apanwarrior
1 min read · Oct 8, 2020


AWS EKS with private endpoint enabled

When only the private endpoint is enabled, Amazon EKS automatically advertises the private IP addresses of the private endpoint from the public endpoint. Clients (such as the kubectl CLI tool) use the public endpoint as a DNS resolver to connect to the private endpoint through a peered VPC automatically. Since these are always private IPs, clients without access to the private VPC may receive the IP address but are unable to connect to the cluster.

First, you can connect to an EKS private endpoint from a peered VPC. Private access does imply that it can only be accessed by hosts in the same VPC or connected networks: if it’s private, it’s only resolvable inside the VPC and peered VPCs.

If you set your EKS cluster to “private”, you need a host that gives you a way into your VPC.

So the solution is something like a VPN (you can use the AWS managed VPN service for that) to get into the private network(s) of your VPC: Client -> VPN -> AWS VPC Network -> EKS API.

A VPN is not required if you connect (for example) to a bastion host and run your kubectl commands from there. You can also jump from the bastion host to your EKS worker nodes and run your kubectl commands there. But in general, you need a direct connection to the VPC you’re running your EKS setup in if you set the API to private.

Also, you have to set enableDnsHostnames and enableDnsSupport to true for your VPC.
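To turn the points above into something checkable, here is an added audit helper (example code, not from the original post or from AWS). It takes the JSON that `aws eks describe-cluster` and `aws ec2 describe-vpc-attribute` print, classifies the API endpoint exposure (private-only, public-restricted, public-open), verifies that a private-only endpoint resolves to private addresses only, and confirms both VPC DNS attributes are set. The cluster document, VPC attributes and resolved IP addresses below are constructed samples; in practice you would feed in the real CLI output and a `dig`/`nslookup` result from inside the VPC.

```python
"""Audit helper: evaluate an EKS cluster's API endpoint exposure.

Added example, not code from the original post. It expects the JSON printed by
  aws eks describe-cluster --name <cluster>
  aws ec2 describe-vpc-attribute --vpc-id <vpc> --attribute enableDnsHostnames
  aws ec2 describe-vpc-attribute --vpc-id <vpc> --attribute enableDnsSupport
The samples below are constructed, not output from a real account.
"""
import ipaddress
import json

# Constructed sample of `aws eks describe-cluster` output (fields trimmed).
SAMPLE_CLUSTER = json.loads("""
{
  "cluster": {
    "name": "demo-cluster",
    "endpoint": "https://EXAMPLE0123456789.gr7.us-east-1.eks.amazonaws.com",
    "resourcesVpcConfig": {
      "vpcId": "vpc-0example",
      "endpointPublicAccess": false,
      "endpointPrivateAccess": true,
      "publicAccessCidrs": ["0.0.0.0/0"]
    }
  }
}
""")

# Constructed samples of the two `aws ec2 describe-vpc-attribute` responses.
SAMPLE_VPC_ATTRS = {
    "EnableDnsHostnames": {"Value": True},
    "EnableDnsSupport": {"Value": True},
}


def endpoint_posture(cluster_doc):
    """Classify API endpoint exposure from describe-cluster JSON.

    Returns one of:
      'private-only'       private on, public off: reachable only from the VPC,
                           peered VPCs, a VPN or a bastion host inside the VPC
      'public-restricted'  public on but limited to specific CIDRs
      'public-open'        public on and open to 0.0.0.0/0
      'unreachable'        both endpoints off (misconfiguration)
    """
    cfg = cluster_doc["cluster"]["resourcesVpcConfig"]
    public = cfg.get("endpointPublicAccess", True)     # AWS default is True
    private = cfg.get("endpointPrivateAccess", False)  # AWS default is False
    cidrs = cfg.get("publicAccessCidrs", ["0.0.0.0/0"])
    if not public and not private:
        return "unreachable"
    if not public:
        return "private-only"
    if "0.0.0.0/0" in cidrs:
        return "public-open"
    return "public-restricted"


def all_private(addresses):
    """True if every resolved address is a private (non-global) address.

    With a private-only endpoint the public DNS name still resolves, but only
    to private VPC addresses; a globally routable address here means the
    public endpoint is still enabled.
    """
    return all(ipaddress.ip_address(a).is_private for a in addresses)


def vpc_dns_ok(attrs):
    """Both VPC DNS attributes must be true for the private endpoint to resolve."""
    return bool(attrs["EnableDnsHostnames"]["Value"]) and bool(attrs["EnableDnsSupport"]["Value"])


def audit(cluster_doc, vpc_attrs, resolved_ips):
    """Combine the checks into a list of findings (empty list means clean)."""
    findings = []
    posture = endpoint_posture(cluster_doc)
    if posture == "public-open":
        findings.append("API endpoint is public and open to 0.0.0.0/0; "
                        "restrict publicAccessCidrs or disable public access")
    elif posture == "unreachable":
        findings.append("Both endpoints are disabled; the API server cannot be reached")
    if posture == "private-only" and not all_private(resolved_ips):
        findings.append("Private-only cluster resolves to a non-private address; re-check endpoint settings")
    if not vpc_dns_ok(vpc_attrs):
        findings.append("VPC needs enableDnsHostnames and enableDnsSupport set to true")
    return findings


if __name__ == "__main__":
    # Constructed: what the endpoint hostname resolves to from inside the VPC.
    resolved = ["10.0.12.34", "10.0.45.67"]
    for line in audit(SAMPLE_CLUSTER, SAMPLE_VPC_ATTRS, resolved) or ["no findings"]:
        print(line)
```

The `all_private` check is the practical counterpart of the first paragraph: from a client without VPC access the name resolves (to 10.x addresses in this sample) but nothing answers, which is the expected behaviour, not a fault.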
