private vpc nodes not visible #522

Closed
1 of 4 tasks
aliartiza75 opened this issue Sep 23, 2019 · 9 comments

@aliartiza75
Contributor

aliartiza75 commented Sep 23, 2019

I have issues

When I deploy an EKS cluster using the existing public VPC, everything works fine. But when I try to use the private VPC, everything gets deployed, but when I try to get the nodes of the EKS cluster I get a "no resources found" error. When I get the pods of the cluster, I find that the kube-dns pods are in the pending state.

Is there some kind of permission issue or configuration issue?

I'm submitting a...

  • bug report
  • feature request
  • support request
  • kudos, thank you, warm fuzzy

What is the current behaviour?

If this is a bug, how to reproduce? Please include a code sample if relevant.

Deploy the eks cluster on the private vpc.

What's the expected behaviour?

I should be able to get the nodes deployed on private subnet

Are you able to fix this problem and submit a PR? Link here if you have already.

No idea.

Environment details

  • Affected module version: V5.0.1
  • OS:
  • Terraform version: 0.12.7

Any other relevant info

@aliartiza75
Contributor Author

@max-rocket-internet kindly have a look at this issue

@aliartiza75
Contributor Author

This is the log from one of the nodes in the private subnet:

Sep 23 10:30:06 ip-172-31-124-177 kubelet: F0923 10:30:06.736075   14523 server.go:261] failed to run Kubelet: could not init cloud provider "aws": error finding instance : "error listing AWS instances: \"RequestError: send request failed\\ncaused by: Post https://ec2.us-X-X.amazonaws.com/: dial tcp XX.XX.XX.XX:443: i/o timeout\""

@dpiddockcmp
Contributor

Without knowing how you're configuring your VPC or calling this module, I'm going to go with the usual suspects:

  • instances in your private subnet do not have general internet access, so cannot reach the EKS public endpoint (enabled by default in the module)
  • you have not enabled the EKS private endpoint (disabled by default for historical reasons)

Fix: either add a NAT gateway/instance and allow the nodes to access the internet or enable the private endpoint via the cluster_endpoint_private_access module input variable.

@max-rocket-internet
Contributor

@dpiddockcmp bringing the knowledge as always.

This issue comes up A LOT:
#488
#413
#358
#310
#304
#522

Might be worth writing a sort of FAQ to point users at?

@max-rocket-internet
Contributor

dial tcp XX.XX.XX.XX:443: i/o timeout

The node cannot connect to the AWS API. Check internet or VPC settings.

@aliartiza75
Contributor Author

Thank you @max-rocket-internet and @dpiddockcmp for the quick response. The VPC is configured properly. When nodes are deployed on the public subnet they are accessible, but on the private subnet the nodes are not accessible.

@max-rocket-internet yes, it would be good if a FAQ were written for this issue.

@dpiddockcmp
Contributor

We're just guessing in the dark here. Please include your VPC and EKS module configs.

Another guess: do you have VPC DNS enabled? This is required for the private endpoint to work. Set enable_dns_hostnames = true on your aws_vpc resource. The terraform-aws-module/vpc/aws community module has a variable of the same name.

@dpiddockcmp dpiddockcmp mentioned this issue Sep 24, 2019
4 tasks
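
The fixes suggested in the comments above (an outbound path for the private subnets, the EKS private endpoint, and VPC DNS hostnames), shown together as an added Terraform example that is not from the issue reporter or the module's own documentation. The resource names, CIDR ranges, availability zones and instance type are constructed placeholders; the module version is the one reported in this issue.

```hcl
# Added example: constructed values, not the reporter's configuration.
module "vpc" {
  source = "terraform-aws-modules/vpc/aws"

  name            = "eks-example"                        # placeholder
  cidr            = "10.0.0.0/16"                        # placeholder
  azs             = ["us-east-1a", "us-east-1b"]         # placeholder
  private_subnets = ["10.0.1.0/24", "10.0.2.0/24"]       # worker nodes live here
  public_subnets  = ["10.0.101.0/24", "10.0.102.0/24"]   # hosts the NAT gateway

  # Option 1 from the thread: give the private subnets an outbound route.
  # The kubelet log in this issue times out against the regional EC2 API,
  # which is a different service from the EKS endpoint, so nodes need a
  # path to it as well (NAT here).
  enable_nat_gateway = true
  single_nat_gateway = true

  # Needed for the EKS private endpoint: the cluster hostname must resolve
  # to private addresses from inside the VPC.
  enable_dns_hostnames = true
  enable_dns_support   = true
}

module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "5.0.1"

  cluster_name = "example"                  # placeholder
  vpc_id       = module.vpc.vpc_id
  subnets      = module.vpc.private_subnets # nodes only in private subnets

  # Option 2 from the thread: let nodes reach the Kubernetes API without
  # leaving the VPC. Per the thread, the private endpoint is disabled by
  # default and the public endpoint is enabled by default.
  cluster_endpoint_private_access = true
  cluster_endpoint_public_access  = true

  worker_groups = [
    {
      instance_type = "t3.medium" # placeholder
      asg_max_size  = 2
    }
  ]
}
```

With the private endpoint enabled, the public endpoint can be set to `false` only if whoever runs `kubectl` and Terraform also has network access into the VPC.
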
@aliartiza75
Contributor Author

aliartiza75 commented Sep 27, 2019

@dpiddockcmp the VPC is managed by someone else so I can't provide information about the VPC and thank you for the FAQ.

Closing this issue.

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 30, 2022