Configure Subnets

This section will guide you through selecting and configuring the subnets that you want to use. You will export a list of public subnets and a list of private subnets, then validate them and tag them properly.

Choose one of the following options to configure your subnets:

Option 1: Configure Subnets Automatically (preferred)

Configure your subnets by following the on-screen instructions on the rok-deploy user interface.

If rok-deploy is not already running, start it with:

root@rok-tools:~# rok-deploy --run-from aws-subnets
../../../_images/aws-subnets.png

Proceed to the Summary section.

Option 2: Configure Subnets Manually

If you want to configure your subnets manually, follow the instructions below.

Procedure

  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:~# cd ~/ops/deployments
  2. Restore the required context from previous sections:

    root@rok-tools:~/ops/deployments# source <(cat deploy/env.aws-vpc)
    root@rok-tools:~/ops/deployments# export AWS_VPC_ID
  3. List the subnets of the VPC. Choose one of the following options based on your VPC configuration.

    root@rok-tools:~/ops/deployments# aws ec2 describe-subnets \ > --filter Name=vpc-id,Values=${AWS_VPC_ID?} \ > --query 'Subnets[].[SubnetId,AvailabilityZone,Tags[?Key==`Name`]|[0].Value]' \ > --output table --------------------------------------------------------------------------- | DescribeSubnets | +---------------------------+-------------+-------------------------------+ | subnet-05d5dd6c1087562f4 | us-east-1a | arrikto-cluster-vpc-Subnet01 | | subnet-0e19732eab4a56996 | us-east-1b | arrikto-cluster-vpc-Subnet02 | | subnet-0f3015565344174bd | us-east-1c | arrikto-cluster-vpc-Subnet03 | +---------------------------+-------------+-------------------------------+
    root@rok-tools:~/ops/deployments# aws ec2 describe-subnets \ > --filter Name=vpc-id,Values=${AWS_VPC_ID?} \ > --query 'Subnets[].[SubnetId,AvailabilityZone,Tags[?Key==`Name`]|[0].Value]' \ > --output table ---------------------------------------------------------------------------------- | DescribeSubnets | +---------------------------+-------------+--------------------------------------+ | subnet-0b936cdc4fae6862a | us-east-1a | arrikto-cluster-vpc-PublicSubnet01 | | subnet-0110cc3509ed64a7e | us-east-1b | arrikto-cluster-vpc-PublicSubnet02 | | subnet-018e3b5b3ec930ccb | us-east-1a | arrikto-cluster-vpc-PrivateSubnet01 | | subnet-074cebd1b78c50066 | us-east-1b | arrikto-cluster-vpc-PrivateSubnet02 | +---------------------------+-------------+--------------------------------------+
    root@rok-tools:~/ops/deployments# aws ec2 describe-subnets \ > --filter Name=vpc-id,Values=${AWS_VPC_ID?} \ > --query 'Subnets[].[SubnetId,AvailabilityZone,Tags[?Key==`Name`]|[0].Value]' \ > --output table ---------------------------------------------------------------------------------- | DescribeSubnets | +---------------------------+-------------+--------------------------------------+ | subnet-0866acfa93f46334c | us-east-1a | arrikto-cluster-vpc-PrivateSubnet01 | | subnet-05bb5faadcdea51cc | us-east-1b | arrikto-cluster-vpc-PrivateSubnet02 | | subnet-0d16fc5ab97eb48e8 | us-east-1c | arrikto-cluster-vpc-PrivateSubnet03 | +---------------------------+-------------+--------------------------------------+
  4. Select the VPC subnets that you will use. You will be able to only choose among the selected subnets to configure your EKS cluster and load balancers in later guides. The subnets should reside within at least two availability zones:

    root@rok-tools:~/ops/deployments# AWS_SUBNETS=$(aws ec2 describe-subnets \ > --filter Name=vpc-id,Values=${AWS_VPC_ID?} \ > --query 'Subnets[].[SubnetId]' \ > --output text) && echo ${AWS_SUBNETS?} subnet-0b936cdc4fae6862a subnet-0110cc3509ed64a7e subnet-018e3b5b3ec930ccb subnet-074cebd1b78c50066

