Kubernetes on AWS

AWS EKS: 12 Key Features and 4 Deployment Options

What Is AWS EKS?

Amazon Elastic Kubernetes Service (EKS) is a cloud-based container orchestration service. It integrates natively with Kubernetes to manage workloads in the AWS cloud.

EKS automatically handles and scales clusters of infrastructure resources via AWS using Kubernetes. Kubernetes is an open-source tool used for container orchestration, which can be challenging for an organization to operate alone. With Amazon EKS, you may leverage the capabilities of Kubernetes on AWS without having to install, manage or operate the container orchestration software.

In this article:

Amazon EKS: 12 Key Features

Here are some of the primary features of the Amazon EKS managed Kubernetes service:

  1. Managed control plane—EKS runs Kubernetes control plane components, automatically scales them as needed, and ensures high availability by running them on three availability zones (AZs) and repairing masters automatically.
  2. Improved security—EKS provides a built-in secure Kubernetes configuration and provides access to Amazon services and third party offerings that can enhance security, such as Amazon Identity and Access Management (IAM) and Amazon Key Management Service (KMS).
  3. Service discovery—Amazon provides Cloud Map, a resource discovery service that lets you define names for applications or services in the Kubernetes cluster and allow other applications or services to discover their location. Cloud Map uses external-dns, an open-source Kubernetes connector.
  4. Service mesh—if you want to enhance service management in Kubernetes with a service mesh, you can use Amazon App Mesh to build and manage microservice lifecycles with high availability and improved visibility.
  5. Virtual Private Cloud (VPC)—by default, EKS clusters run in a VPC, which is a private network within the Amazon data center. This provides improved isolation and network security out of the box.
  6. AWS IAM—in an EKS cluster, Kubernetes role-based access control (RBAC) is automatically integrated with Amazon IAM authenticator, enabling granular access control for the Kubernetes control plane. The service also provides IAM management for Kubernetes service accounts, which can also be allocated to third party apps.
  7. Windows Support—EKS fully supports using Windows-based nodes and working with Windows containers, alongside Linux nodes and containers.
  8. Load Balancing—EKS lets you use regular Kubernetes load balancing or any other ingress controller. If you want to use Amazon services for load balancing, you can opt for Application Load Balancer (ALB), Network Load Balancer (NLB), and Classic Load Balancer (CLB).
  9. Logging—EKS provides advanced logging and visibility using CloudTrail, which documents all activity on the EKS API.
  10. Managed cluster updates—with EKS, you don’t need to develop new clusters or migrate workloads. You can update clusters in place, and workloads are transparently migrated to the updated cluster.
  11. Cluster Autoscaler—built into EKS, making it possible to dynamically add or remove pods to address scalability requirements. This can also be used together with EC2 auto scaling groups.
  12. Private and public access—you can gain access to EKS clusters through Public Access Points or Private Access Points. Private access uses a private Route 53 DNS zone, linked to your VPC.

Amazon EKS Deployment Options

When you select the deployment option that is right for your Kubernetes cluster, take the following into consideration.

Amazon EKS

The standard Amazon EKS managed service supports serverless infrastructure like Fargate and EC2.

Keep in mind:

  • AWS manages the hardware
  • Containers are deployed on Amazon EC2 instances or serverless infrastructure, using Amazon Fargate
  • AWS manages the control plane
  • The control plane is located in the AWS cloud
  • AWS manages update clusters for the data and control planes
  • You can use any compatible Container Network Interface (CNI) plugins - including third-party of Amazon VPC - for security and networking
  • AWS provides full support (including for the EKS console)

Learn more about the standard deployment option in our guide to AWS EKS architecture

Amazon EKS on AWS Outposts

AWS Outposts supports native AWS infrastructure, services, and operating models in on-site facilities.

This deployment is similar to EKS in Amazon cloud, except that:

  • Hardware is deployed on a managed Outposts device, which is deployed on-premises.
  • Amazon still manages the hardware, the EKS service and provides the same level of support.
  • Because EKS clusters are running locally, it is easier to integrate them with on-premises systems and achieve a higher level of security.

Amazon EKS Anywhere

This deployment option for Amazon EKS lets you simply operate and create Kubernetes clusters on-site. Both Amazon EKS Anywhere and Amazon EKS are established on the Amazon EKS Distro.

