EKS Private Network with Twingate

2024-12-06

Introduction

Setting up a private network for your EKS cluster is important for security and performance. There are many ways to do this, but in this article, we'll use Twingate to create a private network for your EKS cluster.

Step-by-Step Guide: Deploying a Private EKS Cluster with Twingate Access

Prerequisites

  • An AWS account
  • A Twingate account
  • Twingate CLI/client installed
  • eksctl CLI

Terraform Setup

Assume you have a VPC and private subnets already created (here via a "vpc" module). The two cluster_endpoint_* settings are what make the cluster private: the API server gets an endpoint reachable only from inside the VPC, and no public endpoint is created.

module "eks" {
  source          = "terraform-aws-modules/eks/aws"
  cluster_name    = "private-eks-cluster"
  cluster_version = "1.27"
  # The EKS module argument is subnet_ids (it was renamed from subnets in v18 of the module).
  subnet_ids      = module.vpc.private_subnets
  vpc_id          = module.vpc.vpc_id

  # Private endpoint only: the control plane is not reachable from the internet.
  cluster_endpoint_private_access = true
  cluster_endpoint_public_access  = false

  # Additional configurations...
}

Twingate Setup

Twingate provides secure, remote access to private resources without exposing them to the public internet. To integrate Twingate with your EKS cluster:

  • Create a Twingate Account: Sign up at Twingate.
  • Define a Remote Network: In the Twingate admin console, add a new remote network representing your AWS VPC.
  • Deploy a Connector: Deploy a Twingate Connector within your VPC. This can be done using AWS ECS Fargate, EC2, or as a Kubernetes Deployment. Ensure the Connector has outbound internet access to communicate with Twingate's services and can reach the EKS API endpoint.

Twingate Connector Deployment

Deploy the Twingate Connector as a container on AWS ECS (Fargate) within your VPC. Ensure the subnet has outbound internet access to communicate with Twingate's services and access the EKS control plane.

Twingate Resource Configuration

After deploying the Connector, configure Twingate to manage access to your EKS cluster:

  • Add a Remote Network: In the Twingate admin console, add a new remote network representing your AWS VPC (the one the Connector was deployed into).
  • Define Resources: Add a new resource with the private DNS name of your EKS API server.
  • Assign Access: Specify which user groups should have access to this resource.
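As an added check, not part of the original post: a small Python audit that verifies the endpoint posture the Terraform above sets (private access on, public access off) and derives the hostname to register as the Twingate Resource address. It parses the JSON that `aws eks describe-cluster` returns; the sample below is constructed, with a made-up endpoint hostname.

```python
"""Audit EKS control-plane endpoint exposure from `aws eks describe-cluster` JSON."""
import json
import sys
from dataclasses import dataclass, field

# Constructed sample in the shape of `aws eks describe-cluster --name private-eks-cluster`,
# trimmed to the fields this check needs. The endpoint hostname is made up.
SAMPLE_DESCRIBE_CLUSTER = json.dumps({
    "cluster": {
        "name": "private-eks-cluster",
        "endpoint": "https://EXAMPLE0123456789ABCDEF.gr7.us-east-1.eks.amazonaws.com",
        "resourcesVpcConfig": {
            "endpointPublicAccess": False,
            "endpointPrivateAccess": True,
            # AWS still reports this CIDR list even when public access is off.
            "publicAccessCidrs": ["0.0.0.0/0"],
        },
    }
})

@dataclass
class EndpointFinding:
    cluster: str
    private_only: bool
    issues: list = field(default_factory=list)

def audit_endpoint(describe_json: str) -> EndpointFinding:
    """Check that the API endpoint matches the posture set in the Terraform above:
    private access on, public access off."""
    cluster = json.loads(describe_json)["cluster"]
    vpc = cluster.get("resourcesVpcConfig", {})
    public = vpc.get("endpointPublicAccess", True)     # AWS default is public
    private = vpc.get("endpointPrivateAccess", False)  # AWS default is off
    issues = []
    if public:
        issues.append("endpointPublicAccess is true: API server reachable from the internet")
        if "0.0.0.0/0" in vpc.get("publicAccessCidrs", []):
            issues.append("publicAccessCidrs allows 0.0.0.0/0")
    if not private:
        issues.append("endpointPrivateAccess is false: the in-VPC Twingate Connector cannot reach the API")
    return EndpointFinding(cluster["name"], (not public) and private, issues)

def private_api_hostname(describe_json: str) -> str:
    """Hostname to register as the Twingate Resource address (endpoint URL without scheme)."""
    return json.loads(describe_json)["cluster"]["endpoint"].removeprefix("https://")

if __name__ == "__main__":
    # Pipe real output in, or run with no input to use the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DESCRIBE_CLUSTER
    finding = audit_endpoint(data)
    print(finding)
    print("Twingate resource address:", private_api_hostname(data))
```

Run it against a real cluster with `aws eks describe-cluster --name private-eks-cluster | python audit_eks_endpoint.py` (script name assumed); a non-empty issues list means the control plane is not private-only.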

Benefits of This Setup

  • Enhanced Security: The EKS API server is not exposed to the public internet, reducing the attack surface.
  • Granular Access Control: Twingate allows you to define precise access policies based on user groups.
  • Zero Trust Architecture: This configuration aligns with Zero Trust principles, ensuring that trust is never implicit.
  • Simplified Management: Twingate's centralized management console makes it easy to oversee access policies and monitor activity.

By following this approach, you can establish a secure, private EKS cluster accessible only through Twingate, providing robust protection for your Kubernetes workloads.
