Create VPC

This section will guide you through creating a VPC for your EKS cluster.

Choose one of the following options to create a VPC for your EKS cluster:

What You’ll Need

Option 1: Create VPC for your EKS Cluster Automatically (preferred)

Create a VPC for your EKS cluster by following the on-screen instructions on the rok-deploy user interface.

If rok-deploy is not already running, start it with:

root@rok-tools:~# rok-deploy --run-from aws-vpc
../../../_images/aws-vpc.png

Option 2: Create VPC for your EKS Cluster Manually

If you want to create a VPC for your EKS Cluster manually, follow the instructions below.

Procedure

  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:~# cd ~/ops/deployments
  2. Restore the required context from previous sections:

    root@rok-tools:~/ops/deployments# source <(cat deploy/env.envvars-aws)
    root@rok-tools:~/ops/deployments# export AWS_DEFAULT_REGION
  3. Decide on the VPC configuration you want to use. Here is how your VPC configuration will look like based on your choice:

    • The VPC will have three public subnets.
    • The EKS worker nodes will obtain public IPs.
    • You will use an internet-facing load balancer to expose your services.
    • The VPC will have two public subnets and two private subnets.
    • The private subnets can optionally have internet access.
    • The EKS worker nodes can obtain either public or private IPs.
    • You can use either internet-facing or an internal load balancer to expose your services.
    • The VPC will have three private subnets without internet access.
    • The VPC will have all the necessary VPC endpoints for the EKS workers and software running in the cluster.
    • The EKS worker nodes will obtain private IPs.
    • You will use an internal load balancer to expose services.

    Warning

    Choose this configuration option only if you have specific networking needs. A VPC with only private subnets is not accessible and you will need extra configuration to access it.

    Note

    We recommend you use a VPC configuration with Public and private subnets.

  4. Specify the VPC configuration according to what you decided in step 3:

    root@rok-tools:~/ops/deployments# export AWS_VPC_CONFIG=public
    root@rok-tools:~/ops/deployments# export AWS_VPC_CONFIG=public-private
    root@rok-tools:~/ops/deployments# export AWS_VPC_CONFIG=private
  5. Decide whether the private subnets will have access to the internet via a NAT Gateway.

    Skip this step since there are no private subnets for this configration option.

    root@rok-tools:~/ops/deployments# export AWS_VPC_PRIVATE_SUBNETS_INTERNET_ACCESS=true
    root@rok-tools:~/ops/deployments# export AWS_VPC_PRIVATE_SUBNETS_INTERNET_ACCESS=false

    Skip this step since internet access for private subnets is not supported in this configuration option.

  6. Set the name of the CloudFormation stack you will deploy:

    root@rok-tools:~/ops/deployments# export AWS_VPC_CF_STACK=rok-${AWS_DEFAULT_REGION}-vpc
  7. Generate the AWS CloudFormation stack:

    root@rok-tools:~/ops/deployments# j2 rok/eks/amazon-eks-vpc-public.yaml.j2 \ > -o rok/eks/amazon-eks-vpc-public.yaml
    root@rok-tools:~/ops/deployments# j2 rok/eks/amazon-eks-vpc-public-private.yaml.j2 \ > -o rok/eks/amazon-eks-vpc-public-private.yaml
    root@rok-tools:~/ops/deployments# j2 rok/eks/amazon-eks-vpc-private.yaml.j2 \ > -o rok/eks/amazon-eks-vpc-private.yaml
  8. Deploy the AWS CloudFormation stack. Choose one of the following options based on your VPC configuration.

    root@rok-tools:~/ops/deployments# aws cloudformation deploy \ > --stack-name ${AWS_VPC_CF_STACK?} \ > --template-file rok/eks/amazon-eks-vpc-public.yaml Waiting for changeset to be created.. Waiting for stack create/update to complete Successfully created/updated stack - arrikto-dev-arrikto-vpc
    root@rok-tools:~/ops/deployments# aws cloudformation deploy \ > --stack-name ${AWS_VPC_CF_STACK?} \ > --template-file rok/eks/amazon-eks-vpc-public-private.yaml \ > --parameter-overrides PrivateSubnetsInternetAccess=${AWS_VPC_PRIVATE_SUBNETS_INTERNET_ACCESS?} Waiting for changeset to be created.. Waiting for stack create/update to complete Successfully created/updated stack - arrikto-dev-arrikto-vpc
    root@rok-tools:~/ops/deployments# aws cloudformation deploy \ > --stack-name ${AWS_VPC_CF_STACK?} \ > --template-file rok/eks/amazon-eks-vpc-private.yaml Waiting for changeset to be created.. Waiting for stack create/update to complete Successfully created/updated stack - arrikto-dev-arrikto-vpc
  9. Obtain your VPC ID:

    root@rok-tools:~/ops/deployments# export AWS_VPC_ID=$(aws cloudformation describe-stack-resource \ > --stack-name ${AWS_VPC_CF_STACK?} \ > --logical-resource-id VPC \ > --query StackResourceDetail.PhysicalResourceId \ > --output text)
  10. Save your state:

    root@rok-tools:~/ops/deployments# j2 deploy/env.aws-vpc.j2 \ > -o deploy/env.aws-vpc
  11. Commit your changes:

    root@rok-tools:~/ops/deployments# git commit -am "Create VPC"
  12. Mark your progress:

    root@rok-tools:~/ops/deployments# export DATE=$(date -u "+%Y-%m-%dT%H.%M.%SZ")
    root@rok-tools:~/ops/deployments# git tag -a deploy/${DATE?}/release-1.5/aws-vpc \ > -m "Create VPC"

