Hi Fabio, curious which VPC Endpoints you created in this private subnet. Did you by chance create one for the EC2 API? This might be what you are missing for your nodes to join. (If you have ECR, STS, S3 plus anything else you might need, ALB, CW etc., but those are not necessary for nodes.) https://repost.aws/knowledge-center/resolve-eks-node-failures
With Public and Private Endpoints enabled, then yes, nodes in a Private Subnet should be able to join the cluster without traversing the public internet.
Sounds like you might be missing these settings in your VPC, if you are properly enabling both Public and Private Endpoints.
When creating the Endpoints, EKS creates a Private Hosted Zone (which will allow your nodes to look up the Public Endpoint name, as it doesn't change, and resolve it to the private VPC Endpoints managed by EKS). This private hosted zone is managed by Amazon EKS, and it doesn't appear in your account's Route 53 resources. **In order for the private hosted zone to properly route traffic to your API server, your VPC must have enableDnsHostnames and enableDnsSupport set to true, and the DHCP options set for your VPC must include AmazonProvidedDNS in its domain name servers list.**
https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html
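As an added check (not part of this thread or of any AWS tooling), the following Python audits a VPC against the settings named above: the EC2 API, ECR, STS and S3 endpoints, the two VPC DNS attributes, and AmazonProvidedDNS in the DHCP option set. The input shapes are assumed to mirror `aws ec2 describe-vpc-endpoints`, `describe-vpc-attribute` and `describe-dhcp-options`; the sample data is constructed and deliberately lacks the EC2 endpoint, as in the case above.

```python
# Endpoint services nodes in a private subnet need (short names after the
# com.amazonaws.<region>. prefix), with the reason each matters.
REQUIRED_SERVICES = {
    "ec2": "EC2 API, needed for nodes to describe themselves and register",
    "ecr.api": "ECR API, image manifests",
    "ecr.dkr": "ECR Docker registry, image layers",
    "sts": "STS, node and pod credential exchange",
    "s3": "S3 gateway endpoint, backing store for ECR layers",
}


def audit_vpc(region, endpoints, enable_dns_hostnames, enable_dns_support,
              dhcp_domain_name_servers):
    """Return human-readable findings; an empty list means every check passed.

    endpoints: list of dicts with 'ServiceName' and 'State' (shape assumed to
    follow describe-vpc-endpoints). Only 'available' endpoints count.
    """
    findings = []
    present = {e["ServiceName"] for e in endpoints if e.get("State") == "available"}
    for short, why in REQUIRED_SERVICES.items():
        service = f"com.amazonaws.{region}.{short}"
        if service not in present:
            findings.append(f"missing endpoint {service} ({why})")
    # Without both attributes the EKS-managed private hosted zone cannot
    # resolve the public API endpoint name to the in-VPC ENI addresses.
    if not enable_dns_hostnames:
        findings.append("enableDnsHostnames is false; private hosted zone will not resolve")
    if not enable_dns_support:
        findings.append("enableDnsSupport is false; private hosted zone will not resolve")
    if "AmazonProvidedDNS" not in dhcp_domain_name_servers:
        findings.append("DHCP option set lacks AmazonProvidedDNS in domain-name-servers")
    return findings


# Constructed sample: every required endpoint except the EC2 API is present.
SAMPLE_ENDPOINTS = [
    {"ServiceName": f"com.amazonaws.us-east-1.{s}", "State": "available"}
    for s in ("ecr.api", "ecr.dkr", "sts", "s3")
]

if __name__ == "__main__":
    for line in audit_vpc("us-east-1", SAMPLE_ENDPOINTS, True, True,
                          ["AmazonProvidedDNS"]):
        print(line)
```

In a real account, feed the function the parsed JSON of the three describe calls for the cluster's VPC rather than the constructed sample.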
All described settings were in place, yet I still need the NAT in order to register my node located in a private network to a cluster endpoint enabled with both private and public access. The endpoint FQDN indeed returns, when queried inside the VPC, the IP addresses of the EKS-managed ENIs. Certainly I will require a NAT gateway to access AWS ECR, for instance, or create a VPC interface endpoint, but it is annoying me why I can't register the node with NAT. I have run the EKS node automated troubleshooting tool provided by AWS, and it still indicates the absence of a NAT GW.
You are correct. The EC2 API endpoint was missing indeed.