Learn about VPC networking and load balancing in EKS Auto Mode
This topic explains how to configure Virtual Private Cloud (VPC) networking and load balancing features in EKS Auto Mode. While EKS Auto Mode manages most networking components automatically, you can still customize certain aspects of your cluster’s networking configuration through NodeClass resources and load balancer annotations.
When you use EKS Auto Mode, AWS manages the VPC Container Network Interface (CNI) configuration and load balancer provisioning for your cluster. You can influence networking behaviors by defining NodeClass objects and applying specific annotations to your Service and Ingress resources, while maintaining the automated operational model that EKS Auto Mode provides.
VPC CNI networking
With EKS Auto Mode, you do not directly configure the AWS VPC CNI. AWS manages node and pod networking. Instead, you create a NodeClass Kubernetes object.
Configure VPC CNI with NodeClass
The NodeClass resource in EKS Auto Mode allows you to customize certain aspects of the VPC Container Network Interface (CNI) configuration without directly managing the CNI plugin. Through NodeClass, you can specify security group selections, control node placement across VPC subnets, set SNAT policies, configure network policies, and enable network event logging. This approach maintains the automated operational model of EKS Auto Mode while providing flexibility for network customization.
You can use a NodeClass to:
- Select a Security Group for Nodes
- Control how nodes are placed on VPC Subnets
- Set the Node SNAT Policy to random or disabled
- Set the Network Policy to Default Deny or Default Allow
- Enable Network Event Logging to a file.
Learn how to Create an Amazon EKS NodeClass.
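The following manifest is an added example, not taken from the original page or from AWS, showing the network-related NodeClass fields described above in one place. The NodeClass name, the IAM role name, and the subnet and security group tag values are assumptions for a cluster whose nodes live in tagged private subnets; replace them with your own. It pairs a default-deny network policy with SNAT enabled (random), which is the combination that keeps pods reachable only through explicit NetworkPolicy objects while still letting them egress through the VPC's NAT path.

```yaml
# Added example: an EKS Auto Mode NodeClass with the network settings
# this page describes. Names, role and tag values are assumptions.
apiVersion: eks.amazonaws.com/v1
kind: NodeClass
metadata:
  name: private-locked-down        # assumed name
spec:
  # IAM role the nodes assume (assumed name, must exist in your account)
  role: eksAutoModeNodeRole

  # Control where nodes are placed: only subnets carrying this tag.
  # Keeping nodes in private subnets means they get no public IP.
  subnetSelectorTerms:
    - tags:
        kubernetes.io/role/internal-elb: "1"   # assumed tag on private subnets

  # Select the security group attached to node ENIs. Selecting by tag
  # (rather than a hard-coded ID) keeps the manifest portable between
  # accounts; the tag value is an assumption.
  securityGroupSelectorTerms:
    - tags:
        Name: eks-node-sg

  # SNAT policy for traffic leaving the VPC:
  #   Random   - pod traffic is SNATed to the node's primary IP (default,
  #              works with private subnets behind a NAT gateway)
  #   Disabled - pods egress with their own IP, which must be routable
  snatPolicy: Random

  # Network policy default for pods with no matching NetworkPolicy:
  #   DefaultAllow - all traffic permitted unless a policy restricts it
  #   DefaultDeny  - all traffic dropped until a policy allows it
  # DefaultDeny is the least-privilege choice; it also blocks DNS and
  # kube-apiserver access until you add NetworkPolicy egress rules.
  networkPolicy: DefaultDeny

  # Write network policy allow/deny events to a file on the node so
  # dropped flows can be investigated (there is no CloudWatch export).
  networkPolicyEventLogs: Enabled

  # Unrelated to networking but required on the object: node root volume.
  ephemeralStorage:
    size: 80Gi
    iops: 3000
    throughput: 125
```

Because networkPolicy is DefaultDeny, every workload scheduled onto nodes from this NodeClass needs at least an egress rule to CoreDNS (UDP/TCP 53 in kube-system) and rules for whatever it talks to; apply those NetworkPolicy objects before switching an existing NodeClass from DefaultAllow, or pods will lose connectivity as nodes roll.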
Considerations
EKS Auto Mode supports:
- EKS Network Policies.
- The HostPort and HostNetwork options for Kubernetes Pods.
- Pods in public or private subnets.
EKS Auto Mode does not support:
- Security Groups per Pod (SGPP).
- Custom Networking. The IP addresses of Pods and Nodes must be from the same CIDR block.
- Warm IP, warm prefix, and warm ENI configurations.
- Minimum IP targets configuration.
- Enabling or disabling prefix delegation.
- Other configurations supported by the open-source AWS CNI.
- Network Policy configurations such as conntrack timer customization (the default is 300s).
- Exporting network event logs to CloudWatch.
Load balancing
You configure AWS Elastic Load Balancers provisioned by EKS Auto Mode using annotations on Service and Ingress resources.
For more information, see Create an IngressClass to configure an Application Load Balancer or Use Service Annotations to configure Network Load Balancers.
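The following manifests are an added example, not from the original page or from AWS, showing the two load balancer entry points the page refers to: a Service that asks EKS Auto Mode for a Network Load Balancer, and an IngressClass (with its IngressClassParams) that routes Ingress objects to an EKS Auto Mode managed Application Load Balancer. Namespace, object names, selector labels and ports are assumptions. Both load balancers are created with scheme internal so nothing is exposed to the internet by default; change the scheme deliberately when an endpoint must be public.

```yaml
# Added example: EKS Auto Mode load balancers. Names, namespace, labels
# and ports are assumptions.
#
# 1. Network Load Balancer via a Service.
#    loadBalancerClass is what hands the Service to EKS Auto Mode instead
#    of the legacy in-tree cloud provider.
apiVersion: v1
kind: Service
metadata:
  name: api                       # assumed name
  namespace: demo                 # assumed namespace
  annotations:
    # internal: only reachable from inside the VPC (safe default)
    service.beta.kubernetes.io/aws-load-balancer-scheme: internal
    # ip is already the default in EKS Auto Mode; stated here so a
    # reader does not assume instance targeting like older setups
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
spec:
  type: LoadBalancer
  loadBalancerClass: eks.amazonaws.com/nlb
  selector:
    app: api                      # assumed pod label
  ports:
    - name: https
      port: 443
      targetPort: 8443            # assumed container port
      protocol: TCP
---
# 2. Application Load Balancer via Ingress.
#    IngressClassParams carries the load-balancer-level settings; the
#    IngressClass points at the EKS Auto Mode ALB controller.
apiVersion: eks.amazonaws.com/v1
kind: IngressClassParams
metadata:
  name: internal-alb              # assumed name
spec:
  scheme: internal
---
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: internal-alb
  annotations:
    # make this the class used when an Ingress sets no ingressClassName
    ingressclass.kubernetes.io/is-default-class: "true"
spec:
  controller: eks.amazonaws.com/alb
  parameters:
    apiGroup: eks.amazonaws.com
    kind: IngressClassParams
    name: internal-alb
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web                       # assumed name
  namespace: demo
spec:
  ingressClassName: internal-alb
  rules:
    - http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web         # assumed ClusterIP Service
                port:
                  number: 80
```

After applying, `kubectl get svc api -n demo` and `kubectl get ingress web -n demo` show the provisioned DNS names. If the status stays empty, check the cluster role's permissions on the node security group as described under the considerations below: EKS Auto Mode must be able to add the ingress rule that lets the load balancer reach pod IPs.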
Considerations for load balancing with EKS Auto Mode
- The default targeting mode is IP Mode, not Instance Mode.
- EKS Auto Mode only supports Security Group Mode for Network Load Balancers; every NLB it provisions has a security group attached.
- AWS does not support migrating load balancers from the self-managed AWS Load Balancer Controller to management by EKS Auto Mode.
- The networking.ingress.ipBlock field in the TargetGroupBinding spec is not supported.
- If your worker nodes use custom security groups (ones that do not follow the naming pattern of the security group EKS creates for the cluster), your cluster role needs additional IAM permissions. The default EKS-managed policy only allows EKS to modify security groups that follow that naming pattern. Without permission to modify your custom security groups, EKS cannot add the required ingress rules that allow ALB/NLB traffic to reach your pods.
- You cannot bring your own target groups.