Create VPC on AWS

This section will guide you through creating a VPC for your EKS cluster.

What You’ll Need

Procedure

  1. Decide on the VPC configuration you want to use. Here is how your VPC configuration will look like based on your choice:

    • The VPC will have three public subnets.
    • The Kubernetes endpoint will be publicly accessible and optionally behind firewall.
    • The EKS worker nodes will obtain public IPs.
    • You will use an internet-facing Load Balancer to expose your services.
    • The VPC will have two public subnets and two private subnets.
    • The Kubernetes endpoint will be publicly accessible and optionally behind firewall.
    • The EKS worker nodes will obtain private IPs.
    • You will use an internet-facing Load Balancer to expose your services.
    • The VPC will have three private subnets without internet access and one public subnet.
    • The VPC will have all the necessary VPC endpoints for the EKS workers and software running in the cluster.
    • The Kubernetes endpoint will not be publicly accessible.
    • The EKS worker nodes will obtain private IPs.
    • You will use an internal Load Balancer to expose services.
    • You will use the public subnet to launch a bastion host.
    • You will access the EKS cluster via the bastion host.

    Note

    We recommend you use a VPC configuration with Public and private subnets.

    Air Gapped

    Use a VPC configuration with Only private subnets.

  2. Download the CloudFormation template based on the VPC configuration you want to use.

    Download the CloudFormation template for a VPC with public subnets for EKS.

    Download the CloudFormation template for a VPC with public and private subnets for EKS.

    Download the CloudFormation template for a fully-private VPC for EKS.

  3. Go to the AWS CloudFormation console.

  4. Click Create stack and choose With new resources (standard).

  5. Select Upload template file and upload the CloudFormation template you downloaded in the first step as a template file.

  6. Click Next.

  7. Set Stack name to arrikto-cluster-vpc and click Next.

  8. In Configure stack options leave the defaults and click Next.

  9. Click Create and wait for it to complete.

  10. Obtain the VPC ID. Go to your CloudFormation stacks, select the arrikto-cluster-vpc Stack, click on the Outputs tab and obtain the VpcId.

  11. Go to your management environment.

  12. Specify your VPC ID:

    root@rok-tools:~# export VPCID=<VPCID>
    

    Replace <VPCID> with the ID of your VPC. For example:

    root@rok-tools:~# export VPCID=vpc-05dd9c31ee502b47d
    
  13. List the subnets of the VPC. You will inspect each one to determine whether it is public or private in later steps. Choose based on your VPC configuration.

    root@rok-tools:~# aws ec2 describe-subnets \
    >     --filter Name=vpc-id,Values=${VPCID?} \
    >     --query 'Subnets[].[SubnetId,Tags[?Key==`Name`]|[0].Value]' \
    >     --output table
    --------------------------------------------------------------
    |                       DescribeSubnets                      |
    +---------------------------+--------------------------------+
    |  subnet-05d5dd6c1087562f4 |  arrikto-cluster-vpc-Subnet01  |
    |  subnet-0e19732eab4a56996 |  arrikto-cluster-vpc-Subnet02  |
    |  subnet-0f3015565344174bd |  arrikto-cluster-vpc-Subnet03  |
    +---------------------------+--------------------------------+
    
    root@rok-tools:~# aws ec2 describe-subnets \
    >     --filter Name=vpc-id,Values=${VPCID?} \
    >     --query 'Subnets[].[SubnetId,Tags[?Key==`Name`]|[0].Value]' \
    >     --output table
    ---------------------------------------------------------------------
    |                          DescribeSubnets                          |
    +---------------------------+---------------------------------------+
    |  subnet-0b936cdc4fae6862a |  arrikto-cluster-vpc-PrivateSubnet02  |
    |  subnet-0110cc3509ed64a7e |  arrikto-cluster-vpc-PrivateSubnet01  |
    |  subnet-018e3b5b3ec930ccb |  arrikto-cluster-vpc-PublicSubnet02   |
    |  subnet-074cebd1b78c50066 |  arrikto-cluster-vpc-PublicSubnet01   |
    +---------------------------+---------------------------------------+
    
    root@rok-tools:~# aws ec2 describe-subnets \
    >     --filter Name=vpc-id,Values=${VPCID?} \
    >     --query 'Subnets[].[SubnetId,Tags[?Key==`Name`]|[0].Value]' \
    >     --output table
    ---------------------------------------------------------------------
    |                          DescribeSubnets                          |
    +---------------------------+---------------------------------------+
    |  subnet-0b0cc5705f0d59b45 |  arrikto-cluster-vpc-PublicSubnet01   |
    |  subnet-0866acfa93f46334c |  arrikto-cluster-vpc-PrivateSubnet01  |
    |  subnet-05bb5faadcdea51cc |  arrikto-cluster-vpc-PrivateSubnet03  |
    |  subnet-0d16fc5ab97eb48e8 |  arrikto-cluster-vpc-PrivateSubnet02  |
    +---------------------------+---------------------------------------+
    
  14. Identify the public and private subnets of the VPC. The public subnets are the ones whose associated route table has a default route to an internet gateway. The private subnets are the ones that are not public.

