Hi there! I'm currently working on organizing our AWS Elastic Kubernetes Service (EKS) setup. We already have two EKS clusters: one for development and another for production. My Director has now asked me to create two additional clusters for staging (QA) and corporate use (internal). I've got the Terraform code ready to go, but I'm trying to nail down the best networking practices. We're planning to create a separate VPC CIDR for each environment like staging and corporate, similar to what we did for dev and production. In my previous job, we actually shared a VPC CIDR between QA and PROD for testing, where we routed a small percentage of traffic to the QA environment using the production infrastructure. I'd love to get your thoughts on whether this is a recommended practice and how to best structure our network setup moving forward!
5 Answers
There's really no strong reason to mix environments in a single VPC. I'd suggest having a dedicated VPC for each cluster. This minimizes the risk of running out of IPs as you scale. If you're hosting databases outside of the cluster, put them in their own VPC and connect them to the Kubernetes VPC. For your testing approach, consider using blue/green or canary deployments—it gives you better control.
While not exactly what you’re asking, I would recommend separating AWS accounts for production and non-production environments. Having distinct VPCs for staging and UAT compared to lower environments is a good compromise if separate accounts aren’t an option. It makes budgeting and resource management easier as you grow.
The ideal setup also depends on how many environments you plan to create and the workload on your pods. This will guide your choice of network plugins and how your networking is structured. Always plan ahead!
Having a dedicated VPC CIDR for each environment is definitely a good approach, especially to keep production separate from non-production. You should avoid any traffic going from production to non-production environments too, just to keep everything secure and isolated.
In AWS, subnets don’t dictate reachability; they just designate CIDRs for instance IP allocation. Everything in a single VPC is reachable from anywhere else in that VPC. Therefore, to ensure proper isolation between your clusters, set up separate VPCs. You don’t want dev environments communicating with production—it could lead to major issues!
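As an added illustration of the points made in the answers above (one non-overlapping VPC CIDR per environment, enough subnet space for EKS pod IPs, and no network path between production and non-production), here is a small offline planner written for this page using Python's `ipaddress` module. It is example code, not from the original thread or any project; the environment names, CIDRs, availability-zone names and the peering list are assumptions chosen for the example.

```python
"""Added example: plan one VPC CIDR per EKS environment and check isolation.

Not from the original thread. Environment names, CIDRs, AZ names and the
peering list below are assumptions made for the example.
"""
import ipaddress
from itertools import combinations
from typing import Dict, Iterable, List, Set, Tuple

# Assumed plan: one non-overlapping /16 per environment, all inside 10.0.0.0/8
# so that VPCs can be peered or attached to a Transit Gateway later without
# address conflicts.
ENV_VPCS: Dict[str, str] = {
    "dev": "10.10.0.0/16",
    "staging": "10.20.0.0/16",
    "corporate": "10.30.0.0/16",
    "prod": "10.40.0.0/16",
}
ORG_SUPERNET = "10.0.0.0/8"
PRODUCTION_ENVS: Set[str] = {"prod"}

# AWS reserves the first four and the last address of every subnet.
AWS_RESERVED_PER_SUBNET = 5


def check_no_overlap(vpcs: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return environment pairs whose VPC CIDRs overlap (an empty list is good)."""
    nets = {env: ipaddress.ip_network(cidr) for env, cidr in vpcs.items()}
    return [
        (a, b) for a, b in combinations(sorted(nets), 2)
        if nets[a].overlaps(nets[b])
    ]


def outside_supernet(vpcs: Dict[str, str], supernet: str) -> List[str]:
    """Return environments whose VPC CIDR is not inside the organisation supernet."""
    top = ipaddress.ip_network(supernet)
    return [env for env, cidr in vpcs.items()
            if not ipaddress.ip_network(cidr).subnet_of(top)]


def plan_subnets(vpc_cidr: str, azs: Iterable[str], new_prefix: int = 20) -> Dict[str, str]:
    """Carve one node/pod subnet per availability zone out of the VPC CIDR."""
    vpc = ipaddress.ip_network(vpc_cidr)
    candidates = list(vpc.subnets(new_prefix=new_prefix))
    az_list = list(azs)
    if len(az_list) > len(candidates):
        raise ValueError(f"{vpc_cidr} cannot hold {len(az_list)} /{new_prefix} subnets")
    return {az: str(net) for az, net in zip(az_list, candidates)}


def usable_ips(subnet_cidr: str) -> int:
    """Addresses a subnet can actually hand out after AWS's reserved ones."""
    return ipaddress.ip_network(subnet_cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def capacity_ok(subnets: Dict[str, str], required_ips: int) -> bool:
    """With the default VPC CNI every pod takes a subnet IP, so nodes plus pods
    must fit in the subnets' usable address space."""
    return sum(usable_ips(c) for c in subnets.values()) >= required_ips


def cross_boundary_peerings(peerings: Iterable[Tuple[str, str]],
                            production_envs: Set[str]) -> List[Tuple[str, str]]:
    """Return peerings that join a production VPC to a non-production one."""
    return [
        (a, b) for a, b in peerings
        if (a in production_envs) != (b in production_envs)
    ]


if __name__ == "__main__":
    assert not check_no_overlap(ENV_VPCS)
    assert not outside_supernet(ENV_VPCS, ORG_SUPERNET)
    staging = plan_subnets(ENV_VPCS["staging"], ["us-east-1a", "us-east-1b", "us-east-1c"])
    print("staging subnets:", staging)
    print("room for 10000 node+pod IPs:", capacity_ok(staging, 10_000))
    # Assumed peering list: the prod<->staging link is the kind to reject.
    print("cross-boundary peerings:", cross_boundary_peerings(
        [("prod", "staging"), ("dev", "staging")], PRODUCTION_ENVS))
```

The peering list is the only input that has to come from outside the script; feeding it the VPC peering or Transit Gateway attachments from a Terraform plan before `apply` (an assumed workflow, not something the thread describes) turns the "no production to non-production traffic" rule into a check rather than a convention.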