Private Access

How to create private EKS clusters

This section helps you to enable private access for your Amazon EKS cluster’s Kubernetes API server endpoint and completely disable public access so that it’s not accessible from the internet.

Enable Private Access for your cluster’s API server endpoint

You can enable private access to the Kubernetes API server so that all communication between your worker nodes and the API server stays within your VPC. You can also completely disable public access to your API server so that it’s not accessible from the internet.

  1. aws eks update-cluster-config \
  2. --region region \
  3. --name <your_eks_cluster_name> \
  4. --resources-vpc-config endpointPublicAccess=true,endpointPrivateAccess=true

By default, this API server endpoint is public to the internet (endpointPublicAccess=true) , and access to the API server is secured using a combination of AWS Identity and Access Management (IAM) and native Kubernetes Role Based Access Control (endpointPrivateAccess=false).

You can enable private access to the Kubernetes API server so that all communication between your worker nodes and the API server stays within your VPC (endpointPrivateAccess=true). You can also completely disable public access to your API server so that it’s not accessible from the internet (endpointPublicAccess=false). In this case, you need to have an instance inside your VPC to talk with your Kubernetes API server.

Note: You may see InvalidParameterException if you have invalid combination.

Please check Amazon EKS Cluster Endpoint Access Control for more details.

Feedback

Was this page helpful?

Glad to hear it! Please tell us how we can improve.

Sorry to hear that. Please tell us how we can improve.

Last modified 21.02.2020: Deprecate Private Access and Logging - use awcli instead (#1715) (c7a69cb0)