    Declare the arrays for holding public and private subnets:

    root@rok-tools:~# export VPC_PUBLIC_SUBNETS=()
    root@rok-tools:~# export VPC_PRIVATE_SUBNETS=()
    

    Repeat steps 1-8 below for each one of the subnets in the list shown in the previous step.

    1. Pick a subnet from the list:

      root@rok-tools:~# export SUBNET=<SUBNET>
      
    2. Find the internet gateway associated with the VPC:

      root@rok-tools:~# IGW=$(aws ec2 describe-internet-gateways \
      >     --filters Name=attachment.vpc-id,Values=${VPCID?} \
      >     --query InternetGateways[].InternetGatewayId \
      >     --output text)
      
    3. Find the main route table of the VPC:

      root@rok-tools:~# MRTB=$(aws ec2 describe-route-tables \
      >     --filters Name=vpc-id,Values=${VPCID?} \
      >               Name=association.main,Values=true \
      >     --query RouteTables[].RouteTableId \
      >     --output text)
      
    4. Check if the main route table of the VPC has a default route to the internet gateway of the VPC:

      root@rok-tools:~# MRTBP=$(aws ec2 describe-route-tables \
      >     --filters Name=route-table-id,Values=${MRTB} \
      >               Name=route.destination-cidr-block,Values=0.0.0.0/0 \
      >               Name=route.gateway-id,Values=${IGW} \
      >     --query RouteTables[].RouteTableId \
      >     --output text)
      
    5. Find the route table that the subnet is explicitly associated with:

      root@rok-tools:~# RTB=$(aws ec2 describe-route-tables \
      >     --filters Name=vpc-id,Values=${VPCID?} \
      >               Name=association.subnet-id,Values=${SUBNET?} \
      >     --query RouteTables[].RouteTableId \
      >     --output text)
      
    6. Check if the route table (if any) has a default route to the internet gateway of the VPC:

      root@rok-tools:~# RTBP=$(aws ec2 describe-route-tables \
      >     --filters Name=route-table-id,Values=${RTB} \
      >               Name=route.destination-cidr-block,Values=0.0.0.0/0 \
      >               Name=route.gateway-id,Values=${IGW} \
      >     --query RouteTables[].RouteTableId \
      >     --output text)
      
    7. Decide whether the subnet is public or private and append it to the corresponding list.

      root@rok-tools:~# [[ "${RTB}" ]] && [[ "${RTBP}" ]] && VPC_PUBLIC_SUBNETS+=(${SUBNET})
      root@rok-tools:~# [[ ! "${RTB}" ]] && [[ "${MRTBP}" ]] && VPC_PUBLIC_SUBNETS+=(${SUBNET})
      root@rok-tools:~# [[ "${RTB}" ]] && [[ ! "${RTBP}" ]] && VPC_PRIVATE_SUBNETS+=(${SUBNET})
      root@rok-tools:~# [[ ! "${RTB}" ]] && [[ ! "${MRTBP}" ]] && VPC_PRIVATE_SUBNETS+=(${SUBNET})
      
    8. Go back to step 1, and repeat the steps for the remaining subnets.

  15. Specify the subnets that the EKS control plane will use. These will reside within at least two availability zones. Choose based on your VPC configuration.

    Use all public subnets of the VPC:

    root@rok-tools:~# export EKS_CLUSTER_SUBNETS=${VPC_PUBLIC_SUBNETS[*]}
    

    Use all subnets (private and public) of the VPC:

    root@rok-tools:~# export EKS_CLUSTER_SUBNETS="${VPC_PUBLIC_SUBNETS[*]} ${VPC_PRIVATE_SUBNETS[*]}"
    

    Use all private subnets of the VPC:

    root@rok-tools:~# export EKS_CLUSTER_SUBNETS=${VPC_PRIVATE_SUBNETS[*]}
    

    Note

    We exclude the public subnet that the bastion host will use.

