DEV Community: Ngozi Opara The latest articles on DEV Community by Ngozi Opara (@hannahonthecloud). https://dev.to/hannahonthecloud https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3008799%2F65b66d65-824d-472b-ac08-c857fc1c9e26.jpg DEV Community: Ngozi Opara https://dev.to/hannahonthecloud en AWS Serverless Guide: Securing IoT Data Ingestion with API Gateway, Lambda, and DynamoDB Ngozi Opara Wed, 31 Dec 2025 16:28:39 +0000 https://dev.to/aws-builders/aws-serverless-guide-securing-iot-data-ingestion-with-api-gateway-lambda-and-dynamodb-2hl5 https://dev.to/aws-builders/aws-serverless-guide-securing-iot-data-ingestion-with-api-gateway-lambda-and-dynamodb-2hl5 <p>When I set out to build my gas emissions monitoring system, I faced a choice. I could build the system the "textbook" way using AWS IoT Core, MQTT protocols, and device shadows. Or, I could build it the "Ship It" way using AWS API Gateway, Lambda, and Amplify.</p> <p>The textbook approach is robust. However, I had strict time constraints and only one gas sensing device to configure. I chose the "Ship It" way.</p> <p>In this guide, I will show you how to build a serverless architecture to monitor IoT devices. We will skip the complex protocols and create a frontend dashboard using standard web tools.</p> <h2> Prerequisites: </h2> <ol> <li>A configured gas sensing unit: This guide assumes your ESP32 controller is ready to retrieve data.</li> <li>An AWS Account: You will need complete CLI and console access.</li> <li>Basic Knowledge: You should understand APIs and how serverless functions work.</li> </ol> <h2> Architecture Diagram </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fancg21z7mgnsm0nicyf6.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fancg21z7mgnsm0nicyf6.png" alt="Architecture Diagram" width="800" height="522"></a></p> <h1> Lane 1: The Machine Lane </h1> <p>First, we need to create the engine that acts as the brain of our application. To reduce maintenance and keep costs low, we will use AWS Lambda. This function will trigger a write operation to our NoSQL database in DynamoDB when it receives data from our API. It will also send this data to our frontend application.</p> <h2> STEP 1: Creating the Database </h2> <p>Log in to the AWS management console. Type “DynamoDB” in the search bar and click on the service:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fev89q35ezuunzw8q3yg6.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fev89q35ezuunzw8q3yg6.png" alt="DynamoDB Search" width="800" height="156"></a></p> <p>On the right side of the dashboard, click Create table. You will see a table creation interface. DynamoDB is schemaless, but you must specify a primary key. Enter the following details:</p> <ul> <li>Partition Key: <code>device_id</code> (String). This groups your data by device.</li> <li>Sort Key: <code>timestamp</code> (String). This orders your data by time.</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp5egfgsplnltz83b0108.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp5egfgsplnltz83b0108.png" alt="DynamoDB Table Details" width="800" height="399"></a></p> <p>Even though DynamoDB handles unstructured data, defining these keys makes it cheaper to query your table later. <a href="https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_Query.html" rel="noopener noreferrer">This guide from the AWS documentation explains how choosing the right keys can save you money on query costs.</a></p> <p>Leave all other settings as default and click “Create table.” Take note of the region your table is in because you will need it later. After a few minutes, your table will appear with an active status:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8x86xpx48lubloy1gszb.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8x86xpx48lubloy1gszb.png" alt="Active Table Status" width="640" height="313"></a></p> <h2> Step 2: Create a Lambda Function </h2> <p>AWS Lambda is responsible for the ingestion and read logic of your architecture. It allows us to send and query data without managing servers. To create a function, search for “Lambda” in the search bar and open it in a new tab.</p> <p>You will be redirected to the Functions page. Click on “Create function” in the top-right corner of that page.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fotqnz2qparu9jiptuu7r.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fotqnz2qparu9jiptuu7r.png" alt="Function interface" width="800" height="95"></a></p> <p>You have the option of authoring your function, using a Blueprint or using a container image. We will keep things simple and stick to writing our function from scratch. Keep “Author from scratch” selected.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhdol0512vfetvdpm3uqa.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhdol0512vfetvdpm3uqa.png" alt="Author from scratch option" width="614" height="75"></a></p> <p>The next thing we have to do is fill in the basic information like you see below:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy50dlzwacvq0bvewk0x2.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy50dlzwacvq0bvewk0x2.png" alt="Basic Lambda Info form" width="800" height="325"></a></p> <p>When naming your Lambda functions, it is important that you use a name that accurately describes the function of your code. In this guide, we are going to be using <code>Node.js</code> as our preferred language. However, AWS Lambda supports many other programming languages.</p> <p>For our server, we will be sticking to the standard <code>x86_64 AMD</code> architecture. This is the safest standard option. If you are curious about the difference between <code>arm64</code> and <code>x86</code>, <a href="https://aws.amazon.com/blogs/apn/comparing-aws-lambda-arm-vs-x86-performance-cost-and-analysis-2/" rel="noopener noreferrer">this article by AWS explains the use cases perfectly.</a></p> <p>Leave the durable execution setting unchecked and click “Create function.” You should now see your function running in the Functions tab.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxsxzl07ofjmo6twd87zq.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxsxzl07ofjmo6twd87zq.png" alt="Completed function" width="635" height="135"></a></p> <h2> Step 3: Write the Code to Run the Function </h2> <p>Enter the console of your function and navigate to the “Code” tab. Replace the existing code with the following block:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">DynamoDBClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@aws-sdk/client-dynamodb</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">DynamoDBDocumentClient</span><span class="p">,</span> <span class="nx">ScanCommand</span><span class="p">,</span> <span class="nx">PutCommand</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@aws-sdk/lib-dynamodb</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">client</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">DynamoDBClient</span><span class="p">({</span> <span class="na">region</span><span class="p">:</span> <span class="dl">"</span><span class="s2">eu-north-1</span><span class="dl">"</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">docClient</span> <span class="o">=</span> <span class="nx">DynamoDBDocumentClient</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="nx">client</span><span class="p">);</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">handler</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">event</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">tableName</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">VehicleEmissionData</span><span class="dl">"</span><span class="p">;</span> <span class="c1">// 1. Identify what kind of request this is (GET or POST)</span> <span class="kd">const</span> <span class="nx">method</span> <span class="o">=</span> <span class="nx">event</span><span class="p">.</span><span class="nx">httpMethod</span> <span class="o">||</span> <span class="p">(</span><span class="nx">event</span><span class="p">.</span><span class="nx">requestContext</span> <span class="o">&amp;&amp;</span> <span class="nx">event</span><span class="p">.</span><span class="nx">requestContext</span><span class="p">.</span><span class="nx">http</span> <span class="p">?</span> <span class="nx">event</span><span class="p">.</span><span class="nx">requestContext</span><span class="p">.</span><span class="nx">http</span><span class="p">.</span><span class="nx">method</span> <span class="p">:</span> <span class="kc">null</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">Incoming Request Method:</span><span class="dl">"</span><span class="p">,</span> <span class="nx">method</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">headers</span> <span class="o">=</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">Access-Control-Allow-Origin</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">*</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Access-Control-Allow-Headers</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Content-Type</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Access-Control-Allow-Methods</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">GET, POST, OPTIONS</span><span class="dl">"</span> <span class="p">};</span> <span class="k">try</span> <span class="p">{</span> <span class="c1">// SCENARIO 1: WRITING DATA (POST) - For ESP32</span> <span class="k">if </span><span class="p">(</span><span class="nx">method</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">event</span><span class="p">.</span><span class="nx">body</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">"</span><span class="s2">No body found in the request</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">body</span> <span class="o">=</span> <span class="k">typeof</span> <span class="nx">event</span><span class="p">.</span><span class="nx">body</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">string</span><span class="dl">'</span> <span class="p">?</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">event</span><span class="p">.</span><span class="nx">body</span><span class="p">)</span> <span class="p">:</span> <span class="nx">event</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">Received Data to Write:</span><span class="dl">"</span><span class="p">,</span> <span class="nx">body</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">newItem</span> <span class="o">=</span> <span class="p">{</span> <span class="na">device_id</span><span class="p">:</span> <span class="nx">body</span><span class="p">.</span><span class="nx">device_id</span> <span class="o">||</span> <span class="dl">"</span><span class="s2">UNKNOWN_DEVICE</span><span class="dl">"</span><span class="p">,</span> <span class="na">timestamp</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">().</span><span class="nf">toISOString</span><span class="p">(),</span> <span class="c1">// Server-side timestamp is safer</span> <span class="na">CO</span><span class="p">:</span> <span class="nc">Number</span><span class="p">(</span><span class="nx">body</span><span class="p">.</span><span class="nx">CO</span><span class="p">),</span> <span class="na">CO2</span><span class="p">:</span> <span class="nc">Number</span><span class="p">(</span><span class="nx">body</span><span class="p">.</span><span class="nx">CO2</span><span class="p">),</span> <span class="na">location</span><span class="p">:</span> <span class="nx">body</span><span class="p">.</span><span class="nx">location</span> <span class="o">||</span> <span class="dl">"</span><span class="s2">Unknown</span><span class="dl">"</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">command</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">PutCommand</span><span class="p">({</span> <span class="na">TableName</span><span class="p">:</span> <span class="nx">tableName</span><span class="p">,</span> <span class="na">Item</span><span class="p">:</span> <span class="nx">newItem</span> <span class="p">});</span> <span class="k">await</span> <span class="nx">docClient</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="nx">command</span><span class="p">);</span> <span class="k">return</span> <span class="p">{</span> <span class="na">statusCode</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="nx">headers</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Data saved successfully!