DEV Community: César Sepúlveda Barra The latest articles on DEV Community by César Sepúlveda Barra (@csepulvedab). https://dev.to/csepulvedab https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3033680%2F63e29f3a-5f38-4c70-bd24-4787e669bf12.png DEV Community: César Sepúlveda Barra https://dev.to/csepulvedab en I Built a Kubernetes Operator That Programs My Cisco Router César Sepúlveda Barra Tue, 24 Feb 2026 20:36:13 +0000 https://dev.to/csepulvedab/i-built-a-kubernetes-operator-that-programs-my-cisco-router-5b9e https://dev.to/csepulvedab/i-built-a-kubernetes-operator-that-programs-my-cisco-router-5b9e <p>I wrote a Kubernetes operator in Go that talks to a Cisco 4331 router via RESTCONF. It creates VLANs, DHCP pools, and ACLs on the router, all triggered by <code>kubectl apply</code>. Pods get their IPs directly from the router's DHCP server, and inter-VLAN traffic is controlled by real ACLs running on real hardware. This is the full walkthrough.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5liji8w4w7sm7khpa5xp.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5liji8w4w7sm7khpa5xp.png" alt="mini eks cluster &amp; cisco gear" width="800" height="1200"></a></p> <h2> 1. Why? </h2> <p>Kubernetes networking is, by default, flat. Every pod can reach every other pod. That's fine for many workloads, but in plenty of scenarios you actually want segmentation. You want the database on a different network than the web servers. You want firewall rules between them.</p> <h3> There are better tools for this </h3> <p>I want to be honest from the start: if you need network segmentation in Kubernetes today, <strong>use Cilium or Calico</strong>. They provide NetworkPolicy enforcement, eBPF based segmentation, encryption, observability. They work in software, they scale, and thousands of companies run them in production. That's the right answer for most people.</p> <p>If you're deep in the Cisco world, <strong>ACI with Nexus switches</strong> is the official enterprise play. It integrates natively with Kubernetes, gives you policy-driven microsegmentation, multi-tenant networking, full visibility. But it requires Nexus 9000 hardware and APIC controllers, and that's a serious investment.</p> <h3> So why did I do this? </h3> <p>I had a Cisco 4331 router and a Catalyst switch on my desk. Not data center gear. Just mid-range networking equipment, the kind of thing you can pick up on eBay for a couple hundred bucks. The 4331 runs IOS-XE 16.12 and has <strong>RESTCONF</strong> enabled: a REST API for managing the router configuration over HTTPS.</p> <p>I wanted to see if I could wire that into Kubernetes. Not through some vendor plugin, but through a custom operator that I wrote from scratch. The idea was simple: define VLANs and policies as Kubernetes CRDs, and let the operator program the router to make them real.</p> <p>A pod says "I belong to VLAN 10." The operator creates the subinterface on the router, sets up DHCP, writes the ACLs, and the pod gets an IP from the router. No CLI sessions. No separate workflow. Just YAML.</p> <p>This was never about competing with Cilium or replacing ACI. It was about proving that the operator pattern can extend Kubernetes to control physical network infrastructure, even with equipment that wasn't designed for this.</p> <h2> 2. Physical Architecture </h2> <p>This runs on real hardware. No simulations, no GNS3, no virtual routers.</p> <h3> The Lab </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Component</th> <th>Model</th> <th>IP</th> <th>Role</th> </tr> </thead> <tbody> <tr> <td><strong>Router</strong></td> <td>Cisco 4331 (IOS-XE 16.12)</td> <td>192.168.200.1</td> <td>Gateway, DHCP, ACLs, RESTCONF API</td> </tr> <tr> <td><strong>Switch</strong></td> <td>Cisco Catalyst</td> <td>192.168.200.2</td> <td>L2 switching, VLAN trunks</td> </tr> <tr> <td><strong>Node 1</strong></td> <td>Mini PC (8 vCPU, 32 GB)</td> <td>192.168.200.11</td> <td>K3s server + worker</td> </tr> <tr> <td><strong>Node 2</strong></td> <td>Mini PC (8 vCPU, 24 GB)</td> <td>192.168.200.12</td> <td>K3s server + worker</td> </tr> <tr> <td><strong>Node 3</strong></td> <td>Mini PC (4 vCPU, 16 GB)</td> <td>192.168.200.13</td> <td>K3s server + worker</td> </tr> </tbody> </table></div> <h3> Network Topology </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5wxeibex2e2238y3tmaa.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5wxeibex2e2238y3tmaa.png" alt="Network Topology" width="521" height="375"></a></p> <h3> Two NICs per Node </h3> <p>Each node has two network interfaces. This is key to the whole design.</p> <ul> <li> <strong>NIC1 (<code>enp1s0</code>)</strong>: Management. Goes to an access port on the switch, VLAN 1, network <code>192.168.200.0/24</code>. Carries all the K3s traffic: API server, etcd, Flannel overlay.</li> <li> <strong>NIC2 (<code>enp2s0</code>)</strong>: Trunk. Goes to a trunk port on the switch that allows VLANs 10, 20, 30. This is the VLAN data plane. Pods attach to this interface via macvlan.</li> </ul> <h3> Switch Ports </h3> <ul> <li>Ports connected to NIC2 on each node: <strong>trunk mode</strong>, allowing tagged traffic for VLANs 10, 20, 30</li> <li>Ports connected to NIC1 on each node: <strong>access mode</strong>, VLAN 1 (management)</li> <li>Uplink to router Gi0/0/0: <strong>trunk mode</strong> (802.1Q), carrying all VLANs</li> </ul> <h3> Router on a Stick </h3> <p>The router's <code>GigabitEthernet0/0/0</code> is a trunk. It has subinterfaces for each VLAN (<code>.10</code>, <code>.20</code>, <code>.30</code>), each one with its own IP, DHCP pool, and ACL. All inter-VLAN traffic goes through the router, where ACLs decide what passes and what gets dropped.</p> <h3> Two Networks per Pod </h3> <p>Every pod ends up with two interfaces:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Pod ├── eth0: 10.42.x.x (Flannel overlay: K8s API, DNS, Services) └── net1: 172.16.x.x (VLAN via macvlan: app data traffic) </code></pre> </div> <p>Kubernetes internal stuff (API, DNS, service discovery) goes over Flannel. Application traffic between VLANs goes through the physical network, through the router, through real ACLs.</p> <h2> 3. Step by Step </h2> <p>Starting from a completely clean cluster. No operator installed, no VLANs, no demo apps. Everything from scratch.</p> <h3> 3.1 Install the Operator </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm <span class="nb">install </span>cisco-restconf-operator ./charts/cisco-restconf-operator <span class="se">\</span> <span class="nt">--set</span> image.tag<span class="o">=</span>v0.8.1 <span class="se">\</span> <span class="nt">--set</span> router.username<span class="o">=</span>admin <span class="se">\</span> <span class="nt">--set</span> router.password<span class="o">=</span><span class="s1">'1234'</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>NAME: cisco-restconf-operator LAST DEPLOYED: Tue Feb 24 15:08:32 2026 NAMESPACE: default STATUS: deployed </code></pre> </div> <p>One command. That's it. Here's what it created:</p> <p><strong>Three CRDs</strong> registered in the Kubernetes API:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$ kubectl get crd | grep cisco ciscorouterconfigs.cisco.io 2026-02-24T18:08:32Z ciscovlans.cisco.io 2026-02-24T18:08:32Z vlanpolicies.cisco.io 2026-02-24T18:08:32Z </code></pre> </div> <p><strong>The operator pod</strong> plus a <strong>DaemonSet</strong> running on all three nodes (handles VLAN sub-interfaces and the DHCP CNI daemon):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$ kubectl get pods -n cisco-operator-system NAME READY STATUS cisco-restconf-operator-controller-manager-74bdd6c5c-x48f2 1/1 Running cisco-restconf-operator-vlan-setup-6qgdw 2/2 Running cisco-restconf-operator-vlan-setup-7dj8f 2/2 Running cisco-restconf-operator-vlan-setup-gldg4 2/2 Running </code></pre> </div> <p><strong>Two secrets</strong>: one with the router credentials, one with TLS certs for the mutating webhook:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$ kubectl get secret -n cisco-operator-system | grep -E "router|webhook" cisco-restconf-operator-webhook-tls kubernetes.io/tls 2 cisco-router-credentials Opaque 2 </code></pre> </div> <p>And here's the interesting part. The Helm chart also creates a <strong>CiscoRouterConfig</strong> object, and the operator immediately connects to the router via RESTCONF:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$ kubectl get ciscorouterconfigs -o wide NAME HOST CONNECTED MESSAGE AGE default 192.168.200.1 true Connected to LAB-ROUTER (IOS-XE 16.12) 26s </code></pre> </div> <p>Look at the status:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">status</span><span class="pi">:</span> <span class="na">connected</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">hostname</span><span class="pi">:</span> <span class="s">LAB-ROUTER</span> <span class="na">lastConnected</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2026-02-24T18:08:35Z"</span> <span class="na">message</span><span class="pi">:</span> <span class="s">Connected to LAB-ROUTER (IOS-XE 16.12)</span> <span class="na">version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">16.12"</span> </code></pre> </div> <p>The operator is alive, talking to the router, and reporting back its hostname and firmware version. It will re-validate the connection every 5 minutes.</p> <h3> 3.2 Create VLANs </h3> <p>Three VLANs for the demo:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># 00-vlans.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">cisco.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">CiscoVLAN</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">vlan-10</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">vlanId</span><span class="pi">:</span> <span class="m">10</span> <span class="na">cidr</span><span class="pi">:</span> <span class="s2">"</span><span class="s">172.16.10.0/24"</span> <span class="na">gateway</span><span class="pi">:</span> <span class="s2">"</span><span class="s">172.16.10.1"</span> <span class="na">dhcpRange</span><span class="pi">:</span> <span class="na">start</span><span class="pi">:</span> <span class="s2">"</span><span class="s">172.16.10.100"</span> <span class="na">end</span><span class="pi">:</span> <span class="s2">"</span><span class="s">172.16.10.200"</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">cisco.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">CiscoVLAN</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">vlan-20</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">vlanId</span><span class="pi">:</span> <span class="m">20</span> <span class="na">cidr</span><span class="pi">:</span> <span class="s2">"</span><span class="s">172.16.20.0/24"</span> <span class="na">gateway</span><span class="pi">:</span> <span class="s2">"</span><span class="s">172.16.20.1"</span> <span class="na">dhcpRange</span><span class="pi">:</span> <span class="na">start</span><span class="pi">:</span> <span class="s2">"</span><span class="s">172.16.20.100"</span> <span class="na">end</span><span class="pi">:</span> <span class="s2">"</span><span class="s">172.16.20.200"</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">cisco.