    Note

    Advanced Networking: We recommend you use all the available subnets based on your VPC configuration. However, if you have specific networking requirements, you can explicitly specify a subset of them with:

    root@rok-tools:~# export EKS_CLUSTER_SUBNETS="<SUBNET1> <SUBNET2>"
    
  16. Specify the subnet that the EKS node group will use. Choose based on your VPC configuration.

    Use the first public subnet of your VPC:

    root@rok-tools:~# export EKS_NODEGROUP_SUBNETS=${VPC_PUBLIC_SUBNETS[0]}
    

    Use the first private subnet of your VPC:

    root@rok-tools:~# export EKS_NODEGROUP_SUBNETS=${VPC_PRIVATE_SUBNETS[0]}
    

    Use the first private subnet of your VPC:

    root@rok-tools:~# export EKS_NODEGROUP_SUBNETS=${VPC_PRIVATE_SUBNETS[0]}
    

    Note

    Advanced Networking: We recommend you use one of the available subnets based on your VPC configuration. However, if you have specific networking requirements, you can explicitly specify a subset of them with:

    root@rok-tools:~# export EKS_NODEGROUP_SUBNETS="<SUBNET1> <SUBNET2>"
    

    These subnets must reside within a single availability zone so that EBS volumes that are in use are always available.

  17. Specify the subnets that internet-facing Load Balancers will use. These will reside within at least two availability zones and have the kubernetes.io/role/elb tag set. Choose based on your VPC configuration.

    Use all public subnets of your VPC:

    root@rok-tools:~# export ELB_SUBNETS=${VPC_PUBLIC_SUBNETS[*]}
    

    Use all public subnets of your VPC:

    root@rok-tools:~# export ELB_SUBNETS=${VPC_PUBLIC_SUBNETS[*]}
    

    You cannot not use an internet-facing Load Balancer so skip specifying any subnets.

    Note

    Advanced Networking: We recommend you use all of the available subnets based on your VPC configuration. However, if you have specific networking requirements, you can explicitly specify a subset of them with:

    root@rok-tools:~# export ELB_SUBNETS="<SUBNET1> <SUBNET2>"
    
  18. Specify the subnets that internal Load Balancers will use. These will reside within at least two availability zones and have the kubernetes.io/role/internal-elb tag set. Choose based on your VPC configuration.

    You cannot use and internal Load Balancer so skip specifying any subnets.

    Use all private subnets of your VPC:

    root@rok-tools:~# export INTERNAL_ELB_SUBNETS=${VPC_PRIVATE_SUBNETS[*]}
    

    Use all private subnets of your VPC:

    root@rok-tools:~# export INTERNAL_ELB_SUBNETS=${VPC_PRIVATE_SUBNETS[*]}
    

    Note

    Advanced Networking: We recommend you use all of the available subnets based on your VPC configuration. However, if you have specific networking requirements, you can explicitly specify a subset of them with:

    root@rok-tools:~# export INTERNAL_ELB_SUBNETS="<SUBNET1> <SUBNET2>"
    

Verify

  1. Go to your management environment.

  2. Ensure that your VPC exists.

    root@rok-tools:~# aws ec2 describe-vpcs \
    >    --vpc-ids ${VPCID?} \
    >    --query 'Vpcs[].[VpcId,Tags[?Key==`Name`]|[0].Value,IsDefault]' \
    >    --output table
    ---------------------------------------------------------------
    |                        DescribeVpcs                         |
    +------------------------+---------------------------+--------+
    |  vpc-05dd9c31ee502b47d |  arrikto-cluster-vpc-VPC  |  False |
    +------------------------+---------------------------+--------+
    
  3. Ensure that your VPC has DNS hostnames and DNS resolution enabled.

    1. Ensure that the enableDnsSupport VPC attribute is set:

      root@rok-tools:~# aws ec2 describe-vpc-attribute \
      >     --vpc-id ${VPCID?} \
      >     --attribute enableDnsSupport \
      >     --query EnableDnsSupport.Value
      true
      
    2. Ensure that the enableDnsHostnames VPC attribute is set:

      root@rok-tools:~# aws ec2 describe-vpc-attribute \
      >     --vpc-id ${VPCID?} \
      >     --attribute enableDnsHostnames \
      >     --query EnableDnsHostnames.Value
      true
      
  4. Verify that your VPC has the required endpoints. Choose based on your VPC configuration.

    No VPC endpoints are required. Proceed to the next step.

    No VPC endpoints are required. Proceed to the next step.