</span><span class="dl">"</span><span class="p">,</span> <span class="na">item</span><span class="p">:</span> <span class="nx">newItem</span> <span class="p">})</span> <span class="p">};</span> <span class="p">}</span> <span class="c1">// SCENARIO 2: READING DATA (GET) - For React App</span> <span class="k">else</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">command</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">ScanCommand</span><span class="p">({</span> <span class="na">TableName</span><span class="p">:</span> <span class="nx">tableName</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">docClient</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="nx">command</span><span class="p">);</span> <span class="k">return</span> <span class="p">{</span> <span class="na">statusCode</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="nx">headers</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">Items</span><span class="p">)</span> <span class="p">};</span> <span class="p">}</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">"</span><span class="s2">Error:</span><span class="dl">"</span><span class="p">,</span> <span class="nx">err</span><span class="p">);</span> <span class="k">return</span> <span class="p">{</span> <span class="na">statusCode</span><span class="p">:</span> <span class="mi">500</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="nx">headers</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="nx">err</span><span class="p">.</span><span class="nx">message</span> <span class="p">})</span> <span class="p">};</span> <span class="p">}</span> <span class="p">};</span> </code></pre> </div> <p>In this block of code, we use a simple <code>if/else</code> statement to control the architectural flow. This acts like a traffic cop, sending <code>POST</code> requests one way and <code>GET</code> requests another.</p> <p>When we get a <code>POST</code> request, we read the data and add our own timestamp. We do this because the clocks on small devices are often wrong. <a href="https://www.1ot.com/blog/time-synchronization-iot" rel="noopener noreferrer">This guide on IoT time synchronization explains why</a> you should not trust them. Once the data is ready, we save it to the database.</p> <p>The <code>else</code> block handles <code>GET</code> requests from our frontend dashboard. Here, we grab every record in the table and send it back as a list. It is a simple way to dump all your data straight to the user.</p> <h2> Step 4: Grant Write Permissions to Lambda </h2> <p>For our sensor data to be stored in our database, we need to give Lambda function permission to write to and read from DynamoDB.</p> <p>To change the permission settings on your function, Click on the “Configuration” tab in your Lambda function. Select “Permissions” on the left navigation bar.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3fv2ytbezim61lvjtkjg.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3fv2ytbezim61lvjtkjg.png" alt="Configuration Tab" width="800" height="186"></a></p> <p>Click the role name under "Execution role". This redirects you to the AWS IAM console. Click the “Add permissions” dropdown and select “Attach policies.”</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fs1uhnzl71zoxwf8zw0ev.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fs1uhnzl71zoxwf8zw0ev.png" alt="Add Permissions" width="800" height="364"></a></p> <p>Search <code>AmazonDynamoDBFullAccess</code> in the new tab that opens up and check the box next to the policy name. Click “Add permissions”. Now your Lambda function has full access to DynamoDB.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fugqwbgwec7qlevx5g4hv.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fugqwbgwec7qlevx5g4hv.png" alt="Full Access Policy" width="800" height="304"></a></p> <h2> Step 5: Creating the API with API Gateway </h2> <p>APIs allow different software to communicate and exchange data. Here, the APIs we create will enable our Lambda function to retrieve information from the IoT device and send data to the web user.</p> <p>To begin, Search for API Gateway in the console. In the API Gateway interface, click “Create an API” to begin:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fue8tvew5t0y0ht0clxf6.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fue8tvew5t0y0ht0clxf6.png" alt="Create API" width="800" height="252"></a></p> <p>After clicking that, you will see a list of API types that AWS offers. Click “Build” on the HTTP API as that is what we will be using here.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnl3d497zhlgd5f3jlsdb.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnl3d497zhlgd5f3jlsdb.png" alt="HTTP API Build" width="800" height="193"></a></p> <p>Next name your API and leave the end point as IPV4. As good practice, your API name should be descriptive of what you will use it for.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F67kpsfhdxpxo8wvuv997.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F67kpsfhdxpxo8wvuv997.png" alt="API Naming" width="800" height="368"></a></p> <p>In the Integrations section, click on “Add integration” and Select Lambda. Choose your function (EmissionDataProcessor) from the list as you see below:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmf5y0g6bpivakkaka32o.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmf5y0g6bpivakkaka32o.png" alt="Integrations" width="800" height="274"></a></p> <p>Now, we need to add Routes to our API to tell our API what functions it will be carrying out.</p> <p>Click on Next and you will see the Configure routes interface. Click “Add routes” and you will be directed to a drop down with different route options. Configure your routes this way:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frv3k1w1ajuxl3om01rkn.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frv3k1w1ajuxl3om01rkn.png" alt="Configure Routes" width="800" height="358"></a></p> <p>The <code>GET</code> route is the web users’ access to the sensor data from a frontend dashboard. The <code>POST</code> route will allow us to write to our database. The Resource Path is essentially the street address or name for a specific set of actions within your API.</p> <p>It tells the API Gateway what resource the client wants to interact with. For example, in the path <code>/EmissionDataProcessor</code>, the resource is the sensor data itself. Click “Next” to review and create your API.</p> <p>To connect your IoT device, you need the Invoke URL. You can find this URL on the main API page under the "Stages" section. Copy this URL and add it to your Arduino code.</p> <h1> Lane 1: The Human Lane (Velocity via Amplify) </h1> <p>The end goal of this project is to create a human-readable dashboard available to users via the web. This dashboard will read data live from our database and display it beautifully with the help of our API.</p> <p>To create and deploy this dashboard, we will use this <a href="https://github.com/CloudWithHannah/final-year-proj-reactapp" rel="noopener noreferrer">React app in this GitHub repository</a>. Clone this repository to your local machine. I recommend using a Linux shell with the AWS CLI configured. This article by AWS teaches how to securely configure the AWS CLI.</p> <h2> Understanding the Project Layout </h2> <p>Before we deploy, it helps to understand what we are building. Here is the layout of our application:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>emissions-dashboard/ ├── public/ │ ├── index.html │ └── favicon.ico ├── src/ │ ├── components/ │ │ ├── Header.js │ │ ├── SummaryCards.js │ │ ├── Charts.js │ │ ├── ForecastCard.js │ │ └── DataTable.js │ ├── services/ │ │ └── dataService.js <span class="c"># DynamoDB connection logic</span> │ ├── utils/ │ │ ├── statusCalculator.js <span class="c"># Emission status logic</span> │ │ └── constants.js <span class="c"># Thresholds, colors, etc.</span> │ ├── styles/ │ │ └── styles.js <span class="c"># Shared styles</span> │ ├── App.js <span class="c"># Main component</span> │ ├── index.js │ └── aws-exports.js <span class="c"># Auto-generated by Amplify</span> ├── amplify/ │ └── <span class="o">(</span>Amplify configuration files<span class="o">)</span> ├── .env.local <span class="c"># Local environment variables</span> ├── .gitignore ├── package.json └── README.md </code></pre> </div> <p>Two files here are critical. dataService.js handles the connection to DynamoDB, while statusCalculator.js determines if the emission levels are safe. </p> <p>After cloning this application, check that it runs with the npm start command and you should see this:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkuwpjalnog3sf4hw65pf.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkuwpjalnog3sf4hw65pf.png" alt="App running locally" width="487" height="150"></a></p> <h2> Step 6: Deploy with AWS Amplify </h2> <p>Now we need to get this application online. We will use the AWS Amplify CLI to host our frontend. This tool does more than just host files. It also distributes your site across a global content delivery network (CDN) called Amazon CloudFront, ensuring your dashboard loads instantly for users anywhere in the world.</p> <p>To begin, open your terminal and install the Amplify tool globally. <a href="https://docs.amplify.aws/gen1/javascript/tools/cli/start/set-up-cli/#configure-the-amplify-cli" rel="noopener noreferrer">Follow this Amplify documentation to install and configure the Amplify CLI on your local machine</a>.</p> <p>Once it is installed, initialize the project in your terminal:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>amplify init </code></pre> </div> <p>The CLI will ask you a series of questions to understand your project. You can answer them as follows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> ? Enter a name <span class="k">for </span>the project: emissionsdashboard ? Initialize the project with the above configuration? No ? Enter a name <span class="k">for </span>the environment: dev ? Choose your default editor: Visual Studio Code <span class="o">(</span>or your preference<span class="o">)</span> ? Choose the <span class="nb">type </span>of app that you<span class="s1">'re building: javascript ? What javascript framework are you using: react ? Source Directory Path: src ? Distribution Directory Path: build ? Build Command: npm run build ? Start Command: npm start ? Select the authentication method you want to use: AWS profile ? Please choose the profile you want to use: default </span></code></pre> </div> <p>After that, you should see:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>✔ Successfully created initial AWS cloud resources for deployments. ✔ Initialized provider successfully. </code></pre> </div> <p>Next, we tell Amplify how we want to host the site. Run the following command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>amplify add hosting </code></pre> </div> <p>Select Hosting with Amplify Console (Managed hosting with custom domains, Continuous Deployment) and choose Manual deployment for now.</p> <p>Finally, push your application to the cloud:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>amplify publish </code></pre> </div> <p>This command runs your build script, uploads the files to an S3 bucket, and deploys them to the content delivery network. After a few minutes, the terminal will display your live URL.</p> <p>After waiting 2-5 minutes, you should see:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>✔ Deployment complete! https://dev.xxxxxxxx.amplifyapp.com </code></pre> </div> <p>View your project in the Amplify Console with the command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>amplify console </code></pre> </div> <p>Your live application needs to know where to find your API. In local development, we used a <code>.env</code> file, but in the cloud, we must set this manually. Open your application and click on "Environment variables” in the side menu.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvhjuy2k8vpcpcmy3ae8p.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvhjuy2k8vpcpcmy3ae8p.png" alt="Env Variable" width="800" height="271"></a></p> <p>Click on “Manage variables” and add the new variable in this format:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwrxg8fq9eujpuiuvnzhp.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwrxg8fq9eujpuiuvnzhp.png" alt="Env variable value" width="800" height="85"></a></p> <p>For the value, paste your API Gateway Invoke URL. The variable name must match exactly what is in your code. This ensures that when Amplify builds your app in the cloud, it knows exactly where to send your API requests.