Create EKS private cluster using CLI without NAT gateway?

Question

Create 2 managed node group join private EKS cluster

I tried following the link: https://eksctl.io/usage/creating-and-managing-clusters/

Answer 1

Yes, you can create EKS cluster without any Internet Connectivity. No need of Nat Gateway. AWS has documented the prerequisites for such private clusters here . You just need to make sure you have at-least these interface endpoints configured in your VPC.

Please find detailed step by step approach for creating Interface Endpoints here

• com.amazonaws.region-code.ecr.dkr

• com.amazonaws.region-code.ecr.api

• com.amazonaws.region-code.sts

• com.amazonaws.region-code.logs

Please also create S3 gateway Endpoint. Please find the guide for creating S3 Gateway Endpoint here .

• com.amazonaws.region-code.s3

In-case your compute nodes don't join the cluster, which can happen if you miss any of the prerequisites, please refer to this recommendation for troubleshooting.

Answer 2

Strictly speaking you don't need to, but you will have to use interface endpoints (AWS PrivateLink) :

You can use AWS PrivateLink to create a private connection between your VPC and Amazon Elastic Kubernetes Service. You can access Amazon EKS as if it were in your VPC, without the use of an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC don't need public IP addresses to access Amazon EKS.

Here, "NAT device" includes NAT gateways.

You establish this private connection by creating an interface endpoint powered by AWS PrivateLink. We create an endpoint network interface in each subnet that you enable for the interface endpoint. These are requester-managed network interfaces that serve as the entry point for traffic destined for Amazon EKS.

The whole point of NAT is to facilitate the outbound communication to register nodes with the EKS control plane. For more information see Subnet requirements and considerations .