This topic explains the AWS security groups (SG) you need for Anthos clusters on AWS (GKE on AWS).
If you install a management service or use an existing AWS VPC, anthos-gke creates security groups for you. You can configure your AWSCluster and AWSNodePool CRDs with a list of additional security group IDs.
The following diagram outlines how Anthos clusters on AWS uses security groups to connect to Google Cloud and AWS services.
Management service security group
The management service security group allows access to the management service API with HTTPS. If you have a bastion host configured, inbound traffic from the bastion security group is allowed.
If you create an Anthos clusters on AWS environment in an existing AWS VPC, you must have a security group that allows the following connections.
Type | Protocol | Port | Address | Description |
---|---|---|---|---|
Inbound | TCP | 443 | VPC CIDR | Allow HTTPS from the AWS VPC. |
Inbound | TCP | 22 | Bastion host SG | Allow SSH tunneling from the bastion host (included in dedicated VPC only). |
Outbound | TCP | 80 | 0.0.0.0/0 | Allow outbound HTTP. |
Outbound | TCP | 443 | 0.0.0.0/0 | Allow outbound HTTPS. |
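As an added example (not part of the original page), the following Python audits an existing security group against the management service rules in the table above, and also lists any inbound rule open to 0.0.0.0/0, which none of the tables on this page require. It takes the dict shape that boto3's describe_security_groups returns; the VPC CIDR, group ID and rules in the sample are constructed.

```python
"""Added check: does an existing security group satisfy the management
service rules in the table above? Input uses the dict shape returned by
boto3's describe_security_groups; the sample below is constructed."""
import ipaddress
VPC_CIDR = "10.0.0.0/16"  # constructed sample; substitute your VPC's CIDR
# (direction, protocol, port, cidr) as listed in the management service table
REQUIRED_RULES = [
    ("ingress", "tcp", 443, VPC_CIDR),
    ("egress", "tcp", 80, "0.0.0.0/0"),
    ("egress", "tcp", 443, "0.0.0.0/0"),
]
SAMPLE_SG = {  # constructed; GroupId is a placeholder, not a real group
    "GroupId": "sg-PLACEHOLDER",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},  # wider than the table allows
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},  # the port 80 egress rule is absent
    ],
}

def _permits(perm, proto, port, cidr):
    """True if one IpPermission entry covers proto/port for the whole cidr.
    IpProtocol "-1" means every protocol and carries no port range."""
    if perm["IpProtocol"] not in (proto, "-1"):
        return False
    if perm["IpProtocol"] != "-1" and not perm["FromPort"] <= port <= perm["ToPort"]:
        return False
    wanted = ipaddress.ip_network(cidr)
    return any(ipaddress.ip_network(r["CidrIp"]).supernet_of(wanted)
               for r in perm.get("IpRanges", []))

def missing_rules(sg, required=REQUIRED_RULES):
    """Return the required rules that the security group does not satisfy."""
    missing = []
    for direction, proto, port, cidr in required:
        key = "IpPermissions" if direction == "ingress" else "IpPermissionsEgress"
        if not any(_permits(p, proto, port, cidr) for p in sg.get(key, [])):
            missing.append((direction, proto, port, cidr))
    return missing

def world_open_ingress(sg):
    """Inbound entries open to 0.0.0.0/0; no table on this page has one."""
    return [(p["IpProtocol"], p.get("FromPort"), p.get("ToPort"))
            for p in sg.get("IpPermissions", [])
            if any(r["CidrIp"] == "0.0.0.0/0" for r in p.get("IpRanges", []))]
```

For a live group, pass one element of `boto3.client("ec2").describe_security_groups(GroupIds=[...])["SecurityGroups"]` in place of SAMPLE_SG.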
Outbound domain access
The management service requires outbound access to the following domains.
gkeconnect.googleapis.com
gkehub.googleapis.com
oauth2.googleapis.com
storage.googleapis.com
www.googleapis.com
gcr.io
k8s.gcr.io
EC2-REGION.ec2.archive.ubuntu.com
Replace EC2-REGION with the AWS EC2 region where your Anthos clusters on AWS installation runs. For example, us-west-1.ec2.archive.ubuntu.com.
If you are using Anthos Service Mesh with Prometheus and Kiali, allow outbound access to the following domains:
docker.io
quay.io
Bastion host security group (optional)
The bastion host security group allows the connections you use to reach your Anthos clusters on AWS management service and user clusters through the bastion host. This group is optional and is only included if you use anthos-gke to create an Anthos clusters on AWS installation in a dedicated VPC.
Type | Protocol | Port | Address | Description |
---|---|---|---|---|
Inbound | TCP | 22 | CIDR block from bastionAllowedSSHCIDRBlocks in the AWSManagementService configuration. | Allow SSH to bastion host. |
Outbound | TCP | 22 | 0.0.0.0/0 | Allow outbound SSH. |
Outbound | TCP | 80 | 0.0.0.0/0 | Allow outbound HTTP. |
Outbound | TCP | 443 | 0.0.0.0/0 | Allow outbound HTTPS. |
Control plane security group
The control plane security group allows connections between control plane nodes and the management service.
The control plane consists of three EC2 instances behind an AWS Network Load Balancer (NLB). These instances accept connections from etcd instances on other nodes, node pool nodes, and the NLB. In order to update Anthos clusters on AWS components, all outbound HTTP/HTTPS traffic is allowed.
You specify the security group IDs in your AWSCluster definition.
Type | Protocol | Port | Address | Description |
---|---|---|---|---|
Inbound | TCP | 2380 | This SG | Allow control plane etcd replication. |
Inbound | TCP | 2381 | This SG | Allow control plane etcd event replication. |
Inbound | TCP | 443 | Node pool SG | Allow HTTPS from node pool nodes. |
Inbound | TCP | 443 | AWS VPC CIDR range | Allow HTTPS from load balancer and management service. |
Inbound | TCP | 11872 | AWS VPC CIDR range | HTTP health check for load balancer. |
Outbound | TCP | 22 | Node pool SG | Allow SSH tunneling to node pool nodes. |
Outbound | TCP | 80 | 0.0.0.0/0 | Allow outbound HTTP. |
Outbound | TCP | 443 | 0.0.0.0/0 | Allow outbound HTTPS. |
Outbound | TCP | 2380 | This SG | Allow control plane etcd replication. |
Outbound | TCP | 2381 | This SG | Allow control plane etcd event replication. |
Outbound | TCP | 10250 | Node pool SG | Allow connections from the control plane to Kubelet. |
Node pool security group
The node pool security group allows connections from the control plane and from other nodes in the pool. You specify the security group IDs in your AWSNodePool definitions.
Type | Protocol | Port | Address | Description |
---|---|---|---|---|
Inbound | TCP | All | This SG | Allow pod-to-pod communication. |
Inbound | TCP | 22 | Control plane SG | Allow SSH connections from the control plane. |
Inbound | TCP | 443 | Control plane SG | Allow connections from the control plane to Kubelet. |
Inbound | TCP | 10250 | Control plane SG | Allow connections from the control plane to Kubelet. |
Outbound | TCP | All | This SG | Allow pod-to-pod communication. |
Outbound | TCP | 80 | 0.0.0.0/0 | Allow outbound HTTP. |
Outbound | TCP | 443 | 0.0.0.0/0 | Allow outbound HTTPS. |