Create VPC Interface Endpoints
For EKS clusters running worker nodes in private subnets, VPC interface endpoints are required to allow pods and controllers to access AWS APIs without traversing the public internet.
Identify VPC and Subnets
Retrieve the VPC ID and cluster security group associated with the EKS cluster:
VPC_ID=$(aws eks describe-cluster \
--name ${CLUSTER_NAME} \
--region ${AWS_REGION} \
--query 'cluster.resourcesVpcConfig.vpcId' \
--output text)
SG_ID=$(aws eks describe-cluster \
--name ${CLUSTER_NAME} \
--region ${AWS_REGION} \
--query 'cluster.resourcesVpcConfig.clusterSecurityGroupId' \
--output text)
echo "VPC ID: ${VPC_ID}"
echo "Security Group: ${SG_ID}"
List the subnets attached to the cluster and identify the private subnets (those with MapPublicIpOnLaunch=false):
SUBNET_ARRAY=($(aws eks describe-cluster \
--name ${CLUSTER_NAME} \
--region ${AWS_REGION} \
--query 'cluster.resourcesVpcConfig.subnetIds' \
--output text))
aws ec2 describe-subnets \
--subnet-ids ${SUBNET_ARRAY[@]} \
--region ${AWS_REGION} \
--query 'Subnets[*].[SubnetId,AvailabilityZone,MapPublicIpOnLaunch]' \
--output table
Select Private Subnets
Select one private subnet per availability zone:
PRIVATE_SUBNETS=$(aws ec2 describe-subnets \
--subnet-ids ${SUBNET_ARRAY[@]} \
--region ${AWS_REGION} \
--query 'Subnets[?MapPublicIpOnLaunch==`false`].SubnetId' \
--output text | tr '\t' ' ')
echo "Private Subnets: ${PRIVATE_SUBNETS}"
Enable VPC DNS Resolution
Ensure DNS resolution is enabled for the VPC. This is required for interface endpoints with Private DNS enabled.
aws ec2 modify-vpc-attribute \
--vpc-id ${VPC_ID} \
--enable-dns-hostnames \
--region ${AWS_REGION}
aws ec2 modify-vpc-attribute \
--vpc-id ${VPC_ID} \
--enable-dns-support \
--region ${AWS_REGION}
Allow HTTPS Traffic Within the VPC
Allow HTTPS traffic from the VPC CIDR on the cluster security group. The endpoint network interfaces created below are attached to this security group, so without this rule traffic from the nodes to the endpoints is dropped.
VPC_CIDR=$(aws ec2 describe-vpcs \
--vpc-ids ${VPC_ID} \
--region ${AWS_REGION} \
--query 'Vpcs[0].CidrBlock' \
--output text)
aws ec2 authorize-security-group-ingress \
--group-id ${SG_ID} \
--protocol tcp \
--port 443 \
--cidr ${VPC_CIDR} \
--region ${AWS_REGION}
Create VPC Endpoints
Create the required interface endpoints with Private DNS enabled.
STS Endpoint (Required for IRSA)
aws ec2 create-vpc-endpoint \
--vpc-id ${VPC_ID} \
--service-name com.amazonaws.${AWS_REGION}.sts \
--vpc-endpoint-type Interface \
--subnet-ids $PRIVATE_SUBNETS \
--security-group-ids ${SG_ID} \
--private-dns-enabled \
--region ${AWS_REGION}
EC2 Endpoint (Required for EBS CSI Driver)
aws ec2 create-vpc-endpoint \
--vpc-id ${VPC_ID} \
--service-name com.amazonaws.${AWS_REGION}.ec2 \
--vpc-endpoint-type Interface \
--subnet-ids $PRIVATE_SUBNETS \
--security-group-ids ${SG_ID} \
--private-dns-enabled \
--region ${AWS_REGION}
Verify Endpoint Status
Confirm that the interface endpoints are available:
aws ec2 describe-vpc-endpoints \
--filters "Name=vpc-id,Values=${VPC_ID}" \
--query 'VpcEndpoints[*].[ServiceName,State]' \
--output table --region ${AWS_REGION}
Each endpoint should report a state of available.
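As an added offline check (example code, not part of the original page), the script below consumes the JSON that `aws ec2 describe-subnets --output json` and `aws ec2 describe-vpc-endpoints --output json` return and validates the two things the procedure depends on: the subnet list passed to create-vpc-endpoint contains exactly one private subnet per availability zone (create-vpc-endpoint rejects two subnets in the same AZ), and the sts and ec2 interface endpoints exist, are available, and have Private DNS enabled. The region, subnet IDs and endpoint records are constructed sample data.

```python
"""Validate EKS VPC-endpoint prerequisites from AWS CLI JSON (no AWS calls)."""

REGION = "us-west-2"                      # assumed region for the sample data
REQUIRED_SERVICES = ("sts", "ec2")        # endpoints created in the steps above


def one_private_subnet_per_az(subnets):
    """Pick one private subnet (MapPublicIpOnLaunch false) per AZ, sorted by AZ."""
    chosen = {}
    for s in subnets:
        if s["MapPublicIpOnLaunch"]:
            continue                      # skip public subnets
        chosen.setdefault(s["AvailabilityZone"], s["SubnetId"])
    return [chosen[az] for az in sorted(chosen)]


def endpoint_problems(endpoints, region=REGION, required=REQUIRED_SERVICES):
    """Return a list of findings for the required endpoints; empty means OK."""
    problems = []
    by_service = {e["ServiceName"]: e for e in endpoints}
    for svc in required:
        name = f"com.amazonaws.{region}.{svc}"
        ep = by_service.get(name)
        if ep is None:
            problems.append(f"{name}: endpoint missing")
            continue
        if ep.get("VpcEndpointType") != "Interface":
            problems.append(f"{name}: type {ep.get('VpcEndpointType')}, expected Interface")
        if ep.get("State") != "available":
            problems.append(f"{name}: state is {ep.get('State')}")
        if not ep.get("PrivateDnsEnabled", False):
            problems.append(f"{name}: Private DNS not enabled")
    return problems


# Constructed sample: two AZs, one public subnet each, two privates in AZ a.
SAMPLE_SUBNETS = [
    {"SubnetId": "subnet-0aaa1", "AvailabilityZone": "us-west-2a", "MapPublicIpOnLaunch": True},
    {"SubnetId": "subnet-0aaa2", "AvailabilityZone": "us-west-2a", "MapPublicIpOnLaunch": False},
    {"SubnetId": "subnet-0aaa3", "AvailabilityZone": "us-west-2a", "MapPublicIpOnLaunch": False},
    {"SubnetId": "subnet-0bbb1", "AvailabilityZone": "us-west-2b", "MapPublicIpOnLaunch": True},
    {"SubnetId": "subnet-0bbb2", "AvailabilityZone": "us-west-2b", "MapPublicIpOnLaunch": False},
]
# Constructed sample: sts is healthy, ec2 is still pending with Private DNS off.
SAMPLE_ENDPOINTS = [
    {"ServiceName": f"com.amazonaws.{REGION}.sts", "VpcEndpointType": "Interface",
     "State": "available", "PrivateDnsEnabled": True},
    {"ServiceName": f"com.amazonaws.{REGION}.ec2", "VpcEndpointType": "Interface",
     "State": "pending", "PrivateDnsEnabled": False},
]
```

Run it against live output with `json.load(open("endpoints.json"))["VpcEndpoints"]` and `json.load(open("subnets.json"))["Subnets"]`; an empty problem list corresponds to every endpoint showing available with Private DNS on.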