How to use security groups for pods on Amazon EKS

Dec 16, 2021 | Announcements, Migration, MSP

What are security groups for pods on Amazon EKS?

Security groups are one of the keystone building blocks in any AWS cloud deployment. Security groups are like instance-level network firewalls. Since security groups are associated with Amazon Elastic Compute Cloud (Amazon EC2) instances, they offer protection at the ports and protocol access levels. AWS realized that the capability to integrate security groups with Kubernetes pods would be a vital feature for the Amazon Elastic Kubernetes Service (Amazon EKS) public roadmap and recently brought that to fruition. Security groups for pods now integrate Amazon EC2 security groups with Kubernetes pods. You can use Amazon EC2 security groups to define rules that allow inbound and outbound network traffic to and from pods that you deploy to nodes running on many Amazon EC2 instance types and Fargate.

nClouds recognizes that this recent AWS security feature is an important step forward for network traffic management. Therefore, this blog is about how to assign specific Amazon EC2 security groups directly to pods running in Amazon EKS clusters. Note that the feature is specific to Amazon Elastic Kubernetes Service (Amazon EKS); it does not apply to any other Kubernetes clusters.

Security group scenarios

One area where we could have possible security issues is in the databases running in our private subnets. Our applications require us to expose ports to public access through third-party software. What we do not want, and what has proven to be devastating to businesses large and small, is the deployment and running of malicious software. Now, unlike the previous workarounds we had to configure, we can protect our infrastructure with best practices by assigning a dedicated security group to each pod, so that only the pods that actually need the database can reach it. And this is only one of the scenarios where AWS’s innovation is proving to be very useful.

What if we are a small company but want to use other networking plugins for Kubernetes, like the Cloud Deployment Model (CDM), Cilium, or Calico? Previously, we had to go with the enterprise version, which comes at a cost and raises our overhead significantly. For that kind of scenario, security groups for pods are very useful. In fact, with security groups for pods, you can assign an existing security group to a collection of pods.
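The assignment described above is done with a SecurityGroupPolicy, a custom resource installed by the Amazon VPC CNI plugin. The following manifest is an added example written for this post and is not code from the original article or from AWS; it assumes the cluster already meets the feature's prerequisites (the VPC CNI plugin running with ENABLE_POD_ENI=true, the cluster IAM role carrying the AmazonEKSVPCResourceController managed policy, and nodes on Nitro-based instance types), and the security group ID, namespace and labels are placeholders you would replace with your own.

```yaml
# Added example (not from the nClouds post): attach an existing EC2 security
# group to only the pods of one application, so that a database security group
# can allow inbound traffic from this group instead of from a whole node.
# Placeholders: sg-0123456789abcdef0, namespace "orders", label app=orders-api.
apiVersion: vpcresources.k8s.aws/v1beta1
kind: SecurityGroupPolicy
metadata:
  name: orders-api-db-access
  namespace: orders
spec:
  # Only pods matching this selector (created after the policy exists) get the
  # branch ENI with the listed security group; other pods keep the node's groups.
  podSelector:
    matchLabels:
      app: orders-api
  securityGroups:
    groupIds:
      - sg-0123456789abcdef0   # placeholder: the pod security group
---
# A deployment whose pods carry the selected label. Nothing else in the
# namespace is affected by the policy above.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: orders-api
  namespace: orders
spec:
  replicas: 2
  selector:
    matchLabels:
      app: orders-api
  template:
    metadata:
      labels:
        app: orders-api
    spec:
      containers:
        - name: api
          image: public.ecr.aws/docker/library/nginx:stable   # placeholder image
          ports:
            - containerPort: 8080
```

After `kubectl apply -f` on both resources, a pod that received its own network interface carries the `vpc.amazonaws.com/pod-eni` annotation, which is the quickest check that the policy matched. Two rules then complete the picture on the EC2 side: the database security group should allow its port (for example 5432) only from the pod security group, and the pod security group should allow inbound traffic from the cluster security group so that kubelet liveness and readiness probes still reach the pod. Pods that already existed when the policy was created are not modified; they have to be recreated to pick it up.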

Step-by-step tutorial

For a step-by-step tutorial on how to use security groups for pods on Amazon EKS, here is my video tutorial:

To learn more about how to protect your infrastructure, stop malicious software, better control network traffic from inside and outside the cluster, and drive cost optimization for smaller organizations, go to:

https://aws.amazon.com/blogs/containers/introducing-security-groups-for-pods/
https://aws.github.io/aws-eks-best-practices/security/docs/network/

To learn more about Kubernetes on AWS, check out our related blogs and webinars:

Blogs:

How to set up serverless Kubernetes Pods using AWS Fargate and Amazon EKS
Drive Continuous Delivery (CD) on Kubernetes with GitOps
Increase your productivity with this handy Kubernetes cheat sheet
How to deploy a Kubernetes cluster on AWS with Terraform & kops

On-demand webinars:

Kubernetes on AWS: Observability
Kubernetes on AWS: GitOps
Kubernetes on AWS: Multi-Arch Workloads with AWS Graviton2
Hassle-Free Kubernetes on AWS

Need help with Kubernetes on AWS? The nClouds team is here to help with that and all your AWS infrastructure requirements.
