Back to Writing
Published on 2025-09-18

A Concise Guide to the AWS EKS Ecosystem

This document provides a clear, bullet-point-based overview of the fundamental concepts and best practices for deploying applications on AWS Elastic Kubernetes Service (EKS).

1. AWS Ecosystem Fundamentals

  • IAM (Identity and Access Management): This is the core of AWS security. It governs authentication ("who you are") and authorization ("what you can do"). Every action you perform, from managing an EKS cluster to reading an S3 bucket, is chnecked against IAM policies.
  • VPC (Virtual Private Cloud): This is your own isolated, virtual network in the AWS cloud. It allows you to create private networks for your resources and control all inbound and outbound traffic using security groups and network access control lists (ACLs).
  • EKS and RDS: Both of these are fully managed AWS services. AWS handles the operational burden of running the services for you, ensuring high availability, security patches, and scaling.

2. Kubernetes and EKS: The Two-Plane Model

  • Kubernetes: An open-source container orchestration tool. It helps you automate the deployment, scaling, and management of containerized applications.
  • EKS: AWS's managed Kubernetes service. It is designed around a two-plane model:
    • Control Plane (Managed by AWS): This is the "brain" of the cluster. It includes the API server, scheduler, and the etcd database. AWS fully manages this plane, ensuring it is highly available and secure. You never directly access these servers.
    • Data Plane (Managed by You): This is the "muscle" of the cluster. It consists of the EC2 instances (called "worker nodes") where your application pods actually run. You are responsible for configuring, scaling, and managing these nodes.

3. Security and Network Best Practices

  • Why Hide Behind a VPC? For security. By deploying your EKS cluster's API endpoint and your RDS database in a private subnet within a VPC, you prevent any public access. This drastically reduces the attack surface and ensures that only authorized traffic can reach your critical resources.
  • Accessing Private Resources: To connect to your private EKS cluster from your local machine, you must establish a secure tunnel. This is typically done through a Bastion Host (a hardened jump server) or a VPN connection, not a NAT Gateway. A NAT Gateway is used to allow private resources to make outbound connections to the internet.
  • The "One Cluster per VPC" Philosophy: This is a common and recommended practice for governance and security.
    • Network Isolation: It provides the strongest form of network isolation, ensuring that a security event or misconfiguration in one environment cannot affect another.
    • Simplicity: It simplifies IP address management and network policy enforcement.
    • Cost Management: It makes it easier to track and allocate costs to specific teams or projects.

4. Cluster Architecture and Application Deployment

  • Nodes and Pods: A cluster is a logical unit that contains multiple nodes (the EC2 instances). Each node hosts one or more pods, which are the smallest deployable units containing your application containers.
  • Application Deployment: Your application code, packaged as a container image, is deployed into these pods. The Kubernetes scheduler decides which nodes a pod should be deployed on based on resource requirements and other constraints.

5. Separating Environments for Stability

  • Separate Clusters for Each Environment: It is strongly recommended to have a separate cluster for each major environment (e.g., Development, Staging, and Production).
  • Why Separate?
    • Security: Prevents a security vulnerability in a test environment from spreading to a production environment.
    • Stability: An unstable, experimental workload in a development cluster cannot impact the stability or performance of your mission-critical production applications.
    • Resource Isolation: Resources in one cluster cannot be accidentally consumed by workloads in another, preventing resource starvation and ensuring consistent performance.
  • Using Namespaces: Within a single cluster, namespaces are a great way to logically group resources and separate applications or teams. However, they should not be used as a substitute for separating different environments.