Amazon EKS now allows Kubernetes API server outbound traffic to be routed through customer-defined VPC interfaces, providing improved control over security, compliance, and network policies for regulated and enterprise deployments.

  • Route Kubernetes control plane egress through customer VPC interfaces
  • Apply existing VPC routing, security, and firewall controls to API server outbound traffic
  • Support compliance by keeping authentication and API calls inside private network perimeters

Infrastructure signal

Amazon EKS introduces a significant network architecture change by enabling control plane egress to flow through an Elastic Network Interface (ENI) within the customer’s VPC. This means Kubernetes API Server outbound requests, including admission webhooks and OIDC discovery, depart the cluster through customer-managed network paths, rather than the default EKS-managed control plane egress.

This approach allows organizations to leverage their existing VPC routing tables, security groups, PrivateLink endpoints, and AWS Network Firewall policies to enforce network segmentation and traffic filtering on control plane communication. As a result, the Kubernetes API Server’s external calls become subject to the same network perimeter protections as workload traffic, enhancing overall infrastructure security.

Developer impact

The new feature operates transparently with existing EKS features such as managed node groups, Fargate profiles, EKS add-ons, and familiar client tooling like kubectl and Helm. Enabling customer-routed control plane egress does not require developers to alter deployment workflows or application configurations, maintaining operational consistency for development teams.

However, the change is permanent at the cluster level: once enabled, the cluster’s control plane egress mode cannot be reverted to the prior AWS-managed path. Developers and platform teams should coordinate with security operations early to confirm that network policies and routing configurations can carry API Server traffic without disrupting cluster functionality.

What teams should watch

Governance and compliance teams in industries such as financial services, healthcare, and government should monitor the rollout of customer-routed control plane egress closely. It provides controls required for audit and regulatory compliance by keeping all Kubernetes control plane egress visible and managed within the company-managed VPC.

Platform and network teams must plan and validate routing, security group rules, and endpoint policies to maintain control plane connectivity while supporting observability through tools like Amazon VPC Flow Logs. They should also be aware that some AWS-managed EKS control plane components and AWS STS calls remain on the default EKS-managed path, so these portions of traffic cannot be routed through customer VPCs.
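As an added example (not code from the AWS post or from SignalDesk), the following Python triages VPC Flow Log records for the customer-VPC ENI the API server egresses through: it keeps only outbound flows from that ENI and lists destinations that a security group or network ACL rejected, which is the connectivity check a platform team would run before and after enabling the feature. The ENI IDs, account ID, addresses and ports are constructed placeholders, and the parser assumes the default (version 2) flow log record format.

```python
from dataclasses import dataclass

# Default VPC Flow Log record format (version 2): 14 space-separated fields.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed records (not real traffic). eni-0cp000000000abcde stands in for
# the customer-VPC ENI the API server egresses through; 10.0.1.25 is its IP.
SAMPLE_LOG = """\
2 111122223333 eni-0cp000000000abcde 10.0.1.25 10.0.2.40 45120 8443 6 12 3100 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0cp000000000abcde 10.0.1.25 10.0.3.77 45121 443 6 4 600 1700000000 1700000060 REJECT OK
2 111122223333 eni-0cp000000000abcde 10.0.1.25 10.0.2.40 45122 8443 6 9 2400 1700000060 1700000120 ACCEPT OK
2 111122223333 eni-0cp000000000abcde 10.0.9.9 10.0.1.25 443 50000 6 3 300 1700000060 1700000120 ACCEPT OK
2 111122223333 eni-0cp000000000abcde - - - - - - - 1700000120 1700000180 - NODATA
2 111122223333 eni-0worker0000000aaaa 10.0.4.8 10.0.2.40 33000 8443 6 2 200 1700000060 1700000120 ACCEPT OK
"""


@dataclass(frozen=True)
class Flow:
    interface_id: str
    srcaddr: str
    dstaddr: str
    dstport: int
    action: str
    nbytes: int


def parse_flow_logs(text):
    """Parse default-format records; drop malformed rows and NODATA/SKIPDATA rows."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        flows.append(Flow(rec["interface_id"], rec["srcaddr"], rec["dstaddr"],
                          int(rec["dstport"]), rec["action"], int(rec["bytes"])))
    return flows


def control_plane_egress(flows, eni_id, eni_ip):
    """Outbound flows only: the ENI's own IP is the source, so inbound rows drop out."""
    return [f for f in flows if f.interface_id == eni_id and f.srcaddr == eni_ip]


def rejected_destinations(flows):
    """Destinations a security group or NACL denied: each is a webhook, OIDC
    issuer or other dependency the API server can no longer reach."""
    return sorted({(f.dstaddr, f.dstport) for f in flows if f.action == "REJECT"})
```

Point the same functions at the ENI's real flow log export after cut-over; an empty list from `rejected_destinations` on the egress subset is the expected steady state.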

Source assisted: This briefing began from a discovered source item from AWS Containers Blog.