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">CiscoVLAN</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">vlan-30</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">vlanId</span><span class="pi">:</span> <span class="m">30</span> <span class="na">cidr</span><span class="pi">:</span> <span class="s2">"</span><span class="s">172.16.30.0/24"</span> <span class="na">gateway</span><span class="pi">:</span> <span class="s2">"</span><span class="s">172.16.30.1"</span> <span class="na">dhcpRange</span><span class="pi">:</span> <span class="na">start</span><span class="pi">:</span> <span class="s2">"</span><span class="s">172.16.30.100"</span> <span class="na">end</span><span class="pi">:</span> <span class="s2">"</span><span class="s">172.16.30.200"</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl apply <span class="nt">-f</span> 00-vlans.yaml ciscovlan.cisco.io/vlan-10 created ciscovlan.cisco.io/vlan-20 created ciscovlan.cisco.io/vlan-30 created </code></pre> </div> <p>A few seconds later, all three are Active:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$ kubectl get ciscovlans -o wide NAME VLAN-ID CIDR GATEWAY STATE PODS AGE vlan-10 10 172.16.10.0/24 172.16.10.1 Active 18s vlan-20 20 172.16.20.0/24 172.16.20.1 Active 18s vlan-30 30 172.16.30.0/24 172.16.30.1 Active 18s </code></pre> </div> <p>The status on each VLAN tells you exactly what got created on the router:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">status</span><span class="pi">:</span> <span class="na">state</span><span class="pi">:</span> <span class="s">Active</span> <span class="na">routerSubinterface</span><span class="pi">:</span> <span class="s">GigabitEthernet0/0/0.10</span> <span class="na">message</span><span class="pi">:</span> <span class="s">VLAN 10 configured on GigabitEthernet0/0/0.10</span> <span class="na">lastReconciled</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2026-02-24T18:09:13Z"</span> </code></pre> </div> <p>So what actually happened on the router? I queried it via RESTCONF to confirm.</p> <p><strong>Subinterfaces created</strong>, each one with its own IP and <code>ip nat inside</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>GigabitEthernet0/0/0 (trunk, no IP) GigabitEthernet0/0/0.10 172.16.10.1/24 GigabitEthernet0/0/0.20 172.16.20.1/24 GigabitEthernet0/0/0.30 172.16.30.1/24 </code></pre> </div> <p><strong>DHCP pools</strong>, one per VLAN:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"VLAN10_POOL"</span><span class="p">,</span><span class="w"> </span><span class="nl">"network"</span><span class="p">:</span><span class="w"> </span><span class="s2">"172.16.10.0/24"</span><span class="p">,</span><span class="w"> </span><span class="nl">"default-router"</span><span class="p">:</span><span class="w"> </span><span class="s2">"172.16.10.1"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"VLAN20_POOL"</span><span class="p">,</span><span class="w"> </span><span class="nl">"network"</span><span class="p">:</span><span class="w"> </span><span class="s2">"172.16.20.0/24"</span><span class="p">,</span><span class="w"> </span><span class="nl">"default-router"</span><span class="p">:</span><span class="w"> </span><span class="s2">"172.16.20.1"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"VLAN30_POOL"</span><span class="p">,</span><span class="w"> </span><span class="nl">"network"</span><span class="p">:</span><span class="w"> </span><span class="s2">"172.16.30.0/24"</span><span class="p">,</span><span class="w"> </span><span class="nl">"default-router"</span><span class="p">:</span><span class="w"> </span><span class="s2">"172.16.30.1"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>Base ACLs</strong>. This is important. By default, each VLAN can talk to itself and to the internet, but is <strong>blocked</strong> from reaching any other VLAN:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>VLAN10_ACL: 10 permit ip 172.16.10.0 0.0.0.255 -&gt; 172.16.10.0 0.0.0.255 (intra-VLAN ok) 20 deny ip 172.16.10.0 0.0.0.255 -&gt; 172.16.20.0 0.0.0.255 (block VLAN 20) 30 deny ip 172.16.10.0 0.0.0.255 -&gt; 172.16.30.0 0.0.0.255 (block VLAN 30) 1000 permit ip any -&gt; any (internet ok) VLAN20_ACL: 10 permit ip 172.16.20.0 0.0.0.255 -&gt; 172.16.20.0 0.0.0.255 20 deny ip 172.16.20.0 0.0.0.255 -&gt; 172.16.10.0 0.0.0.255 30 deny ip 172.16.20.0 0.0.0.255 -&gt; 172.16.30.0 0.0.0.255 1000 permit ip any -&gt; any VLAN30_ACL: 10 permit ip 172.16.30.0 0.0.0.255 -&gt; 172.16.30.0 0.0.0.255 20 deny ip 172.16.30.0 0.0.0.255 -&gt; 172.16.10.0 0.0.0.255 30 deny ip 172.16.30.0 0.0.0.255 -&gt; 172.16.20.0 0.0.0.255 1000 permit ip any -&gt; any </code></pre> </div> <p>One <code>kubectl apply</code>. The router now has subinterfaces, DHCP pools, and ACLs for three VLANs. I didn't type a single command on the router CLI.</p> <h3> 3.3 Deploy Applications (Before Policy) </h3> <p>The demo uses three pods:</p> <ul> <li> <strong>postgres</strong> on VLAN 20: a PostgreSQL database</li> <li> <strong>hello-world</strong> on VLAN 10: a Flask app that tries to connect to PostgreSQL</li> <li> <strong>no-hello-world</strong> on VLAN 30: the exact same Flask app, but on a different VLAN </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># 04-apps.yaml (simplified)</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">hello-world</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">demo</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">cisco.io/vlan</span><span class="pi">:</span> <span class="s">vlan-10</span> <span class="c1"># &lt;-- This is all you need</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">hello-world</span> <span class="na">image</span><span class="pi">:</span> <span class="s">192.168.100.254:5000/hello-world:v1</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">DB_HOST</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">postgres-vlan.demo.svc.cluster.local"</span> </code></pre> </div> <p>The pod only has <code>cisco.io/vlan: vlan-10</code>. A <strong>mutating webhook</strong> intercepts pod creation and injects the Multus network annotation automatically. The app uses DNS (<code>postgres-vlan.demo.svc.cluster.local</code>) to find the database. The operator creates a headless Service that resolves to the database's DHCP-assigned VLAN IP.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl apply <span class="nt">-f</span> 04-apps.yaml namespace/demo created pod/postgres created pod/hello-world created pod/no-hello-world created </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$ kubectl get pods -n demo -o wide NAME READY STATUS IP NODE hello-world 1/1 Running 10.42.1.97 node-2 no-hello-world 1/1 Running 10.42.1.98 node-2 postgres 1/1 Running 10.42.0.93 node-1 </code></pre> </div> <p>The VLAN CRDs now show one active pod each:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$ kubectl get ciscovlans -o wide NAME VLAN-ID CIDR GATEWAY STATE PODS vlan-10 10 172.16.10.0/24 172.16.10.1 Active 1 vlan-20 20 172.16.20.0/24 172.16.20.1 Active 1 vlan-30 30 172.16.30.0/24 172.16.30.1 Active 1 </code></pre> </div> <p>I port-forwarded both Flask apps to my laptop:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl port-forward pod/hello-world <span class="nt">-n</span> demo 8080:8080 &amp; kubectl port-forward pod/no-hello-world <span class="nt">-n</span> demo 8081:8080 &amp; </code></pre> </div> <p>Open <code>http://localhost:8080</code> and <code>http://localhost:8081</code>. Both apps have a dashboard that auto-refreshes every second, showing whether the database is reachable.</p> <p><strong>Both show DB UNREACHABLE.</strong> Red badge on both.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">//</span><span class="w"> </span><span class="err">hello-world</span><span class="w"> </span><span class="err">(VLAN</span><span class="w"> </span><span class="mi">10</span><span class="err">)</span><span class="w"> </span><span class="err">at</span><span class="w"> </span><span class="err">http://localhost:</span><span class="mi">8080</span><span class="err">/api/status</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"db_reachable"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="nl">"db_error"</span><span class="p">:</span><span class="w"> </span><span class="s2">"connection failed: No route to host"</span><span class="p">,</span><span class="w"> </span><span class="nl">"net1_ip"</span><span class="p">:</span><span class="w"> </span><span class="s2">"172.16.10.2"</span><span class="p">,</span><span class="w"> </span><span class="nl">"pod"</span><span class="p">:</span><span class="w"> </span><span class="s2">"hello-world"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">no-hello-world</span><span class="w"> </span><span class="err">(VLAN</span><span class="w"> </span><span class="mi">30</span><span class="err">)</span><span class="w"> </span><span class="err">at</span><span class="w"> </span><span class="err">http://localhost:</span><span class="mi">8081</span><span class="err">/api/status</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"db_reachable"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="nl">"db_error"</span><span class="p">:</span><span class="w"> </span><span class="s2">"connection failed: No route to host"</span><span class="p">,</span><span class="w"> </span><span class="nl">"net1_ip"</span><span class="p">:</span><span class="w"> </span><span class="s2">"172.16.30.2"</span><span class="p">,</span><span class="w"> </span><span class="nl">"pod"</span><span class="p">:</span><span class="w"> </span><span class="s2">"no-hello-world"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>That's the base ACL doing its job. VLANs 10 and 30 both have <code>deny</code> rules blocking traffic to VLAN 20 where PostgreSQL lives. The segmentation is real, enforced on the router hardware, not in software.</p> <h3> 3.4 Apply a VLANPolicy </h3> <p>Now let's selectively open access. We want hello-world (VLAN 10) to reach PostgreSQL (VLAN 20) on TCP 5432, but keep no-hello-world (VLAN 30) blocked.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># 01-policy.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">cisco.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">VLANPolicy</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">app-to-db</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">source</span><span class="pi">:</span> <span class="s">vlan-10</span> <span class="na">destination</span><span class="pi">:</span> <span class="s">vlan-20</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">tcp</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">5432</span><span class="pi">]</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl apply <span class="nt">-f</span> 01-policy.yaml vlanpolicy.cisco.io/app-to-db created </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$ kubectl get vlanpolicies -o wide NAME SOURCE DESTINATION STATE ACL-ENTRIES AGE app-to-db vlan-10 vlan-20 Applied 10 9s </code></pre> </div> <p>The operator updated both ACLs on the router:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">status</span><span class="pi">:</span> <span class="na">state</span><span class="pi">:</span> <span class="s">Applied</span> <span class="na">aclEntries</span><span class="pi">:</span> <span class="m">10</span> <span class="na">message</span><span class="pi">:</span> <span class="s2">"</span><span class="s">ACL</span><span class="nv"> </span><span class="s">rules</span><span class="nv"> </span><span class="s">applied:</span><span class="nv"> </span><span class="s">VLAN10_ACL</span><span class="nv"> </span><span class="s">(5</span><span class="nv"> </span><span class="s">entries),</span><span class="nv"> </span><span class="s">VLAN20_ACL</span><span class="nv"> </span><span class="s">(5</span><span class="nv"> </span><span class="s">entries)"</span> </code></pre> </div> <p>Here's what the ACLs look like now on the router. The operator inserted <code>permit</code> rules <strong>before</strong> the existing <code>deny</code> rules:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>VLAN10_ACL (after policy): 10 permit tcp 172.16.10.0 -&gt; 172.16.20.0 eq 5432 &lt;&lt; NEW: allow TCP 5432 20 permit ip 172.16.10.0 -&gt; 172.16.10.0 (intra-VLAN) 30 deny ip 172.16.10.0 -&gt; 172.16.20.0 (block everything else to VLAN 20) 40 deny ip 172.16.10.0 -&gt; 172.16.30.0 (block VLAN 30) 1000 permit ip any -&gt; any (internet) VLAN20_ACL (after policy): 10 permit tcp 172.16.20.0 -&gt; 172.16.10.0 established &lt;&lt; NEW: return traffic only 20 permit ip 172.16.20.0 -&gt; 172.16.20.0 30 deny ip 172.16.20.0 -&gt; 172.16.10.0 40 deny ip 172.16.20.0 -&gt; 172.16.30.0 1000 permit ip any -&gt; any </code></pre> </div> <p>Two things to notice:</p> <ol> <li> <strong>VLAN10_ACL</strong> now has a <code>permit tcp ... eq 5432</code> at sequence 10, before the deny. VLAN 10 can initiate TCP connections to VLAN 20 on the PostgreSQL port.</li> <li> <strong>VLAN20_ACL</strong> has an <code>established</code> rule. This allows return traffic from connections that VLAN 10 started, but VLAN 20 cannot initiate new connections to VLAN 10.