You can limit, or completely disable, public access from the internet to your Kubernetes cluster endpoint.

Amazon Amazon EKS creates an endpoint for the managed Kubernetes API server that you use to communicate with your cluster (using Kubernetes management tools such as kubectl). By default, this API server endpoint is public to the internet, and access to the API server is secured using a combination of AWS Identity and Access Management (IAM) and native Kubernetes Role Based Access Control (RBAC).

You can, optionally, limit the CIDR blocks that can access the public endpoint. If you limit access to specific CIDR blocks, then it is recommended that you also enable the private endpoint, or ensure that the CIDR blocks that you specify include the addresses that worker nodes and Fargate pods (if you use them) access the public endpoint from.

You can enable private access to the Kubernetes API server so that all communication between your worker nodes and the API server stays within your VPC. You can limit the IP addresses that can access your API server from the internet, or completely disable internet access to the API server.

Let’s break it down in simpler terms with practical examples so you fully understand EKS API access modes.

1️⃣ Understanding EKS API Endpoints

Every EKS cluster has an API server endpoint that allows:

  • kubectl and other Kubernetes tools to communicate with the cluster.
  • Worker nodes to communicate with the control plane.

EKS supports three access modes:

  1. Public
  2. Public and Private
  3. Private

2️⃣ Public API Endpoint (🚨 Least Secure)

✅ What It Means

  • The EKS API endpoint is accessible from the internet.
  • Worker nodes in your VPC must connect to the API over the internet.
  • You can restrict access to specific IPs (cluster_endpoint_public_access_cidrs).

⚠️ Downsides

  • Security risk: If someone gets access to your cluster credentials, they can reach the API from anywhere (unless restricted by IP).
  • Worker nodes must access API over the internet, which is less secure and increases latency.

📌 Example Scenario

Imagine you work remotely and want to manage your EKS cluster from home.

Terraform Example:

cluster_endpoint_public_access       = true
cluster_endpoint_public_access_cidrs = ["182.169.72.245/32"]

✅ This allows only your laptop's IP (182.169.72.245/32) to access the cluster.

3️⃣ Public and Private API Endpoint (🔥 Recommended)

✅ What It Means

  • The EKS API endpoint is accessible from the internet (for administrators).
  • Worker nodes stay inside the VPC to communicate with the API server (does NOT use the internet).
  • You can still restrict public access to specific IPs.

🔥 Why It’s Recommended

  • Admin access from outside AWS is possible.
  • Worker nodes remain private (no need for internet access).
  • Best balance of security and usability.

📌 Example Scenario

Imagine:

  • Your admin team works remotely and needs kubectl access.
  • Your worker nodes should stay private and not access the API over the internet.

Terraform Example:

cluster_endpoint_public_access       = true
cluster_endpoint_public_access_cidrs = ["182.169.72.245/32"]

✅ Admins can access EKS API from 182.169.72.245, but worker nodes will use private networking.

4️⃣ Private API Endpoint (🔒 Most Secure)

✅ What It Means

  • The EKS API endpoint is NOT accessible from the internet (only inside AWS).
  • Worker nodes stay inside the VPC to communicate with the API server.
  • kubectl will NOT work from outside AWS unless using a VPN, Bastion Host, or Direct Connect.

🔐 Best for High Security

  • If you don’t need remote access to EKS, use this mode.
  • All API traffic stays private inside AWS.

📌 Example Scenario

Imagine:

  • Your entire team works inside AWS (e.g., using AWS Workspaces or a private VPN).
  • You want maximum security and do not need kubectl from outside.

Terraform Example:

cluster_endpoint_public_access       = false
cluster_endpoint_public_access_cidrs = []

✅ This ensures only services inside the VPC can communicate with EKS.

5️⃣ Summary: Choosing the Right Access Mode

| Access Mode | Who Can Access EKS API? | How Do Worker Nodes Connect? | Recommended For? |
|----------------------|--------------------------------|------------------------------|-----------------------|
| Public (❌ Not Secure) | Anyone on the internet (can restrict by IP) | Nodes go through the internet | Temporary setups, non-production |
| Public & Private (🔥 Recommended) | Admins via internet (with IP restriction) | Nodes stay inside the VPC | Secure, flexible access for admins & workloads |
| Private (🔒 Most Secure) | Only inside AWS (VPN, Bastion, etc.) | Nodes stay inside the VPC | High-security workloads, no internet exposure |

6️⃣ How Can You Access a Private EKS API?

If you choose Private mode (cluster_endpoint_public_access = false), you can still manage the cluster using:

  1. Bastion Host (EC2 instance inside the VPC)
    • SSH into the EC2 instance and run kubectl from there.
  2. AWS Systems Manager (SSM)
    • Use aws ssm start-session to access an EC2 in the VPC without needing SSH.
  3. VPN / AWS Direct Connect
    • Connect to AWS privately and access EKS as if inside the VPC.

✅ Final Answer

  • Public: You can access from your laptop, but worker nodes will communicate via the internet.
  • Public & Private (Recommended): Your laptop can access, and worker nodes will stay private.
  • Private: Only accessible inside AWS (VPN, Bastion, SSM).