    Note

    Advanced Networking: We recommend you use all the available subnets. However, if you have specific networking requirements, you can explicitly specify a subset of them with:

    root@rok-tools:~/ops/deployments# AWS_SUBNETS="<SUBNET1> <SUBNET2>"
  5. Find the internet gateway associated with the VPC:

    root@rok-tools:~/ops/deployments# IGW=$(aws ec2 describe-internet-gateways \ > --filters Name=attachment.vpc-id,Values=${AWS_VPC_ID?} \ > --query InternetGateways[].InternetGatewayId \ > --output text)
  6. Find the main route table of the VPC:

    root@rok-tools:~/ops/deployments# MRTB=$(aws ec2 describe-route-tables \ > --filters Name=vpc-id,Values=${AWS_VPC_ID?} \ > Name=association.main,Values=true \ > --query RouteTables[].RouteTableId \ > --output text)
  7. Check if the main route table of the VPC has a default route to the internet gateway of the VPC:

    root@rok-tools:~/ops/deployments# MRTBP=$(aws ec2 describe-route-tables \ > --filters Name=route-table-id,Values=${MRTB} \ > Name=route.destination-cidr-block,Values=0.0.0.0/0 \ > Name=route.gateway-id,Values=${IGW} \ > --query RouteTables[].RouteTableId \ > --output text)
  8. Identify the public and private subnets of the VPC. The public subnets are the ones whose associated route table has a default route to an internet gateway. The private subnets are the ones that are not public.

    Declare the variables for holding public and private subnets:

    root@rok-tools:~/ops/deployments# export AWS_SUBNETS_PUBLIC="" root@rok-tools:~/ops/deployments# export AWS_SUBNETS_PRIVATE=""

    Repeat steps a-h below for each one of the subnets in the list shown in step 4.

    1. Pick a subnet from the AWS_SUBNETS list of step 4:

      root@rok-tools:~/ops/deployments# SUBNET=<SUBNET>
    2. Find the route table that the subnet is explicitly associated with:

      root@rok-tools:~/ops/deployments# RTB=$(aws ec2 describe-route-tables \ > --filters Name=vpc-id,Values=${AWS_VPC_ID?} \ > Name=association.subnet-id,Values=${SUBNET?} \ > --query RouteTables[].RouteTableId \ > --output text)
    3. Check if the route table (if any) has a default route to the internet gateway of the VPC:

      root@rok-tools:~/ops/deployments# RTBP=$(aws ec2 describe-route-tables \ > --filters Name=route-table-id,Values=${RTB} \ > Name=route.destination-cidr-block,Values=0.0.0.0/0 \ > Name=route.gateway-id,Values=${IGW} \ > --query RouteTables[].RouteTableId \ > --output text)
    4. Decide whether the subnet is public or private:

      root@rok-tools:~/ops/deployments# [[ ( "${RTB}" && "${RTBP}" ) || ( ! "${RTB}" && "${MRTBP}" ) ]] \ > && IS_PUBLIC=true || IS_PUBLIC=false
    5. Append the subnet to the corresponding list:

      root@rok-tools:~/ops/deployments# $IS_PUBLIC && AWS_SUBNETS_PUBLIC+="${SUBNET?} " root@rok-tools:~/ops/deployments# ! $IS_PUBLIC && AWS_SUBNETS_PRIVATE+="${SUBNET?} "
    6. Format the corresponding load balacner tag for the subnet:

      root@rok-tools:~/ops/deployments# $IS_PUBLIC && TAG_KEY="kubernetes.io/role/elb" root@rok-tools:~/ops/deployments# ! $IS_PUBLIC && TAG_KEY="kubernetes.io/role/internal-elb"
    7. Tag the subnet so that it can later be used from a load balancer:

      root@rok-tools:~/ops/deployments# aws ec2 create-tags \ > --resources ${SUBNET?} \ > --tags Key="${TAG_KEY?}",Value="1"
    8. Go back to step a, and repeat the steps for the remaining subnets.

