{"id":48979,"date":"2025-04-04T01:36:51","date_gmt":"2025-04-04T01:36:51","guid":{"rendered":"https:\/\/www.devopsschool.com\/blog\/?p=48979"},"modified":"2025-04-04T01:36:51","modified_gmt":"2025-04-04T01:36:51","slug":"eks-tutorials-types-of-security-groups-created-or-used-in-an-eks-cluster","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/blog\/eks-tutorials-types-of-security-groups-created-or-used-in-an-eks-cluster\/","title":{"rendered":"EKS Tutorials: Types of Security Groups Created or Used in an EKS Cluster"},"content":{"rendered":"\n

When you set up an Amazon EKS (Elastic Kubernetes Service) cluster<\/strong>, AWS automatically creates and\/or requires several security groups<\/strong> to manage access to the control plane, worker nodes, and other associated components<\/strong>.<\/p>\n\n\n\n

Here\u2019s a complete breakdown<\/strong> of the types of Security Groups<\/strong> involved during an EKS cluster setup:<\/p>\n\n\n\n

\n\n\n\n

\ud83d\udd10 Types of Security Groups Created or Used in an EKS Cluster<\/h2>\n\n\n\n

1. EKS Control Plane Security Group<\/strong> (Optional\/Custom)<\/h3>\n\n\n\n
\ud83d\udd39 Name<\/th>Custom<\/th><\/tr><\/thead>
EKS Control Plane Security Group<\/td>\u2705 (You define it in the cluster config)<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
    \n
  • Purpose:<\/strong> Controls communication from the control plane to worker nodes (EC2\/EKS-managed)<\/strong>.<\/li>\n\n\n\n
  • Traffic direction:<\/strong> Egress traffic from control plane \u2192 worker nodes (TCP 443 by default).<\/li>\n\n\n\n
  • When it’s defined:<\/strong> You specify this group when creating a cluster using the vpcConfig.securityGroupIds<\/code>.<\/li>\n<\/ul>\n\n\n\n
    \n

    \u2705 This group is not created automatically<\/strong> \u2013 it\u2019s the one you pass in during setup<\/strong>.<\/p>\n<\/blockquote>\n\n\n\n

    \n\n\n\n

    2. EKS Managed Node Group Security Group<\/strong> (Auto-created by EKS)<\/h3>\n\n\n\n
    \ud83d\udd39 Name<\/th>Auto-created<\/th><\/tr><\/thead>
    Node Security Group (Worker Nodes)<\/td>\u2705 Yes<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
      \n
    • Created when:<\/strong> You launch a managed node group<\/strong>.<\/li>\n\n\n\n
    • Purpose:<\/strong> Controls traffic between nodes<\/strong> and from the nodes to the control plane<\/strong>.<\/li>\n\n\n\n
    • Includes ingress rules<\/strong> for:\n
        \n
      • Node-to-node communication<\/li>\n\n\n\n
      • Control plane-to-node communication<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
        \n

        \u26a0\ufe0f This security group is automatically associated<\/strong> with your EC2 worker nodes.<\/p>\n<\/blockquote>\n\n\n\n

        \n\n\n\n

        3. Cluster Shared Node Security Group<\/strong> (Created Automatically)<\/h3>\n\n\n\n
        \ud83d\udd39 Name<\/th>Auto-created<\/th><\/tr><\/thead>
        Cluster Shared Node Security Group<\/td>\u2705 Yes<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
          \n
        • Purpose:<\/strong> Used for:\n
            \n
          • Worker node communication (pods across nodes)<\/li>\n\n\n\n
          • Internal services<\/li>\n<\/ul>\n<\/li>\n\n\n\n
          • Managed by EKS:<\/strong> You cannot delete this manually.<\/li>\n\n\n\n
          • Shared across multiple node groups in the cluster.<\/li>\n<\/ul>\n\n\n\n
            \n

            This SG ensures pods and services across nodes<\/strong> in the cluster can communicate securely.<\/p>\n<\/blockquote>\n\n\n\n

            \n\n\n\n

            4. Fargate Pod Execution Role SG<\/strong> (if using Fargate)<\/h3>\n\n\n\n
            \ud83d\udd39 Name<\/th>User-defined<\/th><\/tr><\/thead>
            Fargate Pod ENI Security Group<\/td>\u2705 Yes (you must specify)<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
              \n
            • If you’re using Fargate profiles<\/strong>, you need to define a security group<\/strong> that controls the network interfaces<\/strong> attached to the Fargate pods.<\/li>\n\n\n\n
            • This group handles pod-level network access when no EC2 nodes are used.<\/li>\n<\/ul>\n\n\n\n
              \n\n\n\n

              5. Load Balancer Security Group<\/strong> (Optional)<\/h3>\n\n\n\n
              \ud83d\udd39 Name<\/th>Custom or auto<\/th><\/tr><\/thead>
              Load Balancer SG<\/td>\u2705 Yes (by user or created by controller)<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
                \n
              • For services of type LoadBalancer<\/code>, AWS creates an ELB (Classic\/NLB\/ALB).<\/li>\n\n\n\n
              • This SG controls traffic from the internet or other services to the service endpoints<\/strong>.<\/li>\n<\/ul>\n\n\n\n
                \n\n\n\n

                Summary Table<\/h3>\n\n\n\n
                Security Group Type<\/th>Created By<\/th>Purpose<\/th><\/tr><\/thead>
                Control Plane SG<\/td>User-defined<\/td>Allow traffic from control plane to worker nodes<\/td><\/tr>
                Worker Node SG<\/td>Auto-created<\/td>Allow intra-node and control plane communication<\/td><\/tr>
                Cluster Shared Node SG<\/td>Auto-created<\/td>Common communication for all nodes<\/td><\/tr>
                Fargate Pod SG<\/td>User-defined<\/td>Manage traffic for Fargate pod ENIs<\/td><\/tr>
                Load Balancer SG<\/td>Controller\/User<\/td>Allow external traffic to Kubernetes services<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
                \n\n\n\n

                \ud83e\udde0 Best Practices<\/h2>\n\n\n\n
                  \n
                • Always restrict Control Plane SG<\/strong> to only allow required ports (like 443)<\/strong>.<\/li>\n\n\n\n
                • Tag all SGs with kubernetes.io\/cluster\/<cluster-name> = owned<\/code> for EKS to manage them.<\/li>\n\n\n\n
                • Use Network Policies<\/strong> inside the cluster for fine-grained pod-to-pod security.<\/li>\n\n\n\n
                • Monitor SGs with AWS Config to ensure compliance.<\/li>\n<\/ul>\n\n\n\n
                  \n\n\n\n

                  <\/p>\n","protected":false},"excerpt":{"rendered":"

                  When you set up an Amazon EKS (Elastic Kubernetes Service) cluster, AWS automatically creates and\/or requires several security groups to manage access to the control plane, worker nodes, and other… <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"_joinchat":[],"footnotes":""},"categories":[2],"tags":[],"class_list":["post-48979","post","type-post","status-publish","format-standard","hentry","category-uncategorised"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/48979","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/comments?post=48979"}],"version-history":[{"count":1,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/48979\/revisions"}],"predecessor-version":[{"id":48980,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/48979\/revisions\/48980"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/media?parent=48979"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/categories?post=48979"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/tags?post=48979"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}