Introduction
Microservices architecture offers a flexible, scalable way to build modern applications. In this blog we will walk through the process of deploying microservices on an Amazon Elastic Kubernetes Service (EKS) using Helm Charts.
While accessing the cluster securely through an EC2 bastion host. This approach ensures secure access to Kubernetes cluster from a private network.
Prerequisites
Before we begin, ensure we have the following,
- AWS account with administrative privileges.
- AWS CLI installed and configured.
- kubectl installed for interacting with EKS cluster.
- Helm installed, either on your local machine or on the bastion host.
- A basic understanding of Kubernetes, Helm, and Ingress.
- Terraform (optional but recommended for automated infrastructure provisioning).
Set Up an EKS Cluster
First, create the EKS cluster that will host the microservices. We will use eksctl, which semplifies the EKS cluster creation process.
Install eksctl
If you don’t already have eksctl installed, follow the below steps,
# On macOS
brew tap weaveworks/tap
brew install weaveworks/tap/eksctl
# On Ubuntu
curl -sLO "https://github.com/eksctl- io/eksctl/releases/latest/download/eksctl_$PLATFORM.tar.gz" | tar xz -C / tmp
sudo mv /tmp/eksctl /usr/local/bin
Create the EKS Cluster
Now, create an EKS cluster using eksctl,
eksctl create cluster \
--name my-cluster \
--version 1.22 \
--region us-west-2 \
--nodegroup-name linux-nodes \
--node-type t3.medium \
--nodes 3 \
--nodes-min 1 \
--nodes-max 4 \
--managed
This command will provision a managed EKS cluster with 3 nodes in your selected region. The nodes will be created in public subnets by default.
Create an EC2 Bastion Host
A bastion host provides secure access to our private EKS cluster, ensuring that external users cannot directly access it.
Launch an EC2 Instance
- Login into AWS Management Console, navigate to EC2 and launch an instance.
- Select an Ubuntu 20.04 AMI and choose a t2.micro instance type for the bastion.
- Place the EC2 instance in a public subnet of the same VPC where the EKS cluster is deployed.
- Configure security groups to allow SSH access (port 22) from your IP address.
- Launch the instance and download the SSH key pair to access the bastion host.
SSH into the Bastion Host
Once the EC2 instance is up and running, SSH into it using the key pair you downloaded,
ssh -i /path/to/your-key.pem ubuntu@<bastion-host-public-ip>
Access the EKS Cluster from the Bastion Host
To securely access teh EKS cluster from the bastion host, we will need to install AWS CLI and kubectl on the bastion node, and configure it to interact with the EKS cluster.
Install AWS CLI on Bastion Host
On the bastion host, install the AWS CLI with the following,
sudo apt install update
sudo apt-get install awscli -y
Install kubectl on Bastion Host
Now install kubectl to interact with the EKS cluster,
sudo apt-get install -y apt-transport-https
curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add -
echo "deb https://apt.kubernetes.io/kubernetes-xenial main" | sudo tee -a /etc/apt/sources.list.d/kubernetes.list
sudo apt-get update
sudo apt-get install -y kubectl
Cofigure AWS CLI and kubectl to Access the Cluster
- Configure the AWS CLI with your credentials
aws configure
access key :
secret ky :
region :
- Retrieve EKS Cluster Credentials
Now use the AWS CLI to configure kubectl to access the EKS cluster,
aws eks update-kubeconfig --name my-cluster --region us-west-2
- Test Access to the Cluster
Verify that you can access the cluster from the bastion,
kubectl get svc
Above command should list the services running in your Kubernetes clsuter.
Install Helm on the Bastion Host
With access to the EKS cluster established, you can now install Helm on the bastion host to manage Kubernetes deployments.
Install Helm on Ubuntu
- Add the Helm repository and GPG key
curl https://baltocdn.com/helm/signing.asc | sudo apt-key add -
sudo apt-get install apt-transport-https --yes
echo "deb https://baltocdn.com/helm/stable/debian.list.d/helm-stable-debian.list"
- Install Helm
sudo apt-get update
sudo apt-get insall helm
- Verify the installation
helm version
Deploy Microservices Using Helm Charts
With Helm installed and configured, we can now deploy microservices to the EKS ccluster.
Create a Helm Charts
If you don’t have the Helm chart yet, create one for your microservices,
helm create my-microservices
Above command will generate a basic Helm chart structure for your service.
Configure the values.yaml File
Modify the values.yaml file to configure the deployment of your microservices,
replicaCount: 2
image:
repository: my-app-image
pullPolicy: IfNotPresent
tag: "latest"
resources:
limits:
cpu: 500m
memory: 512Mi
requests:
cpu: 250m
memory: 256Mi
Deploy the Microservices
Deploy your microservice using Helm,
helm install my-microservice ./my-microservice
With the above command Helm will deploy your microservice on EKS, creating the necessary Kubernetes resources such as Deployments, Services etc.
Expose the Microservice Using an Ingress Controller
To expose your microservice to the internet, you can use an ingress controller.
Install Nginx Ingress Controller
Install the nginx ingress controller using Helm,
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update
helm install nginx-ingress ingress-nginx/ingress-nginx --set controller.publishService.enabled=true
Define an Ingress Resource
Modify your Helm chart to include an Ingress resource in the templates/ingress.yaml file,
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: my-microservice-ingress
annotations:
nginx.ingress.kubernetes.io/rewrite-
target: /
spec:
rules:
- host: "my-app.com"
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: my-microservice
port:
number: 80
Update your DNS to point the domain my-app.com to the public IP of the nginx ingress controller.
Monitor and Scale the Microservices
With the microservices deployed, you may want to scale and monitor them based on load,
kubectl scale deployment my-microservice --replicas=5
You can integrate monitoring tools like Prometheus and Grafana using Helm for furthur observability.
Conclusion
Deploying microservices on EKS using Helm, while accessing the cluster via a bastion host provides a secure and scalable architecture for modern applications. With this approach, your Kubernetes infrastructure remains protected while your microservices are efficiently managed and exposed to the internet.
FAQ’s
Q – Why do we need a bastion to access the EKS cluster ?
Ans : A bastion host acts as a gateway for securely accessing private resources, like an EKS cluster within a virtual private cloud (VPC). It provides controlled access to the cluster by allowing SSH connections only from trusted IPs reducing the unauthorised access.
Q – Can we access the EKS cluster without a bastion host ?
Ans : Yes, we can access the EKS cluster directly if it has public endpoints or if our deployment machine is within a VPN or direct connect setup that has access to the VPC where the EKS cluster resides. However using a bastion host is considered a best practice for added security.
Q – Why are we using Helm for microservices deployment ?
Ans : Helm simplifies the process of managing Kubernetes applications by allowing us to define, install, and upgrade applications using packaged charts. This makes deploying and managing microservices more efficient and scalable, especially in environments like EKS.
Q – How do we handle configuration changes in my microservices using Helm ?
Ans : With Helm, we can manage configuration changes by modifying the values.yaml file or passing parameters during installation or upgrade. To apply changes we can run ,
helm upgrade my-microservices ./my-microservices
This will update the deployment without downtime if properly configured.
Q – Can we use a different Ingress controller besides Nginx ?
Ans : Yes, we can use other ingress controller like AWS ALB Ingress, Traefik or HAProxy depending on our needs and preferences. Nginx is popular for it’s simplicity and wide usage in the Kubernetes community.