Create VPC¶
This section will guide you through creating a VPC for your EKS cluster.
Fast Forward
If you already have a VPC, expand this box to fast-forward.
Specify your VPC ID. Replace
<VPCID>
with the ID of your VPC:root@rok-tools:~# export AWS_VPC_ID=<VPCID>Specify the VPC configuration:
root@rok-tools:~/ops/deployments# export AWS_VPC_CONFIG=publicroot@rok-tools:~/ops/deployments# export AWS_VPC_CONFIG=public-privateroot@rok-tools:~/ops/deployments# export AWS_VPC_CONFIG=private(Optional) If you have a configuration with public and private subnets, specify whether the private subnets have access to the internet via a NAT Gateway. Replace
<ACCESS>
with eithertrue
orfalse
:root@rok-tools:~# export AWS_VPC_PRIVATE_SUBNETS_INTERNET_ACCESS=<ACCESS>Go to your GitOps repository, inside your
rok-tools
management environment:root@rok-tools:~# cd ~/ops/deploymentsSave your state:
root@rok-tools:~/ops/deployments# j2 deploy/env.aws-vpc.j2 \ > -o deploy/env.aws-vpcCommit your changes:
root@rok-tools:~/ops/deployments# git commit -am "Create VPC"Proceed to the Verify section.
Choose one of the following options to create a VPC for your EKS cluster:
- Option 1: Create VPC for your EKS Cluster Automatically (preferred).
- Option 2: Create VPC for your EKS Cluster Manually.
Overview
What You’ll Need¶
- A configured management environment.
- Access to the AWS Console.
- Permissions to create CloudFormation stacks.
Option 1: Create VPC for your EKS Cluster Automatically (preferred)¶
Create a VPC for your EKS cluster by following the on-screen instructions on
the rok-deploy
user interface.
If rok-deploy
is not already running, start it with:
Option 2: Create VPC for your EKS Cluster Manually¶
If you want to create a VPC for your EKS Cluster manually, follow the instructions below.
Procedure¶
Go to your GitOps repository, inside your
rok-tools
management environment:root@rok-tools:~# cd ~/ops/deploymentsRestore the required context from previous sections:
root@rok-tools:~/ops/deployments# source <(cat deploy/env.envvars-aws)root@rok-tools:~/ops/deployments# export AWS_DEFAULT_REGIONDecide on the VPC configuration you want to use. Here is how your VPC configuration will look like based on your choice:
- The VPC will have three public subnets.
- The EKS worker nodes will obtain public IPs.
- You will use an internet-facing load balancer to expose your services.
- The VPC will have two public subnets and two private subnets.
- The private subnets can optionally have internet access.
- The EKS worker nodes can obtain either public or private IPs.
- You can use either internet-facing or an internal load balancer to expose your services.
- The VPC will have three private subnets without internet access.
- The VPC will have all the necessary VPC endpoints for the EKS workers and software running in the cluster.
- The EKS worker nodes will obtain private IPs.
- You will use an internal load balancer to expose services.
Warning
Choose this configuration option only if you have specific networking needs. A VPC with only private subnets is not accessible and you will need extra configuration to access it.
Note
We recommend you use a VPC configuration with Public and private subnets.
Air Gapped
Use one of the following options:
- A VPC configuration with Public and private subnets and ensure that you will use Private subnets without internet access, or
- A VPC configuration with Only private subnets.
Specify the VPC configuration according to what you decided in step 3:
root@rok-tools:~/ops/deployments# export AWS_VPC_CONFIG=publicroot@rok-tools:~/ops/deployments# export AWS_VPC_CONFIG=public-privateroot@rok-tools:~/ops/deployments# export AWS_VPC_CONFIG=privateDecide whether the private subnets will have access to the internet via a NAT Gateway.
Skip this step since there are no private subnets for this configration option.
root@rok-tools:~/ops/deployments# export AWS_VPC_PRIVATE_SUBNETS_INTERNET_ACCESS=trueroot@rok-tools:~/ops/deployments# export AWS_VPC_PRIVATE_SUBNETS_INTERNET_ACCESS=falseAir Gapped
Use Private subnets without internet access.
Skip this step since internet access for private subnets is not supported in this configuration option.
Set the name of the CloudFormation stack you will deploy:
root@rok-tools:~/ops/deployments# export AWS_VPC_CF_STACK=rok-${AWS_DEFAULT_REGION}-vpcGenerate the AWS CloudFormation stack:
root@rok-tools:~/ops/deployments# j2 rok/eks/amazon-eks-vpc-public.yaml.j2 \ > -o rok/eks/amazon-eks-vpc-public.yamlroot@rok-tools:~/ops/deployments# j2 rok/eks/amazon-eks-vpc-public-private.yaml.j2 \ > -o rok/eks/amazon-eks-vpc-public-private.yamlroot@rok-tools:~/ops/deployments# j2 rok/eks/amazon-eks-vpc-private.yaml.j2 \ > -o rok/eks/amazon-eks-vpc-private.yamlDeploy the AWS CloudFormation stack. Choose one of the following options based on your VPC configuration.
