{"id":50522,"date":"2025-07-22T02:15:45","date_gmt":"2025-07-22T02:15:45","guid":{"rendered":"https:\/\/www.devopsschool.com\/blog\/?p=50522"},"modified":"2025-07-22T02:23:38","modified_gmt":"2025-07-22T02:23:38","slug":"aws-eks-how-to-make-eks-api-server-private","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/blog\/aws-eks-how-to-make-eks-api-server-private\/","title":{"rendered":"AWS – EKS – How to make EKS API Server Private"},"content":{"rendered":"\n

Deploying to a Private EKS Cluster Using Terraform Cloud (TFC)<\/h2>\n\n\n\n

By default, Terraform Cloud (TFC) workspaces require network-level access to the EKS API endpoint to deploy workloads or manage clusters. When the EKS API endpoint is private<\/strong>, it becomes unreachable from the public internet, including TFC. Here are your options for deploying applications to a private EKS cluster from TFC:<\/p>\n\n\n\n

1. Use a Network Bridge: AWS VPC Endpoint + PrivateLink<\/strong><\/h2>\n\n\n\n
    \n
  • PrivateLink<\/strong> lets you expose the EKS API as a private service inside your AWS VPC. TFC cannot use this directly, but you can provision a bastion (jumpbox) EC2 instance<\/strong> or a client node<\/strong> inside the VPC with access to the private endpoint.<\/li>\n\n\n\n
  • Use an AWS Session Manager (SSM) tunnel<\/strong> or a self-hosted runner\/agent (see #2 below) running on this bastion to perform EKS operations. TFC connects to the runner, and the runner has private-path-only access to EKS.<\/li>\n<\/ul>\n\n\n\n

    2. Deploy a Self-Hosted (Agent) Runner in Your AWS VPC<\/strong><\/h2>\n\n\n\n
      \n
    • Terraform Cloud supports self-hosted agents<\/strong> that can run inside your AWS environment.<\/li>\n\n\n\n
    • Spin up a small EC2 instance (or Fargate task) in a private subnet with permissions scoped for your deployment.<\/li>\n\n\n\n
    • Register this instance as a TFC agent, then run TFC jobs through it. These jobs have network access to your private EKS cluster.<\/li>\n\n\n\n
    • This is the most seamless and secure method as no public access or proxies are exposed.<\/li>\n<\/ul>\n\n\n\n

      3. Temporary Public Access Only During Deployment<\/strong><\/h2>\n\n\n\n
        \n
      • Make the EKS API endpoint public only for the duration of Terraform apply, then revert to private.<\/li>\n\n\n\n
      • This is logistically complex, somewhat insecure, and not recommended for automation but can be used as a short-term workaround.<\/li>\n<\/ul>\n\n\n\n

        4. VPN or Direct Peering<\/strong><\/h2>\n\n\n\n
          \n
        • Connect your organization’s internal network and the AWS VPC via VPN<\/strong> or VPC Peering<\/strong> so TFC jobs can route to the private API endpoint from a trusted on-premises location (rare, but technically possible).<\/li>\n<\/ul>\n\n\n\n

          5. Use a Bastion + SSM Bridge<\/strong><\/h2>\n\n\n\n
            \n
          • Set up a bastion host (jumphost) with SSM enabled inside the VPC.<\/li>\n\n\n\n
          • Use [AWS SSM Session Manager] to tunnel traffic from your corporate\/TFC runner to the EKS endpoint.<\/li>\n\n\n\n
          • This pattern is documented by AWS as a secure approach for accessing private EKS clusters for CI\/CD and automation tasks.<\/li>\n<\/ul>\n\n\n\n

            Summary Table<\/h2>\n\n\n\n
            Option<\/th>Additional Infra Needed<\/th>Security Level<\/th>Maint. Overhead<\/th>Typical Use Case<\/th><\/tr><\/thead>
            TFC Agent (self-hosted runner)<\/td>EC2 in VPC<\/td>High<\/td>Moderate<\/td>Enterprise, robust CI\/CD<\/td><\/tr>
            PrivateLink & Bastion (jump host)<\/td>EC2, PrivateLink<\/td>High<\/td>High<\/td>Strictly isolated clusters<\/td><\/tr>
            Public endpoint (on\/off as needed)<\/td>None<\/td>Low<\/td>Low<\/td>Short-term workaround<\/td><\/tr>
            VPN\/Peering<\/td>VPN Gateway\/Peering<\/td>Varies<\/td>High<\/td>On-premises CI\/CD bridge<\/td><\/tr>
            Bastion+SSM tunnel<\/td>EC2 + AWS SSM<\/td>High<\/td>Moderate<\/td>Secure admin\/CI access<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

