Access the Amazon EKS using Amazon PrivateLink
You can use Amazon PrivateLink to create a private connection between your VPC and Amazon Elastic Kubernetes Service. You can access Amazon EKS as if it were in your VPC, without the use of an internet gateway, NAT device, VPN connection, or Amazon Direct Connect connection. Instances in your VPC don’t need public IP addresses to access Amazon EKS.
You establish this private connection by creating an interface endpoint powered by Amazon PrivateLink. We create an endpoint network interface in each subnet that you enable for the interface endpoint. These are requester-managed network interfaces that serve as the entry point for traffic destined for Amazon EKS.
For more information, see Access Amazon services through Amazon PrivateLink in the Amazon PrivateLink Guide.
Considerations for Amazon EKS
- Before you set up an interface endpoint for Amazon EKS, review Considerations in the Amazon PrivateLink Guide.
- Amazon EKS supports making calls to all of its API actions through the interface endpoint, but not to the Kubernetes APIs. The Kubernetes API server already supports a private endpoint. The Kubernetes API server private endpoint creates a private endpoint for the Kubernetes API server that you use to communicate with your cluster (using Kubernetes management tools such as kubectl). You can enable private access to the Kubernetes API server so that all communication between your nodes and the API server stays within your VPC. Amazon PrivateLink for the Amazon EKS API helps you call the Amazon EKS APIs from your VPC without exposing traffic to the public internet.
- You can’t configure Amazon EKS to only be accessed through an interface endpoint.
- Standard pricing for Amazon PrivateLink applies for interface endpoints for Amazon EKS. You are billed for every hour that an interface endpoint is provisioned in each Availability Zone and for data processed through the interface endpoint. For more information, see Amazon PrivateLink pricing.
- VPC endpoint policies are not supported for Amazon EKS. By default, full access to Amazon EKS is allowed through the interface endpoint. Alternatively, you can associate a security group with the endpoint network interfaces to control traffic to Amazon EKS through the interface endpoint.
- You can use VPC flow logs to capture information about IP traffic going to and from network interfaces, including interface endpoints. You can publish flow log data to Amazon CloudWatch or Amazon S3. For more information, see Logging IP traffic using VPC Flow Logs in the Amazon VPC User Guide.
- You can access the Amazon EKS APIs from an on-premises data center by connecting it to a VPC that has an interface endpoint. You can use Amazon Direct Connect or Amazon Site-to-Site VPN to connect your on-premises sites to a VPC.
- You can connect other VPCs to the VPC with an interface endpoint using an Amazon Transit Gateway or VPC peering. VPC peering is a networking connection between two VPCs. You can establish a VPC peering connection between your VPCs, or with a VPC in another account. The VPCs can be in different Amazon Regions. Traffic between peered VPCs stays on the Amazon network. The traffic doesn’t traverse the public internet. A Transit Gateway is a network transit hub that you can use to interconnect VPCs. Traffic between a VPC and a Transit Gateway remains on the Amazon global private network. The traffic isn’t exposed to the public internet.
- Before August 2024, VPC interface endpoints for Amazon EKS were only accessible over IPv4 using eks.region.amazonaws.com. New VPC interface endpoints that are made after August 2024 use dual-stack IPv4 and IPv6 IP addresses and both DNS names: eks.region.amazonaws.com and eks.region.api.aws.
- Amazon PrivateLink support for the EKS API isn’t available in the Asia Pacific (Malaysia) (ap-southeast-5), Asia Pacific (Thailand) (ap-southeast-7), and Mexico (Central) (mx-central-1) Amazon Regions. Amazon PrivateLink support for eks-auth for EKS Pod Identity is available in the Asia Pacific (Malaysia) (ap-southeast-5) Region.
Create an interface endpoint for Amazon EKS
You can create an interface endpoint for Amazon EKS using either the Amazon VPC console or the Amazon Command Line Interface (Amazon CLI). For more information, see Create a VPC endpoint in the Amazon PrivateLink Guide.
Create an interface endpoint for Amazon EKS using the following service names:
- EKS API: com.amazonaws.region-code.eks
- EKS Auth API (EKS Pod Identity): com.amazonaws.region-code.eks-auth
The private DNS feature is enabled by default when creating an interface endpoint for Amazon EKS and other Amazon services. To use the private DNS feature, you must ensure that the following VPC attributes are set to true: enableDnsHostnames and enableDnsSupport. For more information, see View and update DNS attributes for your VPC in the Amazon VPC User Guide. With the private DNS feature enabled for the interface endpoint:
- You can make any API request to Amazon EKS using its default Regional DNS name. After August 2024, any new VPC interface endpoint for the Amazon EKS API has two default Regional DNS names, and you can choose dualstack for the IP address type. The first DNS name is eks.region.api.aws, which is dual-stack. It resolves to both IPv4 addresses and IPv6 addresses. Before August 2024, Amazon EKS only used eks.region.amazonaws.com, which resolved to IPv4 addresses only. If you want to use IPv6 and dual-stack IP addresses with an existing VPC interface endpoint, you can update the endpoint to use the dualstack type of IP address, but it will only have the eks.region.amazonaws.com DNS name. In this configuration, the existing endpoint updates to point that name to both IPv4 and IPv6 IP addresses. For a list of APIs, see Actions in the Amazon EKS API Reference.
- You don’t need to make any changes to your applications that call the EKS APIs. However, to use the dual-stack endpoints with the Amazon CLI, see the Dual-stack and FIPS endpoints configuration in the Amazon SDKs and Tools Reference Guide.
- Any call made to the Amazon EKS default service endpoint is automatically routed through the interface endpoint over the private Amazon network.
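Because the private DNS feature works by making the default Regional name resolve to the endpoint network interfaces, a practical post-creation check is to confirm that the name now resolves to addresses inside your VPC CIDR rather than public ones. The following POSIX shell script is an added example and not part of this guide; it assumes the hostname (for example eks.region.amazonaws.com with your Region code) and your VPC CIDR are passed as arguments, and it checks IPv4 records only.

```shell
#!/bin/sh
# Added example (not from the Amazon EKS user guide): after enabling private
# DNS on an EKS interface endpoint, confirm that the default Regional DNS name
# resolves to addresses inside the VPC (the endpoint network interfaces) and
# not to public IPs. IPv4 only; hostname and VPC CIDR are assumed arguments.

# ip_to_int: dotted-quad IPv4 address -> 32-bit integer (pure shell)
ip_to_int() {
  echo "$1" | { IFS=. read -r a b c d; echo $(( (a << 24) | (b << 16) | (c << 8) | d )); }
}

# ip_in_cidr IP CIDR: succeed when IP lies inside CIDR (e.g. 10.0.0.0/16)
ip_in_cidr() {
  ip=$1
  net=${2%/*}
  bits=${2#*/}
  mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip_to_int "$ip") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# check_resolution HOST CIDR: resolve HOST with getent (Linux) and classify each
# IPv4 record. Returns 0 only if every record is inside CIDR, which is what you
# expect when the private DNS feature routes the name through the endpoint.
check_resolution() {
  host=$1
  cidr=$2
  status=0
  addrs=$(getent ahostsv4 "$host" | awk '{print $1}' | sort -u)
  [ -n "$addrs" ] || { echo "no IPv4 records for $host" >&2; return 2; }
  for addr in $addrs; do
    if ip_in_cidr "$addr" "$cidr"; then
      echo "PRIVATE  $host -> $addr (inside $cidr, via interface endpoint)"
    else
      echo "PUBLIC   $host -> $addr (outside $cidr, NOT using the endpoint)"
      status=1
    fi
  done
  return $status
}

# Usage: ./check_eks_endpoint.sh eks.region.amazonaws.com 10.0.0.0/16
# (replace "region" with your Region code and the CIDR with your VPC's CIDR)
if [ $# -ge 2 ]; then
  check_resolution "$1" "$2"
fi
```

A PUBLIC line means the VPC's DNS attributes or the endpoint's private DNS setting is not in effect for that name, so calls are leaving through the public path.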