</p> <h2> Step 7: Set Up Continuous Deployment With Git </h2> <p>Manually running <code>amplify publish</code> every time you change a line of code is tedious. It is also error-prone. In a professional environment, we use Continuous Deployment (CD). This means that every time you save changes to your code repository, AWS automatically detects the update, builds the new version, and deploys it for you.</p> <p><a href="https://www.netdata.cloud/academy/deployment-automation/" rel="noopener noreferrer">This guide on CI/CD best practices</a> explains why automating your deployment pipeline is the single best thing you can do for your team's velocity.</p> <p>First, initialize a Git repository in your project folder:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>git init git add . git commit -m "&lt;commit message&gt;" </code></pre> </div> <p>Next, create a new repository on GitHub. Then, link your local project to GitHub and push your code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>git remote add origin https://github.com/yourusername/emissions-dashboard.git git branch -M main git push -u origin main </code></pre> </div> <h2> Step 8: Connect GitHub to Amplify Console </h2> <p>Now we will tell AWS to listen to that GitHub repository.</p> <ol> <li>Go back to the AWS Amplify Console.</li> <li>Find your app (<code>emissionsdashboard</code>) and open it.</li> <li>Navigate to the “Hosting environments” tab and click “Connect branch.”</li> <li>Select GitHub as your source code provider and authorize AWS to access your account.</li> </ol> <p>Amplify usually detects the settings automatically, but you should double-check the Build settings section. Ensure the Build output directory is set to <code>build</code>. If it is set to <code>/</code>, your deployment will fail because Amplify won't know which folder contains your website files.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhb11u1xcvqvzd8lo0w14.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhb11u1xcvqvzd8lo0w14.png" alt="Amplify console" width="800" height="279"></a></p> <p>Click “Save and deploy.” AWS will now trigger a build. You can watch the progress bars as it provisions a server, downloads your code, builds the React app, and deploys it. Once the circles turn green, your automated pipeline is live.</p> <h1> How I Would Optimize This for Production </h1> <p>I built this system to work fast, not to last forever. The "Ship It" approach is perfect for prototypes or hackathons, but if I were tasked with scaling this for a paying client, I would make three major changes.</p> <ol> <li>Closing the Open Door</li> </ol> <p>In the Lambda code, I set the CORS header to <code>*</code>. This is the digital equivalent of leaving your front door wide open. It means any website on the internet can send requests to my API. In a real production environment, I would lock this down to only allow requests from my specific Amplify domain.</p> <ol> <li>Checking ID Cards </li> </ol> <p>Right now, my API is public. Anyone with the URL can send fake data to my database or read my sensor history. To secure this, I would implement AWS IAM authentication or API Keys. This ensures that only trusted devices and users can interact with the system. For an extra layer of defense, I might even add a Web Application Firewall (WAF) to block bots and malicious traffic, but checking IDs comes first.</p> <ol> <li>Escaping the "Scan" Trap </li> </ol> <p>I used <code>ScanCommand</code> to read my data. This works fine for a few hundred records, but it reads every single item in the database every time the dashboard loads. If this sensor ran for a year, that table would grow to millions of records. A <code>Scan</code> operation on a table that size would be incredibly slow and expensive. This breakdown of DynamoDB pricing models highlights why I would switch to <code>QueryCommand</code> and use proper indexes for a long-term solution.</p> <p>For now, though, the dashboard is live. I built something from scratch that actually works, and that is the most important step in engineering.</p> lambda amplify dynamodb iot How to Deploy Microservices App With EKS (And Automate the Full Pipeline with AWS CloudFormation & GitHub Actions) Ngozi Opara Sun, 30 Nov 2025 22:29:06 +0000 https://dev.to/aws-builders/how-to-deploy-microservices-app-with-eks-and-automate-the-full-pipeline-with-aws-cloudformation--3m1e https://dev.to/aws-builders/how-to-deploy-microservices-app-with-eks-and-automate-the-full-pipeline-with-aws-cloudformation--3m1e <p>In production environments for SaaS platforms, manual management is a recipe for disaster. DevOps and Cloud engineering teams do not just build systems and the automation that manages the systems.</p> <p>In this tutorial, you will build the cloud infrastructure for an online retail store using a microservice system. This retail store is split into five independent key players:</p> <ul> <li> <strong>UI:</strong> The frontend store.</li> <li> <strong>Catalog:</strong> The product inventory.</li> <li> <strong>Cart:</strong> The user's shopping session.</li> <li> <strong>Orders:</strong> The processing logic.</li> <li> <strong>Checkout:</strong> The payment gateway interface.</li> </ul> <p>You will not just click buttons. You will define the network, the cluster, and the pipelines as code using CloudFormation and GitHub Actions</p> <h3> Architecture Diagram </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fze7mnbqqshhnbgt19g4i.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fze7mnbqqshhnbgt19g4i.png" alt="Architecture Diagram" width="800" height="415"></a></p> <h2> The Cost of the Cloud: Pricing &amp; Calculator </h2> <p>Before you write a single line of code, you need to estimate the cost. Cost optimization is one of the pillars of the AWS Well-Architected Framework, and ignoring it early is one of the most common mistakes engineers make.</p> <p>You can use the AWS Pricing Calculator to estimate the monthly run cost of this project.</p> <h3> 1. The Visible Costs </h3> <p>Open the calculator and search for Amazon EKS. The control plane alone runs about $0.10 per hour, which comes out to roughly $73/month just for the cluster itself.</p> <p>Next, search for Amazon EC2.<br> You will need compute power for your microservices. For a small production cluster, you might select <code>t3.medium</code> instances. If you run 2 worker nodes, that is roughly $60.00/month (depending on the region).</p> <h3> 2. The Hidden Costs (The "Gotchas") </h3> <p>This is where many engineers get surprised. The network is not free.</p> <ul> <li> <strong>NAT Gateways</strong> are one of the bigger gotchas. In this architecture, your private nodes need to reach the internet to pull updates and images. </li> </ul> <p>NAT Gateways make that possible, but you pay for every hour they exist, plus roughly $0.045 per GB of data that passes through them. If your app is pulling large images constantly, that fee compounds fast.</p> <ul> <li><p><strong>Load Balancers (ALB/NLB):</strong> They are another line item to watch. Exposing your UI to the public requires an Application Load Balancer. You pay an hourly rate plus a fee for LCU-hours, which scales with traffic.</p></li> <li><p><strong>Cross-AZ data transfer:</strong> It is very easy to miss this entirely. EKS places a network interface on your nodes for every pod. The interface itself is usually free, but if Service A in Zone 1 calls Service B in Zone 2, you're paying data transfer fees on every one of those requests.</p></li> </ul> <h2> Prerequisites </h2> <ul> <li> <strong>Basic knowledge of networking on AWS:</strong> for a refresher on the core concepts of a Virtual Private Cloud (VPC) , review the official Amazon VPC documentation.</li> <li> <strong>Beginner understanding of containerization and container orchestration:</strong> The <a href="https://kubernetes.io/docs/tutorials/kubernetes-basics/" rel="noopener noreferrer">Kubernetes Basics tutorial</a> is a solid starting point if you're new to orchestration.</li> <li> <strong>GitHub Account:</strong> You will need this for your code and automation pipelines.</li> </ul> <h2> Phase 1: The Network Foundation </h2> <p>Your first task is to build the land where your city will live. That land is the Virtual Private Cloud (VPC) and you will create a CloudFormation template named <code>infrastructure.yaml</code>.</p> <p>This architecture is robust. It consists of:</p> <ul> <li> <strong>2 Public Subnets:</strong> One in each Availability Zone (AZ) for the Load Balancers and NAT Gateways.</li> <li> <strong>4 Private Subnets:</strong> <ul> <li>2 for your Worker Nodes (where the apps live).</li> <li>2 for your Databases (RDS).</li> </ul> </li> <li> <strong>Gateways:</strong> An Internet Gateway for public traffic and 2 NAT Gateways for private outbound traffic.</li> <li> <strong>Route Tables:</strong> Three separate tables to control traffic flow.</li> </ul> <h3> Defining the VPC and Subnets </h3> <h3> Add this code to <code>CustomVPC.yaml</code>: </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">AWSTemplateFormatVersion</span><span class="pi">:</span> <span class="s1">'</span><span class="s">2010-09-09'</span> <span class="na">Description</span><span class="pi">:</span> <span class="pi">&gt;</span> <span class="s">This template provisions the CORE requirements for Project Bedrock:</span> <span class="s">A VPC with public/private subnets, gateways, route tables,</span> <span class="s">essential EKS IAM roles, and necessary Security Groups for the EKS cluster stack.</span> <span class="na">Parameters</span><span class="pi">:</span> <span class="na">VpcCIDR</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">The CIDR block for the VPC (e.g., 10.0.0.0/16).</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Default</span><span class="pi">:</span> <span class="s">10.0.0.0/16</span> <span class="na">SubnetCIDR</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">The CIDR block for the VPC (e.g., 10.0.0.0/16).</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Default</span><span class="pi">:</span> <span class="s">10.0.0.0/24</span> <span class="na">InstanceType</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">The EC2 instance type (e.g., t2.micro).</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Default</span><span class="pi">:</span> <span class="s">t3.micro</span> <span class="na">AllowedValues</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">t3.micro</span> <span class="pi">-</span> <span class="s">t3.small</span> <span class="pi">-</span> <span class="s">t3.medium</span> <span class="na">ConstraintDescription</span><span class="pi">:</span> <span class="s">Must be a valid EC2 instance type.</span> <span class="na">Resources</span><span class="pi">:</span> <span class="na">MyVPC</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::VPC</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">CidrBlock</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">VpcCIDR</span> <span class="na">EnableDnsSupport</span><span class="pi">:</span> <span class="s1">'</span><span class="s">true'</span> <span class="na">EnableDnsHostnames</span><span class="pi">:</span> <span class="s1">'</span><span class="s">true'</span> <span class="na">Tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">Name</span> <span class="na">Value</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s2">"</span><span class="s">${AWS::StackName}-VPC"</span> <span class="c1"># Attaching Internet Gateways</span> <span class="na">InternetGateway</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::InternetGateway</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">Name</span> <span class="na">Value</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s2">"</span><span class="s">${AWS::StackName}-IGW"</span> <span class="na">AttachGateway</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::VPCGatewayAttachment</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">VpcId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">MyVPC</span> <span class="na">InternetGatewayId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">InternetGateway</span> <span class="c1"># Public Subnets</span> <span class="na">PublicSubnetA</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::Subnet</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">VpcId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">MyVPC</span> <span class="na">CidrBlock</span><span class="pi">:</span> <span class="s">10.0.1.0/24</span> <span class="na">MapPublicIpOnLaunch</span><span class="pi">:</span> <span class="s1">'</span><span class="s">true'</span> <span