
DNS problem on AWS EKS when running in private subnets

Understanding DNS Issues in AWS EKS with Private Subnets

Amazon Elastic Kubernetes Service (EKS) is a managed container service that allows you to run and scale Kubernetes applications in the cloud. When deploying EKS in AWS, particularly in a private subnet environment, you may encounter DNS resolution problems. This article looks at the DNS issues that arise when running EKS in private subnets, explains their technical causes with examples, and offers solutions.

Introduction to AWS EKS and Private Subnets

AWS EKS abstracts the Kubernetes control plane setup and management, allowing users to focus on running their containers. When deploying an EKS cluster into a Virtual Private Cloud (VPC), resources can be launched in public, private, or hybrid subnets. Private subnets are commonly used for security reasons, but they bring their own challenges, especially around network connectivity and DNS resolution.

DNS Resolution in AWS EKS

In Kubernetes clusters, CoreDNS is the primary DNS server, handling domain name resolution for service discovery. When running EKS in private subnets, DNS resolution must be appropriately configured to ensure that pods can reach the necessary endpoints, including external APIs, S3, ECR, and other AWS services.

Common DNS Issues

  1. CoreDNS FQDN Configuration:
    • The default CoreDNS setup in EKS may not resolve Fully Qualified Domain Names (FQDNs) correctly, especially for services hosted outside the cluster.
  2. DNS Traffic Not Routed:
    • Traffic from nodes in private subnets to Amazon-provided DNS servers might not be routed because of misconfigured route tables or a missing NAT Gateway configuration.
  3. VPC DHCP Option Set Misconfiguration:
    • Incorrect settings in the VPC's DHCP option set can lead to DNS resolution failures, where nodes and pods cannot resolve the external hostnames they need.
  4. Network ACLs:
    • Network Access Control Lists (ACLs) might block UDP traffic, which carries most DNS queries.
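The checks below turn causes 2, 3 and 4 above into a runnable diagnostic over describe-style data. This is an added example, not code from the article: the route-table, DHCP-option-set and NACL dicts are constructed samples that mirror the field names of `aws ec2 describe-route-tables`, `describe-dhcp-options` and `describe-network-acls` output, and the CIDRs, IPs and the sample ephemeral client port are invented.

```python
# Added example, not from the article. Inputs are CONSTRUCTED to mirror the shape
# of `aws ec2 describe-route-tables / describe-dhcp-options / describe-network-acls`.
import ipaddress

def nacl_verdict(entries, egress, peer_ip, dst_port):
    """Stateless NACL: lowest matching RuleNumber wins, implicit final rule denies.
    Protocol "17" is UDP, "-1" is all traffic; a missing PortRange means all ports."""
    for r in sorted(entries, key=lambda x: x["RuleNumber"]):
        pr = r.get("PortRange") or {"From": 0, "To": 65535}
        if (r["Egress"] == egress and r["Protocol"] in ("-1", "17")
                and pr["From"] <= dst_port <= pr["To"]
                and ipaddress.ip_address(peer_ip) in ipaddress.ip_network(r["CidrBlock"])):
            return r["RuleAction"]
    return "deny"

def has_active_nat_default_route(route_table):
    """Private subnets reach non-VPC endpoints only via 0.0.0.0/0 -> an active NAT gateway."""
    return any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
               and r.get("NatGatewayId", "").startswith("nat-")
               and r.get("State") == "active" for r in route_table["Routes"])

def uses_amazon_dns(dhcp_options):
    """The DHCP option set must hand nodes AmazonProvidedDNS (the VPC resolver)."""
    servers = [v["Value"] for c in dhcp_options["DhcpConfigurations"]
               if c["Key"] == "domain-name-servers" for v in c["Values"]]
    return "AmazonProvidedDNS" in servers

def diagnose(route_table, dhcp_options, nacl_entries, dns_ip, client_port=33333):
    """Findings for one private subnet. dns_ip is the in-VPC DNS target (e.g. a CoreDNS
    pod IP); client_port samples the reply path, which a stateless NACL must allow too."""
    checks = [
        (not has_active_nat_default_route(route_table), "no active 0.0.0.0/0 route via a NAT gateway"),
        (not uses_amazon_dns(dhcp_options), "DHCP option set does not hand out AmazonProvidedDNS"),
        (nacl_verdict(nacl_entries, True, dns_ip, 53) != "allow", "NACL denies outbound UDP/53 DNS queries"),
        (nacl_verdict(nacl_entries, False, dns_ip, client_port) != "allow", "NACL denies UDP DNS replies on ephemeral ports"),
    ]
    return [msg for failed, msg in checks if failed]

# Constructed sample: one private subnet exhibiting all of the misconfigurations.
SAMPLE_RT = {"Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]}
SAMPLE_DHCP = {"DhcpConfigurations": [{"Key": "domain-name-servers", "Values": [{"Value": "192.0.2.53"}]}]}
SAMPLE_NACL = [
    {"RuleNumber": 90, "Protocol": "17", "RuleAction": "deny", "Egress": True,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 53, "To": 53}},
    {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": True, "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,  # TCP only: UDP replies die
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 1024, "To": 65535}},
]
if __name__ == "__main__":
    print("\n".join(diagnose(SAMPLE_RT, SAMPLE_DHCP, SAMPLE_NACL, "10.0.1.10")))
```

Feeding the real CLI JSON in place of the constructed dicts applies the same checks; the NACL check is run in both directions because ACLs are stateless, so an egress allow alone does not get the reply back.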

Technical Insights and Solutions

Verifying CoreDNS Configuration

Check the CoreDNS configuration in your EKS cluster using:
