VPC

Note

Terraform code: aws-eks-terraform. Clone it and follow along — all resources in this section live under modules/vpc/.

Tip

New to VPCs, subnets, or EKS subnet tags? Read Networking concepts first. This page focuses on the build.

Progress checklist

• VPC created with DNS hostnames enabled
• Public subnets created (one per AZ)
• Private subnets created (one per AZ)
• Internet Gateway attached
• NAT Gateway provisioned
• Route tables configured
• Subnet tags applied for EKS discovery
• EKS API endpoint set to Public + Private

Overview

The VPC VPC
Virtual Private Cloud — an isolated, private network in AWS where your cluster resources run. is the network boundary for the entire cluster. EKS worker nodes run in private subnets and reach the internet through a NAT NAT
NAT Gateway — allows instances in private subnets to reach the internet without being directly reachable from it. . Public subnets host the NAT Gateway and any public-facing load balancers. See Networking concepts for why each piece exists.

Repository layout

• Directorymodules/ - vpc/ - main.tf VPC, subnets, IGW, NAT, and route tables - variables.tf - outputs.tf - walkthrough/ - main.tf Entry point — calls the vpc module - variables.tf - terraform.tfvars.example Copy to terraform.tfvars and fill in values

  • …

Steps

1. Initialise Terraform. Required

   walkthrough/

   terraform init

2. Create the VPC. Required

   modules/vpc/main.tf

   resource "aws_vpc" "main" {
     cidr_block           = var.cidr
     enable_dns_support   = true
     enable_dns_hostnames = true
   
     tags = merge(var.tags, { Name = var.name })
   }

   Tip

   enable_dns_hostnames = true is required so EKS nodes can resolve the API server endpoint by hostname. See VPC basics for details.

3. Create public and private subnets. Required

   Spread subnets across three Availability Zones (as in the concepts diagram) for high availability. EKS requires subnet tags so it can discover them — see EKS subnet tags for why each tag is needed.

   This walkthrough uses /24 for private subnets (matching the diagram); see VPC CNI and IP planning for larger clusters. See VPC CNI and IP address planning.

   modules/vpc/main.tf

   resource "aws_subnet" "public" {
     for_each          = var.public_subnets
     vpc_id            = aws_vpc.main.id
     cidr_block        = each.value.cidr
     availability_zone = each.value.az
   
     tags = merge(var.tags, {
       Name                                        = each.key
       "kubernetes.io/cluster/${var.cluster_name}" = "shared"
       "kubernetes.io/role/elb"                    = "1"
     })
   }
   
   resource "aws_subnet" "private" {
     for_each          = var.private_subnets
     vpc_id            = aws_vpc.main.id
     cidr_block        = each.value.cidr
     availability_zone = each.value.az
   
     tags = merge(var.tags, {
       Name                                        = each.key
       "kubernetes.io/cluster/${var.cluster_name}" = "shared"
       "kubernetes.io/role/internal-elb"           = "1"
     })
   }

4. Attach an Internet Gateway and NAT Gateway. Required

   modules/vpc/main.tf

   resource "aws_internet_gateway" "main" {
     vpc_id = aws_vpc.main.id
     tags   = merge(var.tags, { Name = var.name })
   }
   
   resource "aws_eip" "nat" {}
   
   resource "aws_nat_gateway" "main" {
     allocation_id = aws_eip.nat.id
     subnet_id     = values(aws_subnet.public)[0].id
     tags          = merge(var.tags, { Name = var.name })
   }

5. Apply and verify. Required

   terraform apply

   terraform output vpc_id
   terraform output private_subnet_ids