</li> </ol> <p><strong>VLAN30_ACL didn't change at all.</strong> No policy mentions VLAN 30, so it stays fully blocked.</p> <h3> 3.5 The Result </h3> <p>Back to the browsers. The dashboards refresh every second.</p> <p><strong>hello-world (VLAN 10) at <code>http://localhost:8080</code></strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"db_reachable"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"db_host"</span><span class="p">:</span><span class="w"> </span><span class="s2">"postgres-vlan.demo.svc.cluster.local"</span><span class="p">,</span><span class="w"> </span><span class="nl">"latency_ms"</span><span class="p">:</span><span class="w"> </span><span class="mf">7.2</span><span class="p">,</span><span class="w"> </span><span class="nl">"net1_ip"</span><span class="p">:</span><span class="w"> </span><span class="s2">"172.16.10.2"</span><span class="p">,</span><span class="w"> </span><span class="nl">"pod"</span><span class="p">:</span><span class="w"> </span><span class="s2">"hello-world"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Green badge. <strong>DB REACHABLE</strong>, 7.2ms. It can also write and read data:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">//</span><span class="w"> </span><span class="err">GET</span><span class="w"> </span><span class="err">http://localhost:</span><span class="mi">8080</span><span class="err">/db</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"status"</span><span class="p">:</span><span class="w"> </span><span class="s2">"SUCCESS"</span><span class="p">,</span><span class="w"> </span><span class="nl">"inserted"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="nl">"created_at"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2026-02-24T18:14:04.158103"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"recent_messages"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"content"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Hello from 172.16.10.2 at 18:14:04"</span><span class="p">,</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>no-hello-world (VLAN 30) at <code>http://localhost:8081</code></strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"db_reachable"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="nl">"db_error"</span><span class="p">:</span><span class="w"> </span><span class="s2">"connection failed: timeout expired"</span><span class="p">,</span><span class="w"> </span><span class="nl">"net1_ip"</span><span class="p">:</span><span class="w"> </span><span class="s2">"172.16.30.2"</span><span class="p">,</span><span class="w"> </span><span class="nl">"pod"</span><span class="p">:</span><span class="w"> </span><span class="s2">"no-hello-world"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Red badge. <strong>DB UNREACHABLE.</strong> Same Docker image. Same code. Same DB_HOST env var. The only difference is one line in the YAML: <code>cisco.io/vlan: vlan-30</code> instead of <code>vlan-10</code>. The router drops the traffic.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">//</span><span class="w"> </span><span class="err">GET</span><span class="w"> </span><span class="err">http://localhost:</span><span class="mi">8081</span><span class="err">/db</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"status"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ERROR"</span><span class="p">,</span><span class="w"> </span><span class="nl">"error"</span><span class="p">:</span><span class="w"> </span><span class="s2">"connection failed: No route to host"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> 4. What's Next </h2> <p>The full source code is on <strong>GitHub</strong>: <a href="https://github.com/csepulveda/cisco-kubernetes" rel="noopener noreferrer">github.com/csepulveda/cisco-kubernetes</a></p> <p>Let me repeat what I said at the beginning: this is not production software. The code is tied to a specific router model (Cisco 4331), a specific IOS-XE version (16.12), and a specific physical setup. If you actually need network segmentation in Kubernetes, go with <strong>Cilium</strong> or <strong>Calico</strong>. If you're in the Cisco ecosystem and have the budget, <strong>ACI with Nexus</strong> is what it's designed for. Those are real, tested, supported solutions.</p> <p>This project is something else. It's a lab experiment. A proof of concept. And the thing it proves is this: <strong>Kubernetes operators can manage anything that has an API</strong>.</p> <p>The operator pattern is a control loop. It watches for desired state (your CRDs) and makes actual state match. Most operators manage stuff inside the cluster: databases, message queues, certificates. But nothing says it has to stay inside. The reconciliation loop doesn't care whether it's creating a Pod or configuring a physical router 3 meters away.</p> <p>In this case it's a Cisco router. But it could be a firewall, a load balancer, a DNS provider, a cloud networking service, some legacy system with SOAP endpoints. If it has an API and it has state, you can write an operator for it.</p> <p>That's what I find exciting about this. I wired a mid-range Cisco 4331 (not a Nexus 9000, not an ACI fabric, just a regular router) into a Kubernetes control plane using nothing but RESTCONF and Go. No vendor SDK, no proprietary integration, no expensive hardware. Just the operator pattern doing what it does best: turning YAML into reality.</p> <p><em>Built with Go, Kubebuilder, K3s, and a lot of patience debugging YANG models at 2am.</em></p> cisco kubernetes automation networking From Zero to EKS and Hybrid-Nodes —Part 3: Setting up the NLB, Ingress, and Services on a Hybrid EKS Infrastructure César Sepúlveda Barra Mon, 21 Apr 2025 03:41:08 +0000 https://dev.to/csepulvedab/from-zero-to-eks-and-hybrid-nodes-part-3-setting-up-the-nlb-ingress-and-services-on-a-hybrid-2opl https://dev.to/csepulvedab/from-zero-to-eks-and-hybrid-nodes-part-3-setting-up-the-nlb-ingress-and-services-on-a-hybrid-2opl <h2> Introduction: </h2> <p>In the <a href="https://dev.to/csepulvedab/from-zero-to-eks-and-hybrid-nodes-part-2-the-eks-and-hybrid-nodes-configuration-300n">previous part</a>, we set up the EKS cluster and deployed the first hybrid nodes. At that point, the network topology looked like this:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb2f2plnfa2y81tvwosfl.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb2f2plnfa2y81tvwosfl.png" alt="diagram - 1" width="700" height="422"></a></p> <p>Now, in this third part, we’re going to set up the <strong>Network Load Balancer (NLB)</strong>, configure <strong>Ingress</strong>, and deploy services to expose our application running on this hybrid infrastructure. We’ll also observe and analyze the behavior of a Kubernetes Deployment in this mixed node environment.</p> <h2> Network Topology Changes: </h2> <p>To enable communication between pods running on AWS-managed nodes and those on hybrid nodes, <strong>we need to configure specific routing rules on our VPN gateway/router.</strong></p> <p>In a production environment, you could enable <strong>BGP in Cilium</strong> (if your network supports it), but since this is a lab setup, we’ll handle routing manually via static routes on the gateway.</p> <h2> Disabling kube-proxy on Hybrid Nodes: </h2> <p>Since we’re replacing kube-proxy functionality with Cilium, we’ll prevent kube-proxy from running on hybrid nodes using the following patch:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl patch daemonset kube-proxy <span class="se">\</span> <span class="nt">-n</span> kube-system <span class="se">\</span> <span class="nt">--type</span><span class="o">=</span><span class="s1">'json'</span> <span class="se">\</span> <span class="nt">-p</span><span class="o">=</span><span class="s1">'[ { "op": "add", "path": "/spec/template/spec/affinity/nodeAffinity/requiredDuringSchedulingIgnoredDuringExecution/nodeSelectorTerms/0/matchExpressions/2/values/-", "value": "hybrid" } ]'</span> </code></pre> </div> <h2> Get EKS API Server Endpoint: </h2> <p>This will be needed in the next step:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws eks describe-cluster <span class="nt">--name</span> my-eks-cluster <span class="nt">--query</span> <span class="s2">"cluster.endpoint"</span> </code></pre> </div> <h2> Updating the Cilium Configuration: </h2> <p>Next, we’ll update our cilium-values.yaml file to:</p> <ul> <li>Enable kubeProxyReplacement.</li> <li>Enable Layer 2 (L2) announcements.</li> <li>Define the /25 subnets to be used for pod IPs.</li> <li>Set the Kubernetes API server endpoint and port. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">affinity</span><span class="pi">:</span> <span class="na">nodeAffinity</span><span class="pi">:</span> <span class="na">requiredDuringSchedulingIgnoredDuringExecution</span><span class="pi">:</span> <span class="na">nodeSelectorTerms</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">matchExpressions</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">key</span><span class="pi">:</span> <span class="s">eks.amazonaws.com/compute-type</span> <span class="na">operator</span><span class="pi">:</span> <span class="s">In</span> <span class="na">values</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">hybrid</span> <span class="na">ipam</span><span class="pi">:</span> <span class="na">mode</span><span class="pi">:</span> <span class="s">cluster-pool</span> <span class="na">operator</span><span class="pi">:</span> <span class="na">clusterPoolIPv4MaskSize</span><span class="pi">:</span> <span class="m">25</span> <span class="na">clusterPoolIPv4PodCIDRList</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">192.168.101.0/25</span> <span class="pi">-</span> <span class="s">192.168.101.128/25</span> <span class="na">operator</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">1</span> <span class="na">affinity</span><span class="pi">:</span> <span class="na">nodeAffinity</span><span class="pi">:</span> <span class="na">requiredDuringSchedulingIgnoredDuringExecution</span><span class="pi">:</span> <span class="na">nodeSelectorTerms</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">matchExpressions</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">key</span><span class="pi">:</span> <span class="s">eks.amazonaws.com/compute-type</span> <span class="na">operator</span><span class="pi">:</span> <span class="s">In</span> <span class="na">values</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">hybrid</span> <span class="na">unmanagedPodWatcher</span><span class="pi">:</span> <span class="na">restart</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">envoy</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">kubeProxyReplacement</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">l2announcements</span><span class="pi">:</span> <span class="na">leaseDuration</span><span class="pi">:</span> <span class="s">2s</span> <span class="na">leaseRenewDeadline</span><span class="pi">:</span> <span class="s">1s</span> <span class="na">leaseRetryPeriod</span><span class="pi">:</span> <span class="s">200ms</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">externalIPs</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">k8sClientRateLimit</span><span class="pi">:</span> <span class="na">qps</span><span class="pi">:</span> <span class="m">100</span> <span class="na">burst</span><span class="pi">:</span> <span class="m">150</span> <span class="na">k8sServiceHost</span><span class="pi">:</span> <span class="s">&lt;CLUSTER_HOST&gt;</span> <span class="na">k8sServicePort</span><span class="pi">:</span> <span class="m">443</span> </code></pre> </div> <p>Apply the changes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>commands/02-cilium-updates helm upgrade <span class="nt">-i</span> cilium cilium/cilium <span class="nt">-n</span> kube-system <span class="nt">-f</span> cilium-values.yaml </code></pre> </div> <h2> Verifying Cilium Agents: </h2> <p>You should now see cilium-agent pods running on the hybrid nodes, and no kube-proxy pods there:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl <span class="nt">-n</span> kube-system get pods <span class="nt">-o</span> wide NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES aws-node-k8qw5 2/2 Running 0 31m 10.0.21.61 ip-10-0-21-61.ec2.internal &lt;none&gt; &lt;none&gt; cilium-lxphl 1/1 Running 0 48s 192.168.100.102 mi-00a55e151790a4c81 &lt;none&gt; &lt;none&gt; cilium-operator-7658767979-f57v5 1/1 Running 0 52s 192.168.100.101 mi-014887c08038cb6c2 &lt;none&gt; &lt;none&gt; cilium-znwdm 1/1 Running 0 49s 192.168.100.101 mi-014887c08038cb6c2 &lt;none&gt; &lt;none&gt; coredns-6b9575c64c-fxzv9 1/1 Running 0 35m 10.0.25.252 ip-10-0-21-61.ec2.internal &lt;none&gt; &lt;none&gt; eks-pod-identity-agent-k559t 1/1 Running 0 31m 10.0.21.61 ip-10-0-21-61.ec2.internal &lt;none&gt; &lt;none&gt; kube-proxy-6j74v 1/1 Running 0 15m 10.0.21.61 ip-10-0-21-61.ec2.internal &lt;none&gt; &lt;none&gt; </code></pre> </div> <h2> Static Routing: </h2> <p>Now it’s time to configure static routes on the VPN router. First, check which hybrid node is responsible for each /25 subnet:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get ciliumnodes NAME CILIUMINTERNALIP INTERNALIP AGE mi-00a55e151790a4c81 192.168.101.51 192.168.100.102 8m14s mi-014887c08038cb6c2 192.168.101.192 192.168.100.101 8m14s </code></pre> </div> <p>Set the routes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ip route add 192.168.101.0/25 via 192.168.100.102 ip route add 192.168.101.128/25 via 192.168.100.101 </code></pre> </div> <p>Now out network will look like this:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvb7gnmzn463otwg813hy.