Amazon EKS-Anywhere on Equinix Metal

Since September 2021 you can create your own EKS clusters outside of AWS.

Starting in the Summer of 2022, you can run EKS Anywhere directly on bare metal, alleviating the need to run it in a virtualized environment. To test out the latest and greatest (and experimental!) EKS-A deployments, checkout our EKS-A Terraform repository in GitHub. It contains both manual setup instructions and automation for running EKS Anywhere on bare metal.

What's in this guide?

In this guide, we have deployed EKS Anywhere on a virtualized environment layer on top of Equinix Metal, providing an extended environment in hybrid mode between AWS and our platform.

Additionally, we will show you how to keep the communication private and secure between both sides using Network Edge, skipping the connection through Internet.

You will need

• An AWS account
• An Equinix Fabric account, with Network Edge services enabled
• An Equinix Metal account
• A Billing Account in Equinix

How the deployment looks like:

There are three different parts within this deployment:

• The first is set up the connectivity part between the Equinix Metal service and AWS using a Network Edge appliance. Here we share an example of how to connect the two resources automatically for ECS Anywhere use case.

IMPORTANT As the ECS guide explains, you need to verify that the VLAN that you are linking to the primary port is attached to the ESXi host as well, in order to achieve the private connectivity between ESXi hosts and AWS.

• The second one is configure the servers like the diagram to create a private cluster but with a Bastion host that allows you to interact during the EKS-A cluster installation. For this specific purpose the network model used for Bastion host is Hybrid mode, and for the ESXi hosts is Layer2. You can check this link for more details.

• Third, the deployment of the virtualization solution at the top of Equinix Metal. As you probably know we have our VMWARE ESXi flavour for Metal servers and you can manually create your vCenter cluster to install EKS clusters there.

After we have both deployments in place we will have a vSphere console like this:

Now that we have the virtual environment you can install the EKS-Anywhere deployment from the Bastion host server.

EKS-A deployment

You can use your bastion host as administrative machine to run the installation. Here is the AWS EKS-A binary guide installation you can follow in order to set up the environment before the cluster creation.

After the installation of all the requisites you are good to begin the EKS-A cluster creation following AWS guide

Accessing to vSphere console you will see something like this:

Using the bastion host, and after the kubeconfig set up, you can have the information about the cluster nodes using kubectl.

Good job! If the output of the command is the correct status of the cluster nodes, the cluster is fully operational. From AWS is attached a deployment workload test that ensure the optimal state for the resource.

If there is an issue related with the performance of the EKS Cluster you can check out the troubleshooting section from EKS Anywhere home page.

Private connection & routing

If you have deployed from the Network Edge appliance and the connections to Metal and AWS as mentioned in point 1 of the "How the deployment looks like" section we would only need to add the static route to the ESXi hosts to be able to route the traffic from the workloads on Metal to AWS.

route add -net [aws_private_network_cidr] netmask [aws_private_network_mask] gw [vmware_private_network_gateway]

Where:

• aws_private_network_cidr: IP range for your subnet in AWS

• aws_private_network_mask: Netmask for your subnet in AWS

• vmware_private_network_gateway: Gateway defined for the private network in VMWARE environment. This network is defined with the same VLAN connected to Network Edge device in the Metal connection.

Now you only have to use private routing for the resources you want to consume on AWS and the traffic will be routed over the direct and secure Equinix connection.

Testing the private connectivity

We have used a container-based application that displays a page with the result of a database query and we have directly configured private access to the resource.

The database is MYSQL from the AWS RDS service (only private access allowed). This will be running the application from the EKS cluster on Equinix Metal and without querying the AWS service:

Here we run the query to RDS table using the private connection previously created:

Conclusions

Migrate your EKS workloads to Equinix Metal service is simpler than ever with EKS Anywhere. Just define the private connection from Metal to your virtual network device (as in this example) or your Equinix Fabric port and connect directly to AWS services.

After installing the cluster on the virtual environment, you only need to add the routes to the Amazon private space, to be able to communicate with the resources in AWS in the same way you were doing it working directly on a cluster in the cloud.