
Securely Provide Public Access to Applications Hosted on an Amazon EKS Cluster


Introduction

In modern cloud-based environments, hosting applications on Kubernetes clusters like Amazon Elastic Kubernetes Service (EKS) is preferred for managing scalability, reliability, and deployment efficiency. However, securely exposing these applications to the public is critical to mitigate potential threats while maintaining seamless access.

In this blog, we will explore how to securely grant public access to your application running on an Amazon EKS cluster by leveraging a bastion host architecture. We will break down the architecture, components, and step-by-step flow for a secure deployment.


Understanding the Architecture


The diagram illustrates a secure access flow that enables public access to an application running on an Amazon EKS cluster while maintaining tight security controls.

  1. Shared Service Account:
    • Amazon VPC in the shared services account hosts the bastion server in a private subnet.
    • AWS Systems Manager (SSM) is configured to manage secure connections without exposing the bastion server to the internet.
  2. Transit Gateway (TGW):
    • The TGW securely bridges the shared services VPC and the production VPC.
  3. Production Account:
    • The production VPC contains the Amazon EKS cluster hosting the application within a private subnet.
    • The Amazon EKS cluster uses private networking, so Kubernetes API traffic and node-to-control-plane communication never leave the AWS network.

Key Security Enhancements

  1. No Direct Internet Access: The bastion server resides in a private subnet and is accessible only through SSM, eliminating the need for public IPs.
  2. Fine-Grained Access Control: Role-based access policies are applied to ensure that only authorized users from the operations team can access the bastion host.
  3. Encrypted Communication: All traffic between the bastion host, the TGW, and the Amazon EKS cluster stays on private AWS networking and is restricted by AWS default and custom security groups and Amazon VPC configuration; Session Manager traffic and the HTTPS application path are encrypted in transit.
  4. Private Subnet for Amazon EKS: The Amazon EKS cluster is deployed in a private subnet, ensuring no direct exposure of application pods to the public internet.

Step-by-Step Deployment

  1. Configure the Bastion Host
    • Launch a bastion server in the shared services Amazon VPC’s private subnet.
    • Create the Amazon VPC and subnets in the shared services account.
    • Install the SSM Agent on the server to enable remote access using AWS Systems Manager Session Manager.
  2. Set Up Transit Gateway (TGW)
    • Establish a TGW connection between the shared services VPC and the production VPC.
    • Configure routing tables to allow traffic only between the bastion host and the Amazon EKS cluster.
  3. Deploy the Application on Amazon EKS
    • Set up your Amazon EKS cluster in the production VPC’s private subnet.
    • Use an Ingress controller, such as AWS ALB Ingress Controller or NGINX, to route external traffic to your application.
  4. Secure Application Access
    • Configure the ALB or NGINX ingress to expose the application using HTTPS.
    • Use a public-facing Application Load Balancer (ALB) with security groups restricting access to required IP ranges.
  5. Enable Secure Bastion Access
    • Use the AWS Systems Manager console or CLI to initiate a session with the bastion host.
    • Forward traffic from the bastion host to the Amazon EKS cluster for operational tasks like debugging or management.
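The steps above, together with the “Fine-Grained Access Control” point from the previous section, come down to three concrete artifacts: an IAM policy that limits the operations team to Session Manager sessions on the bastion only, an Ingress manifest for a public HTTPS ALB restricted to known CIDRs (the annotations are those of the AWS Load Balancer Controller, the current name of the ALB Ingress Controller), and the Session Manager port-forwarding command used from the operator’s workstation to reach the private Kubernetes API through the bastion. The script below is an added example and is not code from the original post or from AWS; the tag `Role=bastion`, the instance ID, the ACM certificate ARN, the CIDR list and the EKS endpoint are all constructed placeholders. By default it only renders the artifacts; setting `APPLY=1` writes the policy to a file and applies the Ingress with `kubectl`.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Renders the IAM policy, the
# Ingress manifest and the Session Manager command for the bastion flow.
# All values below are constructed placeholders; replace them with your own.

BASTION_TAG_KEY="Role"                         # assumption: bastion tagged Role=bastion
BASTION_TAG_VALUE="bastion"
BASTION_INSTANCE_ID="i-0123456789abcdef0"      # placeholder instance ID
CERT_ARN="arn:aws:acm:us-east-1:111122223333:certificate/PLACEHOLDER"
ALLOWED_CIDRS="203.0.113.0/24,198.51.100.0/24" # constructed documentation ranges
EKS_API_HOST="PLACEHOLDER.gr7.us-east-1.eks.amazonaws.com"

# Step 1 / fine-grained access control: operators may start a session only
# on instances carrying the bastion tag, only via the port-forwarding
# document, and may terminate or resume only their own sessions.
render_ssm_session_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": { "ssm:resourceTag/${BASTION_TAG_KEY}": "${BASTION_TAG_VALUE}" }
      }
    },
    {
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ssm:*:*:document/AWS-StartPortForwardingSessionToRemoteHost"
    },
    {
      "Effect": "Allow",
      "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
      "Resource": "arn:aws:ssm:*:*:session/\${aws:username}-*"
    }
  ]
}
EOF
}

# Steps 3-4: internet-facing ALB, HTTPS only (port 80 redirects to 443),
# ACM certificate attached, and the listener restricted to the allowed CIDRs.
render_ingress() {
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app
  namespace: default
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
    alb.ingress.kubernetes.io/ssl-redirect: '443'
    alb.ingress.kubernetes.io/certificate-arn: ${CERT_ARN}
    alb.ingress.kubernetes.io/inbound-cidrs: ${ALLOWED_CIDRS}
spec:
  ingressClassName: alb
  rules:
    - http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: app
                port:
                  number: 80
EOF
}

# Step 5: from the operator workstation, open a Session Manager port-forward
# through the bastion to the private EKS API endpoint (no SSH, no public IP).
ssm_port_forward_cmd() {
  printf "aws ssm start-session --target %s --document-name AWS-StartPortForwardingSessionToRemoteHost --parameters '{\"host\":[\"%s\"],\"portNumber\":[\"443\"],\"localPortNumber\":[\"8443\"]}'\n" \
    "$BASTION_INSTANCE_ID" "$EKS_API_HOST"
}

# Render only by default; nothing talks to AWS unless APPLY=1 is set.
if [ "${APPLY:-0}" = "1" ]; then
  render_ssm_session_policy > ops-ssm-session-policy.json
  render_ingress | kubectl apply -f -
  echo "Run the following to reach the cluster API on localhost:8443:"
  ssm_port_forward_cmd
else
  render_ssm_session_policy
  render_ingress
  ssm_port_forward_cmd
fi
```

Two notes on the design: the IAM policy attaches to the operations team’s role, while the bastion itself needs a separate instance profile with the SSM managed policy so the agent can register. After the port-forward is open, kubectl must still present the cluster’s real hostname for TLS to validate, so either map the EKS endpoint name to 127.0.0.1 in the workstation’s hosts file or leave the kubeconfig server entry unchanged and only redirect resolution.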

Benefits of the Architecture

  1. Enhanced Security: This design minimizes the attack surface by eliminating public IPs for the bastion server and the Amazon EKS cluster.
  2. Scalability: Using a TGW allows for seamless scaling across multiple VPCs.
  3. Simplified Access: The SSM-managed bastion host provides a secure and straightforward access point for operational tasks without VPN complexities.
  4. Cost Efficiency: Private networking and serverless tools reduce infrastructure costs while providing security.

Conclusion

The combination of a bastion host, Transit Gateway, and private subnets ensures secure public access to applications running on Amazon EKS.

This architecture demonstrates a best-practice approach to balancing accessibility and security. Following these steps, you can confidently expose your applications to the public while protecting your infrastructure from potential threats.

Drop a query if you have any questions regarding Amazon EKS and we will get back to you quickly.


FAQs

1. What is the role of the bastion host in this architecture?

ANS: – The bastion host is a secure entry point for managing and accessing the Amazon EKS cluster. It resides in a private subnet and can only be accessed using AWS Systems Manager, ensuring no direct exposure to the internet.

2. Why is AWS Systems Manager (SSM) used instead of a public IP for the bastion host?

ANS: – AWS Systems Manager allows secure access to the bastion host without requiring a public IP. This eliminates the need for VPNs or direct internet exposure, reducing the attack surface.

WRITTEN BY Shridhar Vinchurkar
