
Calling EKS RunJob from StepFunction WorkFlow when EKS cluster API endpoint access is set to "Private" only

0

My use case is to call EKS RunJob from a Step Functions workflow. I'm able to create an integration between Step Functions and an EKS cluster with any access when the EKS cluster API endpoint access is set to "Public". But I'm not able to create the same integration when the EKS cluster API endpoint access is set to "Private" only. I have tried introducing a Lambda in between SF and the private EKS cluster. This works fine. But I saw an AWS re:Invent December 2024 (article) where they say that AWS has launched a capability for Step Functions to call private endpoints through resource sharing. As per the article, the resource can be an HTTPS endpoint running on an EC2 instance, a database, or an EKS cluster. This is where it occurred to me that we could make SF call the EKS private endpoint through this new capability. I have tried the steps mentioned in the (article) but I could not make SF call EKS (I get the same access error).

The question is: "Is it still a limitation that we cannot make SF call the private endpoint of an EKS cluster?" If not, can someone suggest a document or steps to call EKS RunJob from SF when the EKS cluster API server endpoint access is set to "Private" only?

Thanks in advance!

  • [PM for EventBridge/Step Functions here] Correct, the announced integration at re:Invent 2024 is not for the cluster API access, but to access private HTTPS endpoints in Kubernetes clusters, such as web servers behind an NLB/ALB. Can you please reach out to us via your support team so we can set up a meeting to discuss your requirements?

  • I have raised a support ticket for the same but am still struggling to get an answer. How can I contact you? I have a simple question: "Is it possible to run a Kubernetes Job from Step Functions on an EKS cluster whose API server access is set to "Private" only through this new capability launched by AWS at AWS re:Invent December 2024?"

  • I have a simple question "Is it possible to run a Kubernetes Job from Step Functions on an EKS cluster whose API server access is set to "Private" only through this new capability launched by AWS at AWS re:Invent December 2024?"

    No, and therefore I and the service team would like to talk to you :) You can contact me directly (email) with my username followed by [at] amazon.de

  • Hi @mgasch - Thanks for your support. I have tried reaching out to you through the support ticket but it looks like you are on vacation. Can you please check if anyone from your team can communicate with me?

2 Answers
0

Based on the current information available, it appears that there are still limitations when it comes to directly calling a private EKS cluster endpoint from Step Functions.

While AWS has introduced capabilities for Step Functions to access private endpoints through resource sharing, this functionality may not yet fully extend to private EKS cluster API endpoints. The ability to call private HTTPS services has been improved, but EKS presents unique challenges due to its specific API structure and authentication requirements.

For your use case of calling EKS RunJob from a Step Function workflow when the EKS cluster API endpoint access is set to "Private" only, the most reliable approach currently is still to use an intermediary Lambda function. This Lambda function can be placed within the same VPC as your EKS cluster, allowing it to communicate with the private endpoint.

If you want to explore alternatives, you could consider:

  1. Using AWS PrivateLink to create a secure, private connection between your VPC and Amazon EKS. This might allow you to set up an interface endpoint for Amazon EKS, which could potentially be accessed by Step Functions.

  2. Investigating if you can use Amazon EventBridge in conjunction with Step Functions to trigger actions in your private EKS cluster. EventBridge supports connections to private endpoints, which might provide a workaround.

  3. Exploring the use of AWS VPC Lattice, which can help in securely sharing and accessing resources across VPC boundaries.

However, it's important to note that these alternatives may require additional configuration and might not provide a direct solution for calling EKS RunJob from Step Functions when the cluster is set to private access only.

For the most up-to-date and reliable solution, it's recommended to continue using a Lambda function as an intermediary between Step Functions and your private EKS cluster. This approach, while not as direct, ensures secure and controlled access to your private EKS resources.
Sources

  • Access the Amazon EKS using AWS PrivateLink - Amazon EKS
  • VpcConfigRequest - Amazon EKS
  • Securely share AWS resources across VPC and account boundaries with PrivateLink, VPC Lattice, EventBridge, and Step Functions | AWS News Blog

answered 10 months ago
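The intermediary Lambda recommended above is straightforward to write without the Kubernetes client library. The following is an added example, not code from the thread or from AWS: a Lambda deployed into a subnet of the cluster VPC (with the cluster security group allowing port 443 from the Lambda's security group, and the Lambda's IAM role granted create-Job rights in one namespace via an EKS access entry or aws-auth mapping) that takes a small payload from Step Functions, validates it against an allowlist, and POSTs a batch/v1 Job to the private API server. The bearer token is built the same way aws-iam-authenticator does it (a presigned STS GetCallerIdentity URL with the `x-k8s-aws-id` header, base64url-encoded behind the `k8s-aws-v1.` prefix). The `ALLOWED_IMAGES` value, environment variable names and the `batch` namespace are constructed assumptions; the AWS-side calls only run inside the Lambda runtime, while the manifest and token helpers are pure and run offline.

```python
"""Lambda: create a Kubernetes Job on a private EKS cluster on behalf of Step Functions.

Added example, not from the re:Post thread. The Lambda runs inside the cluster
VPC so it can reach the private API endpoint; Step Functions invokes it with
{"jobName": ..., "image": ..., "args": [...]}.
"""
import base64
import json
import os
import re
import ssl
import tempfile
import urllib.request

# Constructed allowlist (assumption): the only images the workflow may launch.
# Anything else from the state machine input is refused before we talk to the cluster.
ALLOWED_IMAGES = {"123456789012.dkr.ecr.eu-central-1.amazonaws.com/batch-worker:1.4"}
DNS_LABEL = re.compile(r"^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$")  # RFC 1123 label
TOKEN_PREFIX = "k8s-aws-v1."


def validate_request(event):
    """Reject anything the workflow should not be able to run on the cluster."""
    name = event.get("jobName", "")
    image = event.get("image", "")
    if not DNS_LABEL.match(name):
        raise ValueError(f"jobName {name!r} is not a valid DNS-1123 label")
    if image not in ALLOWED_IMAGES:
        raise ValueError(f"image {image!r} is not on the allowlist")
    return name, image


def build_job_manifest(name, image, namespace, args):
    """Build a batch/v1 Job with a restricted, non-root pod spec."""
    return {
        "apiVersion": "batch/v1",
        "kind": "Job",
        "metadata": {"name": name, "namespace": namespace,
                     "labels": {"launched-by": "step-functions"}},
        "spec": {
            "backoffLimit": 2,
            "ttlSecondsAfterFinished": 3600,  # let the cluster garbage-collect finished Jobs
            "template": {"spec": {
                "restartPolicy": "Never",
                "automountServiceAccountToken": False,
                "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
                "containers": [{
                    "name": "worker", "image": image, "args": list(args),
                    "securityContext": {"allowPrivilegeEscalation": False,
                                        "readOnlyRootFilesystem": True},
                }],
            }},
        },
    }


def encode_eks_token(presigned_sts_url):
    """EKS bearer token: 'k8s-aws-v1.' + unpadded base64url of the presigned URL."""
    raw = base64.urlsafe_b64encode(presigned_sts_url.encode()).decode().rstrip("=")
    return TOKEN_PREFIX + raw


def decode_eks_token(token):
    """Inverse of encode_eks_token; useful when inspecting a token in logs or tests."""
    if not token.startswith(TOKEN_PREFIX):
        raise ValueError("not an EKS v1 token")
    body = token[len(TOKEN_PREFIX):]
    body += "=" * (-len(body) % 4)  # restore padding stripped by the encoder
    return base64.urlsafe_b64decode(body).decode()


def presign_get_caller_identity(cluster_name, region):
    """Presign STS GetCallerIdentity carrying the x-k8s-aws-id header (aws-iam-authenticator scheme)."""
    import botocore.session  # available in the Lambda runtime; not needed for the offline helpers
    from botocore.signers import RequestSigner
    session = botocore.session.get_session()
    client = session.create_client("sts", region_name=region)
    signer = RequestSigner(client.meta.service_model.service_id, region, "sts", "v4",
                           session.get_credentials(), session.get_component("event_emitter"))
    request = {"method": "GET",
               "url": f"https://sts.{region}.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15",
               "body": {}, "headers": {"x-k8s-aws-id": cluster_name}, "context": {}}
    return signer.generate_presigned_url(request, region_name=region, expires_in=60, operation_name="")


def lambda_handler(event, context):
    import boto3  # Lambda runtime
    name, image = validate_request(event)
    cluster_name = os.environ["CLUSTER_NAME"]          # assumed env var
    region = os.environ["AWS_REGION"]
    namespace = os.environ.get("JOB_NAMESPACE", "batch")  # assumed env var
    cluster = boto3.client("eks", region_name=region).describe_cluster(name=cluster_name)["cluster"]
    # Pin TLS to the cluster CA returned by DescribeCluster; never disable verification.
    with tempfile.NamedTemporaryFile("wb", suffix=".crt", delete=False) as ca_file:
        ca_file.write(base64.b64decode(cluster["certificateAuthority"]["data"]))
    tls_ctx = ssl.create_default_context(cafile=ca_file.name)
    token = encode_eks_token(presign_get_caller_identity(cluster_name, region))
    body = json.dumps(build_job_manifest(name, image, namespace, event.get("args", []))).encode()
    req = urllib.request.Request(
        f"{cluster['endpoint']}/apis/batch/v1/namespaces/{namespace}/jobs",
        data=body, method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=tls_ctx, timeout=20) as resp:
        created = json.load(resp)
    return {"jobName": created["metadata"]["name"], "uid": created["metadata"]["uid"]}
```

The allowlist and the DNS-label check are the part worth keeping even if the rest changes: the Lambda is the only principal with cluster access, so whatever Step Functions passes to it is effectively what the state machine can run on the cluster. Keeping the IAM-to-Kubernetes mapping scoped to `create` on `jobs` in one namespace limits what a compromised or misconfigured workflow can do.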
0

Hello,

In the article it is mentioned "an Amazon Elastic Kubernetes Service (Amazon EKS) service behind a Network Load Balancer". And this article is based on Amazon VPC Lattice and AWS PrivateLink, hence consider reviewing this article: https://www.eksworkshop.com/docs/networking/vpc-lattice/

After VPC Lattice is configured for EKS, try to configure the Step Functions HTTP endpoint as 'Private'.

AWS
SUPPORT ENGINEER
answered 10 months ago
