EKS Networking Setup: Private Endpoints and VPC Communication

Asked By TechieTurtle23 On

Hey everyone! I'm currently working with four VPCs—dev, stage, production, and internal—and I'm planning to set up our GitLab server, Grafana stack, and VPN server within the internal VPC CIDR. We'll host the Grafana stack and GitLab runners on our EKS cluster. My main question is whether it's a good idea to set the EKS cluster's "Cluster Endpoint access" to "Private" and utilize Transit Gateway to allow communication between the internal VPC and the other VPCs (dev, stage, production). I've seen some setups implementing a "Public and Private" model with a strong focus on Security Groups for access. Any insights or helpful documentation on this would be greatly appreciated!

4 Answers

Answered By SimplicitySeeker On

It’ll be easier to manage different environments by using AWS Organizations, and you can apply the same Terraform code across accounts with different tags or variables. Setting private endpoints will ensure your apps can access the EKS API without routing through the public internet, which is great for your runners. Public access might be necessary depending on your needs, but prioritizing private access along with VPN is generally safer. Also, if you’re just starting out, consider keeping things simple. Starting with ECS, EC2, or Lambda might be more cost-effective than jumping straight into a comprehensive Kubernetes setup.

Answered By CloudGuru_99 On

Before you proceed, it's essential to set up an AWS Organization. This involves creating a billing account, an org account, and separate accounts for dev, stage, production, and internal. Doing so will keep your billing organized and clear.

BudgetMinded -

Absolutely! Organizing your billing this way is far cleaner than trying to manage it through tags.

Answered By KubeMasterX On

I support your plan! Go for the private cluster endpoint and connect it through the Transit Gateway. Just make sure you're setting up DNS and routing correctly to avoid any hiccups.
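
The private endpoint plus Transit Gateway layout KubeMasterX describes, as an added Terraform example that is not from this thread or from AWS. Every VPC, subnet and route-table ID, the CIDRs and the IAM role ARN are placeholders, and the resource names are mine. It covers the two parts the answer says to get right: TGW routes in both directions, and Route 53 Resolver forwarding so the private cluster hostname resolves from the dev VPC (the hosted zone EKS creates for a private endpoint is associated only with the cluster's own VPC, so peer VPCs cannot resolve the name on their own).

```hcl
# Added example (not from the thread): private-only EKS API in the internal VPC, reached from the
# dev VPC over a Transit Gateway, with Route 53 Resolver forwarding. All IDs/CIDRs are placeholders.
locals {
  vpcs = {
    internal = { id = "vpc-INTERNAL-PLACEHOLDER", cidr = "10.10.0.0/16", rtb = "rtb-INTERNAL-PLACEHOLDER",
      subnets = ["subnet-INT-A-PLACEHOLDER", "subnet-INT-B-PLACEHOLDER"] }
    dev = { id = "vpc-DEV-PLACEHOLDER", cidr = "10.20.0.0/16", rtb = "rtb-DEV-PLACEHOLDER",
      subnets = ["subnet-DEV-A-PLACEHOLDER", "subnet-DEV-B-PLACEHOLDER"] }
  }
  all_cidrs = [for v in local.vpcs : v.cidr] # the only networks allowed to talk to the API / DNS
}

# 1. Control plane with no public endpoint at all; the API is reachable only from inside the VPCs.
resource "aws_eks_cluster" "internal" {
  name     = "internal-eks"
  role_arn = "arn:aws:iam::123456789012:role/eks-cluster-PLACEHOLDER"
  vpc_config {
    subnet_ids              = local.vpcs.internal.subnets
    endpoint_private_access = true
    endpoint_public_access  = false
  }
}
# EKS-managed cluster SG only trusts itself by default; open TCP/443 to runners/VPN clients in our VPCs.
resource "aws_security_group_rule" "api_from_vpcs" {
  type              = "ingress"
  security_group_id = aws_eks_cluster.internal.vpc_config[0].cluster_security_group_id
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = local.all_cidrs
}

# 2. Transit Gateway hub; default association/propagation handles the TGW side of the routing.
resource "aws_ec2_transit_gateway" "hub" {}
resource "aws_ec2_transit_gateway_vpc_attachment" "spoke" {
  for_each           = local.vpcs
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
  vpc_id             = each.value.id
  subnet_ids         = each.value.subnets
}
resource "aws_route" "via_tgw" { # each VPC route table sends the peer CIDR to the TGW
  for_each               = { internal = "dev", dev = "internal" }
  route_table_id         = local.vpcs[each.key].rtb
  destination_cidr_block = local.vpcs[each.value].cidr
  transit_gateway_id     = aws_ec2_transit_gateway.hub.id
}

# 3. DNS. The private API name lives in a hosted zone bound to the cluster VPC only, so the dev
#    VPC forwards queries for that one name to an inbound Resolver endpoint in the internal VPC.
resource "aws_security_group" "dns" { # port 53 (UDP and TCP) between our VPCs, nothing else
  for_each = local.vpcs
  name     = "resolver-dns-${each.key}"
  vpc_id   = each.value.id
  dynamic "ingress" {
    for_each = toset(["udp", "tcp"])
    content {
      from_port   = 53
      to_port     = 53
      protocol    = ingress.value
      cidr_blocks = local.all_cidrs
    }
  }
  dynamic "egress" {
    for_each = toset(["udp", "tcp"])
    content {
      from_port   = 53
      to_port     = 53
      protocol    = egress.value
      cidr_blocks = local.all_cidrs
    }
  }
}
resource "aws_route53_resolver_endpoint" "inbound" {
  direction          = "INBOUND"
  security_group_ids = [aws_security_group.dns["internal"].id]
  dynamic "ip_address" {
    for_each = toset(local.vpcs.internal.subnets)
    content { subnet_id = ip_address.value }
  }
}
resource "aws_route53_resolver_endpoint" "outbound" {
  direction          = "OUTBOUND"
  security_group_ids = [aws_security_group.dns["dev"].id]
  dynamic "ip_address" {
    for_each = toset(local.vpcs.dev.subnets)
    content { subnet_id = ip_address.value }
  }
}
resource "aws_route53_resolver_rule" "eks_api" { # forward only the cluster's own hostname
  domain_name          = trimprefix(aws_eks_cluster.internal.endpoint, "https://")
  rule_type            = "FORWARD"
  resolver_endpoint_id = aws_route53_resolver_endpoint.outbound.id
  dynamic "target_ip" {
    for_each = aws_route53_resolver_endpoint.inbound.ip_address
    content { ip = target_ip.value.ip }
  }
}
resource "aws_route53_resolver_rule_association" "dev" {
  resolver_rule_id = aws_route53_resolver_rule.eks_api.id
  vpc_id           = local.vpcs.dev.id
}
```

Stage and production are added the same way: another entry in `local.vpcs`, the matching route pairs, and one more `aws_route53_resolver_rule_association` for each VPC that needs to reach the API. With `endpoint_public_access = false`, `kubectl` from a laptop only works through the VPN into the internal VPC, which is exactly the access path the question proposes; nodes in the cluster still need their own egress (NAT gateway or VPC endpoints) for image pulls and AWS API calls, which this snippet does not set up.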

Answered By DevOpsDynamo On

While I'm not completely sure about the endpoint configuration, I recommend enhancing your isolation by creating separate AWS accounts for your dev, prod, and infrastructure environments. You can connect them under an organization, which keeps everything streamlined while managing only one bill. This separation reduces the risk of issues in dev affecting prod and allows for tighter restrictions on production resources.
