For administrators
Enabling VPN-only access
## Introduction

By default, an EKS cluster's API endpoint is exposed to the public internet, so that all resources can be created inside the cluster properly when the cluster is spun up. However, for security reasons we strongly recommend either disabling public access (and using the built-in VPN connection to the cluster) or limiting the IP addresses from which the EKS cluster API can be reached to trusted addresses (i.e. the company VPN). This limits access to the cluster resources (projects) to people who are connected to the cluster via VPN.

## Prerequisites

To connect to the VPN, you need to have an OpenVPN client installed.

## Connect to VPN

Before you disable public access to the cluster, make sure you are ready for private access through the VPN:

1. Visit the `vpn.<hostedzonename>` S3 bucket through the AWS console and download the `<yourusername>_<clustername>.ovpn` file.
2. Double-click the file to import it into the OpenVPN client (or just drag and drop it into the open application window).
3. Once imported, make sure you can connect to the VPN.

## Disable public cluster access (access only through VPN)

1. Open `main.tf` and scroll down to the section with the cluster you want to disable public access to.
2. Within the cluster section, find the cluster endpoint access control variables:

   ```hcl
   module "cluster_unicorn" {
     # ...
     #cluster_endpoint_public_access      = false
     cluster_endpoint_public_access       = true
     cluster_endpoint_public_access_cidrs = ["0.0.0.0/0"]
     # other variables
   }
   ```

3. Uncomment the `cluster_endpoint_public_access = false` line.
4. Comment out the `cluster_endpoint_public_access = true` and `cluster_endpoint_public_access_cidrs = ["0.0.0.0/0"]` lines.
5. While making sure you still have an active VPN connection, run the `tofu apply` command.

Once the changes are applied successfully, you shouldn't be able to access the hosting infrastructure without a VPN connection.
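After `tofu apply` finishes, it is worth confirming from the AWS side that the endpoint really is no longer public, rather than trusting the plan output alone. The following script is an added example, not part of this documentation or the cluster module: it reads the JSON that `aws eks describe-cluster --name <clustername>` prints and classifies the endpoint's exposure from the `resourcesVpcConfig` block (`endpointPublicAccess`, `endpointPrivateAccess`, `publicAccessCidrs`, which are the real field names in that API response). The sample cluster documents embedded in it are constructed for illustration and do not describe a real cluster.

```python
"""Check an EKS cluster's API endpoint exposure from `aws eks describe-cluster` output.

Usage after applying the change:
    aws eks describe-cluster --name <clustername> | python3 check_eks_endpoint.py
Run with no piped input and it evaluates the constructed samples below instead.
"""
import ipaddress
import json
import sys


def assess_endpoint_access(cluster: dict) -> dict:
    """Classify endpoint exposure from the `resourcesVpcConfig` block of one cluster."""
    vpc = cluster["resourcesVpcConfig"]
    public = vpc.get("endpointPublicAccess", False)
    private = vpc.get("endpointPrivateAccess", False)
    cidrs = vpc.get("publicAccessCidrs", [])
    findings = []

    # An allow-list entry with prefix length 0 (0.0.0.0/0 or ::/0) admits the whole internet,
    # so a "restricted" public endpoint with such an entry is not restricted at all.
    open_to_world = [c for c in cidrs if ipaddress.ip_network(c, strict=False).prefixlen == 0]

    if public and open_to_world:
        status = "public-open"
        findings.append(f"endpoint reachable from anywhere: {open_to_world}")
    elif public:
        status = "public-restricted"
        findings.append(f"endpoint reachable from allow-listed CIDRs only: {cidrs}")
    else:
        status = "private-only"

    if not private:
        # With public access off and private access off too, VPN clients inside the VPC
        # would have no endpoint to reach; flag it regardless of the public setting.
        findings.append("endpointPrivateAccess is false; VPN-only access will not work")

    return {"status": status, "public": public, "private": private, "findings": findings}


# Constructed samples mimicking `aws eks describe-cluster` output (no real cluster).
SAMPLE_OPEN = {
    "cluster": {
        "name": "example-before",
        "resourcesVpcConfig": {
            "endpointPublicAccess": True,
            "endpointPrivateAccess": True,
            "publicAccessCidrs": ["0.0.0.0/0"],
        },
    }
}
SAMPLE_VPN_ONLY = {
    "cluster": {
        "name": "example-after",
        "resourcesVpcConfig": {
            "endpointPublicAccess": False,
            "endpointPrivateAccess": True,
            "publicAccessCidrs": [],
        },
    }
}


def report(doc: dict) -> str:
    """Human-readable one-block summary for a describe-cluster document."""
    result = assess_endpoint_access(doc["cluster"])
    lines = [f"{doc['cluster'].get('name', '?')}: {result['status']}"]
    lines.extend(f"  - {f}" for f in result["findings"])
    return "\n".join(lines)


if __name__ == "__main__":
    if sys.stdin.isatty():
        print(report(SAMPLE_OPEN))
        print(report(SAMPLE_VPN_ONLY))
    else:
        doc = json.load(sys.stdin)
        print(report(doc))
        # Non-zero exit lets a CI step fail when the endpoint is still open to the world.
        sys.exit(1 if assess_endpoint_access(doc["cluster"])["status"] == "public-open" else 0)
```

A `public-open` verdict means the cluster is still in the "before" state of the procedure above; `private-only` with no findings is the state you expect once the `cluster_endpoint_public_access = false` change has been applied. The exit code makes the check usable as a gate in a pipeline that runs after `tofu apply`.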