Understanding How Worker Nodes Connect to the EKS API Server

Let's break this down into simple terms so you can fully understand how worker nodes communicate with the EKS control plane.

How Worker Nodes Communicate with EKS API Server

Your EKS cluster has two main components:

  1. Control Plane (API Server) → Managed by AWS.
  2. Worker Nodes (EC2 instances or Fargate pods) → Run your applications inside a VPC.

When worker nodes need to communicate with the EKS API server, they must send requests to:

  • Register themselves with the cluster.
  • Join the cluster (via kubelet).
  • Get instructions from the Kubernetes API server.

What Happens When the API is Public?

If the EKS API is Public (cluster_endpoint_public_access = true), the control plane only provides a public IP address for communication.

🚨 Problem:
Worker nodes in the private VPC now have to leave the VPC and access the API via the internet. This happens because:

  • The API endpoint is public, but worker nodes don't have direct internet access.
  • They need a NAT Gateway to route traffic to the public EKS API.
  • If you don’t have a NAT Gateway, worker nodes can’t talk to the API.

✅ Solution:
Use Public and Private API Mode so worker nodes can communicate internally.

What Happens When the API is Private?

If the EKS API is Private (cluster_endpoint_public_access = false), the control plane gets a private IP address.

🔥 Good News:

  • Worker nodes stay inside the VPC and connect to the API without needing the internet.
  • This means no need for a NAT Gateway, which saves cost and increases security.

🚨 Problem:

  • kubectl will not work from your laptop unless you are inside the AWS VPC.
  • You will need a Bastion Host, VPN, or AWS Direct Connect to access it.

How to Configure These Options in Terraform

Here’s how you can configure Public, Public & Private, and Private API modes in Terraform.

Option 1️⃣: Public API Endpoint (Public Mode)

  • The API is accessible over the internet.
  • Worker nodes will use a NAT Gateway to reach the API.
  • You can restrict access to your laptop’s IP.
resource "aws_eks_cluster" "my-cluster" {
  name     = "my-cluster"
  role_arn = aws_iam_role.eks_role.arn
  version  = "1.27"

  vpc_config {
    endpoint_public_access       = true
    endpoint_private_access      = false  # ❌ Private access is disabled
    public_access_cidrs          = ["182.169.72.245/32"]  # Restrict to your laptop IP
    subnet_ids                   = [aws_subnet.public1.id, aws_subnet.public2.id]
  }
}

✅ Who can access the API?

  • Your laptop (182.169.72.245).
  • Worker nodes use the internet (NAT Gateway needed).

Option 2️⃣: Public & Private API Endpoint (🔥 Recommended)

  • Your laptop can access the API (public access allowed for specific IPs).
  • Worker nodes stay inside the VPC and do NOT use the internet.
  • Best balance between security and usability.
resource "aws_eks_cluster" "my-cluster" {
  name     = "my-cluster"
  role_arn = aws_iam_role.eks_role.arn
  version  = "1.27"

  vpc_config {
    endpoint_public_access       = true
    endpoint_private_access      = true  # ✅ Private access is enabled
    public_access_cidrs          = ["182.169.72.245/32"]  # Restrict to your laptop
    subnet_ids                   = [aws_subnet.private1.id, aws_subnet.private2.id]
  }
}

✅ Who can access the API?

  • Your laptop (182.169.72.245).
  • Worker nodes talk directly inside the VPC (NO internet needed).

Option 3️⃣: Private API Endpoint (Private Mode)

  • The API is NOT accessible from the internet.
  • Only worker nodes inside the VPC can communicate with the API.
  • You CANNOT use kubectl from your laptop unless using a Bastion Host or VPN.
resource "aws_eks_cluster" "my-cluster" {
  name     = "my-cluster"
  role_arn = aws_iam_role.eks_role.arn
  version  = "1.27"

  vpc_config {
    endpoint_public_access       = false  # ❌ No public access
    endpoint_private_access      = true   # ✅ Only private access allowed
    public_access_cidrs          = []
    subnet_ids                   = [aws_subnet.private1.id, aws_subnet.private2.id]
  }
}

✅ Who can access the API?

  • Only worker nodes inside the VPC.
  • Your laptop CANNOT access EKS directly (need VPN or Bastion).

Summary: Which Mode Should You Use?

| Access Mode | Who Can Access API? | How Do Worker Nodes Connect? | Best For? |
|-------------------------|-----------------------------|--------------------------------|--------------|
| Public API (true + false) | Anyone (with IP restriction) | 🚨 Through the internet (NAT required) | Development & Testing |
| Public & Private (true + true) | Your laptop & worker nodes (private VPC access) | ✅ Direct VPC connection (NO internet needed) | Best for Production |
| Private API (false + true) | Only inside AWS (VPN/Bastion needed) | ✅ Direct VPC connection (NO internet needed) | High Security Workloads |

Which Mode is Right for You?

  • If you need access from your laptop → Choose "Public & Private API" (Recommended).
  • If security is your highest concern → Use "Private API" (But need VPN/Bastion).
  • If it's just a test environment → Use "Public API" (But NOT for production).