Security groups for GKE on AWS

This topic explains the AWS security groups (SG) you need for GKE on AWS.

If you install a management service or use an existing AWS VPC, anthos-gke creates security groups for you. You can configure your AWSCluster and AWSNodePool CRDs with a list of additional security group IDs.

The following diagram outlines how GKE on AWS uses security groups to connect to Google Cloud and AWS services.

Diagram of ports and connections from GKE on AWS components to Google Cloud and AWS services.

Management service security group

The management service security group allows access to the management service API over HTTPS. If you have a bastion host configured, inbound connections from the bastion security group are allowed.

If you create a GKE on AWS environment into an existing AWS VPC, you must have a security group that allows the following connections.

Type     | Protocol | Port | Address         | Description
---------|----------|------|-----------------|------------------------------------------------------------------------
Inbound  | TCP      | 443  | VPC CIDR        | Allow HTTPS from the AWS VPC.
Inbound  | TCP      | 22   | Bastion host SG | Allow SSH tunneling from the bastion host (included in dedicated VPC only).
Outbound | TCP      | 80   | 0.0.0.0/0       | Allow outbound HTTP.
Outbound | TCP      | 443  | 0.0.0.0/0       | Allow outbound HTTPS.

Outbound domain access

The management service requires outbound access to the following domains.

  • gkeconnect.googleapis.com
  • gkehub.googleapis.com
  • oauth2.googleapis.com
  • storage.googleapis.com
  • www.googleapis.com
  • gcr.io
  • k8s.gcr.io
  • EC2-REGION.ec2.archive.ubuntu.com

Replace EC2-REGION with the AWS EC2 region where your GKE on AWS installation runs. For example, us-west-1.ec2.archive.ubuntu.com/.

If you are using Cloud Service Mesh with Prometheus and Kiali, also allow outbound access to the following domains:

  • docker.io
  • quay.io

Bastion host security group (optional)

You use the connections allowed by the bastion host security group to connect to your GKE on AWS management service and user clusters. This group is optional and is only included if you use anthos-gke to create a GKE on AWS installation in a dedicated VPC.

Type     | Protocol | Port | Address                                                                           | Description
---------|----------|------|-----------------------------------------------------------------------------------|----------------------------
Inbound  | TCP      | 22   | CIDR block from bastionAllowedSSHCIDRBlocks in the AWSManagementService configuration | Allow SSH to bastion host.
Outbound | TCP      | 22   | 0.0.0.0/0                                                                         | Allow outbound SSH.
Outbound | TCP      | 80   | 0.0.0.0/0                                                                         | Allow outbound HTTP.
Outbound | TCP      | 443  | 0.0.0.0/0                                                                         | Allow outbound HTTPS.

Control plane security group

The control plane security group allows connections between control plane nodes and the management service, and between control plane nodes and node pools.

The control plane consists of three EC2 instances behind an AWS Network Load Balancer (NLB). These instances accept connections from etcd instances on other nodes, node pool nodes, and the NLB. In order to update GKE on AWS components, all outbound HTTP/HTTPS traffic is allowed.

You specify the security group IDs in your AWSCluster definition.

Type     | Protocol | Port  | Address            | Description
---------|----------|-------|--------------------|---------------------------------------------------------------------------
Inbound  | TCP      | 2380  | This SG            | Allow control plane etcd replication.
Inbound  | TCP      | 2381  | This SG            | Allow control plane etcd event replication.
Inbound  | TCP      | 443   | Node pool SG       | Allow HTTPS from node pool nodes.
Inbound  | TCP      | 443   | AWS VPC CIDR range | Allow HTTPS from load balancer and management service.
Inbound  | TCP      | 11872 | AWS VPC CIDR range | HTTP health check for load balancer.
Outbound | TCP      | 22    | Node pool SG       | Allow SSH tunneling to node pools (for clusters v1.20 and lower).
Inbound  | TCP      | 8132  | Node pool SG       | Allow Konnectivity connection from node pools (for clusters v1.21 and higher).
Outbound | TCP      | 80    | 0.0.0.0/0          | Allow outbound HTTP.
Outbound | TCP      | 443   | 0.0.0.0/0          | Allow outbound HTTPS.
Outbound | TCP      | 2380  | This SG            | Allow control plane etcd replication.
Outbound | TCP      | 2381  | This SG            | Allow control plane etcd event replication.
Outbound | TCP      | 10250 | Node pool SG       | Allow connections from the control plane to Kubelet.
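As an added example (not part of this documentation or of anthos-gke), the following Python audits a security group in the shape returned by the AWS describe-security-groups API against the control plane rule table above, reporting any required rule that is missing and any inbound rule that is open to the whole internet. The security group IDs and VPC CIDR it uses are constructed placeholders, and rules that reference a security group are only recognised when they name that group explicitly.

```python
from ipaddress import ip_network

# Required control plane rules from the table: (direction, port, source kind).
# Source kinds: "self" (this SG), "node_pool" (node pool SG), "vpc" (VPC CIDR), "any".
REQUIRED = [
    ("in", 2380, "self"), ("in", 2381, "self"), ("in", 443, "node_pool"),
    ("in", 443, "vpc"), ("in", 11872, "vpc"), ("in", 8132, "node_pool"),
    ("out", 80, "any"), ("out", 443, "any"), ("out", 2380, "self"),
    ("out", 2381, "self"), ("out", 10250, "node_pool"),
]

def covers(perm, port, source, ctx):
    """True if one IpPermission entry (describe-security-groups shape) allows TCP `port` for `source`."""
    if perm["IpProtocol"] not in ("tcp", "-1"):
        return False
    if not perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535):
        return False
    if source in ("self", "node_pool"):  # SG-referenced rules must name the SG explicitly
        return any(g["GroupId"] == ctx[source] for g in perm.get("UserIdGroupPairs", []))
    want = ip_network("0.0.0.0/0" if source == "any" else ctx["vpc"])
    return any(ip_network(r["CidrIp"]).supernet_of(want) for r in perm.get("IpRanges", []))

def audit(sg, ctx):
    """Return the required rules the SG lacks, plus inbound rules open to 0.0.0.0/0."""
    perms = {"in": sg["IpPermissions"], "out": sg["IpPermissionsEgress"]}
    missing = [r for r in REQUIRED if not any(covers(p, r[1], r[2], ctx) for p in perms[r[0]])]
    open_inbound = [(p["IpProtocol"], p.get("FromPort"), p.get("ToPort")) for p in perms["in"]
                    if any(r["CidrIp"] == "0.0.0.0/0" for r in p.get("IpRanges", []))]
    return {"missing": missing, "open_inbound": open_inbound}

# Constructed sample: the SG IDs and VPC CIDR are placeholders, not values from a real account.
CTX = {"self": "sg-0cp", "node_pool": "sg-0np", "vpc": "10.0.0.0/16"}
SAMPLE_SG = {
    "GroupId": "sg-0cp",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 2380, "ToPort": 2381, "UserIdGroupPairs": [{"GroupId": "sg-0cp"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "10.0.0.0/16"}],
         "UserIdGroupPairs": [{"GroupId": "sg-0np"}]},
        {"IpProtocol": "tcp", "FromPort": 11872, "ToPort": 11872, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},  # too broad
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},  # covers outbound 80/443
        {"IpProtocol": "tcp", "FromPort": 2380, "ToPort": 2381, "UserIdGroupPairs": [{"GroupId": "sg-0cp"}]},
        {"IpProtocol": "tcp", "FromPort": 10250, "ToPort": 10250, "UserIdGroupPairs": [{"GroupId": "sg-0np"}]},
    ],
}
```

Calling audit(SAMPLE_SG, CTX) on this sample reports the missing Konnectivity rule (inbound 8132 from the node pool SG) and flags the SSH rule open to 0.0.0.0/0.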

Node pool security group

The node pool security group allows connections from the control plane and from other nodes. You specify the security group IDs in your AWSNodePool definitions.

Type     | Protocol | Port  | Address          | Description
---------|----------|-------|------------------|---------------------------------------------------------------------------
Inbound  | TCP      | All   | This SG          | Allow pod-to-pod communication.
Inbound  | TCP      | 22    | Control plane SG | Allow SSH tunnelling from the control plane (for clusters v1.20 and lower).
Outbound | TCP      | 8132  | Control plane SG | Allow Konnectivity connections to the control plane (for clusters v1.21 and higher).
Inbound  | TCP      | 443   | Control plane SG | Allow connections from the control plane to Kubelet.
Inbound  | TCP      | 10250 | Control plane SG | Allow connections from the control plane to Kubelet.
Outbound | TCP      | All   | This SG          | Allow pod-to-pod communication.
Outbound | TCP      | 80    | 0.0.0.0/0        | Allow outbound HTTP.
Outbound | TCP      | 443   | 0.0.0.0/0        | Allow outbound HTTPS.