AWS EKS Reference Architecture

Production Ready EKS Reference Architecture used while provisioning clusters through gopaddle

VPC has public or private subnets

Configuring Subnets

VPC Access Type | Route Table Config | Auto-assign public IP | Endpoints | AWS Loadbalancer Controller
--- | --- | --- | --- | ---
Public Only | Route table - outbound to 0.0.0.0/0 | Yes | - | kubernetes.io/role/elb=1
Public/Private | Route table - outbound to NAT gateway, allow only outbound | No | - | kubernetes.io/role/elb=1, kubernetes.io/role/internal-elb=1
Private Only | NA | No | see the endpoint list below | kubernetes.io/role/internal-elb=1

Endpoints required for a Private Only VPC (replace your_region with the cluster's region):

com.amazonaws.your_region.ec2
com.amazonaws.your_region.ecr.api
com.amazonaws.your_region.ecr.dkr
com.amazonaws.your_region.s3
com.amazonaws.your_region.elasticloadbalancing
CloudWatch - com.amazonaws.your_region.logs
STS - com.amazonaws.your_region.sts
K8s cluster autoscaler - com.amazonaws.your_region.autoscaling
K8s App Mesh (Envoy) - com.amazonaws.your_region.appmesh-envoy-management
X-Ray - com.amazonaws.your_region.xray
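The table above is easy to get subtly wrong in a real account (a private subnet with auto-assign public IP left on, a subnet missing its discovery tag, a Private Only VPC missing one interface endpoint). The script below is an added example, not gopaddle's code: it audits subnets and endpoints against the table's rows. The input dicts mimic the shape of boto3's describe_subnets, describe_route_tables and describe_vpc_endpoints responses but are constructed inline with placeholder IDs and the placeholder region your_region, so it runs offline; to audit a live VPC, replace the constants with the real API responses.

```python
"""Audit a VPC's subnets and endpoints against the EKS subnet table.

Added example, not gopaddle's code. ROUTE_TABLES, SUBNETS and ENDPOINTS are
constructed sample data in the shape of the boto3 describe_* responses; all
IDs and the region are placeholders.
"""

# Service suffixes (after "com.amazonaws.<region>.") from the Private Only row.
PRIVATE_ONLY_SERVICES = (
    "ec2", "ecr.api", "ecr.dkr", "s3", "elasticloadbalancing", "logs", "sts",
    "autoscaling", "appmesh-envoy-management", "xray",
)


def _tags(resource):
    return {t["Key"]: t["Value"] for t in resource.get("Tags", [])}


def _route_table_for(subnet_id, route_tables):
    """Explicitly associated route table, else the VPC's main route table."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt["Associations"]):
            return rt
    return next(rt for rt in route_tables if any(a.get("Main") for a in rt["Associations"]))


def classify_subnet(subnet, route_tables):
    """'public' (0.0.0.0/0 via IGW), 'private' (0.0.0.0/0 via NAT) or 'isolated'."""
    for route in _route_table_for(subnet["SubnetId"], route_tables)["Routes"]:
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            return "public"
        if route.get("NatGatewayId", "").startswith("nat-"):
            return "private"
    return "isolated"


def audit_subnets(access_type, subnets, route_tables):
    """Return findings for one table row; an empty list means the subnets comply."""
    findings = []
    expect_public_ip = access_type == "public-only"  # table: "Yes" only for Public Only
    for s in subnets:
        sid, kind, tags = s["SubnetId"], classify_subnet(s, route_tables), _tags(s)
        if access_type == "public-only" and kind != "public":
            findings.append(f"{sid}: no default route to an internet gateway")
        if access_type == "private-only" and kind != "isolated":
            findings.append(f"{sid}: Private Only VPC must not route 0.0.0.0/0")
        if access_type == "public-private" and kind == "isolated":
            findings.append(f"{sid}: no route to an internet gateway or NAT gateway")
        if bool(s.get("MapPublicIpOnLaunch")) != expect_public_ip:
            findings.append(f"{sid}: MapPublicIpOnLaunch should be {expect_public_ip}")
        # Discovery tags the AWS Load Balancer Controller needs (last table column).
        if kind == "public" and tags.get("kubernetes.io/role/elb") != "1":
            findings.append(f"{sid}: missing tag kubernetes.io/role/elb=1")
        if kind != "public" and tags.get("kubernetes.io/role/internal-elb") != "1":
            findings.append(f"{sid}: missing tag kubernetes.io/role/internal-elb=1")
    return findings


def missing_endpoints(region, vpc_endpoints):
    """Endpoints from the Private Only row that do not exist in the VPC yet."""
    present = {e["ServiceName"] for e in vpc_endpoints}
    wanted = [f"com.amazonaws.{region}.{svc}" for svc in PRIVATE_ONLY_SERVICES]
    return [name for name in wanted if name not in present]


# Constructed sample: a Public/Private VPC in which subnet-priv-b was created by hand
# and is missing its tag and has auto-assign public IP enabled.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-pub-a"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0placeholder"}]},
    {"RouteTableId": "rtb-private",
     "Associations": [{"SubnetId": "subnet-priv-a"}, {"SubnetId": "subnet-priv-b"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0placeholder"}]},
]
SUBNETS = [
    {"SubnetId": "subnet-pub-a", "MapPublicIpOnLaunch": False,
     "Tags": [{"Key": "kubernetes.io/role/elb", "Value": "1"}]},
    {"SubnetId": "subnet-priv-a", "MapPublicIpOnLaunch": False,
     "Tags": [{"Key": "kubernetes.io/role/internal-elb", "Value": "1"}]},
    {"SubnetId": "subnet-priv-b", "MapPublicIpOnLaunch": True, "Tags": []},
]
ENDPOINTS = [{"ServiceName": "com.amazonaws.your_region.ecr.api"},
             {"ServiceName": "com.amazonaws.your_region.s3"}]

if __name__ == "__main__":
    for finding in audit_subnets("public-private", SUBNETS, ROUTE_TABLES):
        print("FINDING:", finding)
    for name in missing_endpoints("your_region", ENDPOINTS):
        print("MISSING ENDPOINT:", name)
```

A subnet with no explicit route table association falls back to the VPC's main route table, which is exactly how AWS resolves it; that is the usual way a "private" subnet silently becomes public when the main table carries an internet gateway route.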

Application Load Balancer and OIDC

OIDC configuration and subnet configuration

Domain Certificate Manager

Provision, manage and deploy SSL/TLS Certificates with AWS Services & User Applications

Associate the managed certificate ARN as an annotation in the Application Load Balancer Ingress controller:

service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-west-2:xxxxx:certificate/xxxxxxx
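Two annotation keys matter here: the one shown above is read by the AWS Load Balancer Controller on a Service of type LoadBalancer, while an Ingress that provisions an ALB carries the certificate in alb.ingress.kubernetes.io/certificate-arn. Both accept a comma-separated list of ARNs, and an ALB can only use ACM certificates issued in its own region. The check below is an added example, not gopaddle's code: it scans manifest dicts for the right key and validates the ARN format and region. The sample manifests are constructed inline with placeholder account and certificate IDs.

```python
"""Verify that load balancer manifests carry a usable ACM certificate ARN.

Added example, not gopaddle's code. SAMPLE_MANIFESTS are constructed
(placeholder account 123456789012 and placeholder certificate IDs).
"""
import re

# ACM certificate ARN: arn:aws:acm:<region>:<12-digit account>:certificate/<uuid>
ACM_ARN = re.compile(
    r"^arn:aws:acm:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):certificate/[0-9a-f-]+$"
)
SERVICE_KEY = "service.beta.kubernetes.io/aws-load-balancer-ssl-cert"
INGRESS_KEY = "alb.ingress.kubernetes.io/certificate-arn"


def certificate_annotation(manifest):
    """(key, value) of the certificate annotation this resource should carry, or None."""
    kind = manifest.get("kind")
    spec = manifest.get("spec", {}) or {}
    ann = manifest.get("metadata", {}).get("annotations") or {}
    if kind == "Service" and spec.get("type") == "LoadBalancer":
        return SERVICE_KEY, ann.get(SERVICE_KEY)
    if kind == "Ingress":
        # ALB provisioning is selected by the class name or the legacy class annotation.
        is_alb = spec.get("ingressClassName") == "alb" or ann.get("kubernetes.io/ingress.class") == "alb"
        if is_alb:
            return INGRESS_KEY, ann.get(INGRESS_KEY)
    return None


def check_manifest(manifest, cluster_region):
    """Findings for one manifest: missing annotation, malformed ARN, or wrong region."""
    target = certificate_annotation(manifest)
    if target is None:
        return []  # not a resource that creates an AWS load balancer
    key, value = target
    name = f"{manifest['kind']}/{manifest['metadata']['name']}"
    if not value:
        return [f"{name}: missing annotation {key}"]
    findings = []
    for arn in (a.strip() for a in value.split(",")):
        match = ACM_ARN.match(arn)
        if not match:
            findings.append(f"{name}: {key} is not an ACM certificate ARN: {arn}")
        elif match.group("region") != cluster_region:
            findings.append(
                f"{name}: certificate is in {match.group('region')}, cluster is in {cluster_region}"
            )
    return findings


def check_all(manifests, cluster_region):
    findings = []
    for m in manifests:
        findings.extend(check_manifest(m, cluster_region))
    return findings


# Constructed sample manifests (placeholder account and certificate IDs).
SAMPLE_MANIFESTS = [
    {"kind": "Ingress", "metadata": {"name": "web", "annotations": {
        "alb.ingress.kubernetes.io/scheme": "internet-facing",
        INGRESS_KEY: "arn:aws:acm:us-west-2:123456789012:certificate/11111111-2222-3333-4444-555555555555",
    }}, "spec": {"ingressClassName": "alb"}},
    {"kind": "Service", "metadata": {"name": "api"}, "spec": {"type": "LoadBalancer"}},
    {"kind": "Service", "metadata": {"name": "legacy", "annotations": {
        SERVICE_KEY: "arn:aws:acm:us-east-1:123456789012:certificate/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    }}, "spec": {"type": "LoadBalancer"}},
]

if __name__ == "__main__":
    for finding in check_all(SAMPLE_MANIFESTS, "us-west-2"):
        print("FINDING:", finding)
```

Run it as an admission-style check in CI over rendered manifests; a Service or ALB Ingress that reaches the cluster without a certificate annotation serves plain HTTP, which is the failure mode this catches.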

Self-Managed Nodepools

Bottlerocket - Linux-based AMIs, lightweight with fast start-up

CFT with custom instance profile

Define your own ASG

Detailed overview of configuring production ready EKS Cluster.
