# AWS EKS Reference Architecture

<figure><img src="/files/sEhGHA1Vv51Zm5magwQd" alt=""><figcaption><p>EKS Reference Architecture provisioned through gopaddle</p></figcaption></figure>

### VPC with public or private subnets

### Configuring Subnets

<table><thead><tr><th>VPC Access Type</th><th width="172">Route Table Config</th><th>Auto-assign public IP</th><th>Endpoints</th><th>AWS Load Balancer Controller subnet tags</th></tr></thead><tbody><tr><td>Public Only</td><td>Route table with an outbound route to 0.0.0.0/0</td><td>Yes</td><td></td><td><code>kubernetes.io/role/elb=1</code></td></tr><tr><td>Public/Private</td><td>Route table with an outbound route to the NAT gateway; allow outbound traffic only</td><td>No</td><td></td><td><code>kubernetes.io/role/elb=1</code> (public subnets)<br><code>kubernetes.io/role/internal-elb=1</code> (private subnets)</td></tr><tr><td>Private Only</td><td>NA</td><td>No</td><td><p><code>com.amazonaws.your_region.ec2</code><br><code>com.amazonaws.your_region.ecr.api</code><br><code>com.amazonaws.your_region.ecr.dkr</code><br><code>com.amazonaws.your_region.s3</code></p><p><strong>CloudWatch</strong> - <code>com.amazonaws.your_region.logs</code></p><p><strong>STS</strong> - <code>com.amazonaws.your_region.sts</code></p><p><strong>Elastic Load Balancing</strong> - <code>com.amazonaws.your_region.elasticloadbalancing</code></p><p><strong>K8s cluster autoscaler</strong> - <code>com.amazonaws.your_region.autoscaling</code></p><p><strong>K8s App Mesh (Envoy)</strong> - <code>com.amazonaws.your_region.appmesh-envoy-management</code></p><p><strong>X-Ray</strong> - <code>com.amazonaws.your_region.xray</code></p></td><td><code>kubernetes.io/role/internal-elb=1</code></td></tr></tbody></table>
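As an added example (not gopaddle's code), the following Python audit encodes the rules in the table above so they can be checked against real account data: it classifies each subnet from its route table (default route to an internet gateway = public, to a NAT gateway = private, no default route = isolated), verifies the auto-assign-public-IP setting and the `kubernetes.io/role/elb` / `kubernetes.io/role/internal-elb` tags that the AWS Load Balancer Controller uses for subnet discovery, and lists which of the private-only VPC endpoints are absent. The subnet, route-table and endpoint records are constructed to mimic the JSON shape of `aws ec2 describe-subnets`, `describe-route-tables` and `describe-vpc-endpoints`; the region `us-west-2` and all resource IDs are assumptions.

```python
# Added example, not gopaddle's code: audits subnets and VPC endpoints against
# the requirements in the table above. The sample records further down are
# constructed to mimic the JSON returned by `aws ec2 describe-subnets`,
# `describe-route-tables` and `describe-vpc-endpoints`.

REGION = "us-west-2"  # assumed region for the constructed sample

ELB_TAG = "kubernetes.io/role/elb"
INTERNAL_ELB_TAG = "kubernetes.io/role/internal-elb"

# Service-name suffixes the table lists for a private-only VPC
REQUIRED_PRIVATE_SERVICES = (
    "ec2", "ecr.api", "ecr.dkr", "s3", "logs", "sts", "elasticloadbalancing",
    "autoscaling", "appmesh-envoy-management", "xray",
)


def tags_of(resource):
    """Flatten the AWS [{'Key': ..., 'Value': ...}] tag list into a dict."""
    return {t["Key"]: t["Value"] for t in resource.get("Tags", [])}


def route_table_for(subnet_id, route_tables):
    """An explicit subnet association wins; otherwise the VPC's main route table."""
    main = None
    for rtb in route_tables:
        for assoc in rtb.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rtb
            if assoc.get("Main"):
                main = rtb
    return main


def classify_subnet(subnet, route_tables):
    """'public' = 0.0.0.0/0 via an internet gateway, 'private' = via a NAT
    gateway, 'isolated' = no default route at all (private-only VPC)."""
    rtb = route_table_for(subnet["SubnetId"], route_tables)
    for route in (rtb or {}).get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if str(route.get("GatewayId", "")).startswith("igw-"):
            return "public"
        if route.get("NatGatewayId"):
            return "private"
    return "isolated"


def check_subnet(subnet, route_tables):
    """Return a list of findings; empty when the subnet matches the table."""
    sid = subnet["SubnetId"]
    kind = classify_subnet(subnet, route_tables)
    tags = tags_of(subnet)
    auto_ip = subnet.get("MapPublicIpOnLaunch", False)
    findings = []
    if kind == "public":
        if tags.get(ELB_TAG) != "1":
            findings.append(f"{sid}: public subnet missing {ELB_TAG}=1")
        if not auto_ip:
            findings.append(f"{sid}: public subnet should auto-assign public IPs")
    else:
        if tags.get(INTERNAL_ELB_TAG) != "1":
            findings.append(f"{sid}: {kind} subnet missing {INTERNAL_ELB_TAG}=1")
        if auto_ip:
            findings.append(f"{sid}: {kind} subnet must not auto-assign public IPs")
    return findings


def missing_endpoints(vpc_endpoints, region=REGION):
    """Services from the private-only column that have no VPC endpoint yet."""
    present = {ep["ServiceName"] for ep in vpc_endpoints}
    required = {f"com.amazonaws.{region}.{s}" for s in REQUIRED_PRIVATE_SERVICES}
    return sorted(required - present)


# --- constructed sample data (not from a real account) ----------------------
SUBNETS = [
    {"SubnetId": "subnet-pub-1", "MapPublicIpOnLaunch": True,
     "Tags": [{"Key": ELB_TAG, "Value": "1"}]},
    {"SubnetId": "subnet-priv-1", "MapPublicIpOnLaunch": True,  # misconfigured
     "Tags": [{"Key": "Name", "Value": "private-a"}]},
]
ROUTE_TABLES = [
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-pub-1"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123"}]},
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123"}]},
]
VPC_ENDPOINTS = [{"ServiceName": f"com.amazonaws.{REGION}.{s}"}
                 for s in ("ec2", "ecr.api", "ecr.dkr", "s3", "sts")]


def audit():
    """Run both checks over the sample data and return (subnet findings, missing endpoints)."""
    findings = []
    for subnet in SUBNETS:
        findings.extend(check_subnet(subnet, ROUTE_TABLES))
    return findings, missing_endpoints(VPC_ENDPOINTS)


if __name__ == "__main__":
    subnet_findings, missing = audit()
    for line in subnet_findings:
        print("SUBNET:", line)
    for name in missing:
        print("MISSING ENDPOINT:", name)
```

Run as a script it prints two findings for the mis-tagged private subnet and the five endpoints the sample VPC lacks; to audit a real VPC, replace the constructed lists with the parsed `aws ec2 describe-*` output.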

<figure><img src="/files/sJGrSfioWbPmqj1jzRNF" alt=""><figcaption><p>Application Load Balancer and OIDC</p></figcaption></figure>

<figure><img src="/files/9Pl62pUubD9aq3EbNQDK" alt=""><figcaption><p>OIDC configuration and subnet configuration</p></figcaption></figure>

### Domain Certificate Manager

Provision, manage, and deploy SSL/TLS certificates for use with AWS services and user applications.

Associate the managed certificate ARN as an annotation for the Application Load Balancer Ingress controller:

`service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-west-2:xxxxx:certificate/xxxxxxx`
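The following pre-deployment check is an added example, not gopaddle's code. Two things go wrong with this annotation in practice: the key is placed on the wrong resource kind, and the certificate lives in a different region from the cluster. `service.beta.kubernetes.io/aws-load-balancer-ssl-cert` is read on a Service of type `LoadBalancer`; an Ingress served by the AWS Load Balancer Controller uses `alb.ingress.kubernetes.io/certificate-arn` instead. ACM certificates are regional, so the region in the ARN must match the region the load balancer is created in. The manifests, account ID and certificate ID below are constructed.

```python
import re

# Added example, not gopaddle's code: validates the ACM certificate annotation
# on a Service or Ingress manifest before it is applied. Sample manifests,
# account ID and certificate ID are constructed.

SERVICE_CERT_ANNOTATION = "service.beta.kubernetes.io/aws-load-balancer-ssl-cert"
INGRESS_CERT_ANNOTATION = "alb.ingress.kubernetes.io/certificate-arn"
EXPECTED_KEY = {"Service": SERVICE_CERT_ANNOTATION, "Ingress": INGRESS_CERT_ANNOTATION}

# arn:<partition>:acm:<region>:<12-digit account>:certificate/<uuid>
ACM_ARN = re.compile(
    r"^arn:aws(?:-[a-z]+)?:acm:(?P<region>[a-z0-9-]+):(?P<account>\d{12})"
    r":certificate/[0-9a-f-]{36}$"
)


def check_cert_annotation(manifest, cluster_region):
    """Return a list of findings; empty when the annotation is usable as-is."""
    kind = manifest.get("kind")
    annotations = manifest.get("metadata", {}).get("annotations", {})
    key = EXPECTED_KEY.get(kind)
    if key is None:
        return [f"{kind}: not a Service or Ingress"]
    findings = []
    # The other kind's annotation key is not read on this resource
    for other_kind, other_key in EXPECTED_KEY.items():
        if other_kind != kind and other_key in annotations:
            findings.append(
                f"{kind}: {other_key} is only read on {other_kind}; use {key}")
    value = annotations.get(key)
    if value is None:
        findings.append(f"{kind}: missing {key}")
        return findings
    # Check every ARN in a comma-separated value individually
    for arn in (a.strip() for a in value.split(",")):
        match = ACM_ARN.match(arn)
        if not match:
            findings.append(f"{kind}: {arn!r} is not an ACM certificate ARN")
        elif match.group("region") != cluster_region:
            findings.append(
                f"{kind}: certificate is in {match.group('region')} but the "
                f"load balancer will be created in {cluster_region}")
    return findings


# --- constructed sample manifests -------------------------------------------
CERT_WEST = "arn:aws:acm:us-west-2:123456789012:certificate/11111111-2222-3333-4444-555555555555"
CERT_EAST = "arn:aws:acm:us-east-1:123456789012:certificate/11111111-2222-3333-4444-555555555555"

GOOD_SERVICE = {"kind": "Service",
                "metadata": {"annotations": {SERVICE_CERT_ANNOTATION: CERT_WEST}}}
# Service key on an Ingress: the ALB controller never sees the certificate
BAD_INGRESS = {"kind": "Ingress",
               "metadata": {"annotations": {SERVICE_CERT_ANNOTATION: CERT_EAST}}}
# Right key, but the certificate sits in another region than the cluster
WRONG_REGION_INGRESS = {"kind": "Ingress",
                        "metadata": {"annotations": {INGRESS_CERT_ANNOTATION: CERT_EAST}}}

if __name__ == "__main__":
    for name, manifest in [("good-service", GOOD_SERVICE), ("bad-ingress", BAD_INGRESS),
                           ("wrong-region", WRONG_REGION_INGRESS)]:
        print(name, check_cert_annotation(manifest, "us-west-2") or ["ok"])
```

Wire the function into a manifest linting step (for example over the parsed output of `kubectl apply --dry-run=client -o json`) so a mis-placed key or cross-region certificate is caught before the load balancer is provisioned without TLS.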

### Self-Managed Nodepools

- Bottlerocket: Linux-based AMIs that are lightweight and boot quickly
- CloudFormation template (CFT) with a custom instance profile
- Define your own Auto Scaling Group (ASG)

### Detailed overview of configuring a production-ready EKS cluster

{% embed url="https://www.youtube.com/live/XSDA01f0F54?feature=share" %}

