Configure Subnets¶
This section will guide you through selecting and configuring the subnets that you want to use. You will export a list of public subnets and a list of private subnets, then validate them and tag them properly.
Fast Forward
If you already have a list of public and a list of private subnets that you have tagged properly, expand this box to fast-forward.
Specify the list of the public subnets. Replace
<SUBNET>with the subnet ID of each of your public subnets:root@rok-tools:~# export AWS_SUBNETS_PUBLIC="<SUBNET1> <SUBNET2>"Specify the list of the private subnets. Replace
<SUBNET>with the subnet ID of each of your private subnets:root@rok-tools:~# export AWS_SUBNETS_PRIVATE="<SUBNET1> <SUBNET2>"Go to your GitOps repository, inside your
rok-toolsmanagement environment:root@rok-tools:~# cd ~/ops/deploymentsSave your state:
root@rok-tools:~/ops/deployments# j2 deploy/env.aws-subnets.j2 \ > -o deploy/env.aws-subnetsCommit your changes:
root@rok-tools:~/ops/deployments# git commit -am "Configure Subnets"Proceed to the Verify section.
Choose one of the following options to configure your subnets:
Overview
What You’ll Need¶
- A configured management environment.
- A VPC.
Option 1: Configure Subnets Automatically (preferred)¶
Configure your subnets by following the on-screen instructions on the
rok-deploy user interface.
If rok-deploy is not already running, start it with:
Proceed to the Summary section.
Option 2: Configure Subnets Manually¶
If you want to configure your subnets manually, follow the instructions below.
Procedure¶
Go to your GitOps repository, inside your
rok-toolsmanagement environment:root@rok-tools:~# cd ~/ops/deploymentsRestore the required context from previous sections:
root@rok-tools:~/ops/deployments# source <(cat deploy/env.aws-vpc)root@rok-tools:~/ops/deployments# export AWS_VPC_IDList the subnets of the VPC. Choose one of the following options based on your VPC configuration.
root@rok-tools:~/ops/deployments# aws ec2 describe-subnets \ > --filter Name=vpc-id,Values=${AWS_VPC_ID?} \ > --query 'Subnets[].[SubnetId,AvailabilityZone,Tags[?Key==`Name`]|[0].Value]' \ > --output table --------------------------------------------------------------------------- | DescribeSubnets | +---------------------------+-------------+-------------------------------+ | subnet-05d5dd6c1087562f4 | us-east-1a | arrikto-cluster-vpc-Subnet01 | | subnet-0e19732eab4a56996 | us-east-1b | arrikto-cluster-vpc-Subnet02 | | subnet-0f3015565344174bd | us-east-1c | arrikto-cluster-vpc-Subnet03 | +---------------------------+-------------+-------------------------------+root@rok-tools:~/ops/deployments# aws ec2 describe-subnets \ > --filter Name=vpc-id,Values=${AWS_VPC_ID?} \ > --query 'Subnets[].[SubnetId,AvailabilityZone,Tags[?Key==`Name`]|[0].Value]' \ > --output table ---------------------------------------------------------------------------------- | DescribeSubnets | +---------------------------+-------------+--------------------------------------+ | subnet-0b936cdc4fae6862a | us-east-1a | arrikto-cluster-vpc-PublicSubnet01 | | subnet-0110cc3509ed64a7e | us-east-1b | arrikto-cluster-vpc-PublicSubnet02 | | subnet-018e3b5b3ec930ccb | us-east-1a | arrikto-cluster-vpc-PrivateSubnet01 | | subnet-074cebd1b78c50066 | us-east-1b | arrikto-cluster-vpc-PrivateSubnet02 | +---------------------------+-------------+--------------------------------------+root@rok-tools:~/ops/deployments# aws ec2 describe-subnets \ > --filter Name=vpc-id,Values=${AWS_VPC_ID?} \ > --query 'Subnets[].[SubnetId,AvailabilityZone,Tags[?Key==`Name`]|[0].Value]' \ > --output table ---------------------------------------------------------------------------------- | DescribeSubnets | +---------------------------+-------------+--------------------------------------+ | subnet-0866acfa93f46334c | us-east-1a | arrikto-cluster-vpc-PrivateSubnet01 | | subnet-05bb5faadcdea51cc | us-east-1b | arrikto-cluster-vpc-PrivateSubnet02 | | subnet-0d16fc5ab97eb48e8 | us-east-1c | arrikto-cluster-vpc-PrivateSubnet03 | +---------------------------+-------------+--------------------------------------+Select the VPC subnets that you will use. You will be able to only choose among the selected subnets to configure your EKS cluster and load balancers in later guides. The subnets should reside within at least two availability zones:
