# aws
w
Hi all! Is there a way to provision Private EKS clusters (EKS clusters within private subnets having NAT Gateways attached to them) using the Pulumi EKS package? I am able to bring up the cluster but it fails with the below traceback and does not proceed with NodeGroup provisioning.
error: configured Kubernetes cluster is unreachable: unable to load schema information from the API server: Get "https://URL.eks.amazonaws.com/openapi/v2?timeout=32s": dial tcp 10.1.3.211:443: i/o timeout
b
hey Sushant, there's a lot of stuff this could be unfortunately. security groups configured correctly? route tables configured properly?
w
Hey Lee! Thanks for getting back. Security Group-wise I haven't configured anything, assuming that pulumi_eks will bring it up accordingly. Route Table-wise I have created new route tables for the private subnets which have the traffic 0.0.0.0/0 routed to NAT Gateways (which are in the public subnet).
This is the code:
import pulumi_aws
import pulumi_eks as eks

# cluster_name, stack_name, vpc_id, private_subnets (a dict of name -> subnet id)
# and eks_ec2_role are defined earlier in the stack and not shown here.

# EKS control plane with a private-only API endpoint, placed in the private subnets.
eks_cluster = eks.Cluster(
    cluster_name,
    name=cluster_name,
    private_subnet_ids=list(private_subnets.values()),
    tags={"Name": cluster_name, "Stack": stack_name},
    vpc_id=vpc_id,
    version="1.21",
    instance_role=eks_ec2_role,
    endpoint_public_access=False,
    endpoint_private_access=True,
    node_associate_public_ip_address=True,
    skip_default_node_group=True,
)

# Managed node group of spot instances in the same private subnets,
# attached to the cluster's core data.
node_group = eks.ManagedNodeGroup(
    node_group_name,
    cluster=eks_cluster.core,
    capacity_type="SPOT",
    instance_types=["t3a.medium"],
    node_group_name=node_group_name,
    node_role=eks_ec2_role,
    tags={"Name": cluster_name, "Stack": stack_name},
    subnet_ids=list(private_subnets.values()),
    scaling_config=pulumi_aws.eks.NodeGroupScalingConfigArgs(
        desired_size=1,
        min_size=1,
        max_size=3,
    ),
)
This is what the pulumi up output is:
b
@worried-xylophone-86184 that IP address is a private IP in one of your subnets?
w
Yes
p
It's been a wee while since I made this work for me, but the most obvious difference between my cluster block and yours is the serviceRole I have created and added to the cluster command. The other thing to be aware of is that you will need various VPC Endpoints to make the cluster work in a private subnet. https://docs.aws.amazon.com/eks/latest/userguide/private-clusters.html should have all the details
b
I bet it's the VPC Endpoints, good find @polite-napkin-90098!