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvb7gnmzn463otwg813hy.png" alt="diagram - 2 static routing" width="720" height="500"></a></p> <h2> Installing the Load Balancer Controller: </h2> <p>Add the following Terraform file to your project to install the AWS Load Balancer Controller via Helm, and create the required IAM role:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"helm_release"</span> <span class="s2">"aws-load-balancer-controller"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"aws-load-balancer-controller"</span> <span class="nx">chart</span> <span class="p">=</span> <span class="s2">"aws-load-balancer-controller"</span> <span class="nx">repository</span> <span class="p">=</span> <span class="s2">"https://aws.github.io/eks-charts"</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="s2">"kube-system"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"1.12.0"</span> <span class="nx">set</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"serviceAccount.create"</span> <span class="nx">value</span> <span class="p">=</span> <span class="s2">"true"</span> <span class="p">}</span> <span class="nx">set</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"serviceAccount.name"</span> <span class="nx">value</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">eks_loadbalancer_iam</span><span class="p">.</span><span class="nx">iam_role_name</span> <span class="p">}</span> <span class="nx">set</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"serviceAccount.annotations.eks</span><span class="se">\\</span><span class="s2">.amazonaws</span><span class="se">\\</span><span class="s2">.com/role-arn"</span> <span class="nx">value</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">eks_loadbalancer_iam</span><span class="p">.</span><span class="nx">iam_role_arn</span> <span class="p">}</span> <span class="nx">set</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"clusterName"</span> <span class="nx">value</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="p">}</span> <span class="nx">set</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"replicaCount"</span> <span class="nx">value</span> <span class="p">=</span> <span class="s2">"1"</span> <span class="p">}</span> <span class="nx">set</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"vpcId"</span> <span class="nx">value</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">terraform_remote_state</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="p">}</span> <span class="c1"># Optional affinity rule</span> <span class="nx">set</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].key"</span> <span class="nx">value</span> <span class="p">=</span> <span class="s2">"eks.amazonaws.com/capacityType"</span> <span class="p">}</span> <span class="nx">set</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].operator"</span> <span class="nx">value</span> <span class="p">=</span> <span class="s2">"Exists"</span> <span class="p">}</span> <span class="p">}</span> <span class="k">module</span> <span class="s2">"eks_loadbalancer_iam"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"5.54.0"</span> <span class="nx">role_name</span> <span class="p">=</span> <span class="s2">"load-balancer-controller"</span> <span class="nx">attach_load_balancer_controller_policy</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">oidc_providers</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">ex</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">provider_arn</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">oidc_provider_arn</span> <span class="nx">namespace_service_accounts</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"kube-system:load-balancer-controller"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Deploy it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd</span> ../../EKS-HYBRID <span class="nb">cp</span> ../load-balancer/load-balancer.tf <span class="nb">.</span> tofu init tofu apply </code></pre> </div> <p>Verify the changes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get deployment/aws-load-balancer-controller <span class="nt">-n</span> kube-system NAME READY UP-TO-DATE AVAILABLE AGE aws-load-balancer-controller 1/1 1 1 5m </code></pre> </div> <h2> Deploying the Demo App: </h2> <p>Now let’s deploy a simple app with 6 replicas to observe pod distribution across AWS and hybrid nodes.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Namespace</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">whoami</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">whoami</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">whoami</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">6</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">whoami</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">whoami</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">topologySpreadConstraints</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">maxSkew</span><span class="pi">:</span> <span class="m">1</span> <span class="na">topologyKey</span><span class="pi">:</span> <span class="s">kubernetes.io/hostname</span> <span class="na">whenUnsatisfiable</span><span class="pi">:</span> <span class="s">ScheduleAnyway</span> <span class="na">labelSelector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">whoami</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">image</span><span class="pi">:</span> <span class="s">containous/whoami</span> <span class="na">imagePullPolicy</span><span class="pi">:</span> <span class="s">Always</span> <span class="na">name</span><span class="pi">:</span> <span class="s">whoami</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">whoami</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">whoami</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">service.beta.kubernetes.io/aws-load-balancer-type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">external"</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">ClusterIP</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">http</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">80</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">whoami</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Ingress</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">whoami</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">whoami</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">alb.ingress.kubernetes.io/scheme</span><span class="pi">:</span> <span class="s">internet-facing</span> <span class="na">alb.ingress.kubernetes.io/listen-ports</span><span class="pi">:</span> <span class="s1">'</span><span class="s">[{"HTTP":</span><span class="nv"> </span><span class="s">80}]'</span> <span class="na">alb.ingress.kubernetes.io/target-type</span><span class="pi">:</span> <span class="s">ip</span> <span class="na">alb.ingress.kubernetes.io/load-balancer-type</span><span class="pi">:</span> <span class="s">nlb</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">ingressClassName</span><span class="pi">:</span> <span class="s">alb</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">http</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/</span> <span class="na">pathType</span><span class="pi">:</span> <span class="s">Prefix</span> <span class="na">backend</span><span class="pi">:</span> <span class="na">service</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">whoami</span> <span class="na">port</span><span class="pi">:</span> <span class="na">number</span><span class="pi">:</span> <span class="m">80</span> </code></pre> </div> <p>Apply it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd</span> ../commands/03-create-service kubectl apply <span class="nt">-f</span> service.yaml </code></pre> </div> <p>Check pod distribution:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get pods <span class="nt">-n</span> <span class="nb">whoami</span> <span class="nt">-o</span> wide NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES whoami-7cb8f48c8-bhrvw 1/1 Running 0 2m6s 192.168.101.187 mi-014887c08038cb6c2 &lt;none&gt; &lt;none&gt; whoami-7cb8f48c8-gd48g 1/1 Running 0 6s 10.0.21.186 ip-10-0-21-61.ec2.internal &lt;none&gt; &lt;none&gt; whoami-7cb8f48c8-hhs49 1/1 Running 0 2m9s 192.168.101.212 mi-014887c08038cb6c2 &lt;none&gt; &lt;none&gt; whoami-7cb8f48c8-n64gh 1/1 Running 0 2m9s 192.168.101.108 mi-00a55e151790a4c81 &lt;none&gt; &lt;none&gt; whoami-7cb8f48c8-q8bhj 1/1 Running 0 2m9s 192.168.101.56 mi-00a55e151790a4c81 &lt;none&gt; &lt;none&gt; whoami-7cb8f48c8-rr7kp 1/1 Running 0 9s 10.0.27.231 ip-10-0-21-61.ec2.internal &lt;none&gt; &lt;none&gt; </code></pre> </div> <h2> Test Round-Robin Behavior: </h2> <p>Get the Ingress address:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get ingress <span class="nt">-n</span> <span class="nb">whoami </span>NAME CLASS HOSTS ADDRESS PORTS AGE <span class="nb">whoami </span>alb <span class="k">*</span> k8s-whoami-whoami-xxxx-yyyy.us-east-1.elb.amazonaws.com 80 36s </code></pre> </div> <p>Then run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="k">for </span>i <span class="k">in</span> <span class="si">$(</span><span class="nb">seq </span>1 10<span class="si">)</span><span class="p">;</span> <span class="k">do </span>curl <span class="nt">-s</span> http://&lt;your-lb-dns&gt;/api | jq .ip <span class="p">;</span> <span class="k">done</span> <span class="o">[</span> <span class="s2">"127.0.0.1"</span>, <span class="s2">"::1"</span>, <span class="s2">"192.168.101.212"</span>, <span class="s2">"fe80::b405:92ff:fe92:72f4"</span> <span class="o">]</span> <span class="o">[</span> <span class="s2">"127.0.0.1"</span>, <span class="s2">"::1"</span>, <span class="s2">"192.168.101.212"</span>, <span class="s2">"fe80::b405:92ff:fe92:72f4"</span> <span class="o">]</span> <span class="o">[</span> <span class="s2">"127.0.0.1"</span>, <span class="s2">"::1"</span>, <span class="s2">"10.0.21.186"</span>, <span class="s2">"fe80::6c8f:6aff:fe38:5e55"</span> <span class="o">]</span> <span class="o">[</span> <span class="s2">"127.0.0.1"</span>, <span class="s2">"::1"</span>, <span class="s2">"10.0.27.231"</span>, <span class="s2">"fe80::a8a6:26ff:feed:d649"</span> <span class="o">]</span> <span class="o">[</span> <span class="s2">"127.0.0.1"</span>, <span class="s2">"::1"</span>, <span class="s2">"192.168.101.108"</span>, <span class="s2">"fe80::28bc:50ff:fe48:d3d9"</span> <span class="o">]</span> <span class="o">[</span> <span class="s2">"127.0.0.1"</span>, <span class="s2">"::1"</span>, <span class="s2">"192.168.101.56"</span>, <span class="s2">"fe80::7869:ccff:fee5:b61b"</span> <span class="o">]</span> <span class="o">[</span> <span class="s2">"127.0.0.1"</span>, <span class="s2">"::1"</span>, <span class="s2">"192.168.101.187"</span>, <span class="s2">"fe80::14f6:88ff:fe17:f9ae"</span> <span class="o">]</span> <span class="o">[</span> <span class="s2">"127.0.0.1"</span>, <span class="s2">"::1"</span>, <span class="s2">"192.168.101.212"</span>, <span class="s2">"fe80::b405:92ff:fe92:72f4"</span> <span class="o">]</span> <span class="o">[</span> <span class="s2">"127.0.0.1"</span>, <span class="s2">"::1"</span>, <span class="s2">"10.0.21.186"</span>, <span class="s2">"fe80::6c8f:6aff:fe38:5e55"</span> <span class="o">]</span> <span class="o">[</span> <span class="s2">"127.0.0.1"</span>, <span class="s2">"::1"</span>, <span class="s2">"10.0.27.231"</span>, <span class="s2">"fe80::a8a6:26ff:feed:d649"</span> <span class="o">]</span> </code></pre> </div> <p>You should see requests being served by both AWS and hybrid nodes.