You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Due to this behavior:
- Your Pods can communicate with internet resources only if the node that they're running on has a public or elastic IP address assigned to it and is in a public subnet. A public subnet's associated route table has a route to an internet gateway. We recommend deploying nodes to private subnets, whenever possible.
However, in my experience this is not fully correct. I am running EKS 1.28 with VPC CNI plugin at v1.15.1. Correct me if I'm wrong:
Pod which is deployed on node running on private subnet (without public IP address) can still communicate with resources on the internet via NAT Gateway, even when AWS_VPC_K8S_CNI_EXTERNALSNAT is set to false (default). What happen is:
Pod private IP is translated to node primary private IP of primary ENI
The traffic is routed to NAT Gateway.
NAT Gateway will then translate the node primary private IP into NAT Gateway private IP, and then into NAT Gateway public IP routed via Internet Gateway
I believe, it is best to rephrase the statement in the doc into what AWS recommends in terms of AWS_VPC_K8S_CNI_EXTERNALSNAT configurations to enable outbound internet access for pods as per docs title.
For example:
AWS_VPC_K8S_CNI_EXTERNALSNAT is set to false by default to allows pods deployed on nodes running in public subnet to be able to access the internet. If the nodes are deployed on public subnets, the recommendations is to set AWS_VPC_K8S_CNI_EXTERNALSNAT to false.
If the nodes are deployed on private subnets with route to internet via NAT Gateway, the recommendations is to set AWS_VPC_K8S_CNI_EXTERNALSNAT to true.
Thank you.
The text was updated successfully, but these errors were encountered:
Hi team,
The external snat documentation mentioned the following: (Quoted 1 point for brevity)
However, in my experience this is not fully correct. I am running EKS 1.28 with VPC CNI plugin at v1.15.1. Correct me if I'm wrong:
Pod which is deployed on node running on private subnet (without public IP address) can still communicate with resources on the internet via NAT Gateway, even when
AWS_VPC_K8S_CNI_EXTERNALSNAT
is set tofalse
(default). What happen is:I believe, it is best to rephrase the statement in the doc into what AWS recommends in terms of
AWS_VPC_K8S_CNI_EXTERNALSNAT
configurations to enable outbound internet access for pods as per docs title.For example:
AWS_VPC_K8S_CNI_EXTERNALSNAT
is set tofalse
by default to allows pods deployed on nodes running in public subnet to be able to access the internet. If the nodes are deployed on public subnets, the recommendations is to setAWS_VPC_K8S_CNI_EXTERNALSNAT
to false.AWS_VPC_K8S_CNI_EXTERNALSNAT
to true.Thank you.
The text was updated successfully, but these errors were encountered: