🎉 I'm releasing 12 products in 12 months! If you love product, checkout my new blog workingoutloud.dev

Back to home

EKS Basics

    This is more of a basic theory section to understand how EKS works.


    USD$0.20 per hours for each EKS cluster you make. That's ~USD$144/month.

    You pay normally for all the other resources related to running your apps:

    • Worker nodes (EC2)
    • EBS volumes
    • Network traffic
    • Load balancers

    Check online for if pricing ever changes.

    EKS Control Place

    The control plane sets up the cluster to be highly available (in 3 availability zones).

    Each AZ will have a master node and etcd that is AWS managed. The workers nodes are what we supply.

    Our local kubectl will talk directly to EKS.

    Under the hood

    Under the hood

    Under the hood

    • Single tenant (you do not share it with other customers)
    • Made of native AWS component (EC2, ELB, ASG, NLB, VPC)

    EKS Networking



    Recommended to have:

    1. Private subnets: containers all the worker nodes to have application deployed. Must be large CIDR.
    2. Public subnets: Will contain any internet-facing load balancer to expose the applications.
    3. The VPC must have DNS hostname and DNS resolution support, otherwise nodes can't register.

    Security groups

    Security groups explored

    Security groups explored

    You have 2 security groups: Control Plane and Worker Nodes.

    Read up on https://github.com/freach/kubernetes-security-best-practice.

    EKS Pod Networking

    • Amazon VPC CNI plugin: each pod receivers 1 IP address (=ENI => Elastic Network Interface) in VPC.
    • Pods have the same IP address inside the EKS cluster and outside of it.
    • Subnet limitations: CIRD /24 is 254 IP, not enough to run a lot of pods. You'll need a way bigger CIDR. Recommended is a CIDR /18.
    • EC2 limitations: limited to amount of ENI/IP addresses it can have. Based on the network types, AWS has documentation on EC2 limits for ENIs, IPv4s and IPv6s.

    See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html for more information on ENI limits.

    Network security with Calico

    • Security groups allow all worker nodes to communicate to each other on any ports.
    • This may be a problem if you want to segement applications, tenants or environments.
    • You can use the Calico project instead of AWS Security Groups in this case.
    • Network policies are directly assigned to pods (instead of worker nodes).
    • More granular.

    IAM and RBAC Integration

    IAM and RBAC in action

    IAM and RBAC in action

    Note: RBAC means "Role-Based-Access-Control".

    • When you talk to Kubernetes, authentication is held by IAM.
    • Authorization is done by Kubernetes RBAC (native auth for K8s).
    • Done through collaboration between AWS and Heptio.
    • You can assign RBAC directly through IAM entities.
    • By default, the role you assign to your K8s cluster has system:master permissions.

    K8s Worker Nodes

    K8s Worker Nodes

    K8s Worker Nodes

    • When the join the cluster, they are assigned an IAM role and authorized in RBAC to join system:bootstrappers and system: nodes in your ConfigMap.

    You can write your own rules in the ConfigMap.

    EKS Load Balancers

    • EKS support Classic Load Balancer, Application Load Balancer and Network Load Balancer.
    • Classic and Network Load Balancer is for Service of type LoadBalancer.
    • Application Load Balancer is for Ingress Controller.


    Through the service of type LoadBalancer, EKS will create a:

    • Classic Load Balancer by default.
    • Netword Load Balancer if this is specified: service.beta.kubernetes.io/aws-load-balancer-type:nlb.
    • There is also support for internal load balancers: service.beta.kubernetes.io//aws-load-balancer-internal:
    • You can control the configuration of LBs using annotations in your manifest.
    • All documentation for LoadBalancer on AWS is diretly on the Kubernetes project.
    • ALB Ingress is open source and found on GitHub.
    • Supports target group of instance mode (hooked into NodePort).
    • Supports target group of IP mode (directly communicating with the pod).
    • Supports Application Load Balancer listener rules.
    Personal image

    Dennis O'Keeffe

    • Melbourne, Australia

    Hi, I am a professional Software Engineer. Formerly of Culture Amp, UsabilityHub, Present Company and NightGuru.
    I am currently working on Visibuild.


    Get fresh posts + news direct to your inbox.

    No spam. We only send you relevant content.

    EKS Basics


    Share this post