Add no-public-ip option to instance groups #266
Comments
I think this should then coincide with how nodes are put into (public/private) subnets as well to follow AWS best practices. That way we could have all our backend services in a private subnet and only frontend services on nodes in a public subnet.
We would be looking to run all nodes in private subnets, including master nodes (which might actually be the only nodes depending on the deployment size). Any API or other traffic coming into the cluster from outside would be proxied through ELBs or some other means. I can see the need to run an instance group in a public subnet for providing public services depending on the type of infrastructure being run. However, I would say this would be the exception in use cases for many AWS users who are trying to run some services in a VPC setup that won't raise red flags during security reviews. In that use case the bog standard minimal DMZ with bastions + private subnets for everything else is going to raise the fewest eyebrows.
@kris-nova here is another one for you :)
This is implemented: we have topologies & a no-public-ip option on the instance group. If anything, we shouldn't have both options, but this is fixed.
We should be able to configure instance groups to not get a public IP.
This won't work for the master unless users have a VPC or bastion host though. But it is a good idea for the nodes.