
Answer-first summary for fast verification
Answer: Create interface VPC endpoints to allow nodes to access the control plane.
## Explanation

When an Amazon EKS cluster is configured with:

- **Endpoint private access = true** (the API server is reachable only from inside the VPC, through the elastic network interfaces EKS places in the cluster subnets)
- **Endpoint public access = false** (there is no internet-facing API server endpoint)
- **Data plane nodes in private subnets** (no NAT gateway or other route to the internet)

the nodes fail to join for a network reason, not an authentication one:

1. The kubelet can still reach the private API server endpoint, because that endpoint lives inside the VPC.
2. Before it can register, though, a node must pull the kube-proxy, VPC CNI and CoreDNS images from Amazon ECR (whose image layers are served from Amazon S3), and the VPC CNI then needs the Amazon EC2 API to manage network interfaces. Those are regional AWS service endpoints outside the VPC.
3. A private subnet with no NAT gateway has no route to them, so the image pulls time out and the node never becomes Ready.

**Solution B is correct**: Create interface VPC endpoints to allow nodes to access the control plane. (The option's wording is loose: what the endpoints actually provide is private access to the AWS service APIs the nodes call during bootstrap; the control plane endpoint itself is already private.)

**Why this works**:

- Interface VPC endpoints (AWS PrivateLink) put an elastic network interface for an AWS service inside your VPC, so traffic to that service never leaves the VPC.
- For a cluster like this the nodes need interface endpoints for `ecr.api` and `ecr.dkr`, a gateway endpoint for S3, and an `ec2` interface endpoint for the VPC CNI. Add `sts` if you use IAM roles for service accounts, and `eks` if node bootstrap calls the EKS DescribeCluster API (the EKS-optimized AMI's bootstrap script does so unless the API server endpoint and cluster CA are passed to it).
- Each interface endpoint needs private DNS enabled (with DNS support and DNS hostnames turned on for the VPC) so the normal service hostnames resolve to the endpoint, a security group that allows TCP 443 from the node security group, and a subnet in every Availability Zone the nodes use.

**Why other options are incorrect**:

- **A**: IAM permissions on the node role matter for authentication, but the node fails earlier, at image pull and service API calls; the fix is network connectivity.
- **C**: Moving nodes to public subnets restores internet egress but violates the compliance requirement that the data plane be private.
- **D**: The node security group almost certainly already allows all outbound traffic; the problem is that a private subnet has no route to the AWS service endpoints, and a security group rule cannot create one.

**Key AWS concepts**:

- EKS control plane endpoints (public vs private)
- VPC endpoints (interface endpoints for ECR, EC2 and STS; gateway endpoint for S3)
- Private subnets vs public subnets
- AWS PrivateLink for private service access
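The check a practitioner would run before (or after) choosing option B is an audit of which of those endpoints actually exist in the cluster's VPC and are usable. The script below is an added example, not part of the original page or any AWS tooling: it consumes dicts shaped like `aws eks describe-cluster` and `aws ec2 describe-vpc-endpoints` output (the sample values are constructed), reports each needed endpoint that is missing, of the wrong type, not available or lacking private DNS, and builds the `aws ec2 create-vpc-endpoint` / `modify-vpc-endpoint` commands that would fix the findings. The subnet, security group and route table IDs passed to it are placeholders you supply from your own VPC.

```python
"""Audit the VPC endpoints a fully private EKS cluster's nodes depend on.

Added example. The input dicts mirror the shape of `aws eks describe-cluster`
and `aws ec2 describe-vpc-endpoints` output; the values are constructed.
"""

# Service name suffix -> endpoint type. Interface endpoints use PrivateLink;
# S3 is a gateway endpoint. Comments say which part of node bootstrap needs it.
NEEDED_ENDPOINTS = {
    "ecr.api": "Interface",  # ECR GetAuthorizationToken before any image pull
    "ecr.dkr": "Interface",  # pulling kube-proxy, VPC CNI and CoreDNS images
    "s3": "Gateway",         # ECR serves image layers from S3
    "ec2": "Interface",      # VPC CNI (aws-node) manages ENIs via the EC2 API
    "sts": "Interface",      # IAM roles for service accounts (AssumeRoleWithWebIdentity)
}

SAMPLE_CLUSTER = {  # constructed: `aws eks describe-cluster --name payments`
    "cluster": {
        "name": "payments",
        "arn": "arn:aws:eks:us-east-1:123456789012:cluster/payments",
        "resourcesVpcConfig": {
            "vpcId": "vpc-0a1b2c3d4e5f67890",
            "endpointPublicAccess": False,
            "endpointPrivateAccess": True,
        },
    }
}

SAMPLE_ENDPOINTS = {  # constructed: `aws ec2 describe-vpc-endpoints`
    "VpcEndpoints": [
        {"VpcEndpointId": "vpce-0001", "ServiceName": "com.amazonaws.us-east-1.ecr.api",
         "VpcEndpointType": "Interface", "VpcId": "vpc-0a1b2c3d4e5f67890",
         "State": "available", "PrivateDnsEnabled": True},
        {"VpcEndpointId": "vpce-0002", "ServiceName": "com.amazonaws.us-east-1.ecr.dkr",
         "VpcEndpointType": "Interface", "VpcId": "vpc-0a1b2c3d4e5f67890",
         "State": "available", "PrivateDnsEnabled": False},  # hostname won't resolve to it
        {"VpcEndpointId": "vpce-0003", "ServiceName": "com.amazonaws.us-east-1.s3",
         "VpcEndpointType": "Gateway", "VpcId": "vpc-0a1b2c3d4e5f67890",
         "State": "available"},
    ]
}


def is_fully_private(cluster: dict) -> bool:
    """True when the API server has a private endpoint and no public one."""
    cfg = cluster["cluster"]["resourcesVpcConfig"]
    return bool(cfg["endpointPrivateAccess"]) and not cfg["endpointPublicAccess"]


def region_of(cluster: dict) -> str:
    """The region is the 4th colon-separated field of the cluster ARN."""
    return cluster["cluster"]["arn"].split(":")[3]


def _endpoints_in_vpc(cluster: dict, endpoints: dict) -> dict:
    vpc_id = cluster["cluster"]["resourcesVpcConfig"]["vpcId"]
    return {e["ServiceName"]: e for e in endpoints["VpcEndpoints"] if e["VpcId"] == vpc_id}


def audit_endpoints(cluster: dict, endpoints: dict) -> dict:
    """Map each needed service suffix to a problem string; empty dict means all good."""
    region = region_of(cluster)
    present = _endpoints_in_vpc(cluster, endpoints)
    problems = {}
    for suffix, kind in NEEDED_ENDPOINTS.items():
        ep = present.get(f"com.amazonaws.{region}.{suffix}")
        if ep is None:
            problems[suffix] = "missing"
        elif ep["VpcEndpointType"] != kind:
            problems[suffix] = f"wrong type {ep['VpcEndpointType']}, expected {kind}"
        elif ep["State"] != "available":
            problems[suffix] = f"state is {ep['State']}"
        elif kind == "Interface" and not ep.get("PrivateDnsEnabled", False):
            problems[suffix] = "private DNS disabled"
    return problems


def remediation_commands(cluster, endpoints, subnet_ids, sg_id, route_table_ids):
    """Build (not run) the aws CLI commands that would fix each finding.

    subnet_ids: private node subnets, one per AZ the nodes use (placeholders).
    sg_id: a security group allowing TCP 443 from the node security group.
    route_table_ids: route tables of the private subnets, for the S3 gateway.
    """
    region = region_of(cluster)
    vpc_id = cluster["cluster"]["resourcesVpcConfig"]["vpcId"]
    present = _endpoints_in_vpc(cluster, endpoints)
    cmds = []
    for suffix, problem in audit_endpoints(cluster, endpoints).items():
        svc = f"com.amazonaws.{region}.{suffix}"
        if problem == "private DNS disabled":
            cmds.append(f"aws ec2 modify-vpc-endpoint --vpc-endpoint-id "
                        f"{present[svc]['VpcEndpointId']} --private-dns-enabled")
        elif problem == "missing" and NEEDED_ENDPOINTS[suffix] == "Gateway":
            cmds.append(f"aws ec2 create-vpc-endpoint --vpc-id {vpc_id} --service-name {svc} "
                        f"--vpc-endpoint-type Gateway --route-table-ids {' '.join(route_table_ids)}")
        elif problem == "missing":
            cmds.append(f"aws ec2 create-vpc-endpoint --vpc-id {vpc_id} --service-name {svc} "
                        f"--vpc-endpoint-type Interface --subnet-ids {' '.join(subnet_ids)} "
                        f"--security-group-ids {sg_id} --private-dns-enabled")
        else:
            cmds.append(f"# {svc}: {problem}; inspect manually")
    return cmds


if __name__ == "__main__":
    if is_fully_private(SAMPLE_CLUSTER):
        for cmd in remediation_commands(SAMPLE_CLUSTER, SAMPLE_ENDPOINTS,
                                        ["subnet-0aaa", "subnet-0bbb"], "sg-0ccc", ["rtb-0ddd"]):
            print(cmd)
```

On the constructed sample the audit flags `ecr.dkr` (endpoint exists but private DNS is off, so `*.dkr.ecr.us-east-1.amazonaws.com` still resolves to the public IP and the pull hangs in a subnet with no egress), and `ec2` and `sts` as missing; `ecr.api` and the S3 gateway pass. The private-DNS check is the one most often skipped when people create endpoints by hand.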
Author: LeetQuiz Editorial Team
A company is running a microservices application on Amazon EC2 instances. The company wants to migrate the application to an Amazon Elastic Kubernetes Service (Amazon EKS) cluster for scalability. The company must configure the Amazon EKS control plane with endpoint private access set to true and endpoint public access set to false to maintain security compliance. The company must also put the data plane in private subnets. However, the company has received error notifications because the node cannot join the cluster.
Which solution will allow the node to join the cluster?
A
Grant the required permission in AWS Identity and Access Management (IAM) to the AmazonEKSNodeRole IAM role.
B
Create interface VPC endpoints to allow nodes to access the control plane.
C
Recreate nodes in the public subnet. Restrict security groups for EC2 nodes.
D
Allow outbound traffic in the security group of the nodes.