This message was deleted Pulumi Community #python

Join Slack

This message was deleted.

# python

sparse-intern-71089

10/04/2023, 5:49 PM

This message was deleted.

stocky-restaurant-98004

10/04/2023, 6:17 PM

NAT Gateways are for private subnets to access the internet, and have to be placed in public subnets. Specify a subnet spec that only includes Isolated subnets and set NAT Gateway strategy to "None".

stocky-restaurant-98004

10/04/2023, 6:17 PM

But if you do not have public subnets, you cannot use a public-facing ALB (unless you have Transit Gateway set up or something).

stocky-restaurant-98004

10/04/2023, 6:19 PM

The most common use case is that you want an ALB in public subnets and then place your workload in private subnets so that they can only access the internet via NAT. This example shows it for an ECS on Fargate workload: https://pulumi.awsworkshop.io/25_intro_modern_iac_python/40_ecs.html

damp-salesmen-74351

10/04/2023, 6:56 PM

Thanks, So If I need to expose services to the internet using ALB AWS, such as app1.example.com, app2.example.com, and these services also require access to the internet, Do I need to have public subnet? And I should set these options?

'<http://kubernetes.io/role/elb|kubernetes.io/role/elb>': '1'

and

Copy code

nat_gateways=pulumi_awsx.ec2.NatGatewayConfigurationArgs(
    strategy=pulumi_awsx.ec2.NatGatewayStrategy.SINGLE,
)

stocky-restaurant-98004

10/04/2023, 8:32 PM

Yes you need public subnets, because the ALB has to have a public IP address, and the only way to get that public IP address is to be in a public subnet for a VPC-based service (like EKS).

stocky-restaurant-98004

10/04/2023, 8:33 PM

All your EKS nodes should be in a private subnet tho. Nothing goes in a public subnet (usually, there are rare exceptions) but your load balancers. EKS can create and manage the LBs for you. That'll probably be easier.

stocky-restaurant-98004

10/04/2023, 8:37 PM

A single NAT Gateway is good for cost savings if you're doing a proof of concept. For a production workload, you want 3 AZs (this is the default) and you'll want a NAT Gateway in each AZ. One per AZ (also the default) is more reliable. I A single NAT Gateway is cheaper.

damp-salesmen-74351

10/04/2023, 9:53 PM

@stocky-restaurant-98004 Do I need one Elastic IP for each public subnet I have? Because when I change it to

strategy=pulumi_awsx.ec2.NatGatewayStrategy.ONE_PER_AZ

, It tries to create three public Elastic IPs.

damp-salesmen-74351

10/04/2023, 10:18 PM

What are these Elastic IPs used for? In the scenario where the AWS Load Balancer Controller is used, aren't Amazon's own general public IPs used for its load balancer? For example gcloud have these general public IPs:

Copy code

216.239.36.21
216.239.38.21
216.239.32.21
216.239.34.21

• https://artifacthub.io/packages/helm/aws/aws-load-balancer-controller • https://github.com/kubernetes-sigs/aws-load-balancer-controller/

6 Views

Open in Slack

Previous Next