Identify Outbound IP Addresses on EKS

This section walks you through identifying the IP addresses that applications running on your EKS cluster use for outbound connections.

What You’ll Need

Procedure

  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:~# cd ~/ops/deployments

  2. Restore the required context from previous sections:

    root@rok-tools:~/ops/deployments# source <(cat deploy/env.{aws-vpc,eks-cluster})
    root@rok-tools:~/ops/deployments# export AWS_VPC_ID EKS_CLUSTER

  3. Find the public IPs of the NAT gateways of your VPC, if any:

    root@rok-tools:~/ops/deployments# aws ec2 describe-nat-gateways \
    >     --filter Name=vpc-id,Values=${AWS_VPC_ID?} \
    >     --query NatGateways[].NatGatewayAddresses[].[PublicIp] \
    >     --output text \
    >     | sed -e 's|$|/32|'
    198.51.100.1/32
    203.0.113.1/32

    Note

    If your apps are running on worker nodes on private subnets, they will use these IP addresses for outgoing connections. If you don’t modify your VPC configuration, the list above will remain the same.

    Note

    If your VPC configuration has only public subnets, there will be no NAT gateways and as such, the above command will have no output.

  4. Find the public IPs of the worker nodes of your EKS cluster, if any:

    root@rok-tools:~/ops/deployments# aws ec2 describe-instances \
    >     --filters Name=tag-key,Values=kubernetes.io/cluster/${EKS_CLUSTER?} \
    >     --query Reservations[].Instances[].[PublicIpAddress] \
    >     --output text \
    >     | grep -v None \
    >     | sed -e 's|$|/32|'
    198.51.100.100/32
    203.0.113.100/32

    Important

    If your apps are running on worker nodes on public subnets, they will use these IP addresses for outgoing connections. If your cluster scales up or down, you have to re-run this command, since the above list will change.

    Note

    If your worker nodes are running on private subnets, they will not have a public IP address and as such, the above command will have no output.
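
Because the worker node list in step 4 changes whenever the cluster scales, it helps to compare a fresh run against the list you last trusted. The following is an added example, not part of the original guide: the helper names `to_cidrs` and `allowlist_drift` are hypothetical, and the sample IPs are constructed. It normalizes the one-IP-per-line output of steps 3 and 4 and reports which CIDRs to add or remove.

```shell
#!/bin/sh
# Added example. All IP addresses are constructed documentation addresses.

# to_cidrs (hypothetical helper): read one value per line on stdin, as printed
# by the `--output text` commands in steps 3 and 4. Drops blank and "None"
# lines, rejects anything that is not a dotted-quad IPv4 address, and prints
# a sorted, de-duplicated list of /32 CIDRs.
to_cidrs() {
    awk '
        $1 == "" || $1 == "None" { next }
        {
            n = split($1, o, ".")
            ok = (n == 4)
            for (i = 1; ok && i <= 4; i++)
                ok = ((o[i] ~ /^[0-9]+$/) && length(o[i]) <= 3 && o[i] + 0 <= 255)
            if (ok) print $1 "/32"
            else print "skipping unexpected value: " $1 > "/dev/stderr"
        }' | LC_ALL=C sort -u
}

# allowlist_drift SAVED CURRENT (hypothetical helper): compare two
# newline-separated CIDR lists. Prints "+CIDR" for addresses in use but not
# yet trusted, and "-CIDR" for trusted addresses that are no longer in use.
allowlist_drift() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk '
        $0 == "---" { second = 1; next }
        $0 == ""    { next }
        !second     { saved[$0] = 1; next }
                    { current[$0] = 1 }
        END {
            for (c in current) if (!(c in saved))   print "+" c
            for (c in saved)   if (!(c in current)) print "-" c
        }' | LC_ALL=C sort
}

# Constructed sample: the list saved when the allowlist was configured, and
# the worker node IPs seen after the cluster replaced one node.
saved_allowlist=$(printf '198.51.100.1\n198.51.100.100\n203.0.113.100\n' | to_cidrs)
current_ips=$(printf '198.51.100.100\nNone\n203.0.113.101\n198.51.100.1\n' | to_cidrs)

allowlist_drift "$saved_allowlist" "$current_ips"
```

In real use, pipe the `aws ec2 describe-nat-gateways` and `aws ec2 describe-instances` output from steps 3 and 4 (without the `sed`) into `to_cidrs`. Remove `-` entries from the trusted list promptly, since a public IP released by a terminated node can later be assigned to another AWS customer.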

Summary

You have successfully identified the outbound IP addresses in your EKS cluster.

What’s Next

The next step is to configure your deployment to allow access from trusted CIDRs.