</p> <h2> Pricing Overview: </h2> <p>Hybrid nodes do not incur EC2 costs, but you’ll still pay:</p> <ul> <li>EKS control plane fees</li> <li>Data transfer</li> <li><strong>Hybrid node usage based on vCPU-hours</strong></li> </ul> <p>Example:</p> <blockquote> <p>A 32 vCPU hybrid node = 32 × 24 × 30 = 23,040 vCPU-hours/month<br> At $0.02 per vCPU-hour, that’s <strong>~$460.80/month</strong><br> The cheapest AWS instance with 32 vCPU and GPU (e.g. g5g.xlarge) costs <strong>~$987/month</strong> — <strong>nearly 2x more expensive</strong></p> </blockquote> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F803vajnyf0gp1mjbgj7r.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F803vajnyf0gp1mjbgj7r.png" alt="pricing" width="720" height="199"></a></p> <h2> Conclusion: </h2> <p>As you can see, it’s entirely possible to run a hybrid EKS environment combining AWS-managed and on-prem nodes. While this is not a common setup, it’s a powerful tool for organizations with existing infrastructure or specific compliance requirements.</p> <p>This lab setup uses static routing, eks_managed_node_groups, and minimal redundancy. In a production scenario, you’d likely adopt:</p> <ul> <li><strong>VPC CNI custom networking</strong></li> <li> <strong>Karpenter</strong> for dynamic scaling</li> <li> <strong>BGP routing</strong> for flexibility</li> <li><strong>A real VPN appliance</strong></li> </ul> <p>But as a proof of concept, it offers a strong foundation and a practical look into what’s required to implement EKS hybrid clusters successfully.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnvlvmah5olil61pj50qk.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnvlvmah5olil61pj50qk.png" alt="final - infra" width="720" height="500"></a></p> <p>All the files used by this lab, could be found <a href="https://github.com/csepulveda/modular-aws-resources" rel="noopener noreferrer">here</a></p> aws eks kubernetes Tools I Use Daily as a DevOps Engineer César Sepúlveda Barra Fri, 11 Apr 2025 17:14:40 +0000 https://dev.to/csepulvedab/tools-i-use-daily-as-a-devops-engineer-123d https://dev.to/csepulvedab/tools-i-use-daily-as-a-devops-engineer-123d <p>This is a post I plan to update frequently. Here’s the initial list of top tools I use in my day-to-day work — whether I'm managing Kubernetes clusters, working with AWS, or just trying to stay efficient.</p> <h2> 🔧 1. K9s </h2> <p><a href="https://k9scli.io/" rel="noopener noreferrer">K9s</a> is a must-have for Kubernetes administrators. It's lightweight, fast, and lets you:</p> <ul> <li>Check and explore Kubernetes resources</li> <li>Create port-forwardings</li> <li>Modify, delete, or view logs from pods</li> <li>And much more</li> </ul> <p><strong>Install</strong>: <code>brew install k9s</code><br><br> <strong>Demo</strong>: <a href="https://www.youtube.com/watch?v=AMUQzyPvO04" rel="noopener noreferrer">YouTube – K9s in Action</a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flceforhoyl5ifzb3zs3v.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flceforhoyl5ifzb3zs3v.png" alt="k9s in action" width="800" height="419"></a></p> <h2> 🧭 2. kubectx &amp; kubens </h2> <p><a href="https://github.com/ahmetb/kubectx" rel="noopener noreferrer">kubectx</a> and <code>kubens</code> are simple tools to manage multiple Kubernetes contexts and namespaces efficiently.</p> <p><strong>Install</strong>: <code>brew install kubectx</code><br><br> <strong>Docs</strong>: <a href="https://github.com/ahmetb/kubectx" rel="noopener noreferrer">GitHub – kubectx</a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftdx93lcvbhln4xlafnmh.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftdx93lcvbhln4xlafnmh.png" alt="Kubens in action" width="648" height="277"></a></p> <h2> 💣 3. aws-nuke </h2> <p><a href="https://github.com/ekristen/aws-nuke" rel="noopener noreferrer"><code>aws-nuke</code></a> helps you clean up AWS environments easily after testing or PoCs. Just define which IAM resources to keep — and nuke everything else.</p> <p><strong>Install</strong>: <code>brew install aws-nuke</code><br><br> <strong>Docs</strong>: <a href="https://github.com/ekristen/aws-nuke" rel="noopener noreferrer">GitHub – aws-nuke</a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr5wdj95nzwhkz4gk1s3n.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr5wdj95nzwhkz4gk1s3n.png" alt="aws-nuke in acction" width="800" height="604"></a></p> <h2> 💸 4. eks-node-viewer </h2> <p>A tool I use almost daily to check how many EKS nodes I'm running and estimate my spending.</p> <p><strong>Install</strong>:</p> <p><code>brew tap aws/tap &amp;&amp; brew install eks-node-viewer</code><br> <strong>Docs</strong>: <a href="https://github.com/awslabs/eks-node-viewer" rel="noopener noreferrer">GitHub – eks-node-viewer</a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fc69nz2tgucsmgtru0329.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fc69nz2tgucsmgtru0329.png" alt="eks-node-viewer in action" width="800" height="178"></a></p> <p>If you found this list helpful, let me know! I’ll keep this post updated with new tools as I incorporate them into my workflow.</p> <p>Stay tuned — more tools coming soon!</p> From Zero to EKS and Hybrid-Nodes — Part 2: The EKS and Hybrid Nodes configuration. César Sepúlveda Barra Fri, 11 Apr 2025 13:33:25 +0000 https://dev.to/csepulvedab/from-zero-to-eks-and-hybrid-nodes-part-2-the-eks-and-hybrid-nodes-configuration-300n https://dev.to/csepulvedab/from-zero-to-eks-and-hybrid-nodes-part-2-the-eks-and-hybrid-nodes-configuration-300n <h2> <strong>Introduction:</strong> </h2> <p>In the <a href="https://medium.com/@csepulvedab/from-zero-to-eks-and-hybrid-nodes-part-1-the-vpc-and-vpn-configuration-af31c69b0d1f" rel="noopener noreferrer">previous part</a>, we set up the VPC and the VPN Site-to-Site connection to prepare for our EKS cluster and hybrid nodes. The network diagram at that stage looked like this:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frfs7vwsa4mfqnlqi4kxt.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frfs7vwsa4mfqnlqi4kxt.png" alt="initial infra" width="800" height="490"></a></p> <p>In this second part, we’ll configure the EKS cluster using <strong>OpenTofu</strong>, including <strong>SSM Activation</strong>, and manually set up two <strong>Hybrid nodes</strong> using nodeadm.</p> <h2> <strong>Setup the EKS cluster</strong> </h2> <p>Cluster creation is straightforward. We’ll use the state file from the VPC creation to retrieve outputs, and we’ll create the cluster using the <a href="https://github.com/terraform-aws-modules/terraform-aws-eks" rel="noopener noreferrer">terraform-aws-modules/eks/aws</a> module.</p> <p>Full code is available here: <a href="https://github.com/csepulveda/modular-aws-resources/tree/main/EKS-HYBRID" rel="noopener noreferrer">https://github.com/csepulveda/modular-aws-resources/tree/main/EKS-HYBRID</a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1">################################################################################</span> <span class="c1"># EKS Module</span> <span class="c1">################################################################################</span> <span class="k">module</span> <span class="s2">"eks"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"terraform-aws-modules/eks/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"20.35.0"</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">name</span> <span class="nx">cluster_version</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">eks_version</span> <span class="nx">enable_cluster_creator_admin_permissions</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">cluster_endpoint_public_access</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">cluster_addons</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">coredns</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">configuration_values</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">replicaCount</span> <span class="p">=</span> <span class="mi">1</span> <span class="p">})</span> <span class="p">}</span> <span class="nx">eks-pod-identity-agent</span> <span class="p">=</span> <span class="p">{}</span> <span class="nx">kube-proxy</span> <span class="p">=</span> <span class="p">{}</span> <span class="nx">vpc-cni</span> <span class="p">=</span> <span class="p">{}</span> <span class="p">}</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">terraform_remote_state</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">terraform_remote_state</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">private_subnets</span> <span class="nx">control_plane_subnet_ids</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">terraform_remote_state</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">control_plane_subnet_ids</span> <span class="nx">eks_managed_node_groups</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">eks-base</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">ami_type</span> <span class="p">=</span> <span class="s2">"AL2023_x86_64_STANDARD"</span> <span class="nx">instance_types</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"t3.small"</span><span class="p">,</span> <span class="s2">"t3a.small"</span><span class="p">]</span> <span class="nx">min_size</span> <span class="p">=</span> <span class="mi">1</span> <span class="nx">max_size</span> <span class="p">=</span> <span class="mi">1</span> <span class="nx">desired_size</span> <span class="p">=</span> <span class="mi">1</span> <span class="nx">capacity_type</span> <span class="p">=</span> <span class="s2">"SPOT"</span> <span class="nx">network_interfaces</span> <span class="p">=</span> <span class="p">[{</span> <span class="nx">delete_on_termination</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}]</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">node_security_group_additional_rules</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">allow-all-80-traffic-from-loadbalancers</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="nx">for</span> <span class="nx">s</span> <span class="nx">in</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">elb_subnets</span> <span class="err">:</span> <span class="nx">s</span><span class="p">.