    1. List the service name of each endpoint in your VPC:

      root@rok-tools:~# aws ec2 describe-vpc-endpoints \
      >     --filter Name=vpc-id,Values=${VPCID?} \
      >     --query VpcEndpoints[].[ServiceName,State] \
      >     --output table
      ---------------------------------------------------------------
      |                    DescribeVpcEndpoints                     |
      +------------------------------------------------+------------+
      |  com.amazonaws.us-east-1.s3                    |  available |
      |  com.amazonaws.us-east-1.ecr.dkr               |  available |
      |  com.amazonaws.us-east-1.autoscaling           |  available |
      |  com.amazonaws.us-east-1.ecr.api               |  available |
      |  com.amazonaws.us-east-1.logs                  |  available |
      |  com.amazonaws.us-east-1.sts                   |  available |
      |  com.amazonaws.us-east-1.ec2                   |  available |
      |  com.amazonaws.us-east-1.elasticloadbalancing  |  available |
      +------------------------------------------------+------------+
      
    2. Ensure that VPC endpoints are available for the following services:

      • com.amazonaws.REGION.sts
      • com.amazonaws.REGION.ecr.api
      • com.amazonaws.REGION.logs
      • com.amazonaws.REGION.ecr.dkr
      • com.amazonaws.REGION.s3
      • com.amazonaws.REGION.ec2
      • com.amazonaws.REGION.elasticloadbalancing
      • com.amazonaws.REGION.autoscaling
  5. Verify the subnets that the EKS control plane will use. Choose based on your VPC configuration.

    1. List the given subnets:

      root@rok-tools:~# aws ec2 describe-subnets \
      >    --subnet-ids ${EKS_CLUSTER_SUBNETS?} \
      >    --filter Name=vpc-id,Values=${VPCID?} \
      >    --query 'Subnets[].[SubnetId,AvailabilityZone]' \
      >    --output table
      --------------------------------------------
      |             DescribeSubnets              |
      +---------------------------+--------------+
      |  subnet-0b936cdc4fae6862a |  us-east-1a  |
      |  subnet-0110cc3509ed64a7e |  us-east-1b  |
      |  subnet-018e3b5b3ec930ccb |  us-east-1c  |
      +---------------------------+--------------+
      
    2. Ensure that the subnets in the above list do not all belong to the same availability zone, that is, the second column refers to at least two AZs across all subnets.

    1. List the given subnets:

      root@rok-tools:~# aws ec2 describe-subnets \
      >    --subnet-ids ${EKS_CLUSTER_SUBNETS?} \
      >    --filter Name=vpc-id,Values=${VPCID?} \
      >    --query 'Subnets[].[SubnetId,AvailabilityZone]' \
      >    --output table
      --------------------------------------------
      |              DescribeSubnets             |
      +---------------------------+--------------+
      |  subnet-0b936cdc4fae6862a |  us-east-1b  |
      |  subnet-0110cc3509ed64a7e |  us-east-1a  |
      |  subnet-018e3b5b3ec930ccb |  us-east-1b  |
      |  subnet-074cebd1b78c50066 |  us-east-1a  |
      +---------------------------+--------------+
      
    2. Ensure that the subnets in the above list do not all belong to the same availability zone, that is, the second column refers to at least two AZs across all subnets.

    1. List the given subnets:

      root@rok-tools:~# aws ec2 describe-subnets \
      >    --subnet-ids ${EKS_CLUSTER_SUBNETS?} \
      >    --filter Name=vpc-id,Values=${VPCID?} \
      >    --query 'Subnets[].[SubnetId,AvailabilityZone]' \
      >    --output table
      --------------------------------------------
      |             DescribeSubnets              |
      +---------------------------+--------------+
      |  subnet-0b936cdc4fae6862a |  us-east-1a  |
      |  subnet-0110cc3509ed64a7e |  us-east-1b  |
      |  subnet-018e3b5b3ec930ccb |  us-east-1c  |
      +---------------------------+--------------+
      
    2. Ensure that the subnets in the above list do not all belong to the same availability zone, that is, the second column refers to at least two AZs across all subnets.

  6. Verify the subnets that the EKS node group will use. Choose based on your VPC configuration.

    1. List the given subnets:

      root@rok-tools:~# aws ec2 describe-subnets \
      >     --subnet-ids ${EKS_NODEGROUP_SUBNETS?} \
      >     --query 'Subnets[].[SubnetId,AvailabilityZone,MapPublicIpOnLaunch]' \
      >     --output table
      -----------------------------------------------------
      |                   DescribeSubnets                 |
      +---------------------------+--------------+--------+
      |  subnet-0110cc3509ed64a7e |  us-east-1a  |  True  |
      +---------------------------+--------------+--------+
      
    2. Ensure that the subnets in the above list all belong to the same availability zone, that is, the second column refers to a single AZ across all subnets.

    3. Ensure that the subnets in the list auto-assign public IP addresses, that is, the third column shows the value True for every single row.

    4. Ensure that the subnets in the list above are public.To do that, repeat steps 1-8 below for each one of the subnets in the list.

