This topic explains how GKE on AWS manages the AWS security group rules for a cluster, and how to modify the firewall rules for node pools and control plane replicas.
Security groups and hosted DNS
If you use a hosted DNS server instead of the AWS-provided DNS, your control plane and node pool security groups must allow outbound traffic on TCP and UDP port 53.
Control plane security groups
The control plane security groups define the firewall rules for inbound and outbound TCP traffic for each control plane replica.
The control plane consists of three EC2 instances behind an AWS Network Load Balancer (NLB). These instances accept connections from etcd on the other control plane replicas, from node pool nodes, and from the NLB's health checks. Control plane instances also make outbound HTTPS connections to Google and AWS services.
GKE on AWS creates and attaches a managed control plane security group to all control plane instances. You should not modify the rules in this group. If you need to add more security group rules, you can instead specify additional security group IDs to attach to the control plane when you Create a cluster.
Default control plane security group rules
These are the default rules GKE on AWS attaches to the control plane. These rules will not match your security groups exactly; each row in the table might expand to multiple AWS security group rules.
Type | Protocol | Port | Address ranges or SG | Description |
---|---|---|---|---|
Inbound | TCP (cluster version < 1.26) | 443 | VPC Primary CIDR range | Allow HTTPS from node pool nodes |
Inbound | TCP (cluster version >= 1.26) | 443 | Subnet CIDR range of node pool | Allow HTTPS from node pool nodes (one rule per subnet used by node pools) |
Inbound | TCP | 2380 | Control plane SG | Allow control plane etcd replication |
Inbound | TCP | 2381 | Control plane SG | Allow control plane etcd event replication |
Inbound | TCP (cluster version < 1.26) | 8132 | VPC Primary CIDR range | Allow Konnectivity connections from node pools |
Inbound | TCP (cluster version >= 1.26) | 8132 | Subnet CIDR range of node pool | Allow Konnectivity connections from node pool nodes (one rule per subnet used by node pools) |
Inbound | TCP | 11872 | Control plane CIDR ranges | HTTP health check for load balancer |
Outbound | TCP | 443 | 0.0.0.0/0 | Allow outbound HTTPS |
Outbound | TCP | 2380 | Control plane SG | Allow control plane etcd replication |
Outbound | TCP | 2381 | Control plane SG | Allow control plane etcd event replication |
Node pool security groups
The node pool security groups define the firewall rules for inbound and outbound TCP traffic for the VMs in node pools.
GKE on AWS creates and attaches a managed node pool security group to all node pool instances. You should not modify the rules in this group. If you need to add more security group rules, you can instead specify additional security group IDs to attach to instances when you Create a node pool.
By default, node pool VMs accept no inbound traffic from outside the node pool security group. To allow incoming traffic from elsewhere, add your own security group when creating the node pool, and manage the inbound and outbound rules you need through that security group.
Default node pool security group rules
These are the default rules GKE on AWS attaches to node pools. These rules will not match your security groups exactly; each row in the table might expand to multiple AWS security group rules.
Type | Protocol | Port | Address range or SG | Description |
---|---|---|---|---|
Inbound | TCP | All | Node pool SG | Allow pod-to-pod communication |
Outbound | TCP | All | Node pool SG | Allow pod-to-pod communication |
Outbound | TCP | 443 | 0.0.0.0/0 | Allow outbound HTTPS |
Outbound | TCP | 8132 | Control plane SG | Allow Konnectivity connections to the control plane |
Outbound | TCP | 8132 | Control plane CIDR ranges | Allow Konnectivity connections to the control plane |
Node pools in VPC Secondary CIDR blocks
GKE on AWS version 1.26 and later automatically creates and manages the necessary security group rules to support node pools using subnets in secondary VPC CIDR blocks. If you're using one of these versions, you don't need to create custom security groups or update them manually.
Earlier versions of GKE on AWS only allow HTTPS and Konnectivity traffic into the managed control plane security group from the VPC primary CIDR range, so node pool nodes in subnets of a secondary VPC CIDR block cannot reach the control plane.
To work around this limitation, create a custom security group for your control plane. You pass the security group ID when creating a cluster using the --security-group-ids flag. Alternatively, you can Update your cluster's security groups.
Create the security group with the following rules:
Type | Protocol | Port | Address ranges or SG | Description |
---|---|---|---|---|
Inbound | TCP | 443 | Node pool ranges (in VPC secondary CIDR blocks) | Allow HTTPS from node pool nodes |
Inbound | TCP | 8132 | Node pool ranges (in VPC secondary CIDR blocks) | Allow Konnectivity connections from node pools |
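The following is an added example, not code from the GKE on AWS documentation or product. It models the default control plane rules from the table above, the workaround rules for node pools in secondary VPC CIDR blocks, and the hosted DNS egress requirement in the IpPermissions shape used by the EC2 API (`describe-security-groups` returns it; `authorize-security-group-ingress` accepts it), then evaluates offline whether a given node pool subnet can reach the control plane on 443 and 8132. All CIDRs and security group IDs are constructed placeholders, and the version cutoff is taken from the table (rules keyed to the VPC primary CIDR before 1.26, per-subnet rules from 1.26 on). Because security group rules are additive, the evaluator treats a source as allowed only when its whole CIDR falls inside some rule's range; the `drift` helper shows how to spot hand edits to the managed group, which the page says not to modify.

```python
"""Offline evaluator for GKE on AWS security group rules (added example)."""
import ipaddress

# Constructed placeholders; not real identifiers.
VPC_PRIMARY_CIDR = "10.0.0.0/16"
NODE_POOL_SUBNETS = ["10.0.1.0/24", "100.64.1.0/24"]  # second is in a secondary VPC CIDR block
CONTROL_PLANE_CIDRS = ["10.0.100.0/24"]
CONTROL_PLANE_SG = "sg-0controlplane"
HOSTED_DNS_CIDR = "10.0.200.0/24"


def perm(proto, port, cidr=None, sg=None):
    """One EC2 IpPermission entry with a single CIDR or security group source."""
    p = {"IpProtocol": proto, "IpRanges": [], "UserIdGroupPairs": []}
    if port is not None:
        p["FromPort"] = p["ToPort"] = port
    if cidr:
        p["IpRanges"].append({"CidrIp": cidr})
    if sg:
        p["UserIdGroupPairs"].append({"GroupId": sg})
    return p


def managed_control_plane_ingress(version):
    """Default inbound rules from the control plane table. Before 1.26 the HTTPS and
    Konnectivity sources are the VPC primary CIDR; from 1.26 on there is one rule per
    node pool subnet. Etcd (2380/2381) is SG-to-SG; 11872 is the NLB health check."""
    node_sources = [VPC_PRIMARY_CIDR] if version < (1, 26) else NODE_POOL_SUBNETS
    rules = [perm("tcp", p, cidr=c) for c in node_sources for p in (443, 8132)]
    rules += [perm("tcp", p, sg=CONTROL_PLANE_SG) for p in (2380, 2381)]
    rules += [perm("tcp", 11872, cidr=c) for c in CONTROL_PLANE_CIDRS]
    return rules


def managed_control_plane_egress():
    """Default outbound rules: HTTPS anywhere plus etcd replication within the SG."""
    return [perm("tcp", 443, cidr="0.0.0.0/0")] + \
        [perm("tcp", p, sg=CONTROL_PLANE_SG) for p in (2380, 2381)]


def secondary_cidr_workaround_ingress(node_pool_ranges):
    """Rules for the custom control plane SG from the workaround table."""
    return [perm("tcp", p, cidr=c) for c in node_pool_ranges for p in (443, 8132)]


def hosted_dns_egress(dns_cidr):
    """Outbound TCP and UDP 53, required when a hosted DNS server is used."""
    return [perm(proto, 53, cidr=dns_cidr) for proto in ("tcp", "udp")]


def allows(rules, proto, port, cidr=None, sg=None):
    """True if any rule covers proto/port for the whole CIDR (or for the SG).
    A CIDR only partly inside a rule's range counts as not allowed."""
    net = ipaddress.ip_network(cidr) if cidr else None
    for r in rules:
        if r["IpProtocol"] not in ("-1", proto):
            continue
        if "FromPort" in r and not r["FromPort"] <= port <= r["ToPort"]:
            continue
        if net and any(net.subnet_of(ipaddress.ip_network(x["CidrIp"])) for x in r["IpRanges"]):
            return True
        if sg and any(g["GroupId"] == sg for g in r["UserIdGroupPairs"]):
            return True
    return False


def unreachable_subnets(version, extra_ingress=()):
    """Node pool subnets that cannot reach the control plane on both 443 and 8132,
    given the managed rules plus any additional control plane security group rules."""
    rules = managed_control_plane_ingress(version) + list(extra_ingress)
    return [s for s in NODE_POOL_SUBNETS
            if not all(allows(rules, "tcp", p, cidr=s) for p in (443, 8132))]


def rule_keys(rules):
    """Order-independent view of a rule set, one key per (proto, ports, source)."""
    keys = set()
    for r in rules:
        ports = (r.get("FromPort"), r.get("ToPort"))
        for x in r["IpRanges"]:
            keys.add((r["IpProtocol"], ports, "cidr", x["CidrIp"]))
        for g in r["UserIdGroupPairs"]:
            keys.add((r["IpProtocol"], ports, "sg", g["GroupId"]))
    return keys


def drift(actual, expected):
    """(added, missing) rule keys of the actual group relative to the managed set."""
    a, e = rule_keys(actual), rule_keys(expected)
    return a - e, e - a


if __name__ == "__main__":
    print("pre-1.26 unreachable:", unreachable_subnets((1, 25)))
    print("pre-1.26 + workaround SG unreachable:",
          unreachable_subnets((1, 25), secondary_cidr_workaround_ingress(["100.64.0.0/16"])))
    print("1.26+ unreachable:", unreachable_subnets((1, 26)))
    print("UDP 53 egress by default:", allows(managed_control_plane_egress(), "udp", 53, cidr=HOSTED_DNS_CIDR))
```

To check a real cluster, replace the constructed rule lists with the `IpPermissions` and `IpPermissionsEgress` fields from `aws ec2 describe-security-groups --group-ids <id>` and feed them to `allows` and `drift`.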