In this topic, you configure an existing AWS Virtual Private Cloud (VPC) with public and private subnets and run anthos-gke to complete the installation of a management service.
Before you begin
To complete the following steps, you need the following:
- AWS IAM permissions as described in Requirements.
- An existing AWS VPC with:
  - At least one public subnet.
  - At least one private subnet.
  - An internet gateway with a route to the public subnet.
  - A NAT gateway with a route to the private subnet.
  - DNS hostnames enabled.
  For more information on configuring your AWS VPC, see VPC with public and private subnets.
- Your existing VPC's public and private subnet IDs. For example,
- A chosen or newly created AWS security group that allows SSH (port 22) inbound from the security groups or IP ranges from which you will manage your GKE on AWS clusters.
Creating the workspace
Create a file named anthos-gke.yaml in a text editor. Paste the following contents into the file.

apiVersion: multicloud.cluster.gke.io/v1
kind: AWSManagementService
metadata:
  name: management
spec:
  version: aws-1.5.0-gke.6
  region: AWS_REGION
  authentication:
    awsIAM:
      adminIdentityARNs:
      - ADMIN_AWS_IAM_ARN
  kmsKeyARN: KMS_KEY_ARN
  databaseEncryption:
    kmsKeyARN: DATABASE_KMS_KEY_ARN
  securityGroupIDs:
  - SECURITY_GROUP_IDS
  googleCloud:
    projectID: GCP_PROJECT_ID
    serviceAccountKeys:
      managementService: MANAGEMENT_KEY_PATH
      connectAgent: HUB_KEY_PATH
      node: NODE_KEY_PATH
  existingVPC:
    subnetID: VPC_SUBNET_ID
    allowedSSHSecurityGroupIDs:
    - SSH_SECURITY_GROUP
  # Optional
  bastionHost:
    subnetID: BASTION_HOST_SUBNET_ID
    allowedSSHCIDRBlocks:
    - SSH_CIDR_BLOCK
  proxy: PROXY_JSON_FILE
Replace the following values:
- AWS_REGION with the AWS region to run your cluster in.
- ADMIN_AWS_IAM_ARN with the Amazon Resource Name of the admin AWS IAM key.
- KMS_KEY_ARN with the Amazon Resource Name of the AWS KMS key that secures your management service's data when the management service is created.
- DATABASE_KMS_KEY_ARN with the Amazon Resource Name of the AWS KMS key that
- SECURITY_GROUP_IDS with additional security group IDs allowed access to your management service VMs.
- GCP_PROJECT_ID with the Google Cloud project that hosts your Anthos environment.
- MANAGEMENT_KEY_PATH with the location of your Google Cloud management service account key.
- HUB_KEY_PATH with the location of your Google Cloud Connect service account key.
- NODE_KEY_PATH with the location of your GKE on AWS node service account key.
- VPC_SUBNET_ID with the subnet ID where the management service runs.
- SSH_SECURITY_GROUP with the list of security group IDs allowed SSH access within the management service instances.
- BASTION_HOST_SUBNET_ID with the subnet ID where the bastion host runs. Make sure VPC_SUBNET_ID allows inbound connections from BASTION_HOST_SUBNET_ID.
- SSH_CIDR_BLOCK with the CIDR block that your bastion host allows inbound SSH connections from. For example, 203.0.113.0/24. If you want to allow SSH from any IP address, use
- PROXY_JSON_FILE with the relative path of the proxy configuration file.
Run anthos-gke aws management init to create configuration files:
anthos-gke aws management init
Run anthos-gke aws management apply to create the cluster:
anthos-gke aws management apply
The anthos-gke aws management apply command might take up to ten minutes to complete. When anthos-gke finishes, your management service runs on AWS.
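Before running apply, it is worth scanning the filled-in anthos-gke.yaml for the mistakes that are hardest to undo later. The following is an added example, not part of this page or of the anthos-gke tool: a line-based pre-flight check that assumes the file layout shown above and flags unreplaced template placeholders, a KMS key ARN whose region differs from spec.region, and a bastion SSH CIDR block of 0.0.0.0/0. The sample configuration it scans is constructed for the example.

```python
import re
from ipaddress import ip_network

# Constructed sample: an abridged, filled-in anthos-gke.yaml with three deliberate
# problems: KMS key outside the cluster region, a leftover placeholder, SSH from 0.0.0.0/0.
SAMPLE = """\
apiVersion: multicloud.cluster.gke.io/v1
kind: AWSManagementService
spec:
  region: us-east-1
  kmsKeyARN: arn:aws:kms:us-west-2:123456789012:key/11111111-2222-3333-4444-555555555555
  databaseEncryption:
    kmsKeyARN: DATABASE_KMS_KEY_ARN
  bastionHost:
    allowedSSHCIDRBlocks:
    - 0.0.0.0/0
"""

# An UPPER_CASE token standing alone as a value is an unreplaced template placeholder.
PLACEHOLDER = re.compile(r"^\s*(?:-\s+|\w+:\s+)([A-Z][A-Z0-9_]{3,})\s*$")
KMS_ARN = re.compile(r"^arn:aws:kms:([a-z0-9-]+):\d{12}:key/[0-9a-f-]{36}$")

def preflight(text):
    # Returns a list of findings; an empty list means the file passed every check.
    findings, region, section = [], None, None
    for line in text.splitlines():
        s = line.strip()
        m = PLACEHOLDER.match(line)
        if m:
            findings.append(f"placeholder not replaced: {m.group(1)}")
            continue
        key, _, value = (p.strip() for p in s.partition(":"))
        if s.endswith(":"):                 # opens a nested mapping or list
            section = key
        elif key == "region":
            region = value
        elif key == "kmsKeyARN":            # both the service key and the database key
            k = KMS_ARN.match(value)
            if not k:
                findings.append(f"malformed KMS key ARN: {value}")
            elif region and k.group(1) != region:
                findings.append(f"KMS key region {k.group(1)} != cluster region {region}")
        elif section == "allowedSSHCIDRBlocks" and s.startswith("- "):
            if ip_network(s[2:].strip(), strict=False).prefixlen == 0:
                findings.append(f"bastion SSH open to the whole internet: {s[2:].strip()}")
    return findings
```

Run preflight on your own file's contents and fix every finding before anthos-gke aws management apply; a key in the wrong region or an open SSH block is far cheaper to correct in the YAML than on a running management service.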
Tag your subnets with your cluster name
If you are using existing AWS subnets with GKE on AWS and want to create load balancers, you need to tag your VPC and subnets with your management service's name. If you created your VPC with anthos-gke or have already tagged your subnets, skip this step.
To tag your subnets, perform the following steps:
Change to the directory with your GKE on AWS configuration. You created this directory when Installing the management service.
Export your cluster ID as the environment variable CLUSTER_ID:
export CLUSTER_ID=$(terraform output cluster_id)
Export your AWS VPC ID as the environment variable VPC_ID:
export VPC_ID=$(terraform output vpc_id)
Get your private subnet IDs with the aws command-line tool:
aws ec2 describe-subnets \
  --filters "Name=vpc-id,Values=$VPC_ID" "Name=tag:Name,Values=*private*" \
  --query "Subnets[*].SubnetId" \
  --output text
Tag your subnets with your cluster ID. Run the following command for each of your subnets:
aws ec2 create-tags \
  --resources SUBNET_IDS \
  --tags Key=gke:multicloud:cluster-id,Value=$CLUSTER_ID
Replace SUBNET_IDS with the list of subnet IDs, separated by spaces. For example, subnet-012345678abcdef subnet-abcdef123456789 subnet-123456789abcdef.
Connecting to the management service
The documentation for GKE on AWS assumes that you use an SSH tunnel on localhost port 8118 to access your cluster. If you use another type of connection to your VPC, such as a direct interconnect, VPN, or other method, you can remove the line env HTTP_PROXY=http://localhost:8118 from commands.
Your kubeconfig is used for authentication. Use anthos-gke to append credentials to your configuration stored in
anthos-gke aws management get-credentials
Check that you're able to connect to the management service with kubectl:
env HTTP_PROXY=http://localhost:8118 \
  kubectl cluster-info
Use terraform to generate a script that opens an SSH tunnel to the bastion host:
terraform output bastion_tunnel > bastion-tunnel.sh
chmod 755 bastion-tunnel.sh
Terraform creates the bastion-tunnel.sh script that references the bastion host's SSH key at
To open the tunnel, run the bastion-tunnel.sh script. The tunnel forwards from localhost:8118 to the bastion host.
To open a tunnel to the bastion host, run the following command:
./bastion-tunnel.sh
Messages from the SSH tunnel appear in this window. When you are ready to close the connection, stop the process by using Control+C or closing the window.
Change to the directory with your GKE on AWS configuration.