Skip to content

add docs for the new associatePublicIPAddress field #1085

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
geoffcline merged 2 commits into from
Aug 8, 2025
Merged

add docs for the new associatePublicIPAddress field #1085

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
e058a11
add docs for the new associatePublicIPAddress field
tzneal Aug 6, 2025
dd49a78
add change log
geoffcline Aug 7, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions latest/ug/automode/auto-change.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,11 @@ To receive notifications of all source file changes to this specific documentati
https://github.com/awsdocs/amazon-eks-user-guide/commits/mainline/latest/ug/automode/auto-change.adoc.atom
----

== August 6, 2025

*Feature:* Added new configuration on the NodeClass `spec.advancedNetworking.associatePublicIPAddress` which can be used to prevent public IP addresses from being assigned to EKS Auto Mode Nodes


== June 30, 2025

*Feature:* The Auto Mode NodeClass now uses the configued custom KMS key to encrypt the read-only root volume of the instance, in addition to the read/write data volume. Previously, the custom KMS key was only used to encrypt the data volume.
Expand Down
20 changes: 20 additions & 0 deletions latest/ug/automode/auto-controls.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -81,3 +81,23 @@ It's important *not* to use the `ec2:Owner` context key. Amazon owns the EKS Aut
|us-west-1 |975050035094
|us-west-2 |767397842682
|===

== Associate Public IP address

When `ec2:RunInstances` is called the `AssociatePublicIpAddress` field for an instance launch is determined automatically by the type of subnet that the instance is being launched into.
An SCP may be used to enforce that this value is explicitly set to false, regardless of the type of subnet being launched into.
In this case the NodeClass field `spec.advancedNetworking.associatePublicIPAddress` can also be set to false to satisfy the requirements of the SCP.

```json
{
"Sid": "DenyPublicEC2IPAddesses",
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": "arn:aws:ec2:*:*:network-interface/*",
"Condition": {
"BoolIfExists": {
"ec2:AssociatePublicIpAddress": "true"
}
}
}
```
8 changes: 6 additions & 2 deletions latest/ug/automode/create-node-class.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -175,9 +175,13 @@ spec:
# Key Alias Name
# Key Alias ARN

# Optional: Forward proxy, commonly requires certificateBundles as well
#for EC2, see https://repost.aws/knowledge-center/eks-http-proxy-containerd-automation
advancedNetworking:
# Optional: Controls whether public IP addresses are assigned to instances that are launched with the nodeclass.
# If not set, defaults to the MapPublicIpOnLaunch setting on the subnet.
associatePublicIPAddress: false

# Optional: Forward proxy, commonly requires certificateBundles as well
# for EC2, see https://repost.aws/knowledge-center/eks-http-proxy-containerd-automation
httpsProxy: http://192.0.2.4:3128 #commonly port 3128 (Squid) or 8080 (NGINX) #Max 255 characters
#httpsProxy: http://[2001:db8::4]:3128 # IPv6 address with port, use []
noProxy: #Max 50 entries
Expand Down