Amazon Web Services (AWS) provides a powerful combination of services for building, deploying, and managing applications. Amazon Elastic Kubernetes Service (EKS) is a managed Kubernetes service that simplifies the process of deploying, managing, and scaling containerized applications using Kubernetes. In certain scenarios, you might want to deploy a private Application Load Balancer (ALB) in front of your private EKS cluster to handle incoming traffic efficiently. In this guide, we’ll walk through the process of setting up a private ALB for your private EKS cluster using Terraform, along with best practices and intricate details.

Prerequisites

Before you begin, ensure you have the following prerequisites:

  • AWS Account: Access to an AWS account with necessary permissions to create resources.
  • Terraform: Installed Terraform CLI on your local machine.
  • AWS CLI: Installed AWS Command Line Interface to configure your AWS credentials.

Step-by-Step Guide

1. Configure AWS Credentials

Open your terminal and run the following command to configure your AWS credentials:

1

aws configure

Enter your AWS Access Key ID, Secret Access Key, default region, and preferred output format.

2. Create a VPC

In order to set up a private ALB and EKS cluster, you need a Virtual Private Cloud (VPC) with private subnets. Create a new Terraform configuration file (e.g., vpc.tf) and define your VPC, private subnets, and necessary networking components.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13

resource "aws_vpc" "my_vpc" {
  cidr_block = "10.0.0.0/16"
}

resource "aws_subnet" "private_subnets" {
  count = 2
  cidr_block = "10.0.${count.index}.0/24"
  vpc_id = aws_vpc.my_vpc.id

  tags = {
    Name = "private-subnet-${count.index}"
  }
}

3. Create an EKS Cluster

Define your EKS cluster configuration in a new Terraform configuration file (e.g., eks.tf). Specify your desired Kubernetes version, cluster name, and VPC configuration.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10

module "eks_cluster" {
  source          = "terraform-aws-modules/eks/aws"
  cluster_name    = "my-eks-cluster"
  subnets         = aws_subnet.private_subnets[*].id
  vpc_id          = aws_vpc.my_vpc.id
  cluster_version = "1.21"
  tags = {
    Terraform = "true"
  }
}

4. Create a Security Group for EKS Nodes

You need to create a security group to control inbound and outbound traffic for your EKS nodes. Add the following to your eks.tf file:

1
2
3
4
5

resource "aws_security_group" "eks_nodes" {
  name_prefix = "eks-nodes-"
  vpc_id      = aws_vpc.my_vpc.id
  // Define your security group rules here
}

5. Create an ALB Security Group

Similarly, create a security group for the private ALB. Add the following to your eks.tf file:

1
2
3
4
5

resource "aws_security_group" "alb_sg" {
  name_prefix = "alb-sg-"
  vpc_id      = aws_vpc.my_vpc.id
  // Define your ALB security group rules here
}

6. Create the Private ALB

Create a new Terraform configuration file (e.g., alb.tf) to define the private ALB. Specify your listener configurations, security groups, and target group.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33

resource "aws_lb" "private_alb" {
  name               = "private-alb"
  internal           = true
  load_balancer_type = "application"
  subnets            = aws_subnet.private_subnets[*].id

  enable_deletion_protection = false
}

resource "aws_lb_listener" "alb_listener" {
  load_balancer_arn = aws_lb.private_alb.arn
  port              = 80
  protocol          = "HTTP"

  default_action {
    target_group_arn = aws_lb_target_group.alb_target_group.arn
    type             = "fixed-response"

    fixed_response {
      content_type = "text/plain"
      message_body = "Hello, this is the ALB!"
      status_code  = "200"
    }
  }
}

resource "aws_lb_target_group" "alb_target_group" {
  name        = "alb-target-group"
  port        = 80
  protocol    = "HTTP"
  vpc_id      = aws_vpc.my_vpc.id
  target_type = "ip"
}

7. Update EKS Node Security Group

Update the EKS node security group to allow traffic from the ALB security group. Modify your eks.tf file:

1
2
3
4
5
6
7
8

resource "aws_security_group_rule" "alb_ingress" {
  type        = "ingress"
  from_port   = 80
  to_port     = 80
  protocol    = "tcp"
  cidr_blocks = [aws_security_group.alb_sg.id]
  security_group_id = aws_security_group.eks_nodes.id
}

8. Deploy the Configuration

In your terminal, navigate to the directory containing your Terraform files and run the following commands:

1
2

terraform init
terraform apply

Terraform will provision the resources defined in your configuration files.

In Closing

Setting up a private ALB in front of a private EKS cluster using Terraform requires careful planning and configuration. By following the steps outlined in this guide, you can efficiently deploy and manage your infrastructure, adhering to best practices. This approach enables you to securely handle incoming traffic and ensure the smooth operation of your private EKS cluster.

Remember that this guide provides a basic setup for demonstration purposes. In real-world scenarios, you should customize the configurations to match your application’s requirements and consider security, scalability, and high availability factors.