Reputation: 85
I have an EKS cluster in a secured setup. But as part of CI/CD, I wanted to create a Lambda function that, when triggered, can connect to the private EKS cluster and run some deployments.
Using https://github.com/aws-samples/aws-lambda-layer-kubectl I was able to set up a lambda function and this was able to connect to public EKS clusters.
While switching to private, I added the same VPC as EKS, all subnets, and an SG with all VPC access. However, I keep getting timeout errors without any explicit logs, making it very difficult to identify the issue.
Upvotes: 5
Views: 7150
Reputation: 11
The Lambda function within a VPC could get deployed in any of the subnets that you have provided. If it gets deployed in one of the public subnets, it won't be able to access the Internet, as the ENIs for Lambda functions do not receive a public IP. In a private subnet, you could set up a route to a NAT Gateway in a public subnet to access the Internet. So deploying the Lambda in such private subnets is the right way to go.
Regarding connectivity to the EKS cluster: you need to ensure that the Lambda is deployed with the right security group, i.e., the EKS control plane should be able to receive HTTPS traffic (for API server access) from the Lambda.
Upvotes: 1
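The two conditions in the answer above (every Lambda subnet is private with a default route to a NAT gateway, and the cluster security group admits TCP/443 from the Lambda security group) can be checked before deploying rather than diagnosed from timeouts. The following is an added example, not code from the question, the answer, or the aws-lambda-layer-kubectl project. It works over dicts shaped like the `describe_route_tables` and `describe_security_groups` EC2 API responses; the VPC, subnet, gateway and security-group IDs in the sample data are constructed placeholders.

```python
"""Pre-flight check for a VPC-attached Lambda that must reach a private EKS API server.

Added example. Checks: (1) each subnet given to the Lambda routes 0.0.0.0/0 to a NAT
gateway (a Lambda ENI never gets a public IP, so a public subnet gives it no egress);
(2) the EKS cluster security group allows TCP/443 ingress from the Lambda's SG.
"""
from __future__ import annotations

PUBLIC, PRIVATE_NAT, ISOLATED = "public", "private-with-nat", "isolated"


def classify_subnet(subnet_id: str, route_tables: list[dict], vpc_id: str) -> str:
    """Classify a subnet by where its default route goes.

    `route_tables` has the shape of describe_route_tables()["RouteTables"].
    An explicit subnet association wins; otherwise the VPC's main table applies.
    """
    tables = [rt for rt in route_tables if rt["VpcId"] == vpc_id]
    table = next((rt for rt in tables
                  if any(a.get("SubnetId") == subnet_id for a in rt.get("Associations", []))), None)
    if table is None:
        table = next((rt for rt in tables
                      if any(a.get("Main") for a in rt.get("Associations", []))), None)
    if table is None:
        return ISOLATED
    for route in table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0" or route.get("State") != "active":
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            return PUBLIC
        if route.get("NatGatewayId", "").startswith("nat-"):
            return PRIVATE_NAT
    return ISOLATED  # no default route (or one we do not recognise as Internet egress)


def lambda_can_reach_api_server(sgs: list[dict], cluster_sg: str, lambda_sg: str) -> bool:
    """True if `cluster_sg` has an ingress rule allowing TCP/443 from `lambda_sg`.

    `sgs` has the shape of describe_security_groups()["SecurityGroups"]. A rule
    counts if it names lambda_sg as source and covers port 443 (tcp range or "-1").
    """
    for sg in sgs:
        if sg["GroupId"] != cluster_sg:
            continue
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            covers_443 = proto == "-1" or (
                proto == "tcp" and perm.get("FromPort", 0) <= 443 <= perm.get("ToPort", 0))
            if covers_443 and any(p.get("GroupId") == lambda_sg
                                  for p in perm.get("UserIdGroupPairs", [])):
                return True
    return False


def check_lambda_vpc_config(subnet_ids, route_tables, sgs, vpc_id, cluster_sg, lambda_sg):
    """Return a list of findings; an empty list means the config matches the answer."""
    findings = []
    for sid in subnet_ids:
        kind = classify_subnet(sid, route_tables, vpc_id)
        if kind == PUBLIC:
            findings.append(f"{sid}: public subnet; Lambda ENIs get no public IP, so no egress")
        elif kind == ISOLATED:
            findings.append(f"{sid}: no default route to a NAT gateway, so no Internet egress")
    if not lambda_can_reach_api_server(sgs, cluster_sg, lambda_sg):
        findings.append(f"{cluster_sg}: no TCP/443 ingress from {lambda_sg}; API server unreachable")
    return findings


# Constructed sample data (placeholder IDs), shaped like the EC2 API responses.
SAMPLE_VPC = "vpc-0abc"
SAMPLE_ROUTE_TABLES = [
    {"VpcId": SAMPLE_VPC, "RouteTableId": "rtb-main",  # main table: local route only
     "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]},
    {"VpcId": SAMPLE_VPC, "RouteTableId": "rtb-public",  # default route via Internet gateway
     "Associations": [{"SubnetId": "subnet-pub1"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123", "State": "active"}]},
    {"VpcId": SAMPLE_VPC, "RouteTableId": "rtb-private",  # default route via NAT gateway
     "Associations": [{"SubnetId": "subnet-priv1"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0456", "State": "active"}]},
]
SAMPLE_SGS = [
    {"GroupId": "sg-eks", "IpPermissions": [  # cluster SG that admits the Lambda SG on 443
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "UserIdGroupPairs": [{"GroupId": "sg-lambda"}]}]},
    {"GroupId": "sg-eks-bad", "IpPermissions": [  # 443 open only to a CIDR, not to the Lambda SG
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},
]

if __name__ == "__main__":
    for f in check_lambda_vpc_config(["subnet-pub1", "subnet-priv1", "subnet-noassoc"],
                                     SAMPLE_ROUTE_TABLES, SAMPLE_SGS, SAMPLE_VPC,
                                     "sg-eks-bad", "sg-lambda"):
        print(f)
```

On a real account, pass the `RouteTables` and `SecurityGroups` lists from `boto3` in place of the samples; the subnet list is the one you put in the function's `VpcConfig`. `subnet-noassoc` in the sample has no explicit association and so falls back to the main table, which is the usual way a subnet ends up with no NAT route by accident.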