Option to disable NAT gateway #694

Closed
mcfedr opened this issue Apr 2, 2019 · 5 comments · Fixed by #861

Comments

@mcfedr
Contributor

commented Apr 2, 2019

Why do you want this feature?

Creating the NAT gateway is an unneeded cost when nodes are going to be in public nodegroups anyway.

What feature/behavior/change do you want?

I don't know if it's best to disable private subnets and the gateway with the same flag, probably makes it a much more complicated feature request, but it is an option.

I'm thinking just '--no-nat-gateway' for create cluster.

See also

Seems that gateway provisioning is of limited usefulness anyway, #392

@cdenneen


commented Apr 2, 2019

@mcfedr you can have public subnets with Managed-NAT (really depends upon VPC topology and how network routing tables are configured) as well in some cases so maybe an option to disable NAT gateway should be completely independent of public/private use case.

@errordeveloper

Member

commented Apr 3, 2019

> I'm thinking just '--no-nat-gateway' for create cluster.

@mcfedr yes, something of that sort, but let's consider making this a config file option to begin with, as it's relatively advanced.

Perhaps something like

```yaml
vpc:
  natGateway:
    mode: <none|single|ha>
```

We might want to provide more options here in the future, such as using pre-allocated IPs or flexible per-zone config, so seems plausible to add a sub-section.

> an option to disable NAT gateway should be completely independent of public/private use case

@cdenneen I suppose it could be, at least in theory, as one should be able to deploy private nodegroup without access to the internet... however until recently EKS control plane was only reachable via the internet, and that's not been fixed. One other thing to look into is ECR, as all of the default add-on images are in ECR.

@mcfedr

Contributor Author

commented Apr 3, 2019

Maybe the simple option then is '--no-private-subnets' - I guess for me, this was an unexpected cost, and one I don't need, and I wanted a simple way to disable it - in my mind the private subnets are a more advanced option - if it was me I'd default to not having private subnets, but seems that would be a bigger change as it changes the existing behaviour.

Or maybe --num-private-subnets and it defaults to 3, with a NAT gateway in each (for HA) and then I can set it to 0.

@errordeveloper

Member

commented Apr 3, 2019

@mcfedr

Contributor Author

commented Apr 3, 2019

So far I've been using the commands, but actually very much in favour of the config file approach

3 participants