# AWS EKS Reference Architecture

EKS Reference Architecture provisioned through gopaddle

### VPC has public or private subnets ### Configuring Subnets

VPC Access Type Route Table Config Auto-assign public IP Endpoints AWS Loadbalancer Controller

Public Only Route table - outbound to 0.0.0.0/0 Yes kubernetes.io/role/elb=1

Public/Private Route table - outbound to NAT gateway, allow only outbound No kubernetes.io/role/elb=1 kubernetes.io/role/internal-elb=1

Private Only

VPC Access Type	Route Table Config	Auto-assign public IP	Endpoints	AWS Loadbalancer Controller
Public Only	Route table - outbound to 0.0.0.0/0	Yes		`kubernetes.io/role/elb=1`
Public/Private	Route table - outbound to NAT gateway, allow only outbound	No		`kubernetes.io/role/elb=1 kubernetes.io/role/internal-elb=1`
Private Only	NA	No	`com.amazonaws.your_region.ec2 com.amazonaws.your_region.ecr.api com.amazonaws.your_region.ecr.dkr` `com.amazonaws.your_region.s3` cloudwatch - `com.amazonaws.your_region.logs` sts - com.amazonaws.your_region.sts com.amazonaws.your_region.elasticloadbalancing K8s cluster autoscaler - `com.amazonaws.your_region.autoscaling` K8s App mesh (Envoy) - `com.amazonaws.your_region.appmesh- envoy-management` XRay - `com.amazonaws.your_region.xray`	`kubernetes.io/role/internal-elb=1`

com.amazonaws.your_region.ec2 com.amazonaws.your_region.ecr.api com.amazonaws.your_region.ecr.dkr com.amazonaws.your_region.s3

cloudwatch -

com.amazonaws.your_region.logs

sts - com.amazonaws.your_region.sts

com.amazonaws.your_region.elasticloadbalancing

K8s cluster autoscaler -

com.amazonaws.your_region.autoscaling

K8s App mesh (Envoy) - com.amazonaws.your_region.appmesh- envoy-management

XRay - com.amazonaws.your_region.xray

kubernetes.io/role/internal-elb=1

Application Load Balancer and OIDC

OIDC Configuration and Sub-net configurations

### Domain Certificate Manager Provision, manage and deploy SSL/TLS Certificates with AWS Services & User Applications Associate managed certificate ARN as an annotation in the Application Loadbalancer Ingress controller `service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-west-2:xxxxx:certificate/xxxxxxx` ### Self-Managed Nodepools Bottlerocket - Linux Based AMIs - light weight and quick up time CFT with custom instance profile Define your own ASG ### Detailed overview of configuring production ready EKS Cluster. {% embed url="" %}