Question #1951
A company is deploying a multi-tenant application on Amazon Elastic Kubernetes Service (Amazon EKS). Each tenant's pods must be placed in isolated subnets within the company's VPC to meet compliance requirements. The company also needs to ensure that pods can communicate securely within the VPC without exposure to the public internet.
Which solution will meet these requirements?
Use AWS CloudMap to register pod IP addresses within the custom subnets and enforce security groups.
Set up an AWS Site-to-Site VPN to connect the on-premises network to the EKS cluster's custom subnets.
Deploy the Amazon VPC CNI plugin and specify the custom subnets in the VPC for pod networking.
Apply Kubernetes taints and tolerations to ensure pods are scheduled on nodes in the correct subnets.
Explanation
Option C is correct because the Amazon VPC CNI plugin enables Kubernetes pods to use native AWS networking, assigning IP addresses directly from the VPC subnets. By configuring the CNI plugin to use specific isolated subnets, each tenant's pods are placed in dedicated subnets, meeting compliance requirements. Communication between pods occurs within the VPC's private network, avoiding public internet exposure.
Other options are incorrect because:
- A: AWS CloudMap focuses on service discovery, not subnet isolation.
- B: Site-to-Site VPN connects on-premises networks, which is irrelevant here.
- D: Taints/tolerations manage node scheduling but do not directly assign pods to subnets.
Key Points:
1. VPC CNI plugin integrates EKS with AWS VPC for pod networking.
2. Custom subnets ensure isolation and compliance.
3. VPC private routing keeps traffic internal and secure.
Answer
The correct answer is: C