</span><span class="nx">cidr_block</span><span class="p">]</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Allow all traffic from load balancers"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"TCP"</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"ingress"</span> <span class="p">}</span> <span class="nx">hybrid-all</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"192.168.100.0/23"</span><span class="p">]</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Allow all traffic from remote node/pod network"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"all"</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"ingress"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">cluster_security_group_additional_rules</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">hybrid-all</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"192.168.100.0/23"</span><span class="p">]</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Allow all traffic from remote node/pod network"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"all"</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"ingress"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">cluster_remote_network_config</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">remote_node_networks</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cidrs</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"192.168.100.0/24"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">remote_pod_networks</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cidrs</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"192.168.101.0/24"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">access_entries</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">hybrid-node-role</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">principal_arn</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">eks_hybrid_node_role</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"HYBRID_LINUX"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">node_security_group_tags</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span><span class="kd">local</span><span class="p">.</span><span class="nx">tags</span><span class="p">,</span> <span class="p">{</span> <span class="s2">"karpenter.sh/discovery"</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">name</span> <span class="p">})</span> <span class="nx">tags</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">tags</span> <span class="p">}</span> <span class="c1">################################################################################</span> <span class="c1"># Hybrid nodes Support</span> <span class="c1">################################################################################</span> <span class="k">module</span> <span class="s2">"eks_hybrid_node_role"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"terraform-aws-modules/eks/aws//modules/hybrid-node-role"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"20.35.0"</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"hybrid"</span> <span class="nx">tags</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">tags</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_ssm_activation"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"hybrid-node"</span> <span class="nx">iam_role</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">eks_hybrid_node_role</span><span class="p">.</span><span class="nx">name</span> <span class="nx">registration_limit</span> <span class="p">=</span> <span class="mi">10</span> <span class="nx">tags</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">tags</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"local_file"</span> <span class="s2">"nodeConfig"</span> <span class="p">{</span> <span class="nx">content</span> <span class="p">=</span> <span class="o">&lt;&lt;-</span><span class="no">EOT</span><span class="sh"> apiVersion: node.eks.aws/v1alpha1 kind: NodeConfig spec: cluster: name: ${module.eks.cluster_name} region: ${local.region} hybrid: ssm: activationId: ${aws_ssm_activation.this.id} activationCode: ${aws_ssm_activation.this.activation_code} </span><span class="no"> EOT </span> <span class="nx">filename</span> <span class="p">=</span> <span class="s2">"nodeConfig.yaml"</span> <span class="p">}</span> </code></pre> </div> <h3> <strong>Highlights of the configuration:</strong> </h3> <ul> <li><p>One EKS-managed node group for core services and ACK controllers (to be installed in Part 3).</p></li> <li><p>VPC CNI enabled via cluster_addons.</p></li> <li><p>Ingress rules to allow traffic from on-premise networks.</p></li> <li><p>Defined remote node and pod networks.</p></li> <li><p>Created a role for hybrid nodes and granted access via access_entries.</p></li> </ul> <h3> <strong>Hybrid Nodes and SSM Activation</strong> </h3> <p>We define:</p> <ul> <li><p>An IAM role using the hybrid node module.</p></li> <li><p>An SSM Activation to allow hybrid nodes to join the cluster.</p></li> <li><p>A nodeConfig.yaml file containing the activation credentials, automatically generated during tofu apply.<br> </p></li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>tofu apply .... Apply <span class="nb">complete</span><span class="o">!</span> Resources: 50 added, 0 changed, 0 destroyed. </code></pre> </div> <p>This generates a nodeConfig.yaml file, which is critical for authenticating on-prem nodes via <a href="https://docs.aws.amazon.com/systems-manager/latest/userguide/what-is-systems-manager.html" rel="noopener noreferrer">AWS Systems Manager</a>.</p> <p>Update your kubeconfig after creation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>aws eks update-kubeconfig --region us-east-1 --name my-eks-cluster </code></pre> </div> <p>Now your infrastructure should look like this:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fs2jq0jyezl6ff8mm4302.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fs2jq0jyezl6ff8mm4302.png" alt="eks on infra" width="800" height="499"></a></p> <h2> <strong>Setting Up the Hybrid Nodes</strong> </h2> <p>SSH into the nodes (e.g., 192.168.100.101 and 192.168.100.102). These are configured with two networks:</p> <ul> <li><p>192.168.100.0/24 for nodes.</p></li> <li><p>192.168.101.0/24 for pods.</p></li> </ul> <p>Transfer the node config:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>scp nodeConfig.yaml cesar@192.168.100.101:/tmp/ scp nodeConfig.yaml cesar@192.168.100.102:/tmp/ </code></pre> </div> <p>Install and configure nodeadm:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-OL</span> <span class="s1">'https://hybrid-assets.eks.amazonaws.com/releases/latest/bin/linux/arm64/nodeadm'</span> <span class="nb">chmod </span>a+x nodeadm <span class="nb">mv </span>nodeadm /usr/local/bin/. nodeadm <span class="nb">install </span>1.32 <span class="nt">--credential-provider</span> ssm nodeadm init <span class="nt">--config-source</span> file:///tmp/nodeConfig.yaml </code></pre> </div> <p>Repeat for both nodes.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F330aghueuzzii1eebivj.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F330aghueuzzii1eebivj.png" alt="node instalation" width="800" height="496"></a></p> <p>Once done, check node registration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get nodes <span class="nt">-o</span> wide NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME ip-10-0-19-137.ec2.internal Ready &lt;none&gt; 16m v1.32.1-eks-5d632ec 10.0.19.137 &lt;none&gt; Amazon Linux 2023.7.20250331 6.1.131-143.221.amzn2023.x86_64 containerd://1.7.27 mi-03c1eb4c6173151d6 NotReady &lt;none&gt; 3m4s v1.32.1-eks-5d632ec 192.168.100.102 &lt;none&gt; Ubuntu 22.04.5 LTS 5.15.0-136-generic containerd://1.7.24 mi-091f1dddb980a80ff NotReady &lt;none&gt; 3m51s v1.32.1-eks-5d632ec 192.168.100.101 &lt;none&gt; Ubuntu 22.04.5 LTS 5.15.0-136-generic containerd://1.7.24 </code></pre> </div> <p>The hybrid nodes appear but are NotReady — this is expected until we install a network controller.</p> <p><strong><em>Disclaimer time</em>:</strong> Although the documentation claims compatibility with Ubuntu 22.04 and 24.04, I couldn’t get 24.04 working due to missing nf_conntrack when kube-proxy attempts to apply iptables rules. If you manage to fix this, please share!</p> <h2> <strong>Setting Up the Network with Cilium</strong> </h2> <p>We’ll use <strong>Cilium</strong> as CNI.</p> <p><strong>cilium-values.yaml:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">affinity</span><span class="pi">:</span> <span class="na">nodeAffinity</span><span class="pi">:</span> <span class="na">requiredDuringSchedulingIgnoredDuringExecution</span><span class="pi">:</span> <span class="na">nodeSelectorTerms</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">matchExpressions</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">key</span><span class="pi">:</span> <span class="s">eks.amazonaws.com/compute-type</span> <span class="na">operator</span><span class="pi">:</span> <span class="s">In</span> <span class="na">values</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">hybrid</span> <span class="na">ipam</span><span class="pi">:</span> <span class="na">mode</span><span class="pi">:</span> <span class="s">cluster-pool</span> <span class="na">operator</span><span class="pi">:</span> <span class="na">clusterPoolIPv4MaskSize</span><span class="pi">:</span> <span class="m">24</span> <span class="na">clusterPoolIPv4PodCIDRList</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">192.168.101.0/24</span> <span class="na">operator</span><span class="pi">:</span> <span class="na">affinity</span><span class="pi">:</span> <span class="na">nodeAffinity</span><span class="pi">:</span> <span class="na">requiredDuringSchedulingIgnoredDuringExecution</span><span class="pi">:</span> <span class="na">nodeSelectorTerms</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">matchExpressions</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">key</span><span class="pi">:</span> <span class="s">eks.amazonaws.com/compute-type</span> <span class="na">operator</span><span class="pi">:</span> <span class="s">In</span> <span class="na">values</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">hybrid</span> <span class="na">unmanagedPodWatcher</span><span class="pi">:</span> <span class="na">restart</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">envoy</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">false</span> </code></pre> </div> <p>This yaml file indicate the affinity on cilium pods and also the cilium operator to run only en hybrid nodes, also we set the clusterPoolIPv4PodCIDRList pool, using the subnet 192.168.101.0/24</p> <h3> <strong>Install Cilium:</strong> </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm repo add cilium https://helm.cilium.io/ helm upgrade <span class="nt">-i</span> cilium cilium/cilium <span class="se">\</span> <span class="nt">--version</span> 1.17.2 <span class="se">\</span> <span class="nt">--namespace</span> kube-system <span class="se">\</span> <span class="nt">--values</span> cilium-values.yaml ... Release <span class="s2">"cilium"</span> does not exist. Installing it now. NAME: cilium LAST DEPLOYED: Fri Apr 11 08:35:31 2025 NAMESPACE: kube-system STATUS: deployed REVISION: 1 TEST SUITE: None NOTES: You have successfully installed Cilium with Hubble. Your release version is 1.17.2. For any further <span class="nb">help</span>, visit https://docs.cilium.io/en/v1.17/gettinghelp </code></pre> </div> <p>After a few minutes the nodes will be ready<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get nodes <span class="nt">-o</span> wide </code></pre> </div> <p>You should see:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME ip-10-0-19-137.ec2.internal Ready &lt;none&gt; 56m v1.32.1-eks-5d632ec 10.0.19.137 &lt;none&gt; Amazon Linux 2023.7.20250331 6.1.131-143.221.amzn2023.x86_64 containerd://1.7.27 mi-03c1eb4c6173151d6 Ready &lt;none&gt; 42m v1.32.1-eks-5d632ec 192.168.100.102 &lt;none&gt; Ubuntu 22.04.5 LTS 5.15.0-136-generic containerd://1.7.24 mi-091f1dddb980a80ff Ready &lt;none&gt; 43m v1.32.1-eks-5d632ec 192.168.100.101 &lt;none&gt; Ubuntu 22.04.5 LTS 5.15.0-136-generic containerd://1.7.24 </code></pre> </div> <p>Your hybrid nodes are now fully integrated with EKS. 🎊</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpoeouf9622ifqh6e2vva.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpoeouf9622ifqh6e2vva.png" alt="Eks nodes" width="800" height="165"></a></p> <p>Now your infrastructure should look like this:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9jdrbt731hgok97klm7e.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9jdrbt731hgok97klm7e.png" alt="Infra after nodes" width="800" height="481"></a></p> <h2> <strong>What’s Next?</strong> </h2> <p>In the final part of this series, we’ll:</p> <ul> <li><p>Deploy the <strong>Network Load Balancer (NLB) Controller</strong>.