class="na">AvailabilityZone</span><span class="pi">:</span> <span class="kt">!Select</span> <span class="pi">[</span> <span class="nv">0</span><span class="pi">,</span> <span class="kt">!GetAZs</span> <span class="s1">'</span><span class="s">'</span> <span class="pi">]</span> <span class="na">Tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">Name</span> <span class="na">Value</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s2">"</span><span class="s">${AWS::StackName}-PublicSubnetA"</span> <span class="c1"># Tag for ALB discovery</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">kubernetes.io/role/elb</span> <span class="na">Value</span><span class="pi">:</span> <span class="s1">'</span><span class="s">1'</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">kubernetes.io/cluster/${AWS::StackName}-EKSCluster</span> <span class="na">Value</span><span class="pi">:</span> <span class="s">shared</span> <span class="na">PublicSubnetB</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::Subnet</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">VpcId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">MyVPC</span> <span class="na">CidrBlock</span><span class="pi">:</span> <span class="s">10.0.2.0/24</span> <span class="na">MapPublicIpOnLaunch</span><span class="pi">:</span> <span class="s1">'</span><span class="s">true'</span> <span class="na">AvailabilityZone</span><span class="pi">:</span> <span class="kt">!Select</span> <span class="pi">[</span> <span class="nv">1</span><span class="pi">,</span> <span class="kt">!GetAZs</span> <span class="s1">'</span><span class="s">'</span> <span class="pi">]</span> <span class="na">Tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">Name</span> <span class="na">Value</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s2">"</span><span class="s">${AWS::StackName}-PublicSubnetB"</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">kubernetes.io/role/elb</span> <span class="na">Value</span><span class="pi">:</span> <span class="s1">'</span><span class="s">1'</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">kubernetes.io/cluster/${AWS::StackName}-EKSCluster</span> <span class="na">Value</span><span class="pi">:</span> <span class="s">shared</span> <span class="c1"># Private Subnets </span> <span class="na">PrivateSubnetA1</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::Subnet</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">VpcId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">MyVPC</span> <span class="na">CidrBlock</span><span class="pi">:</span> <span class="s">10.0.10.0/24</span> <span class="na">MapPublicIpOnLaunch</span><span class="pi">:</span> <span class="s1">'</span><span class="s">false'</span> <span class="na">AvailabilityZone</span><span class="pi">:</span> <span class="kt">!Select</span> <span class="pi">[</span> <span class="nv">0</span><span class="pi">,</span> <span class="kt">!GetAZs</span> <span class="s1">'</span><span class="s">'</span> <span class="pi">]</span> <span class="na">Tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">Name</span> <span class="na">Value</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s2">"</span><span class="s">${AWS::StackName}-PrivateSubnetA1"</span> <span class="c1"># Tag for internal ALB discovery</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">kubernetes.io/role/internal-elb</span> <span class="na">Value</span><span class="pi">:</span> <span class="s1">'</span><span class="s">1'</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">kubernetes.io/cluster/${AWS::StackName}-EKSCluster</span> <span class="na">Value</span><span class="pi">:</span> <span class="s">shared</span> <span class="na">PrivateSubnetA2</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::Subnet</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">VpcId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">MyVPC</span> <span class="na">CidrBlock</span><span class="pi">:</span> <span class="s">10.0.11.0/24</span> <span class="na">MapPublicIpOnLaunch</span><span class="pi">:</span> <span class="s1">'</span><span class="s">false'</span> <span class="na">AvailabilityZone</span><span class="pi">:</span> <span class="kt">!Select</span> <span class="pi">[</span> <span class="nv">0</span><span class="pi">,</span> <span class="kt">!GetAZs</span> <span class="s1">'</span><span class="s">'</span> <span class="pi">]</span> <span class="na">Tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">Name</span> <span class="na">Value</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s2">"</span><span class="s">${AWS::StackName}-PrivateSubnetA2"</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">kubernetes.io/role/internal-elb</span> <span class="na">Value</span><span class="pi">:</span> <span class="s1">'</span><span class="s">1'</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">kubernetes.io/cluster/${AWS::StackName}-EKSCluster</span> <span class="na">Value</span><span class="pi">:</span> <span class="s">shared</span> <span class="na">PrivateSubnetB1</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::Subnet</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">VpcId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">MyVPC</span> <span class="na">CidrBlock</span><span class="pi">:</span> <span class="s">10.0.20.0/24</span> <span class="na">MapPublicIpOnLaunch</span><span class="pi">:</span> <span class="s1">'</span><span class="s">false'</span> <span class="na">AvailabilityZone</span><span class="pi">:</span> <span class="kt">!Select</span> <span class="pi">[</span> <span class="nv">1</span><span class="pi">,</span> <span class="kt">!GetAZs</span> <span class="s1">'</span><span class="s">'</span> <span class="pi">]</span> <span class="na">Tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">Name</span> <span class="na">Value</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s2">"</span><span class="s">${AWS::StackName}-PrivateSubnetB1"</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">kubernetes.io/role/internal-elb</span> <span class="na">Value</span><span class="pi">:</span> <span class="s1">'</span><span class="s">1'</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">kubernetes.io/cluster/${AWS::StackName}-EKSCluster</span> <span class="na">Value</span><span class="pi">:</span> <span class="s">shared</span> <span class="na">PrivateSubnetB2</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::Subnet</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">VpcId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">MyVPC</span> <span class="na">CidrBlock</span><span class="pi">:</span> <span class="s">10.0.21.0/24</span> <span class="na">MapPublicIpOnLaunch</span><span class="pi">:</span> <span class="s1">'</span><span class="s">false'</span> <span class="na">AvailabilityZone</span><span class="pi">:</span> <span class="kt">!Select</span> <span class="pi">[</span> <span class="nv">1</span><span class="pi">,</span> <span class="kt">!GetAZs</span> <span class="s1">'</span><span class="s">'</span> <span class="pi">]</span> <span class="na">Tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">Name</span> <span class="na">Value</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s2">"</span><span class="s">${AWS::StackName}-PrivateSubnetB2"</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">kubernetes.io/role/internal-elb</span> <span class="na">Value</span><span class="pi">:</span> <span class="s1">'</span><span class="s">1'</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">kubernetes.io/cluster/${AWS::StackName}-EKSCluster</span> <span class="na">Value</span><span class="pi">:</span> <span class="s">shared</span> </code></pre> </div> <h3> 2. Gateways and Routing </h3> <p>Now you add the networking logic. Your private subnets need a way to reach the internet to pull updates and container images, but you don't want them publicly exposed. NAT Gateways solve that and route tables then tell each subnet exactly where to send its traffic.</p> <p><strong>Add this to <code>CustomVPC.yaml</code>:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># NAT GATEWAYS</span> <span class="c1"># Elastic IPs</span> <span class="na">MyNATGateway1EIP</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::EIP</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Domain</span><span class="pi">:</span> <span class="s">VPC</span> <span class="na">Tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">Name</span> <span class="na">Value</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s2">"</span><span class="s">${AWS::StackName}-NATGateway1-EIP"</span> <span class="na">MyNATGateway2EIP</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::EIP</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Domain</span><span class="pi">:</span> <span class="s">VPC</span> <span class="na">Tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">Name</span> <span class="na">Value</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s2">"</span><span class="s">${AWS::StackName}-NATGateway2-EIP"</span> <span class="c1"># NATGATEway Actual Resources</span> <span class="na">MyNATGateway1</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::NatGateway</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">AllocationId</span><span class="pi">:</span> <span class="kt">!GetAtt</span> <span class="s">MyNATGateway1EIP.AllocationId</span> <span class="na">SubnetId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">PublicSubnetA</span> <span class="na">Tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">Name</span> <span class="na">Value</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s2">"</span><span class="s">${AWS::StackName}-NATGateway1"</span> <span class="na">MyNATGateway2</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::NatGateway</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">AllocationId</span><span class="pi">:</span> <span class="kt">!GetAtt</span> <span class="s">MyNATGateway2EIP.AllocationId</span> <span class="na">SubnetId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">PublicSubnetB</span> <span class="na">Tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">Name</span> <span class="na">Value</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s2">"</span><span class="s">${AWS::StackName}-NATGateway2"</span> <span class="c1"># Route Table</span> <span class="na">PublicRouteTable</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::RouteTable</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">VpcId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">MyVPC</span> <span class="na">Tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">Name</span> <span class="na">Value</span><span class="pi">:</span> <span class="s">PublicRouteTable</span> <span class="na">PublicRoute</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::Route</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">RouteTableId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">PublicRouteTable</span> <span class="na">DestinationCidrBlock</span><span class="pi">:</span> <span class="s">0.0.0.0/0</span> <span class="na">GatewayId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">InternetGateway</span> <span class="na">PublicSubnetARouteTableAssociation</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::SubnetRouteTableAssociation</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">SubnetId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">PublicSubnetA</span> <span class="na">RouteTableId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">PublicRouteTable</span> <span class="na">PublicSubnetBRouteTableAssociation</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::SubnetRouteTableAssociation</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">SubnetId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">PublicSubnetB</span> <span class="na">RouteTableId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">PublicRouteTable</span> <span class="na">PrivateRouteTableA</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::RouteTable</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">VpcId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">MyVPC</span> <span class="na">Tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">Name</span> <span class="na">Value</span><span class="pi">:</span> <span class="s">PrivateRouteTableA</span> <span class="na">PrivateRouteA</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::Route</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">DestinationCidrBlock</span><span