  9. Export the variables holding the public and private subnets:

    root@rok-tools:~/ops/deployments# export AWS_SUBNETS_PUBLIC="${AWS_SUBNETS_PUBLIC% }" root@rok-tools:~/ops/deployments# export AWS_SUBNETS_PRIVATE="${AWS_SUBNETS_PRIVATE% }"
  10. Save your state:

    root@rok-tools:~/ops/deployments# rok-j2 deploy/env.aws-subnets.j2 \ > -o deploy/env.aws-subnets
  11. Commit your changes:

    root@rok-tools:~/ops/deployments# git commit -am "Configure Subnets on AWS"
  12. Mark your progress:

    root@rok-tools:~/ops/deployments# export DATE=$(date -u "+%Y-%m-%dT%H.%M.%SZ")
    root@rok-tools:~/ops/deployments# git tag \ > -a deploy/${DATE?}/release-2.0/aws-subnets \ > -m "Configure Subnets on AWS"

Verify

  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:~# cd ~/ops/deployments
  2. Restore the required context from previous sections:

    root@rok-tools:~/ops/deployments# source <(cat deploy/env.{aws-vpc,aws-subnets})
    root@rok-tools:~/ops/deployments# export AWS_VPC_ID AWS_SUBNETS_PUBLIC AWS_SUBNETS_PRIVATE
  3. Find the internet gateway associated with the VPC:

    root@rok-tools:~/ops/deployments# IGW=$(aws ec2 describe-internet-gateways \ > --filters Name=attachment.vpc-id,Values=${AWS_VPC_ID?} \ > --query InternetGateways[].InternetGatewayId \ > --output text)
  4. Find the main route table of the VPC:

    root@rok-tools:~/ops/deployments# MRTB=$(aws ec2 describe-route-tables \ > --filters Name=vpc-id,Values=${AWS_VPC_ID?} \ > Name=association.main,Values=true \ > --query RouteTables[].RouteTableId \ > --output text)
  5. Check if the main route table of the VPC has a default route to the internet gateway of the VPC:

    root@rok-tools:~/ops/deployments# MRTBP=$(aws ec2 describe-route-tables \ > --filters Name=route-table-id,Values=${MRTB} \ > Name=route.destination-cidr-block,Values=0.0.0.0/0 \ > Name=route.gateway-id,Values=${IGW} \ > --query RouteTables[].RouteTableId \ > --output text)
  6. Ensure that the subnets in the AWS_SUBNETS_PUBLIC list are public and properly tagged.

    List the public subnets:

    root@rok-tools:~/ops/deployments# echo ${AWS_SUBNETS_PUBLIC?} subnet-0b936cdc4fae6862a subnet-0110cc3509ed64a7e

    Repeat steps a-f below for each one of the subnets in the list.

    1. Pick a subnet from the list:

      root@rok-tools:~/ops/deployments# SUBNET=<SUBNET>
    2. Find the route table that the subnet is explicitly associated with:

      root@rok-tools:~/ops/deployments# RTB=$(aws ec2 describe-route-tables \ > --filters Name=vpc-id,Values=${AWS_VPC_ID?} \ > Name=association.subnet-id,Values=${SUBNET?} \ > --query RouteTables[].RouteTableId \ > --output text)
    3. Check if the route table (if any) has a default route to the internet gateway of the VPC:

      root@rok-tools:~/ops/deployments# RTBP=$(aws ec2 describe-route-tables \ > --filters Name=route-table-id,Values=${RTB} \ > Name=route.destination-cidr-block,Values=0.0.0.0/0 \ > Name=route.gateway-id,Values=${IGW} \ > --query RouteTables[].RouteTableId \ > --output text)
    4. Ensure that the subnet is public:

      root@rok-tools:~/ops/deployments# [[ ( "${RTB}" && "${RTBP}" ) || \ > ( ! "${RTB}" && "${MRTBP}" ) ]] && echo OK OK
    5. Ensure that the subnet is correctly tagged:

      root@rok-tools:~/ops/deployments# aws ec2 describe-subnets --subnet-id ${SUBNET?} \ > --filters=Name="tag:kubernetes.io/role/elb",Values="1" \ > --query "Subnets[].SubnetId" --output text \ > | grep -q ${SUBNET?} && echo OK OK
    6. Go back to step a, and repeat the steps for the remaining subnets.