Verify

  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:~# cd ~/ops/deployments
  2. Restore the required context from previous sections:

    root@rok-tools:~/ops/deployments# source <(cat deploy/env.aws-vpc)
    root@rok-tools:~/ops/deployments# export AWS_VPC_ID
  3. Ensure that your VPC exists:

    root@rok-tools:~/ops/deployments# aws ec2 describe-vpcs \ > --vpc-ids ${AWS_VPC_ID?} \ > --query 'Vpcs[].[VpcId,Tags[?Key==`Name`]|[0].Value,IsDefault]' \ > --output table --------------------------------------------------------------- | DescribeVpcs | +------------------------+---------------------------+--------+ | vpc-05dd9c31ee502b47d | arrikto-cluster-vpc-VPC | False | +------------------------+---------------------------+--------+
  4. Ensure that your VPC has DNS hostnames and DNS resolution enabled.

    1. Ensure that the enableDnsSupport VPC attribute is set:

      root@rok-tools:~/ops/deployments# aws ec2 describe-vpc-attribute \ > --vpc-id ${AWS_VPC_ID?} \ > --attribute enableDnsSupport \ > --query EnableDnsSupport.Value true
    2. Ensure that the enableDnsHostnames VPC attribute is set:

      root@rok-tools:~/ops/deployments# aws ec2 describe-vpc-attribute \ > --vpc-id ${AWS_VPC_ID?} \ > --attribute enableDnsHostnames \ > --query EnableDnsHostnames.Value true
  5. Verify that your VPC has the required endpoints. Choose one of the following options based on your VPC configuration.

    No VPC endpoints are required. Proceed to the next step.

    No VPC endpoints are required. Proceed to the next step.

    1. List the service name of each endpoint in your VPC:

      root@rok-tools:~/ops/deployments# aws ec2 describe-vpc-endpoints \ > --filter Name=vpc-id,Values=${AWS_VPC_ID?} \ > --query VpcEndpoints[].[ServiceName,State] \ > --output table --------------------------------------------------------------- | DescribeVpcEndpoints | +------------------------------------------------+------------+ | com.amazonaws.us-east-1.s3 | available | | com.amazonaws.us-east-1.ecr.dkr | available | | com.amazonaws.us-east-1.autoscaling | available | | com.amazonaws.us-east-1.ecr.api | available | | com.amazonaws.us-east-1.logs | available | | com.amazonaws.us-east-1.sts | available | | com.amazonaws.us-east-1.ec2 | available | | com.amazonaws.us-east-1.elasticloadbalancing | available | +------------------------------------------------+------------+
    2. Ensure that VPC endpoints are available for the following services:

      • com.amazonaws.REGION.sts
      • com.amazonaws.REGION.ecr.api
      • com.amazonaws.REGION.logs
      • com.amazonaws.REGION.ecr.dkr
      • com.amazonaws.REGION.s3
      • com.amazonaws.REGION.ec2
      • com.amazonaws.REGION.elasticloadbalancing
      • com.amazonaws.REGION.autoscaling
    1. List the service name of each endpoint in your VPC:

      root@rok-tools:~/ops/deployments# aws ec2 describe-vpc-endpoints \ > --filter Name=vpc-id,Values=${AWS_VPC_ID?} \ > --query VpcEndpoints[].[ServiceName,State] \ > --output table --------------------------------------------------------------- | DescribeVpcEndpoints | +------------------------------------------------+------------+ | com.amazonaws.us-east-1.s3 | available | | com.amazonaws.us-east-1.ecr.dkr | available | | com.amazonaws.us-east-1.autoscaling | available | | com.amazonaws.us-east-1.ecr.api | available | | com.amazonaws.us-east-1.logs | available | | com.amazonaws.us-east-1.sts | available | | com.amazonaws.us-east-1.ec2 | available | | com.amazonaws.us-east-1.elasticloadbalancing | available | +------------------------------------------------+------------+
    2. Ensure that VPC endpoints are available for the following services:

      • com.amazonaws.REGION.sts
      • com.amazonaws.REGION.ecr.api
      • com.amazonaws.REGION.logs
      • com.amazonaws.REGION.ecr.dkr
      • com.amazonaws.REGION.s3
      • com.amazonaws.REGION.ec2
      • com.amazonaws.REGION.elasticloadbalancing
      • com.amazonaws.REGION.autoscaling

Summary

You have successfully created a VPC to host your Arrikto EKF deployment.

What’s Next

The next step is to configure your subnets.