Keep in mind:

  • You are responsible for managing the hardware
  • You deploy it on your own infrastructure
  • You have to manage the control plane
  • The control plane is located in your data center
  • You have to manually update clusters for the control plane
  • You need to use the Cilium CNI plugin for security and networking
  • You can get support for the console via the Amazon EKS Connector, as well as general support via an Amazon EKS Anywhere support subscription

Learn more in EKS Anywhere & ECS Anywhere: The New AWS Hybrid and Multicloud Challengers

Amazon EKS Distro

This is a distribution of the same Kubernetes open-source software and dependencies carried out by Amazon EKS via the cloud. Amazon EKS Distro and Amazon EKS both use the same Kubernetes version release cycle. Amazon EKS Distro is offered as an open-source project.

Keep in mind:

  • You are responsible for managing the hardware
  • You deploy it on your own infrastructure
  • You have to manage the control plane
  • The control plane is located in your data center
  • You have to manually update clusters for the control plane
  • You need to use external CNI plugins for security and networking
  • AWS does not provide support

Amazon EKS Pricing

Amazon EKS offers you flexibility to run, scale, and start Kubernetes applications on-site or in the cloud. It offers highly secure and available clusters and automates central tasks, including node provisioning, updates, and patching.

You are charged $0.10 per hour for every Amazon EKS cluster that you develop. You can employ one EKS cluster to launch multiple applications by making use of Kubernetes IAM and namespaces security strategies. To run EKS on AWS, you can use AWS Fargate or Amazon EC2, or run it on-site via AWS Outposts.

If you use Amazon EC2, you will be charged for AWS resources (including EBS volumes or EC2 instances) you use to launch and maintain your Kubernetes worker nodes. You will only be charged for what you use. There are no upfront costs or minimum charges.

Amazon EKS on AWS Fargate

If you use AWS Fargate, cost is determined according to the memory resources and vCPU utilized from the moment you begin to download your container image up until the point the Amazon EKS pod ceases, calculated to the closest second. There is a minimum cost of one minute.

Amazon EKS via AWS Outposts

Amazon EKS via AWS Outposts has a straightforward pricing model—the Amazon EKS cluster is created via the cloud (and not via Outposts), and you are charged $0.10 per hour. The Kubernetes worker nodes are launched and continue on the capacity offered by Outposts EC2, with no additional costs.

Amazon Elastic Container Service (ECS) vs EKS

Amazon Elastic Container Service (Amazon ECS) offers fully managed container orchestration. Unlike EKS, ECS is not Kubernetes-specific and provides capabilities that simplify container management.

Pricing

ECS does not charge extra fees for Amazon Elastic Cloud Compute (EC2) launch types. You pay for the AWS resources you create to run and store your applications - billing is per usage.

EKS also offers a pay per use pricing model. However, the service charges additional fees for certain operations. Each EKS cluster costs $0.20/hour. You can optimize these costs by using one cluster to run several applications.

Security

Integration with IAM
ECS is deeply integrated with AWS identity and access management (IAM), which enables you to control access and permissions. You can assign granular access permissions to each container and use IAM to restrict access to each service. You can also delegate the resources each container is allowed to access.

EKS does not offer deep integration with IAM. However, it does allow you to create IAM roles for service accounts. By associating an IAM role with a certain Kubernetes service account, you allow all containers in any pod that uses that service account to use these permissions. To make API requests to authorized services, applications can use the command-line interface (CLI) or an AWS software development kit (SDK).

Integration with AWS Secrets Manager
ECS integrates with AWS Secrets Manager as well as AWS Systems Manager (SSM) Parameter Store. You can use it to reference parameters in container definitions to access secrets stored in those services.

It is possible to connect EKS and Secrets Manager. However, to effectively manage secrets you must also use third-party solutions like kubernetes-external-secrets or the EKS controller solution.

Compatibility

In the past, ECS ran only on AWS. In May 2021, AWS introduced ECS Anywhere, which enables customers to deploy ECS tasks on their own infrastructure or in third-party environments.

AWS also offers EKS Anywhere, which enables compatibility with third-party infrastructure. Additionally, as a Kubernetes-as-a-Service (KaaS) offering, EKS can be ported to run on any Kubernetes infrastructure. You can also set it up as part of a large, federated cluster architecture.

Both EKS and ECS work with AWS Fargate - a serverless compute engine service that lets you pay only for those resources running your containers. There is no need to choose instances and scale cluster capacity, because the service handles these aspects.