  7. Ensure that the subnets in the AWS_SUBNETS_PRIVATE list are private and properly tagged.

    List the private subnets:

    root@rok-tools:~/ops/deployments# echo ${AWS_SUBNETS_PRIVATE?} subnet-018e3b5b3ec930ccb subnet-074cebd1b78c50066

    Repeat steps a-f below for each one of the subnets in the list.

    1. Pick a subnet from the list:

      root@rok-tools:~/ops/deployments# SUBNET=<SUBNET>
    2. Find the route table that the subnet is explicitly associated with:

      root@rok-tools:~/ops/deployments# RTB=$(aws ec2 describe-route-tables \ > --filters Name=vpc-id,Values=${AWS_VPC_ID?} \ > Name=association.subnet-id,Values=${SUBNET?} \ > --query RouteTables[].RouteTableId \ > --output text)
    3. Check if the route table (if any) has a default route to the internet gateway of the VPC:

      root@rok-tools:~/ops/deployments# RTBP=$(aws ec2 describe-route-tables \ > --filters Name=route-table-id,Values=${RTB} \ > Name=route.destination-cidr-block,Values=0.0.0.0/0 \ > Name=route.gateway-id,Values=${IGW} \ > --query RouteTables[].RouteTableId \ > --output text)
    4. Ensure that the subnet is private:

      root@rok-tools:~/ops/deployments# [[ ( "${RTB}" && ! "${RTBP}" ) || \ > ( ! "${RTB}" && ! "${MRTBP}" ) ]] && echo OK OK
    5. Ensure that the subnet is correctly tagged:

      root@rok-tools:~/ops/deployments# aws ec2 describe-subnets --subnet-id ${SUBNET?} \ > --filters=Name="tag:kubernetes.io/role/internal-elb",Values="1" \ > --query "Subnets[].SubnetId" --output text \ > | grep -q ${SUBNET?} && echo OK OK
    6. Go back to step a, and repeat the steps for the remaining subnets.

  8. Ensure that the public and private subnets accumulatively reside within at least two availability zones, that is the second column refers to at least two AZs across all subnets:

    root@rok-tools:~/ops/deployments# aws ec2 describe-subnets \ > --subnet-ids ${AWS_SUBNETS_PUBLIC?} ${AWS_SUBNETS_PRIVATE?} \ > --query 'Subnets[].[SubnetId,AvailabilityZone]' \ > --output table -------------------------------------------- | DescribeSubnets | +---------------------------+--------------+ | subnet-0b936cdc4fae6862a | us-east-1a | | subnet-0110cc3509ed64a7e | us-east-1b | | subnet-018e3b5b3ec930ccb | us-east-1a | | subnet-074cebd1b78c50066 | us-east-1b | +---------------------------+--------------+
  9. Ensure that the public subnets auto-assign IP addresses, that is, all values of the third column are equal to True:

    root@rok-tools:~/ops/deployments# aws ec2 describe-subnets \ > --subnet-ids ${AWS_SUBNETS_PUBLIC?} \ > --query 'Subnets[].[SubnetId,MapPublicIpOnLaunch]' \ > --output table ---------------------------------------------------- | DescribeSubnets | +---------------------------+--------------+-------+ | subnet-0b936cdc4fae6862a | us-east-1a | True | | subnet-0110cc3509ed64a7e | us-east-1b | True | +---------------------------+--------------+-------+

Summary

You have successfully configured the subnets of your VPC.

What’s Next

The next steps is to create a Kubernetes cluster.