</p></li> <li><p>Set up an <strong>Ingress</strong>.</p></li> <li><p>Deploy a sample <strong>service</strong> running entirely on hybrid/on-prem nodes.</p></li> </ul> eks aws kubernetes From Zero to EKS and Hybrid-Nodes — Part 1: The VPC and VPN configuration. César Sepúlveda Barra Wed, 09 Apr 2025 14:07:49 +0000 https://dev.to/csepulvedab/from-zero-to-eks-and-hybrid-nodes-part-1-the-vpc-and-vpn-configuration-1f11 https://dev.to/csepulvedab/from-zero-to-eks-and-hybrid-nodes-part-1-the-vpc-and-vpn-configuration-1f11 <p>In this post, I’ll walk you through how to create an Amazon EKS node running Kubernetes 1.32 and set up a Site-to-Site VPN to connect an on-prem virtual machine to your EKS cluster using Linux hybrid nodes. To complete the setup, we’ll deploy a Network Load Balancer (NLB) and an NGINX Ingress controller to manage traffic across both cloud-based and on-prem applications.</p> <p>The goal is to demonstrate how we can extend our on-prem infrastructure into EKS, enabling a seamless hybrid environment. This approach is especially useful in scenarios where you want to leverage local GPU machines for LLM workloads, or manage CDN nodes running on data center hardware while orchestrating everything through Kubernetes.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp6uzq9lcw04w27igdrzx.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp6uzq9lcw04w27igdrzx.png" alt="Initial state infra"></a></p> <h2> Create VPC </h2> <p>We’ll start by creating the VPC, which is quite straightforward using OpenTofu (formerly Terraform). Below is the configuration using the terraform-aws-modules/vpc/aws module:</p> <p>The code is here: <a href="https://github.com/csepulveda/modular-aws-resources/tree/main/VPC" rel="noopener noreferrer">https://github.com/csepulveda/modular-aws-resources/tree/main/VPC</a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">module</span> <span class="s2">"vpc"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"terraform-aws-modules/vpc/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"5.19.0"</span> <span class="nx">name</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">name</span> <span class="c1">#my-eks-cluster</span> <span class="nx">cidr</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">vpc_cidr</span> <span class="c1">#10.0.0.0/16</span> <span class="nx">azs</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">azs</span> <span class="c1">#["us-east-1a", "us-east-1b", "us-east-1c"]</span> <span class="nx">private_subnets</span> <span class="p">=</span> <span class="p">[</span><span class="nx">for</span> <span class="nx">k</span><span class="p">,</span> <span class="nx">v</span> <span class="nx">in</span> <span class="kd">local</span><span class="p">.</span><span class="nx">azs</span> <span class="err">:</span> <span class="nx">cidrsubnet</span><span class="p">(</span><span class="kd">local</span><span class="p">.</span><span class="nx">vpc_cidr</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="nx">k</span><span class="p">)]</span> <span class="nx">public_subnets</span> <span class="p">=</span> <span class="p">[</span><span class="nx">for</span> <span class="nx">k</span><span class="p">,</span> <span class="nx">v</span> <span class="nx">in</span> <span class="kd">local</span><span class="p">.</span><span class="nx">azs</span> <span class="err">:</span> <span class="nx">cidrsubnet</span><span class="p">(</span><span class="kd">local</span><span class="p">.</span><span class="nx">vpc_cidr</span><span class="p">,</span> <span class="mi">8</span><span class="p">,</span> <span class="nx">k</span> <span class="err">+</span> <span class="mi">48</span><span class="p">)]</span> <span class="nx">intra_subnets</span> <span class="p">=</span> <span class="p">[</span><span class="nx">for</span> <span class="nx">k</span><span class="p">,</span> <span class="nx">v</span> <span class="nx">in</span> <span class="kd">local</span><span class="p">.</span><span class="nx">azs</span> <span class="err">:</span> <span class="nx">cidrsubnet</span><span class="p">(</span><span class="kd">local</span><span class="p">.</span><span class="nx">vpc_cidr</span><span class="p">,</span> <span class="mi">8</span><span class="p">,</span> <span class="nx">k</span> <span class="err">+</span> <span class="mi">52</span><span class="p">)]</span> <span class="nx">enable_nat_gateway</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">single_nat_gateway</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">public_subnet_tags</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"kubernetes.io/role/elb"</span> <span class="p">=</span> <span class="mi">1</span> <span class="p">}</span> <span class="nx">private_subnet_tags</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"kubernetes.io/role/internal-elb"</span> <span class="p">=</span> <span class="mi">1</span> <span class="s2">"karpenter.sh/discovery"</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">tags</span> <span class="p">}</span> </code></pre> </div> <p>To apply the changes, run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>tofu apply </code></pre> </div> <p>Once applied, you should see an output similar to the following:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw5hr3zfrks785a46i7pz.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw5hr3zfrks785a46i7pz.png" alt="VPC creation output"></a></p> <p>This setup creates a basic but functional VPC with three subnet types, each serving a specific purpose:</p> <ul> <li> <strong>Private Subnets</strong>: Used for deploying nodes and pods.</li> <li> <strong>Public Subnets</strong>: Used for exposing services via Network Load Balancers.</li> <li> <strong>Intra Subnets</strong>: Dedicated to the EKS control plane. In the next steps, we’ll manually configure routing and VPN components. I’m choosing not to automate those with Terraform to better explain each concept and step in detail.</li> </ul> <h2> VPN Site to Site: </h2> <p>As you could see in the infra diagram, the local network CIDR is 192.168.100.0/23 and the VPC CIDR is 10.0.0.0/16 so we need to go to each subnet in our new VPC</p> <h3> Create the Customer gateway. </h3> <p>First we need to create the Customer gateway, this is a very simple step, we only need to define a name (<strong>Name tag — optional</strong>) and also what is the public IP (<strong>IP address</strong>) address of our local network router (in my case the routes is in a DMZ behind a NAT)</p> <p><strong>Name tag</strong>: eks-kybrid-customer-gateway<br> <strong>IP Address</strong>: [Your public IPv4]</p> <p> <iframe src="https://www.youtube.com/embed/koOA2mcF70o"> </iframe> </p> <h3> Create the Virtual private gateway </h3> <p>To create the Virtual Private Gateway, you only need to assign a name tag. This component will act as the gateway between your AWS VPC and the on-premises network.</p> <p><strong>Name tag</strong>: eks-kybrid-private-gateway</p> <p> <iframe src="https://www.youtube.com/embed/inLONUUKCIQ"> </iframe> </p> <h3> Create the Site-To-Site VPN connection </h3> <p>Once the Customer Gateway and Virtual Private Gateway are created, we can proceed to establish the Site-to-Site VPN connection.</p> <p>In this step, we will configure the following settings:<br> <strong>Name tag</strong>: eks-kybrid-vpn<br> <strong>Target gateway type</strong>: Virtual Private Gateway (select the one created earlier)<br> <strong>Customer gateway</strong>: Existing (select the previously created Customer Gateway)<br> <strong>Routing options</strong>: Static<br> <strong>Static IP prefixes</strong>: 192.168.100.0/23 (your on-prem network)<br> <strong>Local IPv4 network CIDR</strong>: 192.168.100.0/23 (your on-prem network)<br> <strong>Remote IPv4 network CIDR</strong>: 10.0.0.0/16 (the VPC CIDR)</p> <p> <iframe src="https://www.youtube.com/embed/arDmfVvbG1c"> </iframe> </p> <p>This configuration defines the routing paths for traffic between your on-premises network and the EKS cluster running in the cloud.</p> <h3> Attach the Virtual private gateway to VPC </h3> <p>In this step, we will attach the previously created private gateway to our EKS VPC. This connection allows the VPC to establish communication with the on-premises network through the Site-to-Site VPN.</p> <p> <iframe src="https://www.youtube.com/embed/0L-NljCSoz8"> </iframe> </p> <h3> Setup Routes in VPC. </h3> <p>To enable communication between resources in our VPC and the on-premises network, we need to update the routing tables. This configuration ensures that traffic destined for the local network is directed through the private gateway.</p> <p>We will update each of the relevant route tables: <strong>private</strong>, <strong>public</strong>, and <strong>intra</strong>, by adding a route to the local CIDR block 192.168.100.0/23 with the <strong>Private Gateway</strong> as the target.</p> <p> <iframe src="https://www.youtube.com/embed/crkIi0tOTeI"> </iframe> </p> <h2> Configure the client. </h2> <p>Now that everything is set up on the AWS side, it’s time to configure the VPN client on your local environment.</p> <p>In my case, the client is a <strong>Ubuntu 24.04 virtual machine</strong> located in a <strong>DMZ</strong>, meaning any request sent to my public IP is forwarded to this machine. We’ll be using <strong>Strongswan</strong> as the VPN client to connect to AWS’s Site-to-Site VPN.</p> <h3> Step 1: Download the VPN Configuration </h3> <p>Go to the <strong>VPC Dashboard → Site-to-Site VPN Connections</strong>, select your VPN connection, and click <strong>Download Configuration</strong>. Choose <strong>Strongswan</strong> as the vendor.</p> <p> <iframe src="https://www.youtube.com/embed/LqmMgF-LmZY"> </iframe> </p> <h3> Step 2: Install Strongswan </h3> <p>On your VPN client machine, install Strongswan using:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ssh"><code><span class="k">apt</span> update <span class="k">apt</span> install strongswan </code></pre> </div> <h3> Step 3: Configure the VPN Tunnels </h3> <p>Use the provided AWS configuration as a base. Edit the file <code>/etc/ipsec.conf</code> with your VPN tunnel definitions, updating values where needed (e.g., IP addresses, leftupdown hook). Here’s an example configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>config setup uniqueids = no conn Tunnel1 auto=start left=%defaultroute leftid=186.10.xx.xx right=34.194.25.197 type=tunnel leftauth=psk rightauth=psk keyexchange=ikev1 ike=aes128-sha1-modp1024 ikelifetime=8h esp=aes128-sha1-modp1024 lifetime=1h keyingtries=%forever leftsubnet=0.0.0.0/0 rightsubnet=0.0.0.0/0 dpddelay=10s dpdtimeout=30s dpdaction=restart mark=100 leftupdown="/etc/ipsec.d/aws-updown.sh -ln Tunnel1 -ll 169.254.41.174/30 -lr 169.254.41.173/30 -m 100 -r 10.0.0.0/16" conn Tunnel2 auto=start left=%defaultroute leftid=186.10.xx.xx right=100.27.149.167 type=tunnel leftauth=psk rightauth=psk keyexchange=ikev1 ike=aes128-sha1-modp1024 ikelifetime=8h esp=aes128-sha1-modp1024 lifetime=1h keyingtries=%forever leftsubnet=0.0.0.0/0 rightsubnet=0.0.0.0/0 dpddelay=10s dpdtimeout=30s dpdaction=restart mark=200 leftupdown="/etc/ipsec.d/aws-updown.sh -ln Tunnel2 -ll 169.254.125.226/30 -lr 169.254.125.225/30 -m 200 -r 10.0.0.0/16" </code></pre> </div> <h3> Step 4: Update the updown Script </h3> <p>The file <code>/etc/ipsec.d/aws-updown.sh</code> manages the VTI interface setup for each tunnel. If your VPN client is behind a NAT (like mine), you need to manually set the src IP in the routing section.