Expose Services in EKS via AWS API Gateway

  1. The on-premise services run in a self-managed Kubernetes cluster.
  2. The services to be moved to AWS need to be scalable, as the product has done very well in the market.
  3. There is a new requirement to impose a rate limit on the APIs being served.
  4. Services already running on AWS use AWS API Gateway, which has AWS Web Application Firewall (WAF) integrated with it to improve the security posture of those services.
  5. Some of the team members already have expertise with AWS API Gateway.
  6. There is a mandate to reduce the operational cost of the Kubernetes cluster.
  7. The migration from on-premise to AWS should be completed in less than 3 months, to avoid signing the data centre lease contract for one more year.
  8. For compliance reasons, the team wants to retain control over the operating system on which the services run.
  9. It is acceptable to move SSL termination of external traffic from the individual services to API Gateway.
API Gateway Integration with Private EKS Services
  1. Leverage the AWS-managed Elastic Kubernetes Service (EKS) with self-managed nodes. The managed control plane reduces operational cost, while self-managed nodes keep control of the node operating system with the team.
  2. EKS configured with a horizontal node scaler handles scaling of the system.
  3. For resiliency, the AWS Virtual Private Cloud (VPC) spans two Availability Zones with two subnets per Availability Zone: a private Application Subnet hosting the EKS nodes and a private Data Subnet hosting the database. A public subnet is deliberately left out here to avoid complexity.
  4. From a security perspective, the EKS compute nodes and the database all sit in private subnets and are reachable only via API Gateway. This gives you more control to filter unwanted traffic right at the entry point.
  5. Use the Nginx Ingress Controller to expose services running inside EKS. With this, a Network Load Balancer (NLB) is provisioned in the Application private subnet; it routes traffic to the Nginx Ingress Controller, which in turn routes traffic to the services running inside EKS.
  6. External traffic is routed via API Gateway, which sends it to the services hosted inside EKS via a VPC Link (AWS PrivateLink) -> NLB.
  7. Rate limiting is handled by API Gateway.
  8. SSL termination is removed from the services and moved to API Gateway.
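The EKS side of points 4, 5 and 8 as an added example (not from the original post): the Service that fronts the ingress-nginx controller pods, annotated for the AWS Load Balancer Controller (assumed to be installed), so that the NLB is created internal-only in the two Application subnets, plus a hypothetical Ingress for one service. Subnet IDs, the `orders-api` service and its namespace are placeholders.

```yaml
# Service in front of the ingress-nginx controller. With these annotations the AWS Load
# Balancer Controller provisions an *internal* NLB in the Application subnets: it has no
# public address, so the only way in from outside the VPC is the API Gateway VPC Link.
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: "external"
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
    service.beta.kubernetes.io/aws-load-balancer-scheme: "internal"
    # Placeholder IDs for the two private Application subnets, one per Availability Zone
    service.beta.kubernetes.io/aws-load-balancer-subnets: "subnet-app-az-a, subnet-app-az-b"
spec:
  type: LoadBalancer
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/component: controller
  ports:
    # Plain HTTP only: TLS terminates at API Gateway (point 8), so no 443 listener here.
    # targetPort "http" assumes the controller container port is named http (ingress-nginx default).
    - name: http
      port: 80
      targetPort: http
      protocol: TCP
---
# Hypothetical Ingress: routes the /orders prefix to a service inside the cluster.
# API Gateway forwards the full request path, so this prefix must match the API path.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: orders-api
  namespace: orders
spec:
  ingressClassName: nginx
  rules:
    - http:
        paths:
          - path: /orders
            pathType: Prefix
            backend:
              service:
                name: orders-api
                port:
                  number: 8080
```

Because TLS ends at the gateway, the hop from API Gateway to the NLB is plain HTTP inside the VPC; if encryption in transit is required on that hop too, keep a TLS listener on the NLB and point the API Gateway integration at an https:// URI instead.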

Naresh Waswani