Identify Outbound IP Addresses on EKS
This section will walk you through identifying the outbound IP addresses that applications running on your EKS cluster will end up using for outbound connections.
What You’ll Need
- A configured management environment.
- A configured VPC.
- An existing EKS cluster.
Procedure

Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:~# cd ~/ops/deployments

Restore the required context from previous sections:

    root@rok-tools:~/ops/deployments# source <(cat deploy/env.{aws-vpc,eks-cluster})
    root@rok-tools:~/ops/deployments# export AWS_VPC_ID EKS_CLUSTER

Find the public IPs of the NAT gateways of your VPC, if any:

    root@rok-tools:~/ops/deployments# aws ec2 describe-nat-gateways \
    >     --filter Name=vpc-id,Values=${AWS_VPC_ID?} \
    >     --query NatGateways[].NatGatewayAddresses[].[PublicIp] \
    >     --output text \
    >     | sed -e 's|$|/32|'
    198.51.100.1/32
    203.0.113.1/32

Note
If your apps are running on worker nodes on private subnets, they will use these IP addresses for outgoing connections. If you don’t modify your VPC configuration, the list above will remain the same.
Note
If your VPC configuration has only public subnets, there will be no NAT gateways and as such, the above command will have no output.
Find the public IPs of the worker nodes of your EKS cluster, if any:

    root@rok-tools:~/ops/deployments# aws ec2 describe-instances \
    >     --filters Name=tag-key,Values=kubernetes.io/cluster/${EKS_CLUSTER?} \
    >     --query Reservations[].Instances[].[PublicIpAddress] \
    >     --output text \
    >     | grep -v None \
    >     | sed -e 's|$|/32|'
    198.51.100.100/32
    203.0.113.100/32

Important
If your apps are running on worker nodes on public subnets, they will use these IP addresses for outgoing connections. If your cluster scales up or down, you have to re-run this command, since the above list will change.
Note
If your worker nodes are running on private subnets, they will not have a public IP address and as such, the above command will have no output.
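
Because the worker node addresses change when the cluster scales, any allowlist built from them goes stale. The following added example (not part of the original guide) merges the output of both commands into one list of /32 CIDRs and reports drift against a previously saved list; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide.
export LC_ALL=C   # same collation for sort and comm

# Turn `--output text` lines into sorted, unique /32 CIDRs.
# Drops "None", blanks and anything that is not dotted-quad shaped.
to_cidrs() {
    tr -s ' \t' '\n\n' \
        | { grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || true; } \
        | sed -e 's|$|/32|' \
        | sort -u
}

# Live collection: the two queries from the procedure, merged.
# Needs AWS_VPC_ID and EKS_CLUSTER exported as in the steps above.
current_cidrs() {
    {
        aws ec2 describe-nat-gateways \
            --filter "Name=vpc-id,Values=${AWS_VPC_ID?}" \
            --query 'NatGateways[].NatGatewayAddresses[].[PublicIp]' \
            --output text
        aws ec2 describe-instances \
            --filters "Name=tag-key,Values=kubernetes.io/cluster/${EKS_CLUSTER?}" \
            --query 'Reservations[].Instances[].[PublicIpAddress]' \
            --output text
    } | to_cidrs
}

# drift SAVED CURRENT: "+cidr" = in use but not in the saved list,
# "-cidr" = in the saved list but no longer in use (stale entry).
drift() {
    comm -13 "$1" "$2" | sed -e 's|^|+|'
    comm -23 "$1" "$2" | sed -e 's|^|-|'
}

# Constructed sample: a saved list from before a scale event, and raw
# command output after it (one node replaced, one without a public IP).
demo() {
    tmp=$(mktemp -d)
    printf '198.51.100.1\n198.51.100.100\n203.0.113.100\n' | to_cidrs > "$tmp/saved"
    printf '198.51.100.1\nNone\n198.51.100.100\n203.0.113.7\n203.0.113.7\n' \
        | to_cidrs > "$tmp/current"
    drift "$tmp/saved" "$tmp/current"
    rm -rf "$tmp"
}
demo
```

Against a live cluster, save `current_cidrs` output to a file once, then compare later runs with `drift`; a `-` line is a trusted address your cluster no longer owns and should be removed from the allowlist.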
Summary
You have successfully identified the outbound IP addresses in your EKS cluster.
What’s Next
The next step is to configure your deployment to allow access from trusted CIDRs.