diff --git a/latest/ug/automode/auto-change.adoc b/latest/ug/automode/auto-change.adoc index 2d25ed841..7fca364fd 100644 --- a/latest/ug/automode/auto-change.adoc +++ b/latest/ug/automode/auto-change.adoc @@ -14,6 +14,11 @@ To receive notifications of all source file changes to this specific documentati https://github.com/awsdocs/amazon-eks-user-guide/commits/mainline/latest/ug/automode/auto-change.adoc.atom ---- +== August 6, 2025 + +*Feature:* Added new configuration on the NodeClass `spec.advancedNetworking.associatePublicIPAddress` which can be used to prevent public IP addresses from being assigned to EKS Auto Mode Nodes + + == June 30, 2025 *Feature:* The Auto Mode NodeClass now uses the configued custom KMS key to encrypt the read-only root volume of the instance, in addition to the read/write data volume. Previously, the custom KMS key was only used to encrypt the data volume. diff --git a/latest/ug/automode/auto-controls.adoc b/latest/ug/automode/auto-controls.adoc index 0d07db2a8..f90815333 100644 --- a/latest/ug/automode/auto-controls.adoc +++ b/latest/ug/automode/auto-controls.adoc 
@@ -81,3 +81,23 @@ It's important *not* to use the `ec2:Owner` context key. Amazon owns the EKS Aut |us-west-1 |975050035094 |us-west-2 |767397842682 |=== + +== Associate Public IP address + +When `ec2:RunInstances` is called the `AssociatePublicIpAddress` field for an instance launch is determined automatically by the type of subnet that the instance is being launched into. +An SCP may be used to enforce that this value is explicitly set to false, regardless of the type of subnet being launched into. +In this case the NodeClass field `spec.advancedNetworking.associatePublicIPAddress` can also be set to false to satisfy the requirements of the SCP. + +```json + { + "Sid": "DenyPublicEC2IPAddesses", + "Effect": "Deny", + "Action": "ec2:RunInstances", + "Resource": "arn:aws:ec2:*:*:network-interface/*", + "Condition": { + "BoolIfExists": { + "ec2:AssociatePublicIpAddress": "true" + } + } + } +``` diff --git a/latest/ug/automode/create-node-class.adoc b/latest/ug/automode/create-node-class.adoc index 9e21065fb..e6fe70855 100644 --- a/latest/ug/automode/create-node-class.adoc +++ b/latest/ug/automode/create-node-class.adoc @@ -175,9 +175,13 @@ spec: # Key Alias Name # Key Alias ARN - # Optional: Forward proxy, commonly requires certificateBundles as well - #for EC2, see https://repost.aws/knowledge-center/eks-http-proxy-containerd-automation advancedNetworking: + # Optional: Controls whether public IP addresses are assigned to instances that are launched with the nodeclass. + # If not set, defaults to the MapPublicIpOnLaunch setting on the subnet. + associatePublicIPAddress: false + + # Optional: Forward proxy, commonly requires certificateBundles as well + # for EC2, see https://repost.aws/knowledge-center/eks-http-proxy-containerd-automation httpsProxy: http://192.0.2.4:3128 #commonly port 3128 (Squid) or 8080 (NGINX) #Max 255 characters #httpsProxy: http://[2001:db8::4]:3128 # IPv6 address with port, use [] noProxy: #Max 50 entries
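Review bot: The prose above the policy should state that `BoolIfExists` makes this Deny fire when `ec2:AssociatePublicIpAddress` is absent from the request as well as when it is `true`, which is why leaving `spec.advancedNetworking.associatePublicIPAddress` unset (the subnet default described in the first sentence) does not satisfy the SCP and the field has to be set to `false` explicitly; a sentence such as `Because the condition uses BoolIfExists, launches that do not set the field at all are also denied, so the NodeClass field must be set to false explicitly rather than left unset.` would make that clear. The `Sid` in the example is misspelled; `"Sid": "DenyPublicEC2IPAddresses",` reads better. The snippet is fenced with Markdown-style triple backticks in an AsciiDoc file whose neighbouring listings use `----` delimiters; Asciidoctor accepts fenced blocks, but `[source,json]` with `----` would match the rest of the guide. Nodes launched without a public address presumably need a private egress path (NAT gateway or VPC endpoints) to reach the cluster endpoint and image registries — worth confirming and mentioning alongside the SCP guidance.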