This topic explains the AWS security groups (SG) you need for GKE on AWS.
If you
Install a management service or
Use an existing AWS VPC,
anthos-gke creates security groups for you. You can configure your
AWSCluster and
AWSNodePool CRDs with a list of additional
security group IDs.
The following diagram outlines how GKE on AWS uses security groups to connect to Google Cloud and AWS services.
Management service security group
The management service security group allows access to the management service API with HTTPS. If you have a bastion host configured, Inbound from the bastion security group is allowed.
If you create a GKE on AWS environment into an existing AWS VPC, you must have a security group that allows the following connections.
| Type | Protocol | Port | Address | Description |
|---|---|---|---|---|
| Inbound | TCP | 443 | VPC CIDR | Allow HTTPS from the AWS VPC. |
| Inbound | TCP | 22 | Bastion host SG | Allow SSH tunneling from the bastion host (included in dedicated VPC only). |
| Outbound | TCP | 80 | 0.0.0.0/0 | Allow outbound HTTP. |
| Outbound | TCP | 443 | 0.0.0.0/0 | Allow outbound HTTPS. |
Outbound domain access
The management service requires outbound access to the following domains.
gkeconnect.googleapis.comgkehub.googleapis.comoauth2.googleapis.comstorage.googleapis.comwww.googleapis.comgcr.iok8s.gcr.ioEC2-REGION.ec2.archive.ubuntu.com
Replace EC2-REGION with the AWS EC2 region where your
GKE on AWS installation runs. For example,
us-west-1.ec2.archive.ubuntu.com/.
If you are using Cloud Service Mesh with Prometheus and Kiali, allow outbound access from the following domains:
docker.ioquay.io
Bastion host security group (optional)
You use the bastion host security group connections allowed by his group to
connect into your GKE on AWS management service and user
clusters. This group is optional and only included if you use anthos-gke to
create a GKE on AWS installation in a
dedicated VPC.
| Type | Protocol | Port | Address | Description |
|---|---|---|---|---|
| Inbound | TCP | 22 | CIDR block from bastionAllowedSSHCIDRBlocks in the
AWSManagementService
configuration. |
Allow SSH to bastion host. |
| Outbound | TCP | 22 | 0.0.0.0/0 | Allow outbound SSH. |
| Outbound | TCP | 80 | 0.0.0.0/0 | Allow outbound HTTP. |
| Outbound | TCP | 443 | 0.0.0.0/0 | Allow outbound HTTPS. |
Control plane security group
The control plane security group allows connections between control plane nodes and the management service, and between control plane nodes and node pools.
The control plane consists of three EC2 instances behind an AWS Network Load Balancer (NLB). These instances accept connections from etcd instances on other nodes, node pool nodes, and the NLB. In order to update GKE on AWS components, all outbound HTTP/HTTPS traffic is allowed.
You specify the security group IDs in your AWSCluster definition.
| Type | Protocol | Port | Address | Description |
|---|---|---|---|---|
| Inbound | TCP | 2380 | This SG | Allow control plane etcd replication. |
| Inbound | TCP | 2381 | This SG | Allow control plane etcd event replication. |
| Inbound | TCP | 443 | Node pool SG | Allow HTTPS from node pool nodes. |
| Inbound | TCP | 443 | AWS VPC CIDR range | Allow HTTPS from load balancer and management service. |
| Inbound | TCP | 11872 | AWS VPC CIDR range | HTTP health check for load balancer. |
| Outbound | TCP | 22 | Node pool SG | Allow SSH tunneling to node pools (for clusters v1.20 and lower). |
| Inbound | TCP | 8132 | Node pool SG | Allow Konnectivity connection from node pools (for clusters v1.21 and higher). |
| Outbound | TCP | 80 | 0.0.0.0/0 | Allow outbound HTTP. |
| Outbound | TCP | 443 | 0.0.0.0/0 | Allow outbound HTTPS. |
| Outbound | TCP | 2380 | This SG | Allow control plane etcd replication. |
| Outbound | TCP | 2381 | This SG | Allow control plane etcd event replication. |
| Outbound | TCP | 10250 | Node pool SG | Allow connections from the control plane to Kubelet. |
Node pool security group
The node pool security group allows connections from the control plane and other node. You specify the security group IDs in your AWSNodePool definitions.
| Type | Protocol | Port | Address | Description |
|---|---|---|---|---|
| Inbound | TCP | All | This SG | Allow pod-to-pod communication. |
| Inbound | TCP | 22 | Control plane SG | Allow SSH tunnelling from the control plane (for clusters v1.20 and lower). |
| Outbound | TCP | 8132 | Control plane SG | Allow Konnectivity connections to the control plane (for clusters v1.21 and higher). |
| Inbound | TCP | 443 | Control plane SG | Allow connections from the control plane to Kubelet. |
| Inbound | TCP | 10250 | Control plane SG | Allow connections from the control plane to Kubelet. |
| Outbound | TCP | All | This SG | Allow pod-to-pod communication. |
| Outbound | TCP | 80 | 0.0.0.0/0 | Allow outbound HTTP. |
| Outbound | TCP | 443 | 0.0.0.0/0 | Allow outbound HTTPS. |