
SG and NACL configurations for Amazon EKS


Difference between NACLs and SGs

NACLs and SGs are both sets of firewall rules, but they have notable differences that I have summarized in the following table:

              | NACL                                            | SG
--------------+-------------------------------------------------+--------------------------------------------------
Scope         | subnet or VPC - applies to all instances in     | instance - applies to all instances linked to
              | the subnet or VPC                               | the SG
Cardinality   | 1 NACL per subnet or VPC                        | 1 to many SGs per instance or instance group
Actions       | allow or deny                                   | allow - every unspecified rule defaults to deny
State         | stateless - i.e. NACLs allow traffic based on   | stateful - i.e. SGs automatically allow a reply
              | the IP and port alone, regardless of whether    | to be returned. They maintain a state table that
              | the packet is a reply                           | tracks the origin and destination IP and port.
              |                                                 | Only one rule (inbound or outbound) is required
Rule order    | rules are applied in order                      | rules are applied simultaneously

Note that inbound traffic first passes through the NACL and then through the SG. Outbound traffic goes the opposite way.

Firewall requirement for EKS

The AWS documentation specifies the following requirements:

  • traffic needs to be allowed between the control plane and managed node groups
  • traffic needs to be allowed between nodes
  • nodes and control plane should have outbound access to the internet.

Note that one reason your nodes might fail to join your cluster is that they do not have access to the internet: they need to reach the Amazon EKS API.

SG configuration for EKS

Taking the above considerations into account, here is a proposed SG for EKS.

Inbound

Protocol | Port         | Source
---------+--------------+-------
TCP      | 443          | self
TCP      | 1024 - 65535 | self


Outbound

Protocol | Port         | Destination
---------+--------------+------------
TCP      | 443          | 0.0.0.0/0
TCP      | 80           | 0.0.0.0/0
TCP      | 1024 - 65535 | 0.0.0.0/0

NACL configuration for EKS

Taking the above considerations into account, here is a proposed NACL for EKS.

Inbound

Rule # | Protocol | Port         | Source    | Allow / Deny
-------+----------+--------------+-----------+-------------
100    | TCP      | All          | self      | Allow
200    | TCP      | 1024 - 65535 | 0.0.0.0/0 | Allow
9000   | All      | All          | All       | Deny


Outbound

Rule # | Protocol | Port         | Destination | Allow / Deny
-------+----------+--------------+-------------+-------------
100    | TCP      | All          | self        | Allow
200    | TCP      | 1024 - 65535 | 0.0.0.0/0   | Allow
300    | TCP      | 80           | 0.0.0.0/0   | Allow
400    | TCP      | 443          | 0.0.0.0/0   | Allow
9000   | All      | All          | All         | Deny


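As an added example that is not part of the original article, the following Python models the SG and NACL tables above and runs a few constructed packets through them, showing why the stateless NACL needs the ephemeral-port allow for replies while the stateful SG stops unsolicited traffic to those same ports. It assumes 10.0.0.0/16 as the meaning of "self" and uses RFC 5737 test addresses for the internet peers.

```python
import ipaddress
# Assumed for this example: "self" in the article's tables stands for the cluster VPC CIDR.
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")

def _match(rule, proto, port, addr):
    """One table row: (protocol, (low_port, high_port), CIDR or 'self')."""
    r_proto, (lo, hi), cidr = rule
    net = VPC_CIDR if cidr == "self" else ipaddress.ip_network(cidr)
    return r_proto in ("All", proto) and lo <= port <= hi and ipaddress.ip_address(addr) in net

# Inbound NACL from the article: numbered rules, first match wins, explicit deny last.
NACL_INBOUND = [
    (100, ("TCP", (0, 65535), "self"), "Allow"),
    (200, ("TCP", (1024, 65535), "0.0.0.0/0"), "Allow"),
    (9000, ("All", (0, 65535), "0.0.0.0/0"), "Deny"),
]
# SG from the article: allow-only rules evaluated together, plus a connection state table.
SG_INBOUND = [("TCP", (443, 443), "self"), ("TCP", (1024, 65535), "self")]
SG_OUTBOUND = [("TCP", (443, 443), "0.0.0.0/0"), ("TCP", (80, 80), "0.0.0.0/0"),
               ("TCP", (1024, 65535), "0.0.0.0/0")]

def nacl_allows(rules, proto, port, addr):
    """Stateless: every packet, replies included, is checked against the rules in number order."""
    for _, rule, action in sorted(rules, key=lambda r: r[0]):
        if _match(rule, proto, port, addr):
            return action == "Allow"
    return False  # nothing matched: implicit deny

def sg_connect_out(dst_addr, dst_port, src_port, state):
    """A node opens an outbound TCP connection; if an outbound rule allows it, track the reply."""
    if not any(_match(r, "TCP", dst_port, dst_addr) for r in SG_OUTBOUND):
        return False
    state.add(("TCP", src_port, dst_addr))  # the reply arrives on src_port from dst_addr
    return True

def sg_inbound_allows(proto, port, addr, state):
    """Stateful: a tracked reply passes without any inbound rule; otherwise a rule must allow it."""
    return (proto, port, addr) in state or any(_match(r, proto, port, addr) for r in SG_INBOUND)

def check_scenarios():
    """Constructed packets (RFC 5737 addresses), evaluated NACL first then SG, as inbound traffic is."""
    state, peer, internet, https_server = set(), "10.0.2.9", "203.0.113.7", "198.51.100.10"
    opened = sg_connect_out(https_server, 443, 40000, state)  # node -> internet HTTPS
    return {
        "node_to_node_kubelet": nacl_allows(NACL_INBOUND, "TCP", 10250, peer)
                                and sg_inbound_allows("TCP", 10250, peer, state),
        "https_reply_to_node": opened and nacl_allows(NACL_INBOUND, "TCP", 40000, https_server)
                               and sg_inbound_allows("TCP", 40000, https_server, state),
        "internet_to_node_443": nacl_allows(NACL_INBOUND, "TCP", 443, internet),
        "internet_to_ephemeral_nacl_only": nacl_allows(NACL_INBOUND, "TCP", 2049, internet),
        "internet_to_ephemeral_after_sg": sg_inbound_allows("TCP", 2049, internet, state),
    }
```

The last two results are the point to check when reviewing such rules: NACL rule 200 alone would let unsolicited internet traffic reach any ephemeral port, and it is the SG, with its source restricted to self, that closes that gap.
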
I hope this article will help you set up your EKS security group (SG) and network access control list (NACL) firewalls easily. If you have other recommendations, questions or challenges please reach me in the comment section. Take care.

Last modification:
2.28.2023
17.12.2025