      1. Pick a subnet from the list:

        root@rok-tools:~# export SUBNET=<SUBNET>
        
      2. Find the internet gateway associated with the VPC:

        root@rok-tools:~# IGW=$(aws ec2 describe-internet-gateways \
        >     --filters Name=attachment.vpc-id,Values=${VPCID?} \
        >     --query InternetGateways[].InternetGatewayId \
        >     --output text)
        
      3. Find the main route table of the VPC:

        root@rok-tools:~# MRTB=$(aws ec2 describe-route-tables \
        >     --filters Name=vpc-id,Values=${VPCID?} \
        >               Name=association.main,Values=true \
        >     --query RouteTables[].RouteTableId \
        >     --output text)
        
      4. Check if the main route table of the VPC has a default route to the internet gateway of the VPC:

        root@rok-tools:~# MRTBP=$(aws ec2 describe-route-tables \
        >     --filters Name=route-table-id,Values=${MRTB} \
        >               Name=route.destination-cidr-block,Values=0.0.0.0/0 \
        >               Name=route.gateway-id,Values=${IGW} \
        >     --query RouteTables[].RouteTableId \
        >     --output text)
        
      5. Find the route table that the subnet is explicitly associated with:

        root@rok-tools:~# RTB=$(aws ec2 describe-route-tables \
        >     --filters Name=vpc-id,Values=${VPCID?} \
        >               Name=association.subnet-id,Values=${SUBNET?} \
        >     --query RouteTables[].RouteTableId \
        >     --output text)
        
      6. Check if the route table (if any) has a default route to the internet gateway of the VPC:

        root@rok-tools:~# RTBP=$(aws ec2 describe-route-tables \
        >     --filters Name=route-table-id,Values=${RTB} \
        >               Name=route.destination-cidr-block,Values=0.0.0.0/0 \
        >               Name=route.gateway-id,Values=${IGW} \
        >     --query RouteTables[].RouteTableId \
        >     --output text)
        
      7. Ensure that the subnet is public:

        root@rok-tools:~# [[ "${RTB}" ]] && [[ "${RTBP}" ]] && echo public
        root@rok-tools:~# [[ ! "${RTB}" ]] && [[ "${MRTBP}" ]] && echo public
        
      8. Go back to step 1, and repeat the steps for the remaining subnets.

    1. List the given subnets:

      root@rok-tools:~# aws ec2 describe-subnets \
      >     --subnet-ids ${EKS_NODEGROUP_SUBNETS?} \
      >     --query 'Subnets[].[SubnetId,AvailabilityZone,MapPublicIpOnLaunch]' \
      >     --output table
      -----------------------------------------------------
      |                   DescribeSubnets                 |
      +---------------------------+--------------+--------+
      |  subnet-0110cc3509ed64a7e |  us-east-1a  |  False |
      +---------------------------+--------------+--------+
      
    2. Ensure that the subnets in the above list all belong to the same availability zone, that is, the second column refers to a single AZ across all subnets.

    3. Ensure that the subnets in the list above are private. To do that, repeat steps 1-8 below for each one of the subnets in the list.

      1. Pick a subnet from the list:

        root@rok-tools:~# export SUBNET=<SUBNET>
        
      2. Find the internet gateway associated with the VPC:

        root@rok-tools:~# IGW=$(aws ec2 describe-internet-gateways \
        >     --filters Name=attachment.vpc-id,Values=${VPCID?} \
        >     --query InternetGateways[].InternetGatewayId \
        >     --output text)
        
      3. Find the main route table of the VPC:

        root@rok-tools:~# MRTB=$(aws ec2 describe-route-tables \
        >     --filters Name=vpc-id,Values=${VPCID?} \
        >               Name=association.main,Values=true \
        >     --query RouteTables[].RouteTableId \
        >     --output text)
        
      4. Check if the main route table of the VPC has a default route to the internet gateway of the VPC:

        root@rok-tools:~# MRTBP=$(aws ec2 describe-route-tables \
        >     --filters Name=route-table-id,Values=${MRTB} \
        >               Name=route.destination-cidr-block,Values=0.0.0.0/0 \
        >               Name=route.gateway-id,Values=${IGW} \
        >     --query RouteTables[].RouteTableId \
        >     --output text)
        
      5. Find the route table that the subnet is explicitly associated with:

        root@rok-tools:~# RTB=$(aws ec2 describe-route-tables \
        >     --filters Name=vpc-id,Values=${VPCID?} \
        >               Name=association.subnet-id,Values=${SUBNET?} \
        >     --query RouteTables[].RouteTableId \
        >     --output text)
        
      6. Check if the route table (if any) has a default route to the internet gateway of the VPC:

        root@rok-tools:~# RTBP=$(aws ec2 describe-route-tables \
        >     --filters Name=route-table-id,Values=${RTB} \
        >               Name=route.destination-cidr-block,Values=0.0.0.0/0 \
        >               Name=route.gateway-id,Values=${IGW} \
        >     --query RouteTables[].RouteTableId \
        >     --output text)
        
