Module 2 - Getting Started

In this section we will put in place the AWS infrastructure to deploy the AWS EKS cluster and the Calico Cloud Egress Gateway.

Note: During this workshop we'll set up several environment variables. If your terminal session restarts, you may need to reload them, which you can do with the following command:

source ~/egwLabVars.env

  1. Define the initial environment variables for your EKS cluster:

    export CLUSTERNAME=calico-egw
    export REGION=ca-central-1
    export K8SVERSION=1.25
    export INSTANCETYPE=t3.large
    export KEYPAIRNAME=calico-egw-key

    Persist the environment variables for later sessions in case of disconnection.

    echo "# Start Egress Gateway Lab Params" > ~/egwLabVars.env
    echo export CLUSTERNAME=$CLUSTERNAME >> ~/egwLabVars.env
    echo export REGION=$REGION >> ~/egwLabVars.env
    echo export K8SVERSION=$K8SVERSION >> ~/egwLabVars.env
    echo export INSTANCETYPE=$INSTANCETYPE >> ~/egwLabVars.env
    echo export KEYPAIRNAME=$KEYPAIRNAME >> ~/egwLabVars.env
  2. Create a key pair if you don't have one or don't want to reuse an existing one. Otherwise, just make sure that the KEYPAIRNAME environment variable is set to the name of your existing key pair.

    aws ec2 create-key-pair \
      --key-name $KEYPAIRNAME \
      --key-type rsa \
      --region $REGION \
      --query 'KeyMaterial' \
      --output text > ~/.ssh/$KEYPAIRNAME.pem

    Change the permissions of the private key.

    chmod 400 ~/.ssh/$KEYPAIRNAME.pem && \
    ls -la ~/.ssh/$KEYPAIRNAME.pem

    The expected output is:

    -r--------  1 regis  staff  1679 17 Apr 11:07 /Users/regis/.ssh/calico-egw-key.pem
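The `echo export ... >> ~/egwLabVars.env` lines in this step and the ones that follow append a new line every time a step is re-run, and they will persist an empty value if the command that should have produced it failed. The helper below is an added example, not part of the workshop, that persists a variable idempotently, refuses empty values, and checks that required variables are set after `source ~/egwLabVars.env`; `EGW_ENV_FILE` is an assumed override for the file path.

```shell
#!/usr/bin/env sh
# Added helper, not part of the workshop: a safer way to persist the lab variables
# that the steps append to ~/egwLabVars.env with `echo export ... >>`.
# EGW_ENV_FILE is an assumed override (defaults to the workshop's file).
EGW_ENV_FILE="${EGW_ENV_FILE:-$HOME/egwLabVars.env}"

# persist_var NAME VALUE
# Writes "export NAME=VALUE" to the env file, replacing any earlier line for NAME
# (re-running a step no longer leaves duplicate definitions). Writes nothing and
# returns 1 if VALUE is empty, so a failed `aws` call is not persisted as an
# empty variable that silently breaks later modules.
persist_var() {
  name="$1"; value="$2"
  case "$name" in
    ""|*[!A-Za-z0-9_]*) echo "persist_var: invalid variable name '$name'" >&2; return 2 ;;
  esac
  if [ -z "$value" ]; then
    echo "persist_var: refusing to persist empty value for $name" >&2
    return 1
  fi
  [ -f "$EGW_ENV_FILE" ] || echo "# Start Egress Gateway Lab Params" > "$EGW_ENV_FILE"
  tmp="$(mktemp)"
  grep -v "^export $name=" "$EGW_ENV_FILE" > "$tmp" || true   # drop the old definition
  printf 'export %s=%s\n' "$name" "$value" >> "$tmp"
  mv "$tmp" "$EGW_ENV_FILE"
  export "$name=$value"   # also set it in the current shell
}

# require_vars NAME... : returns 1 if any listed variable is unset or empty,
# a quick check to run at the start of a module after `source ~/egwLabVars.env`.
require_vars() {
  missing=0
  for n in "$@"; do
    case "$n" in ""|*[!A-Za-z0-9_]*) echo "require_vars: invalid name '$n'" >&2; return 2 ;; esac
    eval "v=\${$n:-}"
    if [ -z "$v" ]; then echo "require_vars: $n is not set" >&2; missing=1; fi
  done
  return $missing
}

# count_var NAME : how many definitions of NAME the env file holds (expect 0 or 1).
count_var() { grep -c "^export $1=" "$EGW_ENV_FILE" || true; }

# Example usage in a workshop step, e.g. right after creating the VPC:
#   persist_var VPCID "$VPCID" || echo "VPC creation failed, VPCID not persisted"
```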
    

Build the network infrastructure by creating a VPC.

We will not need many IP addresses, so a /25 network is enough to demonstrate the concept. Let's create /27 subnets for EKS to deploy its nodes into, and for the egress gateway to bind its interface to.

The final subnet segmentation of the VPC CIDR block 192.168.0.0/25 will look like:

| Subnet address   |  Range of addresses | Description                                 | 
| ---------------- | ------------------- | ------------------------------------------- |
| 192.168.0.0/27   | 192.168.0.0 - 31    | EKS public subnet in AZ1                    |
| 192.168.0.32/27  | 192.168.0.32 - 63   | EKS public subnet in AZ2                    |
| 192.168.0.64/27  | 192.168.0.64 - 95   | Egress gateway IPPool public subnet in AZ1  |
| 192.168.0.96/27  | 192.168.0.96 - 127  | Egress gateway IPPool public subnet in AZ2  |
 

The diagram below shows all the elements that will be created in this step.

(Diagram: EKS created subnets)

  1. Define the availability zones to be used

    As we will only use two AZs in this workshop, let's get them mapped into the environment variables AZ1 and AZ2:

    export AZ1=$(aws ec2 describe-availability-zones --region $REGION --query 'AvailabilityZones[0].ZoneName' --output text)
    # Persist for later sessions in case of disconnection.
    echo export AZ1=$AZ1 >> ~/egwLabVars.env
    export AZ2=$(aws ec2 describe-availability-zones --region $REGION --query 'AvailabilityZones[1].ZoneName' --output text)
    # Persist for later sessions in case of disconnection.
    echo export AZ2=$AZ2 >> ~/egwLabVars.env
  2. Create a VPC.

    # Use command substitution rather than piping into `export`: in bash the last
    # command of a pipeline runs in a subshell, so the variable would be lost.
    export VPCID=$(aws ec2 create-vpc \
      --region $REGION \
      --cidr-block 192.168.0.0/25 \
      --query 'Vpc.VpcId' \
      --output text \
      --tag-specifications ResourceType=vpc,Tags=\[\{Key=Name,Value=$CLUSTERNAME-vpc\}\]) \
      && echo $VPCID
    # Persist for later sessions in case of disconnection.
    echo export VPCID=$VPCID >> ~/egwLabVars.env
  3. Set the DNS hostnames parameter to Enabled in the VPC.

    aws ec2 modify-vpc-attribute \
      --region $REGION \
      --vpc-id $VPCID \
      --enable-dns-hostnames "{\"Value\":true}" 
  4. Create an Internet Gateway

    # Command substitution so the variable is set in the current shell.
    export INETGWID=$(aws ec2 create-internet-gateway \
      --region $REGION \
      --query 'InternetGateway.InternetGatewayId' \
      --output text) && echo $INETGWID
    # Persist for later sessions in case of disconnection.
    echo export INETGWID=$INETGWID >> ~/egwLabVars.env
  5. Attach the Internet Gateway to the VPC

    aws ec2 attach-internet-gateway \
      --region $REGION \
      --internet-gateway-id $INETGWID \
      --vpc-id $VPCID
  6. Create the subnets

    # Command substitution so each subnet ID is set in the current shell.
    export SUBNETPUBEKS1AID=$(aws ec2 create-subnet \
      --vpc-id $VPCID \
      --region $REGION \
      --cidr 192.168.0.0/27 \
      --availability-zone $AZ1 \
      --query 'Subnet.SubnetId' \
      --output text \
      --tag-specifications ResourceType=subnet,Tags=\[\{Key=Name,Value=SubnetPublicEKS1A\}\]) \
      && echo $SUBNETPUBEKS1AID
    # Persist for later sessions in case of disconnection.
    echo export SUBNETPUBEKS1AID=$SUBNETPUBEKS1AID >> ~/egwLabVars.env
    export SUBNETPUBEKS1BID=$(aws ec2 create-subnet \
      --vpc-id $VPCID \
      --region $REGION \
      --cidr 192.168.0.32/27 \
      --availability-zone $AZ2 \
      --query 'Subnet.SubnetId' \
      --output text \
      --tag-specifications ResourceType=subnet,Tags=\[\{Key=Name,Value=SubnetPublicEKS1B\}\]) \
      && echo $SUBNETPUBEKS1BID
    # Persist for later sessions in case of disconnection.
    echo export SUBNETPUBEKS1BID=$SUBNETPUBEKS1BID >> ~/egwLabVars.env
    export SUBNETPUBEGW1AID=$(aws ec2 create-subnet \
      --vpc-id $VPCID \
      --region $REGION \
      --cidr 192.168.0.64/27 \
      --availability-zone $AZ1 \
      --query 'Subnet.SubnetId' \
      --output text \
      --tag-specifications ResourceType=subnet,Tags=\[\{Key=Name,Value=SubnetPublicEGW1A\}\]) \
      && echo $SUBNETPUBEGW1AID
    # Persist for later sessions in case of disconnection.
    echo export SUBNETPUBEGW1AID=$SUBNETPUBEGW1AID >> ~/egwLabVars.env
    export SUBNETPUBEGW1BID=$(aws ec2 create-subnet \
      --vpc-id $VPCID \
      --region $REGION \
      --cidr 192.168.0.96/27 \
      --availability-zone $AZ2 \
      --query 'Subnet.SubnetId' \
      --output text \
      --tag-specifications ResourceType=subnet,Tags=\[\{Key=Name,Value=SubnetPublicEGW1B\}\]) \
      && echo $SUBNETPUBEGW1BID
    # Persist for later sessions in case of disconnection.
    echo export SUBNETPUBEGW1BID=$SUBNETPUBEGW1BID >> ~/egwLabVars.env
  7. Set Auto-assign public IPv4 address to Yes on all four subnets

    aws ec2 modify-subnet-attribute \
       --subnet-id $SUBNETPUBEKS1AID \
       --region $REGION \
       --map-public-ip-on-launch "{\"Value\":true}" 
    
    aws ec2 modify-subnet-attribute \
       --subnet-id $SUBNETPUBEKS1BID \
       --region $REGION \
       --map-public-ip-on-launch "{\"Value\":true}" 
    
    aws ec2 modify-subnet-attribute \
       --subnet-id $SUBNETPUBEGW1AID \
       --region $REGION \
       --map-public-ip-on-launch "{\"Value\":true}" 
    
    aws ec2 modify-subnet-attribute \
       --subnet-id $SUBNETPUBEGW1BID \
       --region $REGION \
       --map-public-ip-on-launch "{\"Value\":true}" 
  8. Retrieve the route table ID of the VPC's default (main) route table.

    # A new VPC has a single (main) route table; awk keeps the first ID if more are listed.
    export RTTABLEID=$(aws ec2 describe-route-tables \
      --region $REGION \
      --filters "Name=vpc-id,Values=$VPCID" \
      --query 'RouteTables[*].RouteTableId' \
      --output text | awk '{print $1}') && echo $RTTABLEID
    # Persist for later sessions in case of disconnection.
    echo export RTTABLEID=$RTTABLEID >> ~/egwLabVars.env
  9. Create the default route (0.0.0.0/0) through the Internet Gateway

    aws ec2 create-route \
      --region $REGION \
      --route-table-id $RTTABLEID \
      --destination-cidr-block 0.0.0.0/0 \
      --gateway-id $INETGWID \
      --no-cli-pager
  10. Associate all subnets with the default route table

    aws ec2 associate-route-table \
      --region $REGION \
      --route-table-id $RTTABLEID \
      --subnet-id $SUBNETPUBEKS1AID \
      --output text \
      --no-cli-pager
    
    aws ec2 associate-route-table \
      --region $REGION \
      --route-table-id $RTTABLEID \
      --subnet-id $SUBNETPUBEKS1BID \
      --output text \
      --no-cli-pager
    
    aws ec2 associate-route-table \
      --region $REGION \
      --route-table-id $RTTABLEID \
      --subnet-id $SUBNETPUBEGW1AID \
      --output text \
      --no-cli-pager
    
    aws ec2 associate-route-table \
      --region $REGION \
      --route-table-id $RTTABLEID \
      --subnet-id $SUBNETPUBEGW1BID \
      --output text \
      --no-cli-pager
  11. Allocate two Elastic IP addresses; they will be used by the egress gateway in Module 9.

    # Text output columns are sorted by key: $1 is the AllocationId, $4 the PublicIp.
    export EIPINFO=$(aws ec2 allocate-address \
      --region $REGION \
      --domain vpc \
      --no-cli-pager \
      --output text | awk '{print $1, $4}')
    export EIPALLOCATION1=$(echo $EIPINFO | awk '{print $1}')
    export EIPADDRESS1=$(echo $EIPINFO | awk '{print $2}')
    # Persist for later sessions in case of disconnection.
    echo export EIPALLOCATION1=$EIPALLOCATION1 >> ~/egwLabVars.env
    echo export EIPADDRESS1=$EIPADDRESS1 >> ~/egwLabVars.env
    export EIPINFO=$(aws ec2 allocate-address \
      --region $REGION \
      --domain vpc \
      --no-cli-pager \
      --output text | awk '{print $1, $4}')
    export EIPALLOCATION2=$(echo $EIPINFO | awk '{print $1}')
    export EIPADDRESS2=$(echo $EIPINFO | awk '{print $2}')
    # Persist for later sessions in case of disconnection.
    echo export EIPALLOCATION2=$EIPALLOCATION2 >> ~/egwLabVars.env
    echo export EIPADDRESS2=$EIPADDRESS2 >> ~/egwLabVars.env
  12. Create the tigera-egw-policy IAM policy, which allows the egress gateway to associate and disassociate IP addresses with the ENI. Make sure you are in the repository directory that you just cloned before running this command, since the policy document is read from scripts/egw-policy.json.

    export TIGERAEGWPOLICYARN=$(aws iam create-policy \
      --policy-name tigera-egw-policy \
      --query 'Policy.Arn' \
      --output text \
      --no-cli-pager \
      --policy-document file://scripts/egw-policy.json) \
      && echo $TIGERAEGWPOLICYARN
    # Persist for later sessions in case of disconnection.
    echo export TIGERAEGWPOLICYARN=$TIGERAEGWPOLICYARN >> ~/egwLabVars.env

I will create a script to automate these tasks in a future version, I promise. 😸


➡️ Module 3 - Deploy an AWS EKS cluster using Calico CNI

⬅️ Module 1 - Prerequisites
↩️ Back to Main