
I’ve set up a service and some pods in an AWS Elastic Kubernetes Service (EKS) cluster which access a RabbitMQ message service and a PostgreSQL database hosted externally to the cluster. At the moment, I’ve opened up access from all IPs (0.0.0.0/0) to these services via AWS security groups, as Kubernetes assigns an IP to each node when it is created.

Ideally, I’d like to route traffic from Kubernetes to these services via one consistent "external Kubernetes IP" so I can add it to each external service’s security group. From Googling around I haven’t found a way to do this; is it possible?

For RabbitMQ I have the current Service and Endpoint set up, but I believe this is only for routing traffic through the Kubernetes cluster and not related to the external facing side of my cluster?

apiVersion: v1
kind: Service
metadata:
  name: rabbitmq-service
spec:
  # No selector: the endpoints are supplied manually below (see the Endpoints
  # object) rather than derived from pods in the cluster. With a selector set,
  # the endpoints controller would manage and overwrite the manual Endpoints.
  ports:
    - port: 15672
      targetPort: 15672
      name: management-port
    - port: 5672
      targetPort: 5672
      name: data-port
  # ClusterIP keeps this reachable only from inside the cluster; type LoadBalancer
  # would provision a public AWS load balancer that proxies the external broker.
  type: ClusterIP
---
apiVersion: v1
kind: Endpoints
metadata:
  # Must match the Service name exactly for the two objects to be linked.
  name: rabbitmq-service
subsets:
- addresses:
  - ip: 'rabbitmq.server.public.ip'   # must be an IP address literal, not a hostname
  ports:
  - port: 15672
    name: 'management-port'
  - port: 5672
    name: 'data-port'

2 Answers


  1. Do you mean the IP for the outgoing traffic?

    If you’re trying to create a LoadBalancer Service with a static external IP, you can use the loadBalancerIP field to use a reserved IP, such as an AWS Elastic IP.

    https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer

  2. Yes it is possible, but it is not simple.

    What you would have to do is route your outbound traffic from the cluster through either a VPC Gateway, NAT Gateway, or some other EC2 instance whose purpose will be to act as a NAT. That instance can then be given a static IP which you can then whitelist at the destination (so no need to use 0.0.0.0/0).

    We use a similar setup in GKE to allow us to spin up a GKE Cluster, run a workload in that, but have a known fixed IP the remote server will recognise and allow to connect.

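The NAT gateway approach described in this answer, written out as an added Terraform example that is not part of the original thread. It assumes the AWS provider v5 or later, an existing VPC with a public subnet (one that has an Internet Gateway route) for the NAT gateway, and that the EKS node group runs in private subnets whose route table is the one referenced below; all IDs are placeholders. Nodes placed in public subnets with their own public IPs would bypass the NAT gateway and keep their per-node addresses, so the node subnets must be private for the fixed source IP to apply.

```hcl
# Added example: give all EKS egress one fixed Elastic IP via a NAT gateway,
# then allow only that /32 at the external RabbitMQ and PostgreSQL hosts.
# Placeholder IDs: replace with the real subnet, route table and security group IDs.
variable "public_subnet_id"       { default = "subnet-PUBLIC-PLACEHOLDER" }
variable "private_route_table_id" { default = "rtb-PRIVATE-NODES-PLACEHOLDER" }
variable "rabbitmq_sg_id"         { default = "sg-RABBITMQ-PLACEHOLDER" }
variable "postgres_sg_id"         { default = "sg-POSTGRES-PLACEHOLDER" }

# One static public address that every connection leaving the cluster will carry.
resource "aws_eip" "eks_egress" {
  domain = "vpc"
}

# The NAT gateway must sit in a public subnet so it can reach the Internet Gateway.
resource "aws_nat_gateway" "eks_egress" {
  allocation_id = aws_eip.eks_egress.id
  subnet_id     = var.public_subnet_id
}

# Default route for the private node subnets: everything not local goes via the NAT gateway.
resource "aws_route" "private_default" {
  route_table_id         = var.private_route_table_id
  destination_cidr_block = "0.0.0.0/0"
  nat_gateway_id         = aws_nat_gateway.eks_egress.id
}

# Replace the 0.0.0.0/0 ingress rules on the external hosts with the NAT gateway's /32.
resource "aws_security_group_rule" "rabbitmq_from_eks" {
  type              = "ingress"
  security_group_id = var.rabbitmq_sg_id
  protocol          = "tcp"
  from_port         = 5672
  to_port           = 5672
  cidr_blocks       = ["${aws_eip.eks_egress.public_ip}/32"]
  description       = "AMQP from EKS NAT gateway only"
}

resource "aws_security_group_rule" "postgres_from_eks" {
  type              = "ingress"
  security_group_id = var.postgres_sg_id
  protocol          = "tcp"
  from_port         = 5432
  to_port           = 5432
  cidr_blocks       = ["${aws_eip.eks_egress.public_ip}/32"]
  description       = "PostgreSQL from EKS NAT gateway only"
}

# Exposed so the operator can confirm which address the remote side should see.
output "eks_egress_ip" {
  value = aws_eip.eks_egress.public_ip
}
```

After `terraform apply`, confirm the change from inside the cluster before tightening the remote security groups: run a throwaway pod (for example `kubectl run egress-check --rm -it --image=curlimages/curl -- curl -s https://checkip.amazonaws.com`) and check that the address printed equals the `eks_egress_ip` output. The same rule pattern applies to any further port the pods need, such as the RabbitMQ management port 15672, but each port should be opened only if the workload actually uses it.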