Learn more in our detailed guide to AWS ECS vs EKS

EKS vs Google Kubernetes Service (GKS) vs Azure Kubernetes Service (AKS)

Here is a comparison of the pros and cons of the Kubernetes services offered by the three main cloud providers.

Amazon Elastic Kubernetes Service (EKS)

EKS is the most commonly used managed Kubernetes service. However, EKS offers the least amount of pre-configured solutions, and requires more manual configuration than other services. This provides more control over clusters but also requires more time spent on operations.

Pros:

  • Offers integration with other AWS services.
  • Provides a 99.95% Service Level Agreement (SLA).
  • Simplifies the use of Pod Security Policies, which can be applied across the entire cluster.
  • Supports the AWS GovCloud region.

Considerations:

  • EKS requires manual configuration to upgrade cluster components.
  • Does not provide automated node health repair.
  • You can configure logging and monitoring in Amazon CloudWatch Container Insights. However, the service is not intuitive.
  • More expensive than AKS (Azure Kubernetes Service).
  • Requires manual installation of upgrades for VPC CNI.
  • Requires manual installation of Calico CNI.
  • Does not provide an IDE extension for EKS code development.

Google Kubernetes Engine (GKE) - Pros and Cons

GKE is ideal for organizations that have a multi-cloud setup or do not have an on-premises facility. GKE provides the most out-of-the-box features and the most automated capabilities.

Pros:

  • Of the three managed services, GKE supports the widest range of Kubernetes versions.
  • Provides automatic upgrades for nodes as well as the control plane.
  • Lets you subscribe to Regular, Stable, or Rapid release channels as needed, and automatically test any new version.
  • Offers automatic node health repair.
  • Lets you use a container-optimized operating system for nodes that are maintained by Google. This provides a higher level of stability and security.
  • Provides an intuitive, integrated dashboard, including logging and monitoring of all components via the Google Cloud operations suite.
  • Lets you use the Cloud Code extension for Visual Studio Code and IntelliJ for your developer environment.

Considerations:

  • Offers only one zonal cluster for free.
  • Matches the EKS 99.95% SLA only when you use Regional Clusters that cost $0.10 per cluster per hour.
  • Does not offer a government cloud or government cloud support.

Learn more in our detailed guide to EKS vs GKE

Azure Kubernetes Service (AKS) - Pros and Cons

AKS is offered by Microsoft Azure. The service integrates with other Microsoft Azure services, including Azure Active Directory (AD), and does not charge for use of the Control Plane.

Pros:

  • Quick to adopt the latest Kubernetes versions and any minor patches.
  • Offers automatic node health repair.
  • Provides free use of the Control Plane - charging only per node.
  • Integrates with Azure Policy.
  • Supports monitoring and logging through Application Insights and Azure Monitor.
  • Let you automatically set Calico Network Policies and Azure Network Policies when a cluster is created.
  • Seamlessly integrates with Azure AD.
  • Available in Azure Government.
  • Provides a convenient developer environment, via tools like the Kubernetes Visual Studio Code extension and Bridge to Kubernetes.

Considerations:

  • While GKE is fully automatic, AKS offers a semi-manual process for upgrading cluster components. Currently, a fully automatic solution for AKS is in development.
  • You must enable network policies when creating a cluster. You cannot enable these policies on existing clusters.
  • Azure only matches the EKS 99.95% SLA when you use Availability Zones (AZs). As of February 2021, AZs incur charges.

Learn more in our detailed guide to EKS vs AKS

AWS EKS Storage with Cloud Volumes ONTAP

NetApp Cloud Volumes ONTAP, the leading enterprise-grade storage management solution, delivers secure, proven storage management services on AWS, Azure and Google Cloud. Cloud Volumes ONTAP capacity can scale into the petabytes, and it supports various use cases such as file services, databases, DevOps or any other enterprise workload, with a strong set of features including high availability, data protection, storage efficiencies, Kubernetes integration, and more.

In particular, Cloud Volumes ONTAP supports Kubernetes Persistent Volume provisioning and management requirements of containerized workloads.

Learn more about how Cloud Volumes ONTAP helps to address the challenges of containerized applications in these Kubernetes Workloads with Cloud Volumes ONTAP Case Studies.

New call-to-action

Yifat Perry, Product Marketing Lead

Product Marketing Lead

-
X