This documentation is for the most recent version of Anthos clusters on AWS, released on September 29th. See the Release notes for more information. For documentation on the previous generation of Anthos clusters on AWS, see Previous generation.

Security groups for Anthos clusters on AWS


This topic explains how Anthos clusters on AWS manages the AWS security group rules for a cluster, and how to add firewall rules for node pools and control plane replicas without touching the managed groups.

Security groups and hosted DNS

If you use a hosted DNS server instead of the AWS-provided DNS, the control plane and node pool security groups must allow outbound traffic to that server on TCP and UDP port 53. The managed groups only allow outbound TCP 443 by default and should not be edited, so put the port 53 rule in an additional security group that you attach to the control plane and to each node pool.

Control plane security groups

The control plane security groups define the firewall rules for inbound and outbound TCP traffic for each control plane replica.

The control plane consists of three EC2 instances behind an AWS Network Load Balancer (NLB). These instances accept connections from etcd on the other control plane replicas, from node pool nodes, and from the NLB health checks. Control plane instances also make outbound HTTPS connections to Google and AWS services.

Anthos clusters on AWS creates and attaches a managed control plane security group to all control plane instances. You should not modify the rules in this group. If you need to add more security group rules, you can instead specify additional security group IDs to attach to the control plane when you Create a cluster.

Default control plane security group rules

These are the default rules Anthos clusters on AWS attaches to the control plane. These rules will not match your security groups exactly; each row in the table might expand to multiple AWS security group rules.

| Type | Protocol | Port | Address ranges or SG | Description |
|---|---|---|---|---|
| Inbound | TCP | 443 | VPC primary CIDR range | Allow HTTPS from node pool nodes |
| Inbound | TCP | 2380 | Control plane SG | Allow control plane etcd replication |
| Inbound | TCP | 2381 | Control plane SG | Allow control plane etcd event replication |
| Inbound | TCP | 8132 | VPC primary CIDR range | Allow Konnectivity connections from node pools |
| Inbound | TCP | 11872 | Control plane CIDR ranges | HTTP health check for load balancer |
| Outbound | TCP | 443 | 0.0.0.0/0 | Allow outbound HTTPS |
| Outbound | TCP | 2380 | Control plane SG | Allow control plane etcd replication |
| Outbound | TCP | 2381 | Control plane SG | Allow control plane etcd event replication |

Node pool security groups

The node pool security groups define the firewall rules for inbound and outbound TCP traffic for the VMs in node pools.

Anthos clusters on AWS creates and attaches a managed node pool security group to all node pool instances. You should not modify the rules in this group. If you need to add more security group rules, you can instead specify additional security group IDs to attach to instances when you Create a node pool.

By default, node pool VMs accept inbound traffic only from other members of the managed node pool security group (pod-to-pod traffic); no port is open to any other source. To allow other incoming traffic, attach an additional security group when creating the node pool and manage the desired inbound and outbound rules in that group rather than in the managed one.

Default node pool security group rules

These are the default rules Anthos clusters on AWS attaches to node pools. These rules will not match your security groups exactly; each row in the table might expand to multiple AWS security group rules.

| Type | Protocol | Port | Address range or SG | Description |
|---|---|---|---|---|
| Inbound | TCP | All | Node pool SG | Allow pod-to-pod communication |
| Outbound | TCP | All | Node pool SG | Allow pod-to-pod communication |
| Outbound | TCP | 443 | 0.0.0.0/0 | Allow outbound HTTPS |
| Outbound | TCP | 8132 | Control plane SG | Allow Konnectivity connections to the control plane |
| Outbound | TCP | 8132 | Control plane CIDR ranges | Allow Konnectivity connections to the control plane |

Node pools in VPC Secondary CIDR blocks

The managed control plane security group only allows inbound TCP 443 and TCP 8132 from the VPC primary CIDR range. Anthos clusters on AWS does not create rules for node pools whose subnets are in a secondary VPC CIDR block, so nodes in such subnets cannot reach the API server or open Konnectivity tunnels until you add those rules yourself.

To work around this limitation, create a custom security group for your control plane. You pass the security group ID when creating a cluster using the --security-group-ids flag. Alternatively, you can Update your cluster's security groups.

Create the security group with the following rules:

| Type | Protocol | Port | Address ranges or SG | Description |
|---|---|---|---|---|
| Inbound | TCP | 443 | Node pool ranges (in VPC secondary CIDR blocks) | Allow HTTPS from node pool nodes |
| Inbound | TCP | 8132 | Node pool ranges (in VPC secondary CIDR blocks) | Allow Konnectivity connections from node pools |
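Before attaching an additional security group, it is worth checking which of the flows above are actually missing for a given set of node pool subnets or a hosted DNS resolver. The following is an added example, not part of the Anthos clusters on AWS documentation or tooling: it audits a security group in the JSON shape that `aws ec2 describe-security-groups` returns (`IpPermissions` / `IpPermissionsEgress`) against the node pool flows from the table above and the hosted DNS flows from the earlier section, and emits the `IpPermissions` list you would pass to `aws ec2 authorize-security-group-ingress` or `authorize-security-group-egress --ip-permissions` for the group you add with `--security-group-ids`. The security group, the secondary CIDR ranges and the resolver address in the sample are constructed for the demonstration.

```python
"""Audit a control plane security group for the flows Anthos clusters on AWS needs.

Added example (not Anthos tooling). Input is the describe-security-groups
rule shape; the sample group below is constructed for the demonstration.
"""
import ipaddress
import json
from typing import Dict, Iterable, List, Tuple

Flow = Tuple[str, str, int, str]  # (direction, protocol, port, description)

# Flows a node pool in a secondary CIDR block needs to the control plane (page table).
CONTROL_PLANE_INBOUND_FROM_NODE_POOLS: List[Flow] = [
    ("inbound", "tcp", 443, "Allow HTTPS from node pool nodes"),
    ("inbound", "tcp", 8132, "Allow Konnectivity connections from node pools"),
]
# Flows needed when a hosted DNS server replaces the AWS-provided DNS.
HOSTED_DNS_OUTBOUND: List[Flow] = [
    ("outbound", "tcp", 53, "Allow DNS to hosted resolver"),
    ("outbound", "udp", 53, "Allow DNS to hosted resolver"),
]


def _covers(perm: Dict, proto: str, port: int, cidr: str) -> bool:
    """True if one IpPermission entry allows proto/port for every address in cidr.

    Only CIDR grants are evaluated. A grant by security-group reference
    (UserIdGroupPairs) cannot be resolved to addresses without instance
    membership, so it is conservatively treated as not covering the CIDR.
    """
    if perm.get("IpProtocol") not in ("-1", proto):
        return False
    if perm.get("IpProtocol") != "-1":  # "-1" means all protocols and ports
        if not perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535):
            return False
    want = ipaddress.ip_network(cidr)
    return any(want.subnet_of(ipaddress.ip_network(r["CidrIp"]))
               for r in perm.get("IpRanges", []))


def missing_flows(sg: Dict, required: Iterable[Flow], cidrs: Iterable[str]) -> List[Dict]:
    """Return every (flow, cidr) pair that the group does not allow."""
    missing = []
    for direction, proto, port, desc in required:
        perms = sg["IpPermissions"] if direction == "inbound" else sg["IpPermissionsEgress"]
        for cidr in cidrs:
            if not any(_covers(p, proto, port, cidr) for p in perms):
                missing.append({"direction": direction, "IpProtocol": proto,
                                "FromPort": port, "ToPort": port,
                                "CidrIp": cidr, "Description": desc})
    return missing


def to_ip_permissions(missing: Iterable[Dict]) -> Dict[str, List[Dict]]:
    """Group missing flows into --ip-permissions lists, one per direction
    (ingress and egress are separate authorize-security-group-* calls)."""
    grouped: Dict[str, Dict[tuple, Dict]] = {"inbound": {}, "outbound": {}}
    for m in missing:
        key = (m["IpProtocol"], m["FromPort"], m["ToPort"])
        entry = grouped[m["direction"]].setdefault(
            key, {"IpProtocol": key[0], "FromPort": key[1], "ToPort": key[2], "IpRanges": []})
        entry["IpRanges"].append({"CidrIp": m["CidrIp"], "Description": m["Description"]})
    return {d: list(v.values()) for d, v in grouped.items()}


# Constructed sample: a managed control plane group in a VPC whose primary
# CIDR is 10.0.0.0/16, with the page's default rules. Group ID is a placeholder.
SAMPLE_CONTROL_PLANE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 8132, "ToPort": 8132,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 2380, "ToPort": 2381, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef0"}]},
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ],
}


def audit_example() -> Dict[str, List[Dict]]:
    """Audit the sample group for node pools in a secondary CIDR block (assumed
    100.64.0.0/20 and 100.64.16.0/20) and a hosted resolver at 10.0.0.53."""
    missing = missing_flows(SAMPLE_CONTROL_PLANE_SG, CONTROL_PLANE_INBOUND_FROM_NODE_POOLS,
                            ["100.64.0.0/20", "100.64.16.0/20"])
    missing += missing_flows(SAMPLE_CONTROL_PLANE_SG, HOSTED_DNS_OUTBOUND, ["10.0.0.53/32"])
    return to_ip_permissions(missing)


if __name__ == "__main__":
    # Paste each list into the matching aws ec2 authorize-security-group-* call
    # for the additional group, never into the managed group itself.
    print(json.dumps(audit_example(), indent=2))
```

A node pool subnet inside the primary CIDR (for example 10.0.1.0/24) produces no missing flows, which is the behaviour the managed group is designed for; only the secondary-block subnets and the port 53 egress come back as rules to add. Note the conservative handling of security-group references: the etcd rules granted to "Control plane SG" are skipped rather than evaluated, so the audit never reports a CIDR as covered on the strength of a group membership it cannot see.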