class="pi">:</span> <span class="s">0.0.0.0/0</span> <span class="na">NatGatewayId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">MyNATGateway1</span> <span class="na">RouteTableId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">PrivateRouteTableA</span> <span class="na">PrivateSubnetA1RouteTableAssociation</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::SubnetRouteTableAssociation</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">RouteTableId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">PrivateRouteTableA</span> <span class="na">SubnetId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">PrivateSubnetA1</span> <span class="na">PrivateSubnetA2RouteTableAssociation</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::SubnetRouteTableAssociation</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">RouteTableId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">PrivateRouteTableA</span> <span class="na">SubnetId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">PrivateSubnetA2</span> <span class="na">PrivateRouteTableB</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::RouteTable</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">VpcId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">MyVPC</span> <span class="na">Tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">Name</span> <span class="na">Value</span><span class="pi">:</span> <span class="s">PrivateRouteTableB</span> <span class="na">PrivateRouteB</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::Route</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">DestinationCidrBlock</span><span class="pi">:</span> <span class="s">0.0.0.0/0</span> <span class="na">NatGatewayId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">MyNATGateway2</span> <span class="na">RouteTableId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">PrivateRouteTableB</span> <span class="na">PrivateAppSubnetBRouteTableAssociation</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::SubnetRouteTableAssociation</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">RouteTableId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">PrivateRouteTableB</span> <span class="na">SubnetId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">PrivateSubnetB1</span> <span class="na">PrivateDBSubnetBRouteTableAssociation</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::SubnetRouteTableAssociation</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">RouteTableId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">PrivateRouteTableB</span> <span class="na">SubnetId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">PrivateSubnetB2</span> </code></pre> </div> <h3> 3. Security Groups and Roles </h3> <p>Security Groups and IAM Roles act as the firewalls that protect your application from unauthorized access. You are also spinning up two EC2 instances to act as bastion hosts or test servers.</p> <p><strong>Add this to <code>CustomVPC.yaml</code>:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># ALB Security Group </span> <span class="na">MyALBSecurityGroup</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::SecurityGroup</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">GroupDescription</span><span class="pi">:</span> <span class="s">Allow HTTP, HTTPS, and SSH traffic</span> <span class="na">VpcId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">MyVPC</span> <span class="na">SecurityGroupIngress</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">IpProtocol</span><span class="pi">:</span> <span class="s">tcp</span> <span class="na">FromPort</span><span class="pi">:</span> <span class="m">80</span> <span class="na">ToPort</span><span class="pi">:</span> <span class="m">80</span> <span class="na">CidrIp</span><span class="pi">:</span> <span class="s">0.0.0.0/0</span> <span class="c1"># Allows HTTP traffic</span> <span class="pi">-</span> <span class="na">IpProtocol</span><span class="pi">:</span> <span class="s">tcp</span> <span class="na">FromPort</span><span class="pi">:</span> <span class="m">443</span> <span class="na">ToPort</span><span class="pi">:</span> <span class="m">443</span> <span class="na">CidrIp</span><span class="pi">:</span> <span class="s">0.0.0.0/0</span> <span class="c1"># Allows HTTPS traffic</span> <span class="na">Tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">Name</span> <span class="na">Value</span><span class="pi">:</span> <span class="s">MyALBSecurityGroup</span> <span class="c1"># SSH Security Group for Maintenance</span> <span class="na">MySSHSecurityGroup</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::SecurityGroup</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">GroupDescription</span><span class="pi">:</span> <span class="s">Allow SSH traffic</span> <span class="na">VpcId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">MyVPC</span> <span class="na">SecurityGroupIngress</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">IpProtocol</span><span class="pi">:</span> <span class="s">tcp</span> <span class="na">FromPort</span><span class="pi">:</span> <span class="m">22</span> <span class="na">ToPort</span><span class="pi">:</span> <span class="m">22</span> <span class="na">CidrIp</span><span class="pi">:</span> <span class="s">0.0.0.0/0</span> <span class="na">Tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">Name</span> <span class="na">Value</span><span class="pi">:</span> <span class="s">MySSHSecurityGroup</span> <span class="c1"># Server Security Group</span> <span class="na">MyServerSecurityGroup</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::SecurityGroup</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">GroupDescription</span><span class="pi">:</span> <span class="s">Allow HTTP and HTTPS traffic</span> <span class="na">VpcId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">MyVPC</span> <span class="na">SecurityGroupIngress</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">IpProtocol</span><span class="pi">:</span> <span class="s">tcp</span> <span class="na">FromPort</span><span class="pi">:</span> <span class="m">22</span> <span class="na">ToPort</span><span class="pi">:</span> <span class="m">22</span> <span class="na">SourceSecurityGroupID</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">MySSHSecurityGroup</span> <span class="pi">-</span> <span class="na">IpProtocol</span><span class="pi">:</span> <span class="s">tcp</span> <span class="na">FromPort</span><span class="pi">:</span> <span class="m">80</span> <span class="na">ToPort</span><span class="pi">:</span> <span class="m">80</span> <span class="na">SourceSecurityGroupID</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">MyALBSecurityGroup</span> <span class="pi">-</span> <span class="na">IpProtocol</span><span class="pi">:</span> <span class="s">tcp</span> <span class="na">FromPort</span><span class="pi">:</span> <span class="m">443</span> <span class="na">ToPort</span><span class="pi">:</span> <span class="m">443</span> <span class="na">SourceSecurityGroupID</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">MyALBSecurityGroup</span> <span class="na">Tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">Name</span> <span class="na">Value</span><span class="pi">:</span> <span class="s">MySecurityGroup</span> <span class="c1"># My EC2 instance</span> <span class="na">MyEC2InstanceA</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::Instance</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">InstanceType</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">InstanceType</span> <span class="na">ImageId</span><span class="pi">:</span> <span class="s2">"</span><span class="s">ami-0a716d3f3b16d290c"</span> <span class="c1"># Replace with the desired AMI</span> <span class="na">SubnetId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">PublicSubnetA</span> <span class="na">KeyName</span><span class="pi">:</span> <span class="s2">"</span><span class="s">InnovateMart"</span> <span class="c1"># Replace with name of your key pair</span> <span class="na">SecurityGroupIds</span><span class="pi">:</span> <span class="pi">-</span> <span class="kt">!Ref</span> <span class="s">MyServerSecurityGroup</span> <span class="pi">-</span> <span class="kt">!Ref</span> <span class="s">MySSHSecurityGroup</span> <span class="na">Tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">Name</span> <span class="na">Value</span><span class="pi">:</span> <span class="s">MyInstance</span> <span class="na">MyEC2InstanceB</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::Instance</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">InstanceType</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">InstanceType</span> <span class="na">ImageId</span><span class="pi">:</span> <span class="s2">"</span><span class="s">ami-0a716d3f3b16d290c"</span> <span class="c1"># Replace with the desired AMI</span> <span class="na">SubnetId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">PublicSubnetB</span> <span class="na">KeyName</span><span class="pi">:</span> <span class="s2">"</span><span class="s">InnovateMart"</span> <span class="na">SecurityGroupIds</span><span class="pi">:</span> <span class="pi">-</span> <span class="kt">!Ref</span> <span class="s">MyServerSecurityGroup</span> <span class="pi">-</span> <span class="kt">!Ref</span> <span class="s">MySSHSecurityGroup</span> <span class="na">Tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">Name</span> <span class="na">Value</span><span class="pi">:</span> <span class="s">MyInstance</span> <span class="c1"># EKS Cluster Role</span> <span class="na">EKSClusterRole</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::IAM::Role</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">RoleName</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s2">"</span><span class="s">${AWS::StackName}-EKSClusterRole"</span> <span class="na">AssumeRolePolicyDocument</span><span class="pi">:</span> <span class="na">Version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">2012-10-17'</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Principal</span><span class="pi">:</span> <span class="na">Service</span><span class="pi">:</span> <span class="s">eks.amazonaws.com</span> <span class="na">Action</span><span class="pi">:</span> <span class="s">sts:AssumeRole</span> <span class="na">ManagedPolicyArns</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">arn:aws:iam::aws:policy/AmazonEKSClusterPolicy</span> <span class="c1"># EKS Node Role</span> <span class="na">EKSNodeRole</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::IAM::Role</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">RoleName</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s2">"</span><span class="s">${AWS::StackName}-EKSNodeRole"</span> <span class="na">AssumeRolePolicyDocument</span><span class="pi">:</span> <span class="na">Version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">2012-10-17'</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Principal</span><span class="pi">:</span> <span class="na">Service</span><span class="pi">:</span> <span class="s">ec2.amazonaws.com</span> <span class="na">Action</span><span class="pi">:</span> <span class="s">sts:AssumeRole</span> <span class="na">ManagedPolicyArns</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy</span> <span class="pi">-</span> <span class="s">arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly</span> <span class="pi">-</span> <span class="s">arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy</span> </code></pre> </div> <h3> 4. Outputs </h3> <p>The last section of this template is the exports block. In phase two, you will be creating another template and Output is how it finds the VPC and Subnets we just created.