root@rok-tools:~/ops/deployments# AWS_SUBNETS=$(aws ec2 describe-subnets \ > --filter Name=vpc-id,Values=${AWS_VPC_ID?} \ > --query 'Subnets[].[SubnetId]' \ > --output text) && echo ${AWS_SUBNETS?} subnet-0b936cdc4fae6862a subnet-0110cc3509ed64a7e subnet-018e3b5b3ec930ccb subnet-074cebd1b78c50066Note
Advanced Networking: We recommend you use all the available subnets. However, if you have specific networking requirements, you can explicitly specify a subset of them with:
root@rok-tools:~/ops/deployments# AWS_SUBNETS="<SUBNET1> <SUBNET2>"Find the internet gateway associated with the VPC:
root@rok-tools:~/ops/deployments# IGW=$(aws ec2 describe-internet-gateways \ > --filters Name=attachment.vpc-id,Values=${AWS_VPC_ID?} \ > --query InternetGateways[].InternetGatewayId \ > --output text)Find the main route table of the VPC:
root@rok-tools:~/ops/deployments# MRTB=$(aws ec2 describe-route-tables \ > --filters Name=vpc-id,Values=${AWS_VPC_ID?} \ > Name=association.main,Values=true \ > --query RouteTables[].RouteTableId \ > --output text)Check if the main route table of the VPC has a default route to the internet gateway of the VPC:
root@rok-tools:~/ops/deployments# MRTBP=$(aws ec2 describe-route-tables \ > --filters Name=route-table-id,Values=${MRTB} \ > Name=route.destination-cidr-block,Values=0.0.0.0/0 \ > Name=route.gateway-id,Values=${IGW} \ > --query RouteTables[].RouteTableId \ > --output text)Identify the public and private subnets of the VPC. The public subnets are the ones whose associated route table has a default route to an internet gateway. The private subnets are the ones that are not public.
Declare the variables for holding public and private subnets:
root@rok-tools:~/ops/deployments# export AWS_SUBNETS_PUBLIC="" root@rok-tools:~/ops/deployments# export AWS_SUBNETS_PRIVATE=""Repeat steps a-h below for each one of the subnets in the list shown in step 4.
Pick a subnet from the
AWS_SUBNETSlist of step 4:root@rok-tools:~/ops/deployments# SUBNET=<SUBNET>Find the route table that the subnet is explicitly associated with:
root@rok-tools:~/ops/deployments# RTB=$(aws ec2 describe-route-tables \ > --filters Name=vpc-id,Values=${AWS_VPC_ID?} \ > Name=association.subnet-id,Values=${SUBNET?} \ > --query RouteTables[].RouteTableId \ > --output text)Check if the route table (if any) has a default route to the internet gateway of the VPC:
root@rok-tools:~/ops/deployments# RTBP=$(aws ec2 describe-route-tables \ > --filters Name=route-table-id,Values=${RTB} \ > Name=route.destination-cidr-block,Values=0.0.0.0/0 \ > Name=route.gateway-id,Values=${IGW} \ > --query RouteTables[].RouteTableId \ > --output text)Decide whether the subnet is public or private:
root@rok-tools:~/ops/deployments# [[ ( "${RTB}" && "${RTBP}" ) || ( ! "${RTB}" && "${MRTBP}" ) ]] \ > && IS_PUBLIC=true || IS_PUBLIC=falseAppend the subnet to the corresponding list:
root@rok-tools:~/ops/deployments# $IS_PUBLIC && AWS_SUBNETS_PUBLIC+="${SUBNET?} " root@rok-tools:~/ops/deployments# ! $IS_PUBLIC && AWS_SUBNETS_PRIVATE+="${SUBNET?} "Format the corresponding load balacner tag for the subnet:
root@rok-tools:~/ops/deployments# $IS_PUBLIC && TAG_KEY="kubernetes.io/role/elb" root@rok-tools:~/ops/deployments# ! $IS_PUBLIC && TAG_KEY="kubernetes.io/role/internal-elb"Tag the subnet so that it can later be used from a load balancer:
root@rok-tools:~/ops/deployments# aws ec2 create-tags --resources ${SUBNET?} \ > --tags Key="${TAG_KEY?}",Value="1"Go back to step a, and repeat the steps for the remaining subnets.