      7. Ensure that the subnet is private:

        root@rok-tools:~# [[ "${RTB}" ]] && [[ ! "${RTBP}" ]] && echo private
        root@rok-tools:~# [[ ! "${RTB}" ]] && [[ ! "${MRTBP}" ]] && echo private
        
      8. Go back to step 1, and repeat the steps for the remaining subnets.

    1. List the given subnets:

      root@rok-tools:~# aws ec2 describe-subnets \
      >     --subnet-ids ${EKS_NODEGROUP_SUBNETS?} \
      >     --query 'Subnets[].[SubnetId,AvailabilityZone,MapPublicIpOnLaunch]' \
      >     --output table
      -----------------------------------------------------
      |                   DescribeSubnets                 |
      +---------------------------+--------------+--------+
      |  subnet-0110cc3509ed64a7e |  us-east-1a  |  False |
      +---------------------------+--------------+--------+
      
    2. Ensure that the subnets in the above list all belong to the same availability zone, that is, the second column refers to a single AZ across all subnets.

    3. Ensure that the subnets in the list above are private. To do that, repeat steps 1-8 below for each one of the subnets in the list.

      1. Pick a subnet from the list:

        root@rok-tools:~# export SUBNET=<SUBNET>
        
      2. Find the internet gateway associated with the VPC:

        root@rok-tools:~# IGW=$(aws ec2 describe-internet-gateways \
        >     --filters Name=attachment.vpc-id,Values=${VPCID?} \
        >     --query InternetGateways[].InternetGatewayId \
        >     --output text)
        
      3. Find the main route table of the VPC:

        root@rok-tools:~# MRTB=$(aws ec2 describe-route-tables \
        >     --filters Name=vpc-id,Values=${VPCID?} \
        >               Name=association.main,Values=true \
        >     --query RouteTables[].RouteTableId \
        >     --output text)
        
      4. Check if the main route table of the VPC has a default route to the internet gateway of the VPC:

        root@rok-tools:~# MRTBP=$(aws ec2 describe-route-tables \
        >     --filters Name=route-table-id,Values=${MRTB} \
        >               Name=route.destination-cidr-block,Values=0.0.0.0/0 \
        >               Name=route.gateway-id,Values=${IGW} \
        >     --query RouteTables[].RouteTableId \
        >     --output text)
        
      5. Find the route table that the subnet is explicitly associated with:

        root@rok-tools:~# RTB=$(aws ec2 describe-route-tables \
        >     --filters Name=vpc-id,Values=${VPCID?} \
        >               Name=association.subnet-id,Values=${SUBNET?} \
        >     --query RouteTables[].RouteTableId \
        >     --output text)
        
      6. Check if the route table (if any) has a default route to the internet gateway of the VPC:

        root@rok-tools:~# RTBP=$(aws ec2 describe-route-tables \
        >     --filters Name=route-table-id,Values=${RTB} \
        >               Name=route.destination-cidr-block,Values=0.0.0.0/0 \
        >               Name=route.gateway-id,Values=${IGW} \
        >     --query RouteTables[].RouteTableId \
        >     --output text)
        
      7. Ensure that the subnet is private:

        root@rok-tools:~# [[ "${RTB}" ]] && [[ ! "${RTBP}" ]] && echo private
        root@rok-tools:~# [[ ! "${RTB}" ]] && [[ ! "${MRTBP}" ]] && echo private
        
      8. Go back to step 1, and repeat the steps for the remaining subnets.

  7. Verify the subnets that internet-facing Load Balancers will use. Choose based on your VPC configuration.

    1. List the given subnets:

      root@rok-tools:~# aws ec2 describe-subnets \
      >    --subnet-ids ${ELB_SUBNETS?} \
      >    --filter Name=vpc-id,Values=${VPCID?} \
      >    --query 'Subnets[].[SubnetId,AvailabilityZone,Tags[?Key==`kubernetes.io/role/elb`]|[0].Value]' \
      >    --output table
      --------------------------------------------------
      |                  DescribeSubnets               |
      +---------------------------+--------------+-----+
      |  subnet-018e3b5b3ec930ccb |  us-east-1a  |  1  |
      |  subnet-074cebd1b78c50066 |  us-east-1b  |  1  |
      |  subnet-018e3b5b3ec930ccb |  us-east-1c  |  1  |
      +---------------------------+--------------+-----+
      
    2. Ensure that the subnets in the above list do not all belong to the same availability zone, that is, the second column refers to at least two AZs across all subnets.

    3. Ensure that the subnets in the list have the kubernetes.io/role/elb tag set, that is, the third column shows the value 1 for every single row.

    4. Ensure that the subnets in the list above are public. To do that, repeat steps 1-8 below for each one of the subnets in the list.