root@rok-tools:~/ops/deployments# aws cloudformation deploy \ > --stack-name ${AWS_VPC_CF_STACK?} \ > --template-file rok/eks/amazon-eks-vpc-public.yaml Waiting for changeset to be created.. Waiting for stack create/update to complete Successfully created/updated stack - arrikto-dev-arrikto-vpcroot@rok-tools:~/ops/deployments# aws cloudformation deploy \ > --stack-name ${AWS_VPC_CF_STACK?} \ > --template-file rok/eks/amazon-eks-vpc-public-private.yaml \ > --parameter-overrides PrivateSubnetsInternetAccess=${AWS_VPC_PRIVATE_SUBNETS_INTERNET_ACCESS?} Waiting for changeset to be created.. Waiting for stack create/update to complete Successfully created/updated stack - arrikto-dev-arrikto-vpcroot@rok-tools:~/ops/deployments# aws cloudformation deploy \ > --stack-name ${AWS_VPC_CF_STACK?} \ > --template-file rok/eks/amazon-eks-vpc-private.yaml Waiting for changeset to be created.. Waiting for stack create/update to complete Successfully created/updated stack - arrikto-dev-arrikto-vpcObtain your VPC ID:
root@rok-tools:~/ops/deployments# export AWS_VPC_ID=$(aws cloudformation describe-stack-resource \ > --stack-name ${AWS_VPC_CF_STACK?} \ > --logical-resource-id VPC \ > --query StackResourceDetail.PhysicalResourceId \ > --output text)Save your state:
root@rok-tools:~/ops/deployments# j2 deploy/env.aws-vpc.j2 \ > -o deploy/env.aws-vpcCommit your changes:
root@rok-tools:~/ops/deployments# git commit -am "Create VPC"Mark your progress:
root@rok-tools:~/ops/deployments# export DATE=$(date -u "+%Y-%m-%dT%H.%M.%SZ")root@rok-tools:~/ops/deployments# git tag -a deploy/${DATE?}/release-1.5/aws-vpc \ > -m "Create VPC"
Verify¶
Go to your GitOps repository, inside your
rok-tools
management environment:root@rok-tools:~# cd ~/ops/deploymentsRestore the required context from previous sections:
root@rok-tools:~/ops/deployments# source <(cat deploy/env.aws-vpc)root@rok-tools:~/ops/deployments# export AWS_VPC_IDEnsure that your VPC exists:
root@rok-tools:~/ops/deployments# aws ec2 describe-vpcs \ > --vpc-ids ${AWS_VPC_ID?} \ > --query 'Vpcs[].[VpcId,Tags[?Key==`Name`]|[0].Value,IsDefault]' \ > --output table --------------------------------------------------------------- | DescribeVpcs | +------------------------+---------------------------+--------+ | vpc-05dd9c31ee502b47d | arrikto-cluster-vpc-VPC | False | +------------------------+---------------------------+--------+Ensure that your VPC has DNS hostnames and DNS resolution enabled.
Ensure that the
enableDnsSupport
VPC attribute is set:root@rok-tools:~/ops/deployments# aws ec2 describe-vpc-attribute \ > --vpc-id ${AWS_VPC_ID?} \ > --attribute enableDnsSupport \ > --query EnableDnsSupport.Value trueEnsure that the
enableDnsHostnames
VPC attribute is set:root@rok-tools:~/ops/deployments# aws ec2 describe-vpc-attribute \ > --vpc-id ${AWS_VPC_ID?} \ > --attribute enableDnsHostnames \ > --query EnableDnsHostnames.Value true
Verify that your VPC has the required endpoints. Choose one of the following options based on your VPC configuration.
No VPC endpoints are required. Proceed to the next step.
No VPC endpoints are required. Proceed to the next step.
List the service name of each endpoint in your VPC:
root@rok-tools:~/ops/deployments# aws ec2 describe-vpc-endpoints \ > --filter Name=vpc-id,Values=${AWS_VPC_ID?} \ > --query VpcEndpoints[].[ServiceName,State] \ > --output table --------------------------------------------------------------- | DescribeVpcEndpoints | +------------------------------------------------+------------+ | com.amazonaws.us-east-1.s3 | available | | com.amazonaws.us-east-1.ecr.dkr | available | | com.amazonaws.us-east-1.autoscaling | available | | com.amazonaws.us-east-1.ecr.api | available | | com.amazonaws.us-east-1.logs | available | | com.amazonaws.us-east-1.sts | available | | com.amazonaws.us-east-1.ec2 | available | | com.amazonaws.us-east-1.elasticloadbalancing | available | +------------------------------------------------+------------+Ensure that VPC endpoints are available for the following services:
com.amazonaws.REGION.sts
com.amazonaws.REGION.ecr.api
com.amazonaws.REGION.logs
com.amazonaws.REGION.ecr.dkr
com.amazonaws.REGION.s3
com.amazonaws.REGION.ec2
com.amazonaws.REGION.elasticloadbalancing
com.amazonaws.REGION.autoscaling
List the service name of each endpoint in your VPC:
root@rok-tools:~/ops/deployments# aws ec2 describe-vpc-endpoints \ > --filter Name=vpc-id,Values=${AWS_VPC_ID?} \ > --query VpcEndpoints[].[ServiceName,State] \ > --output table --------------------------------------------------------------- | DescribeVpcEndpoints | +------------------------------------------------+------------+ | com.amazonaws.us-east-1.s3 | available | | com.amazonaws.us-east-1.ecr.dkr | available | | com.amazonaws.us-east-1.autoscaling | available | | com.amazonaws.us-east-1.ecr.api | available | | com.amazonaws.us-east-1.logs | available | | com.amazonaws.us-east-1.sts | available | | com.amazonaws.us-east-1.ec2 | available | | com.amazonaws.us-east-1.elasticloadbalancing | available | +------------------------------------------------+------------+Ensure that VPC endpoints are available for the following services:
com.amazonaws.REGION.sts
com.amazonaws.REGION.ecr.api
com.amazonaws.REGION.logs
com.amazonaws.REGION.ecr.dkr
com.amazonaws.REGION.s3
com.amazonaws.REGION.ec2
com.amazonaws.REGION.elasticloadbalancing
com.amazonaws.REGION.autoscaling