AWS, NAT & EKS

This blog post explains how to configure NAT on AWS for an EKS cluster.
Why?
If an application is deployed using Kubernetes, most of the time there will be more than one pod serving the requests. If auto-scaling is enabled, Kubernetes creates and kills nodes and pods according to the load. This means the source IP address of outbound requests can change at any time. If your application needs to connect to a database that sits behind a firewall/VPC, you need to whitelist the IP address of the application. But in our example, the IP changes over time.
ToolJet cloud runs on Kubernetes deployed on AWS EKS. ToolJet needs to connect to the databases of customers which are usually protected by firewalls.
What is NAT?
A Network Address Translation (NAT) gateway is usually used when the instances in a private cloud want to connect to the internet but do not want the internet to initiate incoming connections.
In short, all the outbound connections from an instance can be configured to go through NAT and the IP address that the destination server sees will be the IP address of the NAT gateway which is static.
Configuring NAT for EKS clusters
- Create an Elastic IP if you haven't created one already. This IP will be the IP address of the NAT gateway. Elastic IPs can be created from the EC2 console: https://console.aws.amazon.com/ec2
- Creating a NAT:
  - Open AWS VPC console: https://console.aws.amazon.com/vpc/
  - Navigate to 'NAT Gateways' and click on 'Create NAT gateway'.
  - Select the Elastic IP created in the last step and create a NAT gateway.
- Open AWS VPC console and select 'Route Tables'.
- Select the subnet associated with your EKS cluster and click on 'Routes'. NOTE: It is recommended to create a new private subnet for the EKS cluster. Incoming traffic to the cluster can be routed through a load balancer.
- Add a route with destination 0.0.0.0/0 and target should be the NAT gateway you selected in the last step.
- Now if you run curl ifconfig.me (or any other service that returns IP address of the source using curl), the IP address returned will be the IP address of the NAT gateway (the Elastic IP that we created in the first step).
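To confirm the routing before handing the Elastic IP to customers, the check below (an added example, not part of the original post or ToolJet's code) reads data shaped like the output of aws ec2 describe-route-tables and aws ec2 describe-nat-gateways and reports whether a subnet's 0.0.0.0/0 route goes through an available NAT gateway. The subnet, route table and gateway IDs and the 203.0.113.10 address are constructed placeholders, and a single VPC is assumed.

```python
import json

# Constructed sample data shaped like `aws ec2 describe-route-tables` and
# `aws ec2 describe-nat-gateways` output; all IDs and IPs are placeholders.
ROUTE_TABLES = json.loads("""{"RouteTables": [
 {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-eks-a", "Main": false}],
  "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
             {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example", "State": "active"}]},
 {"RouteTableId": "rtb-main", "Associations": [{"Main": true}],
  "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
             {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example", "State": "active"}]}
]}""")
NAT_GATEWAYS = json.loads("""{"NatGateways": [
 {"NatGatewayId": "nat-example", "State": "available",
  "NatGatewayAddresses": [{"PublicIp": "203.0.113.10", "AllocationId": "eipalloc-example"}]}
]}""")

def route_table_for(subnet_id, tables):
    """Explicit association wins; otherwise the VPC's main route table applies."""
    main = None
    for rt in tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def egress_check(subnet_id, tables=ROUTE_TABLES, nats=NAT_GATEWAYS):
    """Return (verdict, public_ip) for the subnet's 0.0.0.0/0 route."""
    rt = route_table_for(subnet_id, tables["RouteTables"])
    routes = rt.get("Routes", []) if rt else []
    default = next((r for r in routes if r.get("DestinationCidrBlock") == "0.0.0.0/0"), None)
    if default is None:
        return ("no-default-route", None)
    if default.get("State") != "active":
        return ("blackhole", None)  # e.g. the NAT gateway was deleted
    nat_id = default.get("NatGatewayId")
    if not nat_id:
        return ("not-via-nat", None)  # e.g. an igw- target: source IP is per node
    for nat in nats["NatGateways"]:
        if nat["NatGatewayId"] == nat_id and nat.get("State") == "available":
            return ("nat", nat["NatGatewayAddresses"][0]["PublicIp"])
    return ("nat-unavailable", None)

if __name__ == "__main__":
    for subnet in ("subnet-eks-a", "subnet-eks-b"):
        print(subnet, egress_check(subnet))
```

A subnet with no explicit association falls back to the main route table, which is how a node group can end up egressing through an internet gateway with a changing source IP even though a NAT gateway exists.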
NAT helped us give our customers a set of IP addresses that never change, so that they can whitelist ToolJet Cloud (the hosted solution for the ToolJet platform).