Recently, we had a customer who wanted to lock down API access to specific IP addresses in their Amazon EKS cluster.
Here, at Bobcares, we assist our customers with several AWS queries as part of our AWS Support Services.
Today, let us see how we can perform this task.
Lock down API access to specific IP addresses in EKS cluster
Generally, we can lock down access to two types of Amazon EKS API server access endpoints. They are:
- Public access endpoints
Access to the API server is open to the public by default. You can lock down access to specific CIDR blocks and IP addresses.
- Private access endpoints
The API server can be accessed only from within an Amazon Virtual Private Cloud (Amazon VPC). You can further lock down access to specific VPC CIDR blocks through cluster security groups.
Moving ahead, let us see the steps our Support Techs employ in order to lock public and private access endpoints.
Public access endpoints
- Initially, we open the Amazon EKS console.
- Then we select the Clusters, and then select the specific cluster.
- In the Networking section, we select the option, Update.
- After that, with public access enabled, we expand Advanced Settings.
- Now, we enter a CIDR block that we want to allow access from.
- If necessary, to enter additional blocks, we select Add Source.
- Finally, we go ahead and click, Update.
Private access endpoints
- First, we open the Amazon EKS console.
- As above, we select Clusters, and then the cluster.
- In the Networking section, we note the name of the cluster security group and any additional security groups.
- Then we add ingress rules to any one of those security groups.
For the ingress rule, we set TCP as the protocol, 443 as the port, and the source IP range from which we allow access.
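Both procedures above (the public-endpoint CIDR allow-list and the private-endpoint security-group rule) can also be applied from the AWS CLI. The script below is an added example, not Bobcares' own script or an AWS-provided tool; the cluster name, security group id and CIDR blocks are placeholders, and it assumes AWS CLI v2 with working credentials. It defaults to a dry run that only prints the commands, and it refuses an empty list or a 0.0.0.0/0 block, because an empty allow-list leaves the public endpoint open to every IP address.

```shell
#!/bin/sh
# Added example (not the original post's code): restrict the EKS public
# endpoint to an allow-list and open TCP/443 on the cluster security group
# for the private endpoint. All identifiers below are placeholders.

CLUSTER_NAME="${CLUSTER_NAME:-my-cluster}"          # placeholder cluster name
CLUSTER_SG="${CLUSTER_SG:-sg-0123456789abcdef0}"    # placeholder cluster SG id
DRY_RUN="${DRY_RUN:-1}"                             # 1 = print commands only

# Reject an empty allow-list (means "all addresses") and any world-open CIDR.
validate_cidrs() {
    if [ -z "$1" ]; then
        echo "no CIDR blocks given; endpoint would accept all addresses" >&2
        return 1
    fi
    for cidr in $1; do
        case "$cidr" in
            0.0.0.0/0|::/0)
                echo "refusing world-open CIDR $cidr" >&2; return 1 ;;
            *.*.*.*/[0-9]*) ;;                       # looks like IPv4 CIDR
            *)
                echo "not an IPv4 CIDR: $cidr" >&2; return 1 ;;
        esac
    done
    return 0
}

# Turn "a/24 b/32" into the comma-separated form the CLI shorthand expects.
join_cidrs() {
    out=""
    for cidr in $1; do
        out="${out:+$out,}$cidr"
    done
    printf '%s' "$out"
}

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Public endpoint: keep it enabled but limited to the allow-list, and turn on
# the private endpoint so worker nodes and Fargate pods reach the API server
# inside the VPC rather than through the public allow-list.
restrict_public_endpoint() {
    validate_cidrs "$1" || return 1
    run aws eks update-cluster-config \
        --name "$CLUSTER_NAME" \
        --resources-vpc-config \
        "endpointPublicAccess=true,publicAccessCidrs=$(join_cidrs "$1"),endpointPrivateAccess=true"
}

# Private endpoint: one TCP/443 ingress rule per allowed source range on the
# cluster security group (the name noted in the Networking section).
allow_private_sources() {
    validate_cidrs "$1" || return 1
    for cidr in $1; do
        run aws ec2 authorize-security-group-ingress \
            --group-id "$CLUSTER_SG" \
            --protocol tcp --port 443 --cidr "$cidr"
    done
}

# Sample (constructed) ranges: two office/VPN sources for the public endpoint,
# one VPC range for the private endpoint.
restrict_public_endpoint "203.0.113.0/24 198.51.100.7/32"
allow_private_sources "10.0.0.0/16"
```

Run it with `DRY_RUN=0 CLUSTER_NAME=<cluster> CLUSTER_SG=<sg-id> sh lockdown.sh` once the printed commands look right. The update-cluster-config call may take a few minutes to finish; check `aws eks describe-cluster --name <cluster> --query cluster.resourcesVpcConfig` afterwards to confirm `publicAccessCidrs` holds only the ranges you intended.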
In addition, our Support Techs recommend keeping the following in mind:
- If we fail to specify any CIDR blocks, then the public API server endpoint receives requests from all IP addresses.
- We have to enable private endpoint access for worker nodes and AWS Fargate pods to communicate with the cluster through the private endpoint.
- Without the private endpoint enabled, worker nodes reach the API server through the public endpoint, so the public access CIDR list must include the addresses from which traffic leaves the Amazon VPC.
In short, we saw how our Support Techs lock down API access to specific IP addresses in an EKS cluster.