awsdocs · geoffcline · Jan 29, 2025 · Jan 27, 2025 · Jan 27, 2025
@@ -24,6 +24,16 @@ EKS Auto Mode creates and configures Application Load Balancers (ALBs). For exam
 * Kubectl configured to connect to your cluster
 ** You can use `kubectl apply -f <filename>` to apply the sample configuration YAML files below to your cluster.
 
+[NOTE]
+====
+EKS Auto Mode requires subnet tags to identify public and private subnets.
+
+If you created your cluster with `eksctl`, you already have these tags.
+
+Learn how to <<tag-subnets-auto>>. 
+====
+
+
 ## Step 1: Create IngressClassParams
 
 Create an `IngressClassParams` object to specify {aws} specific configuration options for the Application Load Balancer. Use the reference below to update the sample YAML file. 
@@ -39,8 +49,6 @@ spec:
   scheme