Export the variables holding the public and private subnets:
root@rok-tools:~/ops/deployments# export AWS_SUBNETS_PUBLIC="${AWS_SUBNETS_PUBLIC% }" root@rok-tools:~/ops/deployments# export AWS_SUBNETS_PRIVATE="${AWS_SUBNETS_PRIVATE% }"Save your state:
root@rok-tools:~/ops/deployments# j2 deploy/env.aws-subnets.j2 \ > -o deploy/env.aws-subnetsCommit your changes:
root@rok-tools:~/ops/deployments# git commit -am "Configure Subnets"Mark your progress:
root@rok-tools:~/ops/deployments# DATE=$(date -u "+%Y-%m-%dT%H.%M.%SZ")root@rok-tools:~/ops/deployments# git tag -a deploy/${DATE?}/release-1.5/aws-subnets \ > -m "Configure Subnets"
Verify¶
Go to your GitOps repository, inside your
rok-toolsmanagement environment:root@rok-tools:~# cd ~/ops/deploymentsRestore the required context from previous sections:
root@rok-tools:~/ops/deployments# source <(cat deploy/env.{aws-vpc,aws-subnets})root@rok-tools:~/ops/deployments# export AWS_VPC_ID AWS_SUBNETS_PUBLIC AWS_SUBNETS_PRIVATEFind the internet gateway associated with the VPC:
root@rok-tools:~/ops/deployments# IGW=$(aws ec2 describe-internet-gateways \ > --filters Name=attachment.vpc-id,Values=${AWS_VPC_ID?} \ > --query InternetGateways[].InternetGatewayId \ > --output text)Find the main route table of the VPC:
root@rok-tools:~/ops/deployments# MRTB=$(aws ec2 describe-route-tables \ > --filters Name=vpc-id,Values=${AWS_VPC_ID?} \ > Name=association.main,Values=true \ > --query RouteTables[].RouteTableId \ > --output text)Check if the main route table of the VPC has a default route to the internet gateway of the VPC:
root@rok-tools:~/ops/deployments# MRTBP=$(aws ec2 describe-route-tables \ > --filters Name=route-table-id,Values=${MRTB} \ > Name=route.destination-cidr-block,Values=0.0.0.0/0 \ > Name=route.gateway-id,Values=${IGW} \ > --query RouteTables[].RouteTableId \ > --output text)Ensure that the subnets in the
AWS_SUBNETS_PUBLIClist are public and properly tagged.List the public subnets:
root@rok-tools:~/ops/deployments# echo ${AWS_SUBNETS_PUBLIC?} subnet-0b936cdc4fae6862a subnet-0110cc3509ed64a7eRepeat steps a-f below for each one of the subnets in the list.
