AWS Certified Solutions Architect - Associate
Get started today
Ultimate access to all questions.
Deep dive into the quiz with AI chat providers.
We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.
A company is running a microservices application on Amazon EC2 instances. The company wants to migrate the application to an Amazon Elastic Kubernetes Service (Amazon EKS) cluster for scalability. The company must configure the Amazon EKS control plane with endpoint private access set to true and endpoint public access set to false to maintain security compliance. The company must also put the data plane in private subnets. However, the company has received error notifications because the node cannot join the cluster.
Which solution will allow the node to join the cluster?
Other
Community
UAnonymous
A
Grant the required permission in AWS Identity and Access Management (IAM) to the AmazonEKSNodeRole IAM role.
B
Create interface VPC endpoints to allow nodes to access the control plane.
C
Recreate nodes in the public subnet. Restrict security groups for EC2 nodes.
D
Allow outbound traffic in the security group of the nodes.
Explanation:
Explanation
When an Amazon EKS cluster is configured with:
- Endpoint private access = true (control plane accessible only from within the VPC)
- Endpoint public access = false (control plane not accessible from the internet)
- Data plane nodes in private subnets (no internet access)
The nodes cannot reach the EKS control plane because:
- Private subnets have no internet access
- The control plane is not publicly accessible
- The nodes need to communicate with the EKS API server
Solution B is correct: Create interface VPC endpoints to allow nodes to access the control plane.
Why this works:
- Interface VPC endpoints create private connectivity between your VPC and AWS services
- They allow resources in private subnets to access EKS API without internet access
- The nodes can communicate with the control plane through AWS PrivateLink
Why other options are incorrect:
- A: IAM permissions are important for node authentication, but the primary issue is network connectivity
- C: Moving nodes to public subnets would violate security compliance requirements
- D: Outbound traffic alone won't help since private subnets can't reach the private EKS endpoint without VPC endpoints
Key AWS concepts:
- EKS control plane endpoints (public vs private)
- VPC endpoints (Interface endpoints for EKS)
- Private subnets vs public subnets
- AWS PrivateLink for private service access
Comments
Loading comments...