</p> <p><strong>Add this to <code>CustomVPC.yaml</code>:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">Outputs</span><span class="pi">:</span> <span class="na">VpcId</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">The ID of the VPC</span> <span class="na">Value</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">MyVPC</span> <span class="na">Export</span><span class="pi">:</span> <span class="na">Name</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s">${AWS::StackName}-MyVPC</span> <span class="na">PublicSubnetIDs</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">A comma-separated list of public subnet IDs</span> <span class="na">Value</span><span class="pi">:</span> <span class="kt">!Join</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">,'</span> <span class="pi">-</span> <span class="pi">-</span> <span class="kt">!Ref</span> <span class="s">PublicSubnetA</span> <span class="pi">-</span> <span class="kt">!Ref</span> <span class="s">PublicSubnetB</span> <span class="na">Export</span><span class="pi">:</span> <span class="na">Name</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s2">"</span><span class="s">${AWS::StackName}-PublicSubnetIDs"</span> <span class="na">PrivateSubnetIDs</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">A comma-separated list of private subnet IDs for EKS nodes</span> <span class="na">Value</span><span class="pi">:</span> <span class="kt">!Join</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">,'</span> <span class="pi">-</span> <span class="pi">-</span> <span class="kt">!Ref</span> <span class="s">PrivateSubnetA1</span> <span class="pi">-</span> <span class="kt">!Ref</span> <span class="s">PrivateSubnetA2</span> <span class="pi">-</span> <span class="kt">!Ref</span> <span class="s">PrivateSubnetB1</span> <span class="pi">-</span> <span class="kt">!Ref</span> <span class="s">PrivateSubnetB2</span> <span class="na">Export</span><span class="pi">:</span> <span class="na">Name</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s2">"</span><span class="s">${AWS::StackName}-PrivateSubnetIDs"</span> <span class="na">MyDBSecurityGroup</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">The name of the DB Security Group cluster</span> <span class="na">Value</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">MyServerSecurityGroup</span> <span class="na">Export</span><span class="pi">:</span> <span class="na">Name</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s2">"</span><span class="s">${AWS::StackName}-MyDBSecurityGroup"</span> <span class="na">MyALBSecurityGroup</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">The name of the ALB Security Group cluster</span> <span class="na">Value</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">MyALBSecurityGroup</span> <span class="na">Export</span><span class="pi">:</span> <span class="na">Name</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s2">"</span><span class="s">${AWS::StackName}-MyALBSecurityGroup"</span> <span class="na">MySSHSecurityGroup</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">The name of the ALB Security Group cluster</span> <span class="na">Value</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">MySSHSecurityGroup</span> <span class="na">Export</span><span class="pi">:</span> <span class="na">Name</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s2">"</span><span class="s">${AWS::StackName}-MySSHSecurityGroup"</span> <span class="na">MyServerSecurityGroup</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">The name of the ALB Security Group cluster</span> <span class="na">Value</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">MyServerSecurityGroup</span> <span class="na">Export</span><span class="pi">:</span> <span class="na">Name</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s2">"</span><span class="s">${AWS::StackName}-MyServerSecurityGroup"</span> <span class="na">EKSClusterRoleArn</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">The ARN of the IAM role for the EKS cluster</span> <span class="na">Value</span><span class="pi">:</span> <span class="kt">!GetAtt</span> <span class="s">EKSClusterRole.Arn</span> <span class="na">Export</span><span class="pi">:</span> <span class="na">Name</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s2">"</span><span class="s">${AWS::StackName}-EKSClusterRoleArn"</span> <span class="na">EKSNodeRoleArn</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">The ARN of the IAM role for the EKS nodes</span> <span class="na">Value</span><span class="pi">:</span> <span class="kt">!GetAtt</span> <span class="s">EKSNodeRole.Arn</span> <span class="na">Export</span><span class="pi">:</span> <span class="na">Name</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s2">"</span><span class="s">${AWS::StackName}-EKSNodeRoleArn"</span> </code></pre> </div> <p>To build this foundation, run the following command. We will name the stack <code>bedrock-vpc</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws cloudformation create-stack <span class="se">\</span> <span class="nt">--stack-name</span> bedrock-vpc <span class="se">\</span> <span class="nt">--template-body</span> file://CustomVPC.yaml <span class="se">\</span> <span class="nt">--capabilities</span> CAPABILITY_NAMED_IAM </code></pre> </div> <p>Wait for this stack to reach <code>CREATE_COMPLETE</code> status before moving to Phase 2.</p> <p>Phase 2: The Cluster and Nodes (The House)</p> <p>Now that the land is prepped, you can build the house. Create a file named <strong>EKSCluster.yaml</strong>.</p> <p>This template uses the <code>Fn::ImportValue</code> function. It looks for the exports from your <strong>bedrock-vpc</strong> stack to know where to place the servers. It creates the Control Plane (Brain), the Node Group (Workers), and a Read-Only Developer User.</p> <h3> File: <code>EKSCluster.yaml</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">AWSTemplateFormatVersion</span><span class="pi">:</span> <span class="s1">'</span><span class="s">2010-09-09'</span> <span class="na">Description</span><span class="pi">:</span> <span class="pi">&gt;</span> <span class="s">This template provisions the EKS Cluster and a Managed Node Group</span> <span class="s">by importing resources from the VPC stack.</span> <span class="na">Parameters</span><span class="pi">:</span> <span class="na">VPCStackName</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Description</span><span class="pi">:</span> <span class="pi">&gt;</span> <span class="s">The name of the CloudFormation stack that created the VPC</span> <span class="na">ClusterVersion</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Default</span><span class="pi">:</span> <span class="s1">'</span><span class="s">1.29'</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">The Kubernetes version for the EKS cluster.</span> <span class="na">InstanceType</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">The EC2 instance type for the nodes (e.g., t3.medium).</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Default</span><span class="pi">:</span> <span class="s">t3.medium</span> <span class="na">Resources</span><span class="pi">:</span> <span class="c1"># 1. EKS Cluster (The "Brain")</span> <span class="na">EKSCluster</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EKS::Cluster</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Name</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s2">"</span><span class="s">${VPCStackName}-EKSCluster"</span> <span class="na">Version</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ClusterVersion</span> <span class="c1"># This is where we import the VPC info</span> <span class="na">RoleArn</span><span class="pi">:</span> <span class="kt">!ImportValue</span> <span class="na">Fn::Sub</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${VPCStackName}-EKSClusterRoleArn"</span> <span class="na">ResourcesVpcConfig</span><span class="pi">:</span> <span class="na">SubnetIds</span><span class="pi">:</span> <span class="pi">-</span> <span class="kt">!Select</span> <span class="pi">[</span> <span class="nv">0</span><span class="pi">,</span> <span class="kt">!Split</span> <span class="pi">[</span> <span class="s1">'</span><span class="s">,'</span><span class="pi">,</span> <span class="kt">!ImportValue</span> <span class="pi">{</span> <span class="nv">Fn</span><span class="pi">::</span><span class="nv">Sub</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${VPCStackName}-PublicSubnetIDs"</span> <span class="pi">}</span> <span class="pi">]</span> <span class="pi">]</span> <span class="pi">-</span> <span class="kt">!Select</span> <span class="pi">[</span> <span class="nv">1</span><span class="pi">,</span> <span class="kt">!Split</span> <span class="pi">[</span> <span class="s1">'</span><span class="s">,'</span><span class="pi">,</span> <span class="kt">!ImportValue</span> <span class="pi">{</span> <span class="nv">Fn</span><span class="pi">::</span><span class="nv">Sub</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${VPCStackName}-PublicSubnetIDs"</span> <span class="pi">}</span> <span class="pi">]</span> <span class="pi">]</span> <span class="pi">-</span> <span class="kt">!Select</span> <span class="pi">[</span> <span class="nv">0</span><span class="pi">,</span> <span class="kt">!Split</span> <span class="pi">[</span> <span class="s1">'</span><span class="s">,'</span><span class="pi">,</span> <span class="kt">!ImportValue</span> <span class="pi">{</span> <span class="nv">Fn</span><span class="pi">::</span><span class="nv">Sub</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${VPCStackName}-PrivateSubnetIDs"</span> <span class="pi">}</span> <span class="pi">]</span> <span class="pi">]</span> <span class="pi">-</span> <span class="kt">!Select</span> <span class="pi">[</span> <span class="nv">1</span><span class="pi">,</span> <span class="kt">!Split</span> <span class="pi">[</span> <span class="s1">'</span><span class="s">,'</span><span class="pi">,</span> <span class="kt">!ImportValue</span> <span class="pi">{</span> <span class="nv">Fn</span><span class="pi">::</span><span class="nv">Sub</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${VPCStackName}-PrivateSubnetIDs"</span> <span class="pi">}</span> <span class="pi">]</span> <span class="pi">]</span> <span class="pi">-</span> <span class="kt">!Select</span> <span class="pi">[</span> <span class="nv">2</span><span class="pi">,</span> <span class="kt">!Split</span> <span class="pi">[</span> <span class="s1">'</span><span class="s">,'</span><span class="pi">,</span> <span class="kt">!ImportValue</span> <span class="pi">{</span> <span class="nv">Fn</span><span class="pi">::</span><span class="nv">Sub</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${VPCStackName}-PrivateSubnetIDs"</span> <span class="pi">}</span> <span class="pi">]</span> <span class="pi">]</span> <span class="pi">-</span> <span class="kt">!Select</span> <span class="pi">[</span> <span class="nv">3</span><span class="pi">,</span> <span class="kt">!Split</span> <span class="pi">[</span> <span class="s1">'</span><span class="s">,'</span><span class="pi">,</span> <span class="kt">!ImportValue</span> <span class="pi">{</span> <span class="nv">Fn</span><span class="pi">::</span><span class="nv">Sub</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${VPCStackName}-PrivateSubnetIDs"</span> <span class="pi">}</span> <span class="pi">]</span> <span class="pi">]</span> <span class="c1"># This tells EKS which SGs to use for its own networking</span> <span class="na">SecurityGroupIds</span><span class="pi">:</span> <span class="pi">-</span> <span class="kt">!ImportValue</span> <span class="na">Fn::Sub</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${VPCStackName}-MyServerSecurityGroup"</span> <span class="na">EndpointPublicAccess</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">EndpointPrivateAccess</span><span class="pi">:</span> <span class="kc">false</span> <span class="c1"># 2. EKS Node Group (The "Workers")</span> <span class="na">EKSNodeGroup</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EKS::Nodegroup</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">ClusterName</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">EKSCluster</span> <span class="na">NodegroupName</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s2">"</span><span class="s">${VPCStackName}-NodeGroup"</span> <span class="na">InstanceTypes</span><span class="pi">:</span> <span class="pi">-</span> <span class="kt">!Ref</span> <span class="s">InstanceType</span> <span class="na">NodeRole</span><span class="pi">:</span> <span class="kt">!ImportValue</span> <span class="na">Fn::Sub</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${VPCStackName}-EKSNodeRoleArn"</span> <span class="c1"># Workers live in your private subnets</span> <span class="na">Subnets</span><span class="pi">:</span> <span class="pi">-</span> <span class="kt">!Select</span> <span class="pi">[</span> <span class="nv">0</span><span class="pi">,</span> <span class="kt">!Split</span> <span class="pi">[</span> <span class="s1">'</span><span class="s">,'</span><span class="pi">,</span> <span class="kt">!ImportValue</span> <span class="pi">{</span> <span class="nv">Fn</span><span class="pi">::</span><span