are created. com.amazonaws.region.aps-workspaces - For AWS Managed Prometheus Workspace com.amazonaws.region.ssm - Secrets Management com.amazonaws.region.ec2 com.amazonaws.region.ecr.api com.amazonaws.region.ecr.dkr com.amazonaws.region.logs – For CloudWatch Logs com.amazonaws.region.sts – If using AWS Fargate or IAM roles for service accounts com.amazonaws.region.elasticloadbalancing – If using Application Load Balancers com.amazonaws.region.autoscaling – If using Cluster Autoscaler com.amazonaws.region.s3 – Creates S3 gateway ## Prerequisites: Ensure that you have the following tools installed locally: 1. [aws cli](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html) 2. [kubectl](https://Kubernetes.io/docs/tasks/tools/) 3. [terraform](https://learn.hashicorp.com/tutorials/terraform/install-cli) ## Deploy Since this is a Fully Private Amazon EKS Cluster, make sure that you'll have access to the Amazon VPC where the cluster will be deployed, otherwise you won't be able to access it. See the [`privatelink-access`](https://github.com/aws-ia/terraform-aws-eks-blueprints/tree/main/examples/privatelink-access) pattern for using AWS PrivateLink to access the private cluster from another VPC. To provision this example: ```sh terraform init terraform apply ``` Enter `yes` at command prompt to apply ## Validate The following command will update the `kubeconfig` on your local machine and allow you to interact with your EKS Cluster using `kubectl` to validate the CoreDNS deployment for Fargate. 1. Check the Terraform provided Output, to update your `kubeconfig` ```hcl Apply complete! Resources: 63 added, 0 changed, 0 destroyed. Outputs: configure_kubectl = "aws eks --region us-west-2 update-kubeconfig --name fully-private-cluster" ``` 2. Run `update-kubeconfig` command, using the Terraform provided Output, replace with your `$AWS_REGION` and your `$CLUSTER_NAME` variables. ```sh aws eks --region <$AWS_REGION> update-kubeconfig --name <$CLUSTER_NAME> ``` 3. Test by listing Nodes in in the Cluster. ```sh kubectl get nodes NAME STATUS ROLES AGE VERSION ip-10-0-19-90.us-west-2.compute.internal Ready 8m34s v1.26.2-eks-a59e1f0 ip-10-0-44-110.us-west-2.compute.internal Ready 8m36s v1.26.2-eks-a59e1f0 ip-10-0-9-147.us-west-2.compute.internal Ready 8m35s v1.26.2-eks-a59e1f0 ``` 4. Test by listing all the Pods running currently. All the Pods should reach a status of `Running` after approximately 60 seconds: ```sh kubectl $ kubectl get pods -A NAMESPACE NAME READY STATUS RESTARTS AGE kube-system aws-node-jvn9x 1/1 Running 0 7m42s kube-system aws-node-mnjlf 1/1 Running 0 7m45s kube-system aws-node-q458h 1/1 Running 0 7m49s kube-system coredns-6c45d94f67-495rr 1/1 Running 0 14m kube-system coredns-6c45d94f67-5c8tc 1/1 Running 0 14m kube-system kube-proxy-47wfh 1/1 Running 0 8m32s kube-system kube-proxy-f6chz 1/1 Running 0 8m30s kube-system kube-proxy-xcfkc 1/1 Running 0 8m31s ``` ## Destroy To teardown and remove the resources created in this example: ```sh terraform destroy -auto-approve ```