      1. Pick a subnet from the list:

        root@rok-tools:~# export SUBNET=<SUBNET>
        
      2. Find the internet gateway associated with the VPC:

        root@rok-tools:~# IGW=$(aws ec2 describe-internet-gateways \
        >     --filters Name=attachment.vpc-id,Values=${VPCID?} \
        >     --query InternetGateways[].InternetGatewayId \
        >     --output text)
        
      3. Find the main route table of the VPC:

        root@rok-tools:~# MRTB=$(aws ec2 describe-route-tables \
        >     --filters Name=vpc-id,Values=${VPCID?} \
        >               Name=association.main,Values=true \
        >     --query RouteTables[].RouteTableId \
        >     --output text)
        
      4. Check if the main route table of the VPC has a default route to the internet gateway of the VPC:

        root@rok-tools:~# MRTBP=$(aws ec2 describe-route-tables \
        >     --filters Name=route-table-id,Values=${MRTB} \
        >               Name=route.destination-cidr-block,Values=0.0.0.0/0 \
        >               Name=route.gateway-id,Values=${IGW} \
        >     --query RouteTables[].RouteTableId \
        >     --output text)
        
      5. Find the route table that the subnet is explicitly associated with:

        root@rok-tools:~# RTB=$(aws ec2 describe-route-tables \
        >     --filters Name=vpc-id,Values=${VPCID?} \
        >               Name=association.subnet-id,Values=${SUBNET?} \
        >     --query RouteTables[].RouteTableId \
        >     --output text)
        
      6. Check if the route table (if any) has a default route to the internet gateway of the VPC:

        root@rok-tools:~# RTBP=$(aws ec2 describe-route-tables \
        >     --filters Name=route-table-id,Values=${RTB} \
        >               Name=route.destination-cidr-block,Values=0.0.0.0/0 \
        >               Name=route.gateway-id,Values=${IGW} \
        >     --query RouteTables[].RouteTableId \
        >     --output text)
        
      7. Ensure that the subnet is public:

        root@rok-tools:~# [[ "${RTB}" ]] && [[ "${RTBP}" ]] && echo public
        root@rok-tools:~# [[ ! "${RTB}" ]] && [[ "${MRTBP}" ]] && echo public
        
      8. Go back to step 1, and repeat the steps for the remaining subnets.

    1. List the given subnets:

      root@rok-tools:~# aws ec2 describe-subnets \
      >    --subnet-ids ${ELB_SUBNETS?} \
      >    --filter Name=vpc-id,Values=${VPCID?} \
      >    --query 'Subnets[].[SubnetId,AvailabilityZone,Tags[?Key==`kubernetes.io/role/elb`]|[0].Value]' \
      >    --output table
      --------------------------------------------------
      |                  DescribeSubnets               |
      +---------------------------+--------------+-----+
      |  subnet-018e3b5b3ec930ccb |  us-east-1a  |  1  |
      |  subnet-074cebd1b78c50066 |  us-east-1b  |  1  |
      +---------------------------+--------------+-----+
      
    2. Ensure that the subnets in the above list do not all belong to the same availability zone, that is, the second column refers to at least two AZs across all subnets.

    3. Ensure that the subnets in the list have the kubernetes.io/role/elb tag set, that is, the third column shows the value 1 for every single row.

    4. Ensure that the subnets in the list above are public. To do that, repeat steps 1-8 below for each one of the subnets in the list.

      1. Pick a subnet from the list:

        root@rok-tools:~# export SUBNET=<SUBNET>
        
      2. Find the internet gateway associated with the VPC:

        root@rok-tools:~# IGW=$(aws ec2 describe-internet-gateways \
        >     --filters Name=attachment.vpc-id,Values=${VPCID?} \
        >     --query InternetGateways[].InternetGatewayId \
        >     --output text)
        
      3. Find the main route table of the VPC:

        root@rok-tools:~# MRTB=$(aws ec2 describe-route-tables \
        >     --filters Name=vpc-id,Values=${VPCID?} \
        >               Name=association.main,Values=true \
        >     --query RouteTables[].RouteTableId \
        >     --output text)
        
      4. Check if the main route table of the VPC has a default route to the internet gateway of the VPC:

        root@rok-tools:~# MRTBP=$(aws ec2 describe-route-tables \
        >     --filters Name=route-table-id,Values=${MRTB} \
        >               Name=route.destination-cidr-block,Values=0.0.0.0/0 \
        >               Name=route.gateway-id,Values=${IGW} \
        >     --query RouteTables[].RouteTableId \
        >     --output text)
        
      5. Find the route table that the subnet is explicitly associated with:

        root@rok-tools:~# RTB=$(aws ec2 describe-route-tables \
        >     --filters Name=vpc-id,Values=${VPCID?} \
        >               Name=association.subnet-id,Values=${SUBNET?} \
        >     --query RouteTables[].RouteTableId \
        >     --output text)
        