class="nv">Sub</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${VPCStackName}-PrivateSubnetIDs"</span> <span class="pi">}</span> <span class="pi">]</span> <span class="pi">]</span> <span class="pi">-</span> <span class="kt">!Select</span> <span class="pi">[</span> <span class="nv">1</span><span class="pi">,</span> <span class="kt">!Split</span> <span class="pi">[</span> <span class="s1">'</span><span class="s">,'</span><span class="pi">,</span> <span class="kt">!ImportValue</span> <span class="pi">{</span> <span class="nv">Fn</span><span class="pi">::</span><span class="nv">Sub</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${VPCStackName}-PrivateSubnetIDs"</span> <span class="pi">}</span> <span class="pi">]</span> <span class="pi">]</span> <span class="pi">-</span> <span class="kt">!Select</span> <span class="pi">[</span> <span class="nv">2</span><span class="pi">,</span> <span class="kt">!Split</span> <span class="pi">[</span> <span class="s1">'</span><span class="s">,'</span><span class="pi">,</span> <span class="kt">!ImportValue</span> <span class="pi">{</span> <span class="nv">Fn</span><span class="pi">::</span><span class="nv">Sub</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${VPCStackName}-PrivateSubnetIDs"</span> <span class="pi">}</span> <span class="pi">]</span> <span class="pi">]</span> <span class="pi">-</span> <span class="kt">!Select</span> <span class="pi">[</span> <span class="nv">3</span><span class="pi">,</span> <span class="kt">!Split</span> <span class="pi">[</span> <span class="s1">'</span><span class="s">,'</span><span class="pi">,</span> <span class="kt">!ImportValue</span> <span class="pi">{</span> <span class="nv">Fn</span><span class="pi">::</span><span class="nv">Sub</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${VPCStackName}-PrivateSubnetIDs"</span> <span class="pi">}</span> <span class="pi">]</span> <span class="pi">]</span> <span class="na">ScalingConfig</span><span class="pi">:</span> <span class="na">MinSize</span><span class="pi">:</span> <span class="m">2</span> <span class="na">DesiredSize</span><span class="pi">:</span> <span class="m">2</span> <span class="na">MaxSize</span><span class="pi">:</span> <span class="m">4</span> <span class="na">RemoteAccess</span><span class="pi">:</span> <span class="na">Ec2SshKey</span><span class="pi">:</span> <span class="s2">"</span><span class="s">InnovateMart"</span> <span class="c1"># This SG must allow SSH access</span> <span class="na">SourceSecurityGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="kt">!ImportValue</span> <span class="na">Fn::Sub</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${VPCStackName}-MySSHSecurityGroup"</span> <span class="na">ReadOnlyDevUser</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::IAM::User</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">UserName</span><span class="pi">:</span> <span class="s">dev-readonly-user</span> <span class="na">ReadOnlyDevUserKey</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::IAM::AccessKey</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">UserName</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ReadOnlyDevUser</span> <span class="na">Outputs</span><span class="pi">:</span> <span class="na">EKSClusterName</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">The name of the EKS cluster</span> <span class="na">Value</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">EKSCluster</span> <span class="na">Export</span><span class="pi">:</span> <span class="na">Name</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s2">"</span><span class="s">${AWS::StackName}-EKSClusterName"</span> <span class="na">EKSClusterEndpoint</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">The endpoint for the EKS cluster</span> <span class="na">Value</span><span class="pi">:</span> <span class="kt">!GetAtt</span> <span class="s">EKSCluster.Endpoint</span> <span class="na">Export</span><span class="pi">:</span> <span class="na">Name</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s2">"</span><span class="s">${AWS::StackName}-EKSClusterEndpoint"</span> <span class="na">ReadOnlyDevUserARN</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">ARN</span><span class="nv"> </span><span class="s">of</span><span class="nv"> </span><span class="s">the</span><span class="nv"> </span><span class="s">read-only</span><span class="nv"> </span><span class="s">developer</span><span class="nv"> </span><span class="s">user"</span> <span class="na">Value</span><span class="pi">:</span> <span class="kt">!GetAtt</span> <span class="s">ReadOnlyDevUser.Arn</span> <span class="na">ReadOnlyDevUserAccessKey</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Access</span><span class="nv"> </span><span class="s">key</span><span class="nv"> </span><span class="s">for</span><span class="nv"> </span><span class="s">the</span><span class="nv"> </span><span class="s">read-only</span><span class="nv"> </span><span class="s">user"</span> <span class="na">Value</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ReadOnlyDevUserKey</span> <span class="na">ReadOnlyDevUserSecretKey</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Secret</span><span class="nv"> </span><span class="s">key</span><span class="nv"> </span><span class="s">for</span><span class="nv"> </span><span class="s">the</span><span class="nv"> </span><span class="s">read-only</span><span class="nv"> </span><span class="s">user"</span> <span class="na">Value</span><span class="pi">:</span> <span class="kt">!GetAtt</span> <span class="s">ReadOnlyDevUserKey.SecretAccessKey</span> </code></pre> </div> <h3> Deploy the stack: </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws cloudformation create-stack <span class="se">\</span> <span class="nt">--stack-name</span> project-bedrock <span class="se">\</span> <span class="nt">--template-body</span> file://infrastructure.yaml <span class="se">\</span> <span class="nt">--capabilities</span> CAPABILITY_NAMED_IAM </code></pre> </div> <h2> Phase 3: The Handshake </h2> <p>Your cluster is alive, but your local machine doesn't know how to talk to it yet. You need to establish a secure handshake with a 'kubeconfig' file and the 'kubectl' command.</p> <p>Run the update command to generate the config file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws eks update-kubeconfig <span class="se">\</span> <span class="nt">--region</span> us-east-1 <span class="se">\</span> <span class="nt">--name</span> RetailStoreCluster </code></pre> </div> <p>Test the connection. If you see the internal IP addresses of your Kubernetes services, the handshake is complete.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get svc </code></pre> </div> <p>If you see the internal IP addresses of your Kubernetes services come back, you're connected. The handshake is done.</p> <h2> Phase 4: The Database </h2> <p>Your microservices need somewhere to persist data. In Phase 1 you created two private database subnets, one in each Availability Zone, and tagged them for internal use. </p> <p>Now you actually put something in them. You will provision a PostgreSQL RDS instance that sits in those subnets, completely isolated from the public internet, and only reachable from your worker nodes.</p> <p>Create a new file named <code>RDS.yaml</code>.</p> <h3> 1. The DB Subnet Group and Security Group </h3> <p>Before RDS can launch, it needs to know which subnets it's allowed to live in. A DB subnet group is just a named collection of subnets that RDS picks from when it places your instance. </p> <p>You also need a dedicated security group that only allows PostgreSQL traffic on port 5432, and only from the worker node security group. Nothing else gets in.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">AWSTemplateFormatVersion</span><span class="pi">:</span> <span class="s1">'</span><span class="s">2010-09-09'</span> <span class="na">Description</span><span class="pi">:</span> <span class="pi">&gt;</span> <span class="s">This template provisions a PostgreSQL RDS instance</span> <span class="s">inside the private DB subnets created by the VPC stack.</span> <span class="na">Parameters</span><span class="pi">:</span> <span class="na">VPCStackName</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">The name of the CloudFormation stack that created the VPC.</span> <span class="na">DBUsername</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Default</span><span class="pi">:</span> <span class="s">retailadmin</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">The master username for the database.</span> <span class="na">DBPassword</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">NoEcho</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">The master password for the database.</span> <span class="na">DBInstanceClass</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Default</span><span class="pi">:</span> <span class="s">db.t3.medium</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">The RDS instance type.</span> <span class="na">Resources</span><span class="pi">:</span> <span class="na">DBSubnetGroup</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::RDS::DBSubnetGroup</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">DBSubnetGroupDescription</span><span class="pi">:</span> <span class="s">Subnet group for the retail store RDS instance</span> <span class="na">SubnetIds</span><span class="pi">:</span> <span class="pi">-</span> <span class="kt">!Select</span> <span class="pi">[</span> <span class="nv">2</span><span class="pi">,</span> <span class="kt">!Split</span> <span class="pi">[</span> <span class="s1">'</span><span class="s">,'</span><span class="pi">,</span> <span class="kt">!ImportValue</span> <span class="pi">{</span> <span class="nv">Fn</span><span class="pi">::</span><span class="nv">Sub</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${VPCStackName}-PrivateSubnetIDs"</span> <span class="pi">}</span> <span class="pi">]</span> <span class="pi">]</span> <span class="pi">-</span> <span class="kt">!Select</span> <span class="pi">[</span> <span class="nv">3</span><span class="pi">,</span> <span class="kt">!Split</span> <span class="pi">[</span> <span class="s1">'</span><span class="s">,'</span><span class="pi">,</span> <span class="kt">!ImportValue</span> <span class="pi">{</span> <span class="nv">Fn</span><span class="pi">::</span><span class="nv">Sub</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${VPCStackName}-PrivateSubnetIDs"</span> <span class="pi">}</span> <span class="pi">]</span> <span class="pi">]</span> <span class="na">Tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">Name</span> <span class="na">Value</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s2">"</span><span class="s">${AWS::StackName}-DBSubnetGroup"</span> <span class="na">DBSecurityGroup</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::SecurityGroup</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">GroupDescription</span><span class="pi">:</span> <span class="s">Allow PostgreSQL access from worker nodes only</span> <span class="na">VpcId</span><span class="pi">:</span> <span class="kt">!ImportValue</span> <span class="na">Fn::Sub</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${VPCStackName}-MyVPC"</span> <span class="na">SecurityGroupIngress</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">IpProtocol</span><span class="pi">:</span> <span class="s">tcp</span> <span class="na">FromPort</span><span class="pi">:</span> <span class="m">5432</span> <span class="na">ToPort</span><span class="pi">:</span> <span class="m">5432</span> <span class="na">SourceSecurityGroupId</span><span class="pi">:</span> <span class="kt">!ImportValue</span> <span class="na">Fn::Sub</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${VPCStackName}-MyServerSecurityGroup"</span> <span class="na">Tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">Name</span> <span class="na">Value</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s2">"</span><span class="s">${AWS::StackName}-DBSecurityGroup"</span> </code></pre> </div> <h3> 2. The RDS Instance </h3> <p>Now add the actual database resource. You are enabling Multi-AZ so RDS automatically maintains a standby replica in the second Availability Zone. If the primary goes down, RDS fails over to the standby without you doing anything.