AWS secure connectivity for EKS & RDS

The AWS Stack now supports securely connecting RDS instances and app deployments in an EKS cluster, using kubectl to manage new Crossplane resources including VPCs, Subnets, SecurityGroups, IAM Roles and more!

Continuing our series on cloud networking & security we’ll explore new Crossplane support for provisioning AWS networking and security resources from kubectl, so pods in an EKS cluster can securely consume dynamically provisioned RDS instances (MySQL, PostgreSQL) in the same VPC.

AWS supports multiple options for connecting EKS nodes to RDS. Crossplane v0.2 required manual creation of AWS networking and security resources involving use of web console GUIs and CLIs.

Crossplane v0.3 adds support for provisioning all the required AWS networking and security resources using managed Kubernetes resources, and configuring them to securely connect RDS instances to pods in an EKS cluster in the same VPC using SecurityGroups to secure network access.

Manual steps

Configuring a secure networking environment for EKS and RDS requires the following:

1) EKS cluster setup
The following resources are needed for EKS cluster networking and security:

  • VPC: virtual private cloud (VPC) the cluster will reside in.
  • Subnet: virtual subnetwork(s) within a VPC, for each availability zone the cluster's worker nodes will reside in.
  • SecurityGroup: allows the cluster to communicate with worker nodes. It logically groups the resources that could communicate with each other within a VPC, and also adds ingress and egress traffic rules.
  • IAMRole: enables EKS to make calls to other AWS services to manage the resources.
  • IAMRolePolicyAttachment: attaches required policies to the EKS role.
  • InternetGateway: enables the nodes to have traffic to and from the internet. This is necessary because most workloads have services that need to be accessed from the internet.
  • RouteTable: to route internet traffic to a set of subnets.

Then create an EKS cluster using the above resources.

2) Configure managed service access

  • DBSubnetGroup: represents a group of Subnets from different availability zones, from which a private IP is chosen and assigned to the RDS instance.
  • SecurityGroup: allows the RDS instance to accept traffic from a certain IP and port.

3) Provision managed services with private IPs on the cluster’s network

  • Provision managed service instances (RDS, ElasticCache) using a SubnetGroup. A private IP will be allocated from the selected Subnet in the SubnetGroup and assigned to the managed service instance so it’s reachable from the pods in the cluster.

Streamline EKS & RDS provisioning with kubectl

Crossplane v0.3 supports doing all of the above using kubectl by following the AWS Stack Setup Guide. It uses a standalone Crossplane control cluster running on your laptop or in the cloud to create a secure networking environment in AWS and dynamically provision an EKS cluster with RDS provisioning enabled.

Note the following:

  • The EKSClusterClass has fields for the cluster VCP, Subnets, and SecurityGroups.
  • The RDSInstanceClass has a SubnetGroup and SecurityGroups, so RDS instances will be made available with a private IP allocated from the selected Subnet, and network traffic is allowed using the SecurityGroup ingress rules.

Add RDS provisioning to existing EKS clusters

If you already have an existing EKS cluster then you can follow the AWS Services Guide to install an embedded Crossplane instancedirectly onto the target EKS cluster along with the AWS Stack.

This adds managed service CRDs to the Kubernetes API including RDS for MySQL and PostgreSQL. You can continue deploying to Kubernetes with the core resources you use today (deployments, pods, services, ingress) and augment that with additional Kubernetes objects (mysql.yaml, postgres.yaml) to provision managed services using kubectl.

Provision securely connected DB instances

Once managed service provisioning is enabled you can dynamically provision RDS instances in your app project namespaces using PostgreSQL and MySQL claims, but now with secure connectivity!

Beyond v0.3

Crossplane v0.3 supports provisioning securely connected RDS instances in the same VPC as the EKS cluster. If you have additional scenarios you'd like us to support, like multi-VPC, please let us know!

Learn more

To learn more about key design considerations, how secure connectivity fits into Crossplane's layered architecture, and a detailed example to make it real, checkout:

Get involved!

There are many different ways to get involved in the Crossplane project, both from the user side and the developer side. Please join us in helping the project continue to grow on its way beyond the v0.3 milestone as we move from alpha to beta over the coming months!

Join the open cloud movement to help level the playing field for everyone!

Keep up with Upbound

* indicates required