      6. Check if the route table (if any) has a default route to the internet gateway of the VPC:

        root@rok-tools:~# RTBP=$(aws ec2 describe-route-tables \
        >     --filters Name=route-table-id,Values=${RTB} \
        >               Name=route.destination-cidr-block,Values=0.0.0.0/0 \
        >               Name=route.gateway-id,Values=${IGW} \
        >     --query RouteTables[].RouteTableId \
        >     --output text)
        
      7. Ensure that the subnet is public:

        root@rok-tools:~# [[ "${RTB}" ]] && [[ "${RTBP}" ]] && echo public
        root@rok-tools:~# [[ ! "${RTB}" ]] && [[ "${MRTBP}" ]] && echo public
        
      8. Go back to step 1, and repeat the steps for the remaining subnets.

    You will not use an internet-facing Load Balancer so skip this check.

  8. Verify the subnets that internal Load Balancers will use. Choose based on your VPC configuration.

    You will not use an internal Load Balancer so skip this check.

    You will not use an internal Load Balancer so skip this check.

    1. List the given subnets:

      root@rok-tools:~# aws ec2 describe-subnets \
      >    --subnet-ids ${INTERNAL_ELB_SUBNETS?} \
      >    --filter Name=vpc-id,Values=${VPCID?} \
      >    --query 'Subnets[].[SubnetId,AvailabilityZone,Tags[?Key==`kubernetes.io/role/internal-elb`]|[0].Value]' \
      >    --output table
      --------------------------------------------------
      |                DescribeSubnets                 |
      +---------------------------+--------------+-----+
      |  subnet-0b936cdc4fae6862a |  us-east-1b  |  1  |
      |  subnet-0110cc3509ed64a7e |  us-east-1a  |  1  |
      +---------------------------+--------------+-----+
      
    2. Ensure that the subnets in the above list do not all belong to the same availability zone, that is, the second column refers to at least two AZs across all subnets.

    3. Ensure that the subnets in the list have the kubernetes.io/role/internal-elb tag set, that is, the third column shows the value 1 for every single row.

    4. Ensure that the subnets in the list above are private. To do that, repeat steps 1-8 below for each one of the subnets in the list.

      1. Pick a subnet from the list:

        root@rok-tools:~# export SUBNET=<SUBNET>
        
      2. Find the internet gateway associated with the VPC:

        root@rok-tools:~# IGW=$(aws ec2 describe-internet-gateways \
        >     --filters Name=attachment.vpc-id,Values=${VPCID?} \
        >     --query InternetGateways[].InternetGatewayId \
        >     --output text)
        
      3. Find the main route table of the VPC:

        root@rok-tools:~# MRTB=$(aws ec2 describe-route-tables \
        >     --filters Name=vpc-id,Values=${VPCID?} \
        >               Name=association.main,Values=true \
        >     --query RouteTables[].RouteTableId \
        >     --output text)
        
      4. Check if the main route table of the VPC has a default route to the internet gateway of the VPC:

        root@rok-tools:~# MRTBP=$(aws ec2 describe-route-tables \
        >     --filters Name=route-table-id,Values=${MRTB} \
        >               Name=route.destination-cidr-block,Values=0.0.0.0/0 \
        >               Name=route.gateway-id,Values=${IGW} \
        >     --query RouteTables[].RouteTableId \
        >     --output text)
        
      5. Find the route table that the subnet is explicitly associated with:

        root@rok-tools:~# RTB=$(aws ec2 describe-route-tables \
        >     --filters Name=vpc-id,Values=${VPCID?} \
        >               Name=association.subnet-id,Values=${SUBNET?} \
        >     --query RouteTables[].RouteTableId \
        >     --output text)
        
      6. Check if the route table (if any) has a default route to the internet gateway of the VPC:

        root@rok-tools:~# RTBP=$(aws ec2 describe-route-tables \
        >     --filters Name=route-table-id,Values=${RTB} \
        >               Name=route.destination-cidr-block,Values=0.0.0.0/0 \
        >               Name=route.gateway-id,Values=${IGW} \
        >     --query RouteTables[].RouteTableId \
        >     --output text)
        
      7. Ensure that the subnet is private:

        root@rok-tools:~# [[ "${RTB}" ]] && [[ ! "${RTBP}" ]] && echo private
        root@rok-tools:~# [[ ! "${RTB}" ]] && [[ ! "${MRTBP}" ]] && echo private
        
      8. Go back to step 1, and repeat the steps for the remaining subnets.

Summary

You have successfully created a VPC to host your Arrikto EKF deployment.

What’s Next

The next steps is to create a Kubernetes cluster.