Pick a subnet from the list:
root@rok-tools:~/ops/deployments# SUBNET=<SUBNET>Find the route table that the subnet is explicitly associated with:
root@rok-tools:~/ops/deployments# RTB=$(aws ec2 describe-route-tables \ > --filters Name=vpc-id,Values=${AWS_VPC_ID?} \ > Name=association.subnet-id,Values=${SUBNET?} \ > --query RouteTables[].RouteTableId \ > --output text)Check if the route table (if any) has a default route to the internet gateway of the VPC:
root@rok-tools:~/ops/deployments# RTBP=$(aws ec2 describe-route-tables \ > --filters Name=route-table-id,Values=${RTB} \ > Name=route.destination-cidr-block,Values=0.0.0.0/0 \ > Name=route.gateway-id,Values=${IGW} \ > --query RouteTables[].RouteTableId \ > --output text)Ensure that the subnet is public:
root@rok-tools:~/ops/deployments# [[ ( "${RTB}" && "${RTBP}" ) || \ > ( ! "${RTB}" && "${MRTBP}" ) ]] && echo OK OKEnsure that the subnet is correctly tagged:
root@rok-tools:~/ops/deployments# aws ec2 describe-subnets --subnet-id ${SUBNET?} \ > --filters=Name="tag:kubernetes.io/role/elb",Values="1" \ > --query "Subnets[].SubnetId" --output text | \ > grep -q ${SUBNET?} && echo OK OKGo back to step a, and repeat the steps for the remaining subnets.
Ensure that the subnets in the
AWS_SUBNETS_PRIVATElist are private and properly tagged.List the private subnets:
root@rok-tools:~/ops/deployments# echo ${AWS_SUBNETS_PRIVATE?} subnet-018e3b5b3ec930ccb subnet-074cebd1b78c50066Repeat steps a-f below for each one of the subnets in the list.
Pick a subnet from the list:
root@rok-tools:~/ops/deployments# SUBNET=<SUBNET>Find the route table that the subnet is explicitly associated with:
root@rok-tools:~/ops/deployments# RTB=$(aws ec2 describe-route-tables \ > --filters Name=vpc-id,Values=${AWS_VPC_ID?} \ > Name=association.subnet-id,Values=${SUBNET?} \ > --query RouteTables[].RouteTableId \ > --output text)Check if the route table (if any) has a default route to the internet gateway of the VPC:
root@rok-tools:~/ops/deployments# RTBP=$(aws ec2 describe-route-tables \ > --filters Name=route-table-id,Values=${RTB} \ > Name=route.destination-cidr-block,Values=0.0.0.0/0 \ > Name=route.gateway-id,Values=${IGW} \ > --query RouteTables[].RouteTableId \ > --output text)Ensure that the subnet is private:
root@rok-tools:~/ops/deployments# [[ ( "${RTB}" && ! "${RTBP}" ) || \ > ( ! "${RTB}" && ! "${MRTBP}" ) ]] && echo OK OKEnsure that the subnet is correctly tagged:
root@rok-tools:~/ops/deployments# aws ec2 describe-subnets --subnet-id ${SUBNET?} \ > --filters=Name="tag:kubernetes.io/role/internal-elb",Values="1" \ > --query "Subnets[].SubnetId" --output text | \ > grep -q ${SUBNET?} && echo OK OKGo back to step a, and repeat the steps for the remaining subnets.
Ensure that the public and private subnets accumulatively reside within at least two availability zones, that is the second column refers to at least two AZs across all subnets:
root@rok-tools:~/ops/deployments# aws ec2 describe-subnets \ > --subnet-ids ${AWS_SUBNETS_PUBLIC?} ${AWS_SUBNETS_PRIVATE?} \ > --query 'Subnets[].[SubnetId,AvailabilityZone]' \ > --output table -------------------------------------------- | DescribeSubnets | +---------------------------+--------------+ | subnet-0b936cdc4fae6862a | us-east-1a | | subnet-0110cc3509ed64a7e | us-east-1b | | subnet-018e3b5b3ec930ccb | us-east-1a | | subnet-074cebd1b78c50066 | us-east-1b | +---------------------------+--------------+Ensure that the public subnets auto-assign IP addresses, that is, all values of the third column are equal to
True:root@rok-tools:~/ops/deployments# aws ec2 describe-subnets \ > --subnet-ids ${AWS_SUBNETS_PUBLIC?} \ > --query 'Subnets[].[SubnetId,MapPublicIpOnLaunch]' \ > --output table ---------------------------------------------------- | DescribeSubnets | +---------------------------+--------------+-------+ | subnet-0b936cdc4fae6862a | us-east-1a | True | | subnet-0110cc3509ed64a7e | us-east-1b | True | +---------------------------+--------------+-------+