From 7db305d9fb2c773241c93bb84db6847cc829fa3c Mon Sep 17 00:00:00 2001 From: Tristan Otterpohl <82106086+Otterpohl@users.noreply.github.com> Date: Thu, 18 Dec 2025 14:55:17 +0000 Subject: [PATCH 1/4] Route 53 Resolver now supports AWS PrivateLink --- latest/ug/clusters/private-clusters.adoc | 1 - 1 file changed, 1 deletion(-) diff --git a/latest/ug/clusters/private-clusters.adoc b/latest/ug/clusters/private-clusters.adoc index 9018288b2..af85a8929 100644 --- a/latest/ug/clusters/private-clusters.adoc +++ b/latest/ug/clusters/private-clusters.adoc 
@@ -128,7 +128,6 @@ We recommend that you link:vpc/latest/privatelink/interface-endpoints.html#enabl |=== * Any self-managed nodes must be deployed to subnets that have the VPC interface endpoints that you require. If you create a managed node group, the VPC interface endpoint security group must allow the CIDR for the subnets, or you must add the created node security group to the VPC interface endpoint security group. * *EFS storage* - If your Pods use Amazon EFS volumes, then before deploying the <>, the driver's https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/deploy/kubernetes/overlays/stable/kustomization.yaml[kustomization.yaml] file must be changed to set the container images to use the same {aws} Region as the Amazon EKS cluster. -* Route53 does not support {aws} PrivateLink. You cannot manage Route53 DNS records from a private Amazon EKS cluster. This impacts Kubernetes https://github.com/kubernetes-sigs/external-dns[external-dns]. * If you use the EKS Optimized AMI, you should enable the `ec2` endpoint in the table above. Alternatively, you can manually set the Node DNS name. The optimized AMI uses EC2 APIs to set the node DNS name automatically. * You can use the <> to deploy {aws} Application Load Balancers (ALB) and Network Load Balancers to your private cluster. When deploying it, you should use https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/deploy/configurations/#controller-command-line-flags[command line flags] to set `enable-shield`, `enable-waf`, and `enable-wafv2` to false. https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/guide/ingress/cert_discovery/#discover-via-ingress-rule-host[Certificate discovery] with hostnames from Ingress objects isn't supported. This is because the controller needs to reach {aws} Certificate Manager, which doesn't have a VPC interface endpoint. + From 9cbb5402f7c19d38ecd4bd2ca8f6769ba56c208a Mon Sep 17 00:00:00 2001 
From: Tristan Otterpohl <82106086+Otterpohl@users.noreply.github.com> Date: Thu, 18 Dec 2025 14:59:13 +0000 Subject: [PATCH 2/4] Update private-clusters.adoc with Route 53 detail Added Amazon Route 53 service information to the documentation. --- latest/ug/clusters/private-clusters.adoc | 3 +++ 1 file changed, 3 insertions(+) diff --git a/latest/ug/clusters/private-clusters.adoc b/latest/ug/clusters/private-clusters.adoc index af85a8929..a8c4801d1 100644 --- a/latest/ug/clusters/private-clusters.adoc +++ b/latest/ug/clusters/private-clusters.adoc @@ -125,6 +125,9 @@ We recommend that you link:vpc/latest/privatelink/interface-endpoints.html#enabl |Amazon EKS |com.amazonaws.[.replaceable]`region-code`.eks +|Amazon Route 53 +|com.amazonaws.[.replaceable]`region-code`.route53 + |=== * Any self-managed nodes must be deployed to subnets that have the VPC interface endpoints that you require. If you create a managed node group, the VPC interface endpoint security group must allow the CIDR for the subnets, or you must add the created node security group to the VPC interface endpoint security group. * *EFS storage* - If your Pods use Amazon EFS volumes, then before deploying the <>, the driver's https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/deploy/kubernetes/overlays/stable/kustomization.yaml[kustomization.yaml] file must be changed to set the container images to use the same {aws} Region as the Amazon EKS cluster. From 61f20250bc496b7856b2debdb9d5c837b6cf9caa Mon Sep 17 00:00:00 2001 From: Tristan Otterpohl <82106086+Otterpohl@users.noreply.github.com> Date: Thu, 18 Dec 2025 15:01:15 +0000 Subject: [PATCH 3/4] Route 53 VPC Endpoint is global --- latest/ug/clusters/private-clusters.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/clusters/private-clusters.adoc b/latest/ug/clusters/private-clusters.adoc index a8c4801d1..6e46a1a91 100644 --- a/latest/ug/clusters/private-clusters.adoc 
+++ b/latest/ug/clusters/private-clusters.adoc @@ -126,7 +126,7 @@ We recommend that you link:vpc/latest/privatelink/interface-endpoints.html#enabl |com.amazonaws.[.replaceable]`region-code`.eks |Amazon Route 53 -|com.amazonaws.[.replaceable]`region-code`.route53 +|com.amazonaws.[.replaceable].route53 |=== * Any self-managed nodes must be deployed to subnets that have the VPC interface endpoints that you require. If you create a managed node group, the VPC interface endpoint security group must allow the CIDR for the subnets, or you must add the created node security group to the VPC interface endpoint security group. From 5a0183bd1b8a2b6a4fbc70d67d20a438bbff041f Mon Sep 17 00:00:00 2001 From: Tristan Otterpohl <82106086+Otterpohl@users.noreply.github.com> Date: Thu, 18 Dec 2025 15:11:18 +0000 Subject: [PATCH 4/4] Fix Amazon Route 53 service identifier in documentation Corrected the Amazon Route 53 service identifier format. --- latest/ug/clusters/private-clusters.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/ug/clusters/private-clusters.adoc b/latest/ug/clusters/private-clusters.adoc index 6e46a1a91..8f503f02a 100644 --- a/latest/ug/clusters/private-clusters.adoc +++ b/latest/ug/clusters/private-clusters.adoc @@ -126,7 +126,7 @@ We recommend that you link:vpc/latest/privatelink/interface-endpoints.html#enabl |com.amazonaws.[.replaceable]`region-code`.eks |Amazon Route 53 -|com.amazonaws.[.replaceable].route53 +|com.amazonaws.route53 |=== * Any self-managed nodes must be deployed to subnets that have the VPC interface endpoints that you require. If you create a managed node group, the VPC interface endpoint security group must allow the CIDR for the subnets, or you must add the created node security group to the VPC interface endpoint security group.
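Review bot: In PATCH 1/4, deleting the bullet "Route53 does not support {aws} PrivateLink ... This impacts Kubernetes external-dns" drops the only place the page tells readers what external-dns needs, and this commit does not add the replacement endpoint row (that arrives in PATCH 2/4). A reader of this commit alone could conclude that Route 53 record management works from a private cluster with no extra endpoint. Suggest either folding the table row into this commit or rewording the bullet instead of removing it, e.g. "To manage Route 53 DNS records (for example with external-dns) from a private cluster, create the Route 53 interface endpoint listed in the table above." Also, the diffstat reports "1 deletion(-)" only, yet the hunk ends with a lone "+" line and a header of "-128,7 +128,6"; please confirm that trailing "+" is extraction noise rather than a stray blank line added to the adoc source.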
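Review bot: In PATCH 2/4, the new row "|com.amazonaws.[.replaceable]`region-code`.route53" carries a Region placeholder that the author's own PATCH 3/4 commit message ("Route 53 VPC Endpoint is global") says does not belong there, so this commit publishes an identifier that does not resolve. Since the correction is part of the same series, squash PATCH 2/4 through 4/4 into a single commit so that "com.amazonaws.route53" is the only version that ever appears in history; bisecting or cherry-picking a docs commit that names a non-existent endpoint service is a trap for anyone automating endpoint creation from the table. The two-line row format itself matches the existing "|Amazon EKS |com.amazonaws.[.replaceable]`region-code`.eks" entry, which is fine.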
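Review bot: In PATCH 3/4, the line "+|com.amazonaws.[.replaceable].route53" leaves an empty AsciiDoc role marker "[.replaceable]" with nothing after it, so the cell would render as a stray bracket expression rather than a service name; the intermediate state is broken until PATCH 4/4 removes it. Given the commit message already states the endpoint is global, the right change here is the one PATCH 4/4 makes ("com.amazonaws.route53"), and this commit should be squashed away. Consider also saying in prose next to the table that Route 53 is a global service, because every other row in the table has a Region component and readers will otherwise try to substitute one.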
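Review bot: In PATCH 4/4, "+|com.amazonaws.route53" is the correct final form, but the series still leaves a documentation gap created by PATCH 1/4: nothing in the bullets below the table now tells readers which workloads need this endpoint. The existing bullets do this for the other endpoints (for example "If you use the EKS Optimized AMI, you should enable the `ec2` endpoint in the table above"), so a matching bullet such as "If you use external-dns to manage Route 53 records, enable the Route 53 endpoint in the table above" would keep the section consistent and preserve the external-dns guidance the removed bullet used to carry. The unchanged context line about the endpoint security group allowing the node subnet CIDRs applies to this endpoint as well, so it may be worth stating that it is not exempt from that requirement.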