</p> <p>Add this to <code>RDS.yaml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">RetailDB</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::RDS::DBInstance</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">DBInstanceIdentifier</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s2">"</span><span class="s">${AWS::StackName}-retaildb"</span> <span class="na">DBInstanceClass</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">DBInstanceClass</span> <span class="na">Engine</span><span class="pi">:</span> <span class="s">postgres</span> <span class="na">EngineVersion</span><span class="pi">:</span> <span class="s1">'</span><span class="s">15.4'</span> <span class="na">MasterUsername</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">DBUsername</span> <span class="na">MasterUserPassword</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">DBPassword</span> <span class="na">AllocatedStorage</span><span class="pi">:</span> <span class="s1">'</span><span class="s">20'</span> <span class="na">StorageType</span><span class="pi">:</span> <span class="s">gp3</span> <span class="na">MultiAZ</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">DBSubnetGroupName</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">DBSubnetGroup</span> <span class="na">VPCSecurityGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="kt">!Ref</span> <span class="s">DBSecurityGroup</span> <span class="na">PubliclyAccessible</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">DeletionProtection</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">Tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">Name</span> <span class="na">Value</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s2">"</span><span class="s">${AWS::StackName}-RetailDB"</span> <span class="na">Outputs</span><span class="pi">:</span> <span class="na">DBEndpoint</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">The connection endpoint for the RDS instance</span> <span class="na">Value</span><span class="pi">:</span> <span class="kt">!GetAtt</span> <span class="s">RetailDB.Endpoint.Address</span> <span class="na">Export</span><span class="pi">:</span> <span class="na">Name</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s2">"</span><span class="s">${AWS::StackName}-DBEndpoint"</span> <span class="na">DBPort</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">The port the database is listening on</span> <span class="na">Value</span><span class="pi">:</span> <span class="kt">!GetAtt</span> <span class="s">RetailDB.Endpoint.Port</span> <span class="na">Export</span><span class="pi">:</span> <span class="na">Name</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s2">"</span><span class="s">${AWS::StackName}-DBPort"</span> </code></pre> </div> <p>Deploy the database stack:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws cloudformation create-stack <span class="se">\</span> <span class="nt">--stack-name</span> project-bedrock-rds <span class="se">\</span> <span class="nt">--template-body</span> file://RDS.yaml <span class="se">\</span> <span class="nt">--capabilities</span> CAPABILITY_NAMED_IAM <span class="se">\</span> <span class="nt">--parameters</span> <span class="se">\</span> <span class="nv">ParameterKey</span><span class="o">=</span>VPCStackName,ParameterValue<span class="o">=</span>bedrock-vpc <span class="se">\</span> <span class="nv">ParameterKey</span><span class="o">=</span>DBUsername,ParameterValue<span class="o">=</span>retailadmin <span class="se">\</span> <span class="nv">ParameterKey</span><span class="o">=</span>DBPassword,ParameterValue<span class="o">=</span>YOUR_SECURE_PASSWORD </code></pre> </div> <p>RDS takes a few minutes to provision, especially with Multi-AZ enabled. Wait for <code>CREATE_COMPLETE</code> before moving on.</p> <h3> 3. Storing the Credentials as a Kubernetes Secret </h3> <p>Your pods need the database connection string, but you never want credentials hardcoded into your Helm values or your container images. </p> <p>A Kubernetes Secret keeps them out of your codebase and injects them into the pod at runtime as environment variables.</p> <p>Once your RDS stack is complete, grab the endpoint from the outputs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws cloudformation describe-stacks <span class="se">\</span> <span class="nt">--stack-name</span> project-bedrock-rds <span class="se">\</span> <span class="nt">--query</span> <span class="s2">"Stacks[0].Outputs"</span> </code></pre> </div> <p>Then create the secret in your cluster:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl create secret generic retail-db-credentials <span class="se">\</span> <span class="nt">--from-literal</span><span class="o">=</span><span class="nv">host</span><span class="o">=</span>YOUR_RDS_ENDPOINT <span class="se">\</span> <span class="nt">--from-literal</span><span class="o">=</span><span class="nv">port</span><span class="o">=</span>5432 <span class="se">\</span> <span class="nt">--from-literal</span><span class="o">=</span><span class="nv">username</span><span class="o">=</span>retailadmin <span class="se">\</span> <span class="nt">--from-literal</span><span class="o">=</span><span class="nv">password</span><span class="o">=</span>YOUR_SECURE_PASSWORD <span class="se">\</span> <span class="nt">--from-literal</span><span class="o">=</span><span class="nv">dbname</span><span class="o">=</span>retailstore </code></pre> </div> <p>Your microservices can now reference these values as environment variables in their pod specs without the actual credentials ever appearing in your Git repository.</p> <h2> Phase 5: Deploying the Application </h2> <p>Now you need the actual retail store code. Rather than building one from scratch, you'll use the official AWS sample retail application.</p> <h3> Clone the Repository: </h3> <p>You will use the official AWS sample retail app. Run this command in your working directory:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/aws-containers/retail-store-sample-app.git <span class="nb">cd </span>retail-store-sample-app </code></pre> </div> <h3> Deploy with Helm: </h3> <p>We will use Helm to install the microservices defined in this repository.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm <span class="nb">install </span>retail-app ./helm </code></pre> </div> <h2> Phase 6: Developer Access (RBAC) </h2> <p>Back in Phase 2, you created an IAM user called <code>dev-readonly-user</code>. That user exists in AWS, but Kubernetes doesn't know anything about it yet. You need to wire the two together using RBAC.</p> <p>Start by creating a <code>k8s</code> directory inside the cloned repo:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir </span>k8s </code></pre> </div> <h3> Create the RBAC Files: </h3> <p>Inside that folder, you will create a Role and a RoleBinding. The Role defines what permissions exist, and the RoleBinding attaches that Role to the IAM user. </p> <p>Together, they give a developer a way to observe what's running in the cluster without being able to change anything.</p> <h2> Phase 7: Automation (CI/CD) </h2> <p>The final piece is setting up GitHub Actions to watch this repository.</p> <p>Create the file:<br><br> <code>.github/workflows/deploy.yml</code> in your project root.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Deploy to EKS</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span> <span class="s2">"</span><span class="s">main"</span> <span class="pi">]</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">deploy</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v3</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Configure AWS Credentials</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/configure-aws-credentials@v2</span> <span class="na">with</span><span class="pi">:</span> <span class="na">aws-access-key-id</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_ACCESS_KEY_ID }}</span> <span class="na">aws-secret-access-key</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_SECRET_ACCESS_KEY }}</span> <span class="na">aws-region</span><span class="pi">:</span> <span class="s">us-east-1</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Update Kubeconfig</span> <span class="na">run</span><span class="pi">:</span> <span class="s">aws eks update-kubeconfig --name bedrock-vpc-EKSCluster</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Deploy</span> <span class="na">run</span><span class="pi">:</span> <span class="s">helm upgrade --install retail-app ./helm</span> </code></pre> </div> <p>Every push to <code>main</code> now triggers a deploy. The pipeline authenticates to AWS using secrets you store in your GitHub repository settings, updates the kubeconfig, and runs a Helm upgrade. If the release already exists, it upgrades it and if it does not, it creates it.</p> <h2> Phase 8: Exposing the Store to the Internet (Ingress) </h2> <p>Your application is deployed and running, but it's completely locked inside the VPC. No customer can reach it. To fix that, you need an Ingress resource and the controller that knows how to act on it. This is where your <code>ingress.yaml</code> file comes in.</p> <h3> Install the Controller: </h3> <p>Kubernetes does not do anything with an Ingress object on its own. You need to install the AWS Load Balancer Controller into your cluster first You need to install the AWS Load Balancer Controller into your cluster.</p> <p>This controller listens for Ingress creation requests and automatically creates the corresponding AWS Application Load Balancer (ALB).</p> <h3> Create the Ingress File: </h3> <p>Place your <code>ingress.yaml</code> file inside the <code>k8s</code> folder created in Phase 5.</p> <h3> Example command to verify file placement: </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">ls </span>k8s/ingress.yaml </code></pre> </div> <h3> Apply the Configuration: </h3> <p>Unlike the Helm deployment, this file is applied manually (or added to your CI/CD pipeline).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> k8s/ingress.yaml </code></pre> </div> <p>Once you apply the configuration, the Controller detects the new Ingress resource and provisions an AWS Application Load Balancer in the public subnets created in Phase 1. </p> <p>You can then point your domain (e.g., <code>store.example.com</code>) to this Load Balancer using Route 53.</p> <h2> Common Issues You Might Encounter and How to Fix Them </h2> <p>CloudFormation stacks fail. Pods don't start. The ALB never shows up. None of this is unusual, it is just part of working with distributed infrastructure. Most failures in this architecture follow a short list of patterns, and knowing where to look cuts your debug time significantly.</p> <p>The most common stack failure is a <code>CREATE_FAILED</code> status on the EKS cluster, usually because the VPC stack hadn't fully settled before Phase 2 ran. When this happens, open the CloudFormation events tab in the AWS console and find the first red entry, not the last one. The <a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/troubleshooting.html" rel="noopener noreferrer">AWS CloudFormation troubleshooting guide</a> breaks down the most common status codes and what they mean in plain terms.</p> <p>If your pods are stuck in <code>Pending</code> after the Helm install, the node group is usually where the problem lives. Run <code>kubectl describe pod &lt;pod-name&gt;</code> and read the events section at the bottom, where you will likely see a message about insufficient CPU or memory. That means your <code>t3.medium</code> nodes are undersized, or your desired node count is too low. </p> <p>You can increase <code>DesiredSize</code> in the node group config and update the stack. If <code>kubectl get nodes</code> returns nothing at all, the node IAM role is probably missing a policy, which stops the nodes from joining the cluster entirely. The <a href="https://docs.aws.amazon.com/eks/latest/userguide/troubleshooting.html" rel="noopener noreferrer">EKS worker node troubleshooting docs</a> cover this exact scenario and are worth keeping open during your first deployment.</p> <p>The last thing that catches people off guard is the ALB not provisioning after you apply <code>ingress.yaml</code>. This almost always comes down to two things: the AWS Load Balancer Controller isn't running, or the subnet tags from Phase 1 are missing. </p> <p>Run <code>kubectl get pods -n kube-system</code> to confirm the controller pod is healthy, then check that your public subnets carry the <code>kubernetes.io/role/elb: "1"</code> tag and your private subnets carry <code>kubernetes.io/role/internal-elb: "1"</code>. Without those tags the controller has no idea where to place the load balancer, and it will silently do nothing.</p> microservices cicd cloudformation kubernetes