Select your cookie preferences

We use essential cookies and similar tools that are necessary to provide our site and services. We use performance cookies to collect anonymous statistics, so we can understand how customers use our site and make improvements. Essential cookies cannot be deactivated, but you can choose “Customize” or “Decline” to decline performance cookies.

If you agree, AWS and approved third parties will also use cookies to provide useful site features, remember your preferences, and display relevant content, including relevant advertising. To accept or decline all non-essential cookies, choose “Accept” or “Decline.” To make more detailed choices, choose “Customize.”

Preferences
Contact Us
Feedback
AWS Documentation
Create an AWS Account

Learn about VPC Networking and Load Balancing in EKS Auto Mode

PDF
RSS
Focus mode
Learn about VPC Networking and Load Balancing in EKS Auto Mode - Amazon EKS
Networking capabilityLoad balancing

Help improve this page

To contribute to this user guide, choose the Edit this page on GitHub link that is located in the right pane of every page.

Help improve this page

To contribute to this user guide, choose the Edit this page on GitHub link that is located in the right pane of every page.

This topic explains how to configure Virtual Private Cloud (VPC) networking and load balancing features in EKS Auto Mode. While EKS Auto Mode manages most networking components automatically, you can still customize certain aspects of your cluster’s networking configuration through NodeClass resources and load balancer annotations.

When you use EKS Auto Mode, AWS manages the VPC Container Network Interface (CNI) configuration and load balancer provisioning for your cluster. You can influence networking behaviors by defining NodeClass objects and applying specific annotations to your Service and Ingress resources, while maintaining the automated operational model that EKS Auto Mode provides.

Networking capability

EKS Auto Mode has a new networking capability that handles node and pod networking. You can configure it by creating a NodeClass Kubernetes object.

Configuration options for the previous AWS VPC CNI will not apply to EKS Auto Mode.

Configure networking with NodeClass

The NodeClass resource in EKS Auto Mode allows you to customize certain aspects of the networking capability. Through NodeClass, you can specify security group selections, control node placement across VPC subnets, set SNAT policies, configure network policies, and enable network event logging. This approach maintains the automated operational model of EKS Auto Mode while providing flexibility for network customization.

You can use a NodeClass to:

  • Select a Security Group for Nodes

  • Control how nodes are placed on VPC Subnets

  • Set the Node SNAT Policy to random or disabled

  • Set the Network Policy to Default Deny or Default Allow

  • Enable Network Event Logging to a file.

Learn how to Create an Amazon EKS NodeClass.

Considerations

EKS Auto Mode supports:

  • EKS Network Policies.

  • The HostPort and HostNetwork options for Kubernetes Pods.

  • Pods in public or private subnets.

EKS Auto Mode does not support:

  • Security Groups per Pod (SGPP).

  • Custom Networking. The IP Addresses of Pods and Nodes must be from the same CIDR Block.

  • Warm IP, warm prefix, and warm ENI configurations.

  • Minimum IP targets configuration.

  • Enabling or disabling prefix delegation.

  • Other configurations supported by the open-source AWS CNI.

  • Network Policy configurations such as conntrack timer customization (default is 300s).

  • Exporting network event logs to CloudWatch.

Load balancing

You configure AWS Elastic Load Balancers provisioned by EKS Auto Mode using annotations on Service and Ingress resources.

For more information, see Create an IngressClass to configure an Application Load Balancer or Use Service Annotations to configure Network Load Balancers.

Considerations for load balancing with EKS Auto Mode

  • The default targeting mode is IP Mode, not Instance Mode.

  • EKS Auto Mode only supports Security Group Mode for Network Load Balancers.

  • AWS does not support migrating load balancers from the self managed AWS load balancer controller to management by EKS Auto Mode.

  • The networking.ingress.ipBlock field in TargetGroupBinding spec is not supported.

  • If your worker nodes use custom security groups (not eks-cluster-sg- naming pattern), your cluster role needs additional IAM permissions. The default EKS-managed policy only allows EKS to modify security groups named eks-cluster-sg-. Without permission to modify your custom security groups, EKS cannot add the required ingress rules that allow ALB/NLB traffic to reach your pods.

On this page

PrivacySite termsCookie preferences
© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.