Amazon EKS introduces enhanced network security policies

Amazon EKS Enhanced Network Security Policies

AWS has introduced enhanced network policy capabilities in Amazon Elastic Kubernetes Service (EKS), enabling improved network security for Kubernetes workloads and their integrations with external destinations. This enhancement builds on existing network segmentation features, allowing centralized enforcement of network access filters across the entire cluster and DNS-based policies to secure egress traffic.

EKS now supports Kubernetes NetworkPolicies in the Amazon VPC Container Network Interface (VPC CNI) plugin, allowing segmentation of pod-to-pod communication at a namespace level. This feature strengthens the defensive posture for Kubernetes network environments by enabling centralized management of network filters for the whole cluster. Additionally, cluster admins can now use egress rules to filter traffic to external endpoints based on their Fully Qualified Domain Name (FQDN), providing a more stable and predictable approach for preventing unauthorized access to cluster-external resources.

These new features are available in all commercial AWS Regions for new EKS clusters running Kubernetes version 1.29 or later, with support for existing clusters to follow in the coming weeks. ClusterNetworkPolicy is available in all EKS cluster launch modes using VPC CNI v1.21.0 or later. DNS-based policies are only supported in EKS Auto Mode-launched EC2 instances.

What to do

• Update your EKS clusters to Kubernetes version 1.29 or later to take advantage of the new network security features.
• Use ClusterNetworkPolicy for centralized management of network filters.
• Implement DNS-based policies for egress traffic filtering in EKS Auto Mode-launched EC2 instances.

Source: AWS release notes

If you need further guidance on AWS, our experts are available at AWS@westloop.io. You may also reach us by submitting the Contact Us form.