</p> <p>Locate the add_route() function and modify the ip route add line to include your local machine’s internal IP (192.168.100.100 in this case):</p> <p><code>ip route add ${i} dev ${TUNNEL_NAME} metric ${TUNNEL_MARK}</code></p> <p>Here’s the complete updown script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="k">while</span> <span class="o">[[</span> <span class="nv">$# </span><span class="o">&gt;</span> 1 <span class="o">]]</span><span class="p">;</span> <span class="k">do case</span> <span class="k">${</span><span class="nv">1</span><span class="k">}</span> <span class="k">in</span> <span class="nt">-ln</span><span class="p">|</span><span class="nt">--link-name</span><span class="p">)</span> <span class="nv">TUNNEL_NAME</span><span class="o">=</span><span class="s2">"</span><span class="k">${</span><span class="nv">2</span><span class="k">}</span><span class="s2">"</span> <span class="nv">TUNNEL_PHY_INTERFACE</span><span class="o">=</span><span class="s2">"</span><span class="k">${</span><span class="nv">PLUTO_INTERFACE</span><span class="k">}</span><span class="s2">"</span> <span class="nb">shift</span> <span class="p">;;</span> <span class="nt">-ll</span><span class="p">|</span><span class="nt">--link-local</span><span class="p">)</span> <span class="nv">TUNNEL_LOCAL_ADDRESS</span><span class="o">=</span><span class="s2">"</span><span class="k">${</span><span class="nv">2</span><span class="k">}</span><span class="s2">"</span> <span class="nv">TUNNEL_LOCAL_ENDPOINT</span><span class="o">=</span><span class="s2">"</span><span class="k">${</span><span class="nv">PLUTO_ME</span><span class="k">}</span><span class="s2">"</span> <span class="nb">shift</span> <span class="p">;;</span> <span class="nt">-lr</span><span class="p">|</span><span class="nt">--link-remote</span><span class="p">)</span> <span class="nv">TUNNEL_REMOTE_ADDRESS</span><span class="o">=</span><span class="s2">"</span><span class="k">${</span><span class="nv">2</span><span class="k">}</span><span class="s2">"</span> <span class="nv">TUNNEL_REMOTE_ENDPOINT</span><span class="o">=</span><span class="s2">"</span><span class="k">${</span><span class="nv">PLUTO_PEER</span><span class="k">}</span><span class="s2">"</span> <span class="nb">shift</span> <span class="p">;;</span> <span class="nt">-m</span><span class="p">|</span><span class="nt">--mark</span><span class="p">)</span> <span class="nv">TUNNEL_MARK</span><span class="o">=</span><span class="s2">"</span><span class="k">${</span><span class="nv">2</span><span class="k">}</span><span class="s2">"</span> <span class="nb">shift</span> <span class="p">;;</span> <span class="nt">-r</span><span class="p">|</span><span class="nt">--static-route</span><span class="p">)</span> <span class="nv">TUNNEL_STATIC_ROUTE</span><span class="o">=</span><span class="s2">"</span><span class="k">${</span><span class="nv">2</span><span class="k">}</span><span class="s2">"</span> <span class="nb">shift</span> <span class="p">;;</span> <span class="k">*</span><span class="p">)</span> <span class="nb">echo</span> <span class="s2">"</span><span class="k">${</span><span class="nv">0</span><span class="k">}</span><span class="s2">: Unknown argument </span><span class="se">\"</span><span class="k">${</span><span class="nv">1</span><span class="k">}</span><span class="se">\"</span><span class="s2">"</span> <span class="o">&gt;</span>&amp;2 <span class="p">;;</span> <span class="k">esac</span> <span class="nb">shift </span><span class="k">done </span>command_exists<span class="o">()</span> <span class="o">{</span> <span class="nb">type</span> <span class="s2">"</span><span class="nv">$1</span><span class="s2">"</span> <span class="o">&gt;</span>&amp;2 2&gt;&amp;2 <span class="o">}</span> create_interface<span class="o">()</span> <span class="o">{</span> ip <span class="nb">link </span>add <span class="k">${</span><span class="nv">TUNNEL_NAME</span><span class="k">}</span> <span class="nb">type </span>vti <span class="nb">local</span> <span class="k">${</span><span class="nv">TUNNEL_LOCAL_ENDPOINT</span><span class="k">}</span> remote <span class="k">${</span><span class="nv">TUNNEL_REMOTE_ENDPOINT</span><span class="k">}</span> key <span class="k">${</span><span class="nv">TUNNEL_MARK</span><span class="k">}</span> ip addr add <span class="k">${</span><span class="nv">TUNNEL_LOCAL_ADDRESS</span><span class="k">}</span> remote <span class="k">${</span><span class="nv">TUNNEL_REMOTE_ADDRESS</span><span class="k">}</span> dev <span class="k">${</span><span class="nv">TUNNEL_NAME</span><span class="k">}</span> ip <span class="nb">link set</span> <span class="k">${</span><span class="nv">TUNNEL_NAME</span><span class="k">}</span> up mtu 1419 <span class="o">}</span> configure_sysctl<span class="o">()</span> <span class="o">{</span> sysctl <span class="nt">-w</span> net.ipv4.ip_forward<span class="o">=</span>1 sysctl <span class="nt">-w</span> net.ipv4.conf.<span class="k">${</span><span class="nv">TUNNEL_NAME</span><span class="k">}</span>.rp_filter<span class="o">=</span>2 sysctl <span class="nt">-w</span> net.ipv4.conf.<span class="k">${</span><span class="nv">TUNNEL_NAME</span><span class="k">}</span>.disable_policy<span class="o">=</span>1 sysctl <span class="nt">-w</span> net.ipv4.conf.<span class="k">${</span><span class="nv">TUNNEL_PHY_INTERFACE</span><span class="k">}</span>.disable_xfrm<span class="o">=</span>1 sysctl <span class="nt">-w</span> net.ipv4.conf.<span class="k">${</span><span class="nv">TUNNEL_PHY_INTERFACE</span><span class="k">}</span>.disable_policy<span class="o">=</span>1 <span class="o">}</span> add_route<span class="o">()</span> <span class="o">{</span> <span class="nv">IFS</span><span class="o">=</span><span class="s1">','</span> <span class="nb">read</span> <span class="nt">-ra</span> route <span class="o">&lt;&lt;&lt;</span> <span class="s2">"</span><span class="k">${</span><span class="nv">TUNNEL_STATIC_ROUTE</span><span class="k">}</span><span class="s2">"</span> <span class="k">for </span>i <span class="k">in</span> <span class="s2">"</span><span class="k">${</span><span class="nv">route</span><span class="p">[@]</span><span class="k">}</span><span class="s2">"</span><span class="p">;</span> <span class="k">do </span>ip route add <span class="k">${</span><span class="nv">i</span><span class="k">}</span> dev <span class="k">${</span><span class="nv">TUNNEL_NAME</span><span class="k">}</span> metric <span class="k">${</span><span class="nv">TUNNEL_MARK</span><span class="k">}</span> src 192.168.100.100 <span class="k">done </span>iptables <span class="nt">-t</span> mangle <span class="nt">-A</span> FORWARD <span class="nt">-o</span> <span class="k">${</span><span class="nv">TUNNEL_NAME</span><span class="k">}</span> <span class="nt">-p</span> tcp <span class="nt">--tcp-flags</span> SYN,RST SYN <span class="nt">-j</span> TCPMSS <span class="nt">--clamp-mss-to-pmtu</span> iptables <span class="nt">-t</span> mangle <span class="nt">-A</span> INPUT <span class="nt">-p</span> esp <span class="nt">-s</span> <span class="k">${</span><span class="nv">TUNNEL_REMOTE_ENDPOINT</span><span class="k">}</span> <span class="nt">-d</span> <span class="k">${</span><span class="nv">TUNNEL_LOCAL_ENDPOINT</span><span class="k">}</span> <span class="nt">-j</span> MARK <span class="nt">--set-xmark</span> <span class="k">${</span><span class="nv">TUNNEL_MARK</span><span class="k">}</span> ip route flush table 220 <span class="o">}</span> cleanup<span class="o">()</span> <span class="o">{</span> <span class="nv">IFS</span><span class="o">=</span><span class="s1">','</span> <span class="nb">read</span> <span class="nt">-ra</span> route <span class="o">&lt;&lt;&lt;</span> <span class="s2">"</span><span class="k">${</span><span class="nv">TUNNEL_STATIC_ROUTE</span><span class="k">}</span><span class="s2">"</span> <span class="k">for </span>i <span class="k">in</span> <span class="s2">"</span><span class="k">${</span><span class="nv">route</span><span class="p">[@]</span><span class="k">}</span><span class="s2">"</span><span class="p">;</span> <span class="k">do </span>ip route del <span class="k">${</span><span class="nv">i</span><span class="k">}</span> dev <span class="k">${</span><span class="nv">TUNNEL_NAME</span><span class="k">}</span> metric <span class="k">${</span><span class="nv">TUNNEL_MARK</span><span class="k">}</span> <span class="k">done </span>iptables <span class="nt">-t</span> mangle <span class="nt">-D</span> FORWARD <span class="nt">-o</span> <span class="k">${</span><span class="nv">TUNNEL_NAME</span><span class="k">}</span> <span class="nt">-p</span> tcp <span class="nt">--tcp-flags</span> SYN,RST SYN <span class="nt">-j</span> TCPMSS <span class="nt">--clamp-mss-to-pmtu</span> iptables <span class="nt">-t</span> mangle <span class="nt">-D</span> INPUT <span class="nt">-p</span> esp <span class="nt">-s</span> <span class="k">${</span><span class="nv">TUNNEL_REMOTE_ENDPOINT</span><span class="k">}</span> <span class="nt">-d</span> <span class="k">${</span><span class="nv">TUNNEL_LOCAL_ENDPOINT</span><span class="k">}</span> <span class="nt">-j</span> MARK <span class="nt">--set-xmark</span> <span class="k">${</span><span class="nv">TUNNEL_MARK</span><span class="k">}</span> ip route flush cache <span class="o">}</span> delete_interface<span class="o">()</span> <span class="o">{</span> ip <span class="nb">link set</span> <span class="k">${</span><span class="nv">TUNNEL_NAME</span><span class="k">}</span> down ip <span class="nb">link </span>del <span class="k">${</span><span class="nv">TUNNEL_NAME</span><span class="k">}</span> <span class="o">}</span> <span class="c"># main execution starts here</span> command_exists ip <span class="o">||</span> <span class="nb">echo</span> <span class="s2">"ERROR: ip command is required to execute the script, check if you are running as root, mostly to do with path, /sbin/"</span> <span class="o">&gt;</span>&amp;2 2&gt;&amp;2 command_exists iptables <span class="o">||</span> <span class="nb">echo</span> <span class="s2">"ERROR: iptables command is required to execute the script, check if you are running as root, mostly to do with path, /sbin/"</span> <span class="o">&gt;</span>&amp;2 2&gt;&amp;2 command_exists sysctl <span class="o">||</span> <span class="nb">echo</span> <span class="s2">"ERROR: sysctl command is required to execute the script, check if you are running as root, mostly to do with path, /sbin/"</span> <span class="o">&gt;</span>&amp;2 2&gt;&amp;2 <span class="k">case</span> <span class="s2">"</span><span class="k">${</span><span class="nv">PLUTO_VERB</span><span class="k">}</span><span class="s2">"</span> <span class="k">in </span>up-client<span class="p">)</span> create_interface configure_sysctl add_route <span class="p">;;</span> down-client<span class="p">)</span> cleanup delete_interface <span class="p">;;</span> <span class="k">esac</span> </code></pre> </div> <h3> Step 5: Add Shared Secrets </h3> <p>Open <code>/etc/ipsec.secrets</code> and add the shared secrets provided in the configuration file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># This file holds shared secrets or RSA private keys for authentication. # RSA private key for this host, authenticating it to any other host # which knows the public part. 186.10.xx.xx 34.194.25.197 : PSK "kPcU.tJ_sA33J7Z.I4f4gxxxxx" 186.10.xx.xx 100.27.149.167 : PSK "YtaQSGhvMKV4aLQx.4wxxxxxxx" </code></pre> </div> <h3> Step 6: Start the VPN Service </h3> <p>Restart the service and check the tunnel status:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>systemctl restart ipsec ipsec status </code></pre> </div> <p>The following video demonstrates the complete setup step by step:<br> <iframe src="https://www.youtube.com/embed/s3teyQI9zlg"> </iframe> </p> <p>If everything is correctly configured, both tunnels should show as <strong>“up”</strong> in the <strong>AWS Console → Site-to-Site VPN Connections</strong> page.</p> <p>At this stage, the network connectivity between the EKS cluster and the on-premises environment is fully configured:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuql0v3q2lmb7sl0fgcfh.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuql0v3q2lmb7sl0fgcfh.png" alt="Resulting infra"></a></p> <p>In <strong>Part 2</strong>, we will provision the EKS cluster using <strong>OpenTofu</strong>, set up the SSM activator, and register the on-premises nodes using <strong>nodeadm</strong> with the <strong>Cilium CNI</strong> driver.</p> <p>In <strong>Part 3</strong>, we will install the <strong>AWS Load Balancer Controller</strong>, configure <strong>NGINX Ingress</strong>, and deploy our application across both <strong>EC2</strong> and <strong>hybrid (on-prem)</strong> nodes.</p> eks kubernetes aws