AWS EKS Reference Architecture

Production Ready EKS Reference Architecture used while provisioning clusters through gopaddle

VPC Access Type Route Table Config Auto-assign public IP Endpoints AWS Loadbalancer Controller

VPC Access Type	Route Table Config	Auto-assign public IP	Endpoints	AWS Loadbalancer Controller
Public Only	Route table - outbound to 0.0.0.0/0	Yes		`kubernetes.io/role/elb=1`
Public/Private	Route table - outbound to NAT gateway, allow only outbound	No		`kubernetes.io/role/elb=1 kubernetes.io/role/internal-elb=1`
Private Only	NA	No	`com.amazonaws.your_region.ec2 com.amazonaws.your_region.ecr.api com.amazonaws.your_region.ecr.dkr` `com.amazonaws.your_region.s3` cloudwatch - `com.amazonaws.your_region.logs` sts - com.amazonaws.your_region.sts com.amazonaws.your_region.elasticloadbalancing K8s cluster autoscaler - `com.amazonaws.your_region.autoscaling` K8s App mesh (Envoy) - `com.amazonaws.your_region.appmesh- envoy-management` XRay - `com.amazonaws.your_region.xray`	`kubernetes.io/role/internal-elb=1`

Public Only

Route table - outbound to 0.0.0.0/0

Yes

kubernetes.io/role/elb=1

Public/Private

Route table - outbound to NAT gateway, allow only outbound

kubernetes.io/role/elb=1 kubernetes.io/role/internal-elb=1

Private Only

com.amazonaws.your_region.ec2 com.amazonaws.your_region.ecr.api com.amazonaws.your_region.ecr.dkr com.amazonaws.your_region.s3

cloudwatch -

com.amazonaws.your_region.logs

sts - com.amazonaws.your_region.sts

com.amazonaws.your_region.elasticloadbalancing

K8s cluster autoscaler -

com.amazonaws.your_region.autoscaling

K8s App mesh (Envoy) - com.amazonaws.your_region.appmesh- envoy-management

XRay - com.amazonaws.your_region.xray

kubernetes.io/role/internal-elb=1

Application Load Balancer and OIDC

OIDC Configuration and Sub-net configurations

Provision, manage and deploy SSL/TLS Certificates with AWS Services & User Applications

Associate managed certificate ARN as an annotation in the Application Loadbalancer Ingress controller

service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-west-2:xxxxx:certificate/xxxxxxx

Bottlerocket - Linux Based AMIs - light weight and quick up time

CFT with custom instance profile

Define your own ASG

Last updated 13 days ago