            Recommended Solution<\/h2>\n\n\n\n

            Deploy a Self-Hosted TFC Agent (Runner) in your AWS VPC<\/strong>:<\/p>\n\n\n\n

              \n
            • This aligns with best practices, giving you private network access to EKS and all AWS resources.<\/li>\n\n\n\n
            • Keeps your EKS endpoint private and your CI\/CD pipeline secure.<\/li>\n\n\n\n
            • See [HashiCorp\u2019s documentation] for steps to register self-hosted agents.<\/li>\n<\/ul>\n\n\n\n

              Alternatively, for advanced isolation, use AWS PrivateLink with a jump\/bastion<\/strong> or an SSM bridge<\/strong> as described by AWS.<\/p>\n\n\n\n

              <\/p>\n\n\n\n

              <\/p>\n\n\n\n

              <\/p>\n\n\n\n

              Comparing AWS PrivateLink (VPC Endpoint) vs. Self-Hosted Agent Runner for Private EKS Deployment<\/h1>\n\n\n\n

              When deciding between using AWS PrivateLink (VPC Endpoint)<\/strong> and deploying a self-hosted agent runner in your AWS VPC<\/strong> for private EKS deployment (e.g., with Terraform Cloud), each approach differs in setup complexity, ongoing management, and cost. Here\u2019s a practical, side-by-side breakdown:<\/p>\n\n\n\n

              1. AWS PrivateLink (VPC Endpoint) + Network Bridge<\/h2>\n\n\n\n

              Description<\/h2>\n\n\n\n
                \n
              • Exposes your EKS API or application endpoints privately within your VPC, accessible only to resources that reside within the same (or peered) VPCs.<\/li>\n\n\n\n
              • Requires a bridging mechanism: typically a bastion host, jumpbox, or session manager must be set up inside the VPC to bridge external systems (like TFC) to the private EKS API.<\/li>\n<\/ul>\n\n\n\n

                Pros<\/h2>\n\n\n\n
                  \n
                • Secure:<\/strong> Keeps traffic fully within AWS, never exposed to the public internet.<\/li>\n\n\n\n
                • Reduced data transfer cost:<\/strong> Eliminates the need for more expensive NAT Gateways in some setups, offering significant network cost savings per GB transferred.<\/li>\n\n\n\n
                • Simplifies network topology:<\/strong> Direct VPC-to-VPC or VPC-to-service communication; easy to scale by adding more endpoints for different services.<\/li>\n<\/ul>\n\n\n\n

                  Cons<\/h2>\n\n\n\n
                    \n
                  • Setup Complexity:<\/strong> You must configure PrivateLink endpoints and configure bastion hosts or equivalent network bridges, then securely manage bastion access.<\/li>\n\n\n\n
                  • Maintenance Overhead:<\/strong> Bastions require hardening, patching, and ongoing management.<\/li>\n\n\n\n
                  • Not a direct solution for TFC cloud:<\/strong> TFC (unless running an agent inside your VPC) cannot reach PrivateLink endpoints from the public internet. You’ll either need a bastion or to move to a self-hosted agent pattern anyway.<\/li>\n<\/ul>\n\n\n\n

                    Cost Summary (Per Month Example)<\/h2>\n\n\n\n
                    Item<\/th>Rate<\/th>Example (5,000hr + 10TB)<\/th><\/tr><\/thead>
                    Endpoint Hourly<\/td>$0.01\/hr<\/td>$50<\/td><\/tr>
                    Data Processing<\/td>$0.01\/GB<\/td>$100<\/td><\/tr>
                    Data Transfer (AWS)<\/td>Often free\/intra-region<\/td>$0<\/td><\/tr>
                    Total<\/strong><\/td><\/td>$150<\/strong><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
                    \n

                    In similar NAT Gateway scenarios, total network cost could be over $1,500\/month versus $150\/month with PrivateLink, showing 90%+ savings when substituting NAT Gateway for PrivateLink.<\/p>\n<\/blockquote>\n\n\n\n

