AWS Elastic Beanstalk or AWS Elastic Container Service for Kubernetes (AWS EKS)
We previously compared two PaaS solutions: AWS Elastic Beanstalk and Red Hat OpenShift. AWS Elastic Beanstalk is a good choice for newly started applications and for systems already running on AWS. It also offers a multi-container Docker platform: Elastic Beanstalk uses the Amazon Elastic Container Service (ECS) to deploy a set of Docker containers to an ECS cluster inside the Elastic Beanstalk environment, and every instance in that environment runs the same set of containers. That is where the simplicity costs you: because each instance runs the same set of containers, you lose the ability to independently schedule, say, a replicated set of queue workers on the cluster. Elastic Beanstalk is therefore ideal if you want the benefits of containers but only need the simplicity of moving an application from development to production by uploading a container image. If you want more control over the application architecture and over how containers are orchestrated, take a look at the AWS Elastic Container Service for Kubernetes (EKS). AWS EKS was released in June 2018 and, at the time of this article's writing, runs Kubernetes 1.11. Here is the cheat sheet on AWS EKS:
AWS Elastic Container Service for Kubernetes (EKS)
Kubernetes, originally designed by Google, is an open-source container-orchestration system for automating deployment, scaling, and management of containerized applications. Using Kubernetes, one can run containerized applications including microservices, batch processing workers, and platforms as a service (PaaS) using the same toolset on-premises and in the cloud. Please go to Kubernetes and Docker to learn more about container orchestration.
AWS EKS is a managed service that runs the Kubernetes control plane on AWS for you, so you do not install or operate the API servers and etcd yourself. Kubernetes groups containers into logical units (pods) for management and discoverability and schedules them onto a cluster of EC2 worker nodes. The three main use cases AWS positions EKS for are:
- PaaS
- Microservices
- Enterprise applications migrations
AWS EKS Components
Let's take a look at the components of Kubernetes (K8s) on Amazon EKS (the diagram below is derived from AWS re:Invent 2018):
In this diagram, the endpoint is the orange rectangle labelled EKS master endpoint. AWS EKS gives you the flexibility to configure the rest of the components as needed. The DevOps team can drive automated Continuous Integration and Continuous Delivery (CI/CD) through that same endpoint, since it is the cluster's Kubernetes API. Users reach the applications through an ALB/NLB ingress controller. Monitoring and logging data can be collected with AWS CloudWatch, CloudTrail and Elasticsearch, or with other tools such as Kibana and Grafana.
Set Up Steps
Run AWS EKS in eight steps (the order matters: the cluster needs the IAM role and the VPC before it can be created, and the worker nodes need the cluster before they can register):
- Set up the IAM service role for the AWS EKS cluster
- Use the CloudFormation template to create the VPC
- Install kubectl for AWS EKS
- Install the Heptio AWS IAM Authenticator for Kubernetes
- Create the AWS EKS cluster
- Connect to EKS with kubectl
- Use the CloudFormation template to launch worker nodes that register with the AWS EKS cluster
- Deploy and manage applications on the AWS EKS cluster as with any other Kubernetes environment
The details can be found in the AWS EKS Getting Started Guide.
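The set-up steps above, written out as one shell script. This is an added example, not code from the AWS guide. It assumes the AWS CLI with EKS support, kubectl and aws-iam-authenticator on PATH, the guide's CloudFormation templates saved locally as eks-vpc.yaml and eks-nodegroup.yaml (both file names are assumptions, as are the template parameter names), the guide's aws-auth-cm.yaml with the node instance role ARN filled in, and NODE_IMAGE_ID and KEY_NAME exported for the worker nodes. The two helper functions produce the trust policy and the kubeconfig; the orchestration runs only when invoked with --run.

```shell
# Added example, not AWS's code: the eight set-up steps as one script.
# Assumed: AWS CLI with EKS support, kubectl and aws-iam-authenticator on PATH,
# eks-vpc.yaml / eks-nodegroup.yaml / aws-auth-cm.yaml from the guide saved
# locally (file names assumed), NODE_IMAGE_ID and KEY_NAME exported.
set -eu
CLUSTER_NAME="${CLUSTER_NAME:-demo-eks}"

# Step 1: trust policy for the cluster service role. Only the EKS service may
# assume it; no user, role or foreign account is a principal here.
eks_trust_policy() {
  cat <<'JSON'
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow",
      "Principal": { "Service": "eks.amazonaws.com" },
      "Action": "sts:AssumeRole" }
  ]
}
JSON
}

# Step 6: kubeconfig whose user entry delegates to aws-iam-authenticator, so no
# long-lived credential is stored; kubectl obtains a short-lived token per call.
eks_kubeconfig() {
  local name="$1" endpoint="$2" ca_data="$3"
  cat <<EOF
apiVersion: v1
kind: Config
clusters:
- name: ${name}
  cluster:
    server: ${endpoint}
    certificate-authority-data: ${ca_data}
contexts:
- name: ${name}
  context: { cluster: ${name}, user: ${name}-iam }
current-context: ${name}
users:
- name: ${name}-iam
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      command: aws-iam-authenticator
      args: ["token", "-i", "${name}"]
EOF
}

# Read one output value ($2) of a CloudFormation stack ($1).
stack_output() {
  aws cloudformation describe-stacks --stack-name "$1" \
      --query "Stacks[0].Outputs[?OutputKey=='$2'].OutputValue" --output text
}

bootstrap_eks() {
  local role="${CLUSTER_NAME}-cluster-role" vpc="${CLUSTER_NAME}-vpc"
  local role_arn subnets sg vpc_id endpoint ca p
  # 1. Service role carrying only the two AWS-managed EKS policies.
  role_arn=$(aws iam create-role --role-name "$role" \
      --assume-role-policy-document "$(eks_trust_policy)" \
      --query Role.Arn --output text)
  for p in AmazonEKSClusterPolicy AmazonEKSServicePolicy; do
    aws iam attach-role-policy --role-name "$role" \
        --policy-arn "arn:aws:iam::aws:policy/$p"
  done
  # 2. VPC, subnets and the control-plane security group from the template.
  aws cloudformation deploy --stack-name "$vpc" --template-file eks-vpc.yaml
  subnets=$(stack_output "$vpc" SubnetIds)
  sg=$(stack_output "$vpc" SecurityGroups)
  vpc_id=$(stack_output "$vpc" VpcId)
  # 3/4. Client tooling must be present before the first API call.
  command -v kubectl >/dev/null; command -v aws-iam-authenticator >/dev/null
  # 5. Create the cluster and wait until the control plane is ACTIVE.
  aws eks create-cluster --name "$CLUSTER_NAME" --role-arn "$role_arn" \
      --resources-vpc-config "subnetIds=${subnets},securityGroupIds=${sg}" >/dev/null
  aws eks wait cluster-active --name "$CLUSTER_NAME"
  # 6. Point kubectl at the endpoint through the authenticator.
  endpoint=$(aws eks describe-cluster --name "$CLUSTER_NAME" --query cluster.endpoint --output text)
  ca=$(aws eks describe-cluster --name "$CLUSTER_NAME" --query cluster.certificateAuthority.data --output text)
  mkdir -p "$HOME/.kube"
  eks_kubeconfig "$CLUSTER_NAME" "$endpoint" "$ca" > "$HOME/.kube/config-${CLUSTER_NAME}"
  export KUBECONFIG="$HOME/.kube/config-${CLUSTER_NAME}"
  kubectl get svc   # first authenticated call against the new endpoint
  # 7. Worker nodes; they register only after aws-auth maps their instance role.
  aws cloudformation deploy --stack-name "${CLUSTER_NAME}-nodes" \
      --template-file eks-nodegroup.yaml --capabilities CAPABILITY_IAM \
      --parameter-overrides ClusterName="$CLUSTER_NAME" NodeGroupName="${CLUSTER_NAME}-ng" \
        ClusterControlPlaneSecurityGroup="$sg" VpcId="$vpc_id" Subnets="$subnets" \
        NodeImageId="$NODE_IMAGE_ID" KeyName="$KEY_NAME"
  kubectl apply -f aws-auth-cm.yaml
  kubectl get nodes
  # 8. From here on it is an ordinary cluster: kubectl apply -f your-app.yaml
}

if [ "${1:-}" = "--run" ]; then bootstrap_eks; fi
```

The point worth noticing in the kubeconfig is that it contains no secret at all: the exec plugin signs a request with whatever IAM credentials the shell already has, so rotating or revoking those credentials immediately cuts off cluster access without touching the kubeconfig.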
Features
AWS EKS offers the following features:
High Availability and Scalability
AWS EKS runs the Kubernetes control plane for you across three AWS Availability Zones to eliminate a single point of failure. The service manages the availability and scaling of the Kubernetes API servers and the etcd persistence layer for each cluster, and it automatically detects and replaces unhealthy control plane nodes.
Standardization and Extensibility
AWS EKS is certified Kubernetes conformant so one can use existing tooling and plugins from partners and the Kubernetes community. Applications running on any standard Kubernetes environment are fully compatible and can be easily migrated to Amazon EKS.
Authentication and Authorization
AWS EKS uses the Heptio AWS IAM Authenticator (aws-iam-authenticator) for authentication to the Kubernetes cluster. kubectl asks the authenticator for a token, which is a pre-signed STS GetCallerIdentity request made with the caller's IAM credentials; the control plane verifies it and maps the resulting IAM principal to a Kubernetes username and set of groups via the aws-auth ConfigMap in the kube-system namespace. Authorization still relies on native Kubernetes Role Based Access Control (RBAC).
This means that IAM only establishes which IAM entity is calling. All permissions for interacting with the AWS EKS cluster's Kubernetes API are managed through the native Kubernetes RBAC system, keyed on the groups that the aws-auth mapping assigns. Two consequences matter for operators: the IAM entity that created the cluster is granted system:masters automatically and does not appear in aws-auth, and anyone who can edit the aws-auth ConfigMap can map an arbitrary IAM principal to system:masters, so write access to that ConfigMap is effectively cluster-admin and should be treated as such.
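The mapping described above, written out as an added example (not AWS's own manifests): an aws-auth ConfigMap that maps the worker node instance role and a developer IAM role to groups, and a Role/RoleBinding that gives the developer group read-only access to pods in one namespace. The account ID 111122223333, the role names, the namespace and the group name are assumptions.

```shell
# Added example (not AWS's manifests). Account ID, role names, namespace and
# group are assumptions. IAM decides WHO the caller is; RBAC decides WHAT.

# aws-auth ConfigMap in kube-system: maps IAM principals to Kubernetes users and
# groups. $1 = worker node instance role ARN, $2 = developer role ARN, $3 = group.
# Deliberately absent: any mapping to system:masters.
aws_auth_configmap() {
  local node_role_arn="$1" dev_role_arn="$2" group="$3"
  cat <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: ${node_role_arn}
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
    - rolearn: ${dev_role_arn}
      username: dev:{{SessionName}}
      groups:
        - ${group}
EOF
}

# Least privilege for that group: read-only on pods and pod logs in one namespace.
readonly_pod_rbac() {
  local ns="$1" group="$2"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: ${ns}
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${group}-pod-reader
  namespace: ${ns}
subjects:
- kind: Group
  name: ${group}
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Apply from the cluster creator's session (implicitly system:masters), then
# check the effective rights of a developer whose STS session name is "alice":
# the authenticator presents her as user dev:alice in the mapped group.
apply_and_check() {
  local ns="$1" group="$2" node_role_arn="$3" dev_role_arn="$4"
  aws_auth_configmap "$node_role_arn" "$dev_role_arn" "$group" | kubectl apply -f -
  readonly_pod_rbac "$ns" "$group" | kubectl apply -f -
  kubectl auth can-i list pods -n "$ns" --as dev:alice --as-group "$group"            # yes
  kubectl auth can-i delete pods -n "$ns" --as dev:alice --as-group "$group" || true   # no
  kubectl auth can-i list pods --all-namespaces --as dev:alice --as-group "$group" || true  # no
}
```

Mapping roles rather than users is the safer default: the developer authenticates with short-lived STS credentials from an assumed role, and the username template records the session name, so the Kubernetes audit log shows which person acted even though RBAC only sees the group.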
Networking and Security
VPC Networking
AWS EKS builds on the networking and security features of AWS VPC. Three kinds of IP address are in play:
- Cluster IPs, the virtual addresses assigned to Kubernetes Services and routable only inside the cluster
- Pod IPs, the addresses pods see inside their network namespace
- AWS VPC addresses, the addresses on the worker nodes' elastic network interfaces (ENIs)
AWS EKS supports native VPC networking via the Amazon VPC CNI plugin for Kubernetes. With this plugin a pod has the same IP address inside the pod as it does on the VPC network: the plugin attaches secondary IP addresses from the subnet to the worker node's ENIs and hands one to each pod. Two consequences follow. Pods consume real VPC addresses, so subnet sizing and the per-instance-type ENI and IP limits cap how many pods a node can run; and security groups are evaluated per ENI, so all pods on a node share the node's security groups rather than each pod getting its own.
AWS EKS uses VPC security groups and subnet network ACLs. If you created the VPC and worker node group with the AWS CloudFormation templates, the EKS cluster control plane and worker node security groups are configured with AWS recommended settings. You can then add extra inbound or outbound rules to the security groups associated with the control plane or worker nodes; keep that list short, because a rule added to the worker node security group applies to every pod on those nodes.
Calico Network Policy Enforcement
To implement network segmentation and tenant isolation, install Calico network policy enforcement. Project Calico is a network policy engine for Kubernetes: the VPC CNI plugin keeps handling pod addressing, and Calico enforces Kubernetes NetworkPolicy objects on that traffic. Without any policy installed, every pod can reach every other pod in the cluster, across namespaces. Please see the AWS user guide on how to install Calico and define network policy documents that restrict which pods may reach your microservices.
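The isolation pattern the paragraph above describes, as an added example that is not from the AWS user guide: a default-deny ingress policy for a namespace followed by exactly one allow rule, plus a function that installs Calico, applies both and probes the result from inside the cluster. The namespace, the app labels, the port and the local calico.yaml file name are assumptions.

```shell
# Added example (not from the AWS user guide). Namespace, labels, port and the
# calico.yaml file name are assumptions.

# Without a policy every pod can reach every other pod. This policy selects
# all pods in the namespace (empty podSelector) and lists no ingress rules,
# so no inbound connection is allowed at all.
default_deny_ingress() {
  local ns="$1"
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: ${ns}
spec:
  podSelector: {}
  policyTypes:
  - Ingress
EOF
}

# Open exactly one path: app=frontend pods in the same namespace may reach
# app=api pods on one TCP port. Policies are additive, so everything else,
# including traffic from other namespaces, stays denied.
allow_frontend_to_api() {
  local ns="$1" port="${2:-8080}"
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-api
  namespace: ${ns}
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: ${port}
EOF
}

# Install Calico (manifest downloaded per the user guide), apply both policies
# and verify enforcement. Needs a working kubeconfig for the cluster.
install_and_verify() {
  local ns="$1" url="http://api.${ns}.svc.cluster.local:8080/"
  kubectl apply -f calico.yaml
  kubectl rollout status daemonset/calico-node -n kube-system
  default_deny_ingress "$ns" | kubectl apply -f -
  allow_frontend_to_api "$ns" | kubectl apply -f -
  # A pod carrying the allowed label gets through ...
  kubectl run -n "$ns" probe-ok --rm -it --restart=Never --image=busybox \
      --labels=app=frontend -- wget -qO- --timeout=3 "$url"
  # ... and an otherwise identical pod without it must time out.
  kubectl run -n "$ns" probe-denied --rm -it --restart=Never --image=busybox \
      -- wget -qO- --timeout=3 "$url" || echo "denied as expected"
}
```

Start with the deny policy in every tenant namespace and add allow rules per service; the probe pair above is the regression test to keep, because a policy that silently stops matching (a renamed label, a changed port) fails open rather than closed.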
ALB/NLB Ingress Controller
Kubernetes separates the Ingress resource, which declares how external HTTP(S) traffic should be routed to Services inside the cluster, from the ingress controller, which watches those resources and provisions the actual load balancer. On AWS EKS the ALB Ingress Controller implements Ingress resources with an Application Load Balancer and routes HTTP(S) traffic to different endpoints within the cluster, while a Service of type LoadBalancer annotated for NLB gets a Network Load Balancer for plain TCP traffic. One caveat: the controller needs IAM permissions to create and manage load balancers, and the guide attaches that policy to the worker node instance role, which every pod on those nodes can use through the instance metadata service.
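Both paths described above, as an added example that is not code from the ALB Ingress Controller project: an HTTPS-only Ingress for the ALB controller and a TCP Service exposed through an NLB. The namespace, host name, Service names and the ACM certificate ARN are assumptions; the annotation names are the controller's own.

```shell
# Added example (not from the ALB ingress controller project). Namespace, host,
# Service names and the certificate ARN are assumptions.

# Layer 7: the controller watches Ingress objects of class "alb" and creates one
# Application Load Balancer per Ingress. Listing only an HTTPS listener with an
# ACM certificate means no plaintext port 80 listener is ever created.
# target-type ip sends traffic straight to pod IPs, which works because the
# VPC CNI plugin makes pod IPs routable in the VPC.
alb_https_ingress() {
  local ns="$1" host="$2" cert_arn="$3"
  cat <<EOF
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: web
  namespace: ${ns}
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS": 443}]'
    alb.ingress.kubernetes.io/certificate-arn: ${cert_arn}
spec:
  rules:
  - host: ${host}
    http:
      paths:
      - path: /*
        backend:
          serviceName: frontend
          servicePort: 80
EOF
}

# Layer 4: no controller needed. A Service of type LoadBalancer with this
# annotation gets a Network Load Balancer instead of a classic ELB.
nlb_service() {
  local ns="$1" app="$2" port="$3"
  cat <<EOF
apiVersion: v1
kind: Service
metadata:
  name: ${app}
  namespace: ${ns}
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
spec:
  type: LoadBalancer
  selector:
    app: ${app}
  ports:
  - port: ${port}
    targetPort: ${port}
    protocol: TCP
EOF
}

# Apply both and read back what was provisioned (controller installed per guide).
expose_and_check() {
  local ns="$1" host="$2" cert_arn="$3"
  alb_https_ingress "$ns" "$host" "$cert_arn" | kubectl apply -f -
  nlb_service "$ns" tcp-api 8443 | kubectl apply -f -
  kubectl get ingress web -n "$ns" -o wide   # ADDRESS column is the ALB DNS name
  kubectl get svc tcp-api -n "$ns"           # EXTERNAL-IP is the NLB DNS name
}
```

With an internet-facing scheme the load balancer is reachable from anywhere; if the application is internal, set the scheme to internal so the ALB is created in private subnets and never gets a public address.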
Cost
Two costs apply to AWS EKS:
- AWS EKS Cluster: $0.20 per hour for each AWS EKS cluster
- Worker Node Group: AWS resources (e.g. EC2 instances or EBS volumes) for Kubernetes worker nodes
To optimize the cost, one can run one’s Kubernetes Workloads on Amazon EC2 Spot Instances with Amazon EKS.
Conclusion
Kubernetes is a great container-orchestration system, but it is not easy to set up and run. The AWS EKS managed service keeps you from having to install and operate the Kubernetes control plane, although you still run and patch the worker nodes. If you provision and manage Kubernetes on your own infrastructure, take a look at OpenShift. But if you need to move all of your applications into a public cloud environment to lower cost, you may want to consider EKS.