Amazon EKS overview
Amazon Elastic Kubernetes Service (EKS) runs the Kubernetes control plane for you: API server, etcd, and scheduler are managed by AWS. You attach worker capacity (managed node groups, self-managed nodes, or Fargate) and run workloads with standard Kubernetes APIs (kubectl, manifests, Helm).
EKS vs ECS vs self-managed Kubernetes
| Approach | You manage | AWS manages |
|---|---|---|
| EKS | Nodes (or Fargate profiles), add-ons, workloads, RBAC | Control plane, control-plane patches |
| ECS | Task definitions, services | Orchestration engine (no Kubernetes API) |
| Self-managed K8s on EC2 | Control plane + nodes + etcd backups | Underlying EC2 only |
Choose EKS when you need the Kubernetes ecosystem (operators, CNCF tools, portable YAML) and are OK with AWS-specific wiring for networking, IAM, and storage. Choose ECS when you want simpler AWS-native orchestration without Kubernetes.
What the guides in this section build
The follow-up page walks through a production-oriented cluster with Terraform:
- VPC — Multi-AZ private subnets for nodes, public subnets for load balancer–facing traffic where needed, NAT for outbound from private subnets.
- API endpoint — Private Kubernetes API (not reachable from the public internet); you reach it via VPN, Direct Connect, or a bastion / jump host in the VPC (see the Terraform page).
- Nodes — Managed node groups (AWS maintains AMIs and rolling updates for the worker layer).
- Add-ons — Core EKS add-ons (VPC CNI, CoreDNS, kube-proxy) and EBS CSI for persistent volumes.
- Security — Control-plane encryption (KMS), least-privilege IAM for nodes and cluster role; IRSA (IAM Roles for Service Accounts) introduced as the pattern for pod-level AWS permissions.
This is a baseline suitable for learning and many internal platforms—not every enterprise control (e.g. multi-account guardrails, full IRSA for every app) fits in one tutorial.
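An added example (not part of the original guide or its Terraform code) of the kind of posture check you would run once the cluster exists: it inspects the `cluster` object that `aws eks describe-cluster` returns and flags the items in the Security and API endpoint bullets above that are not met. The sample response is constructed, not captured from a real cluster, and the cluster name, region and OIDC issuer id in it are placeholders.

```python
from typing import Any, Dict, List

# Constructed sample (not a real cluster): mirrors the "cluster" object that
# `aws eks describe-cluster --name <cluster>` returns, with two weak settings.
SAMPLE_CLUSTER: Dict[str, Any] = {
    "name": "example-cluster",
    "resourcesVpcConfig": {
        "endpointPublicAccess": True,
        "endpointPrivateAccess": True,
        "publicAccessCidrs": ["0.0.0.0/0"],
    },
    "encryptionConfig": [],
    "identity": {"oidc": {"issuer": "https://oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLEID"}},
}


def check_cluster(cluster: Dict[str, Any]) -> List[str]:
    """Return findings where the cluster misses the baseline; [] means it passes."""
    findings: List[str] = []
    vpc = cluster.get("resourcesVpcConfig", {})

    # Private API: a missing flag is treated as public, which is the EKS default.
    if vpc.get("endpointPublicAccess", True):
        cidrs = vpc.get("publicAccessCidrs", [])
        if "0.0.0.0/0" in cidrs:
            findings.append("API endpoint is public and open to 0.0.0.0/0")
        else:
            findings.append(f"API endpoint is public (allowed CIDRs: {cidrs})")
    if not vpc.get("endpointPrivateAccess", False):
        findings.append("private endpoint access is disabled")

    # Control-plane encryption: Kubernetes secrets envelope-encrypted with a KMS key.
    kms_for_secrets = any(
        "secrets" in cfg.get("resources", []) and cfg.get("provider", {}).get("keyArn")
        for cfg in cluster.get("encryptionConfig") or []
    )
    if not kms_for_secrets:
        findings.append("no KMS encryption config for Kubernetes secrets")

    # IRSA: pods can assume IAM roles only if the cluster exposes an OIDC issuer
    # (and an IAM OIDC identity provider has been created for it).
    if not cluster.get("identity", {}).get("oidc", {}).get("issuer"):
        findings.append("no OIDC issuer, so IRSA cannot be configured")
    return findings


if __name__ == "__main__":
    for finding in check_cluster(SAMPLE_CLUSTER):
        print("FINDING:", finding)
```

Against real output, pipe `aws eks describe-cluster --name <cluster> --query cluster` into `json.loads` and pass the result to `check_cluster`.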
Prerequisites
Before Create cluster with Terraform, you should be comfortable with:
| Topic | Why it matters |
|---|---|
| Setting up basic access | AWS CLI, credentials, region |
| IAM | Roles and policies for EKS cluster and nodes |
| Networking | VPC, subnets, route tables, security groups |
| VPC connectivity | How you’ll reach a private API (VPN, etc.) |
Tools on your machine: Terraform 1.5+ (or current supported 1.x), AWS CLI, kubectl (aligned with the cluster Kubernetes version).
Suggested reading order
- Skim Architecture and AWS networking if subnets/NAT are fuzzy.
- Work through Terraform: production cluster step by step in a non-prod account first.
- Configure kubectl and run a smoke test (kubectl get nodes).
- For deploying applications, continue with Core objects, Manifests, and the rest of this Kubernetes section.
Next step
Create an EKS cluster with Terraform — VPC module, EKS module, private API, managed node groups, add-ons, and operational notes.