                    2. Self-Hosted (Agent) Runner in Your VPC<\/h2>\n\n\n\n

                    Description<\/h2>\n\n\n\n
                      \n
                    • You deploy a self-hosted agent (an EC2 instance or Fargate task) within your VPC.<\/li>\n\n\n\n
                    • This agent executes all Terraform Cloud jobs: it can reach your private EKS API endpoint directly (no bastion, no extra bridge).<\/li>\n<\/ul>\n\n\n\n

                      Pros<\/h2>\n\n\n\n
                        \n
                      • Easy integration with private resources:<\/strong> Agent, being inside the VPC, talks directly to private EKS, RDS, etc..<\/li>\n\n\n\n
                      • Simpler architecture:<\/strong> No need for extra jumpboxes or manual session tunneling.<\/li>\n\n\n\n
                      • Secure:<\/strong> Keeps your infrastructure and API access within your secured VPC.<\/li>\n\n\n\n
                      • Recommended by Terraform Cloud for private infra:<\/strong> Official guidance from HashiCorp is to use self-hosted agents for deploying to private networks.<\/li>\n<\/ul>\n\n\n\n

                        Cons<\/h2>\n\n\n\n
                          \n
                        • EC2 instance cost:<\/strong> Running a dedicated agent incurs compute and (minor) storage cost.<\/li>\n\n\n\n
                        • Agent maintenance:<\/strong> Occasional need for patching, scaling, and log management, but infrastructure is much simpler than managing bastions with PrivateLink.<\/li>\n\n\n\n
                        • Still inside your AWS bill:<\/strong> Cost is very controllable\u2014typically a single t3.medium\/t3.large EC2 covers most needs.<\/li>\n<\/ul>\n\n\n\n

                          Cost Summary (Typical, per agent)<\/h2>\n\n\n\n
                          Item<\/th>Ballpark Rate\/Month<\/th>Example<\/th><\/tr><\/thead>
                          EC2 (t3.medium)<\/td>$32<\/td>$32<\/td><\/tr>
                          EBS Storage<\/td>$1-2<\/td>$1-2<\/td><\/tr>
                          Data Transfer<\/td>VPC-internal\/free<\/td>$0<\/td><\/tr>
                          Total<\/strong><\/td><\/td>$33-34<\/strong><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

                          Head-to-Head: Setup, Management, and Cost<\/h2>\n\n\n\n
                          Factor<\/th>PrivateLink + Bridge<\/th>Self-Hosted Agent Runner<\/th><\/tr><\/thead>
                          Ease of Setup<\/strong><\/td>Moderate to complex<\/td>Easier: just launch agent<\/td><\/tr>
                          Ongoing Management<\/strong><\/td>Must maintain bastion(s), IAM, patching<\/td>Just agent maintenance<\/td><\/tr>
                          Cost<\/strong><\/td>$150\/mo (with data)<\/td>~$33\/mo (agent typical)<\/td><\/tr>
                          Recommended by TFC?<\/strong><\/td>Not direct, requires extra bridging<\/td>Yes: official preferred<\/strong><\/td><\/tr>
                          Direct Integration with TFC<\/strong><\/td>No<\/td>Yes<\/strong><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

                          Recommendation<\/strong><\/h2>\n\n\n\n

                          For most teams deploying to private EKS with Terraform Cloud:<\/strong><\/p>\n\n\n\n

                            \n
                          • Deploying a Self-Hosted Agent Runner in your AWS VPC<\/strong> is the most recommended, easiest-to-manage, and most cost-effective solution.\n
                              \n
                            • No need for NAT Gateway or complex network bridges.<\/li>\n\n\n\n
                            • Lower running cost for typical CI\/CD workloads.<\/li>\n\n\n\n
                            • Direct compatibility with Terraform Cloud\u2019s automation tools.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n

                              Only use PrivateLink + Network Bridge if:<\/strong><\/p>\n\n\n\n

                                \n
                              • You need to share your application across VPCs\/account boundaries (e.g., SaaS with private endpoints), or you have other integration requirements that specifically need L4\/L7 networking via PrivateLink.<\/li>\n<\/ul>\n\n\n\n

                                Bottom line:<\/strong>
                                For seamless TFC-to-EKS automation that is easy to set up, maintain, and cost-optimal, choose a self-hosted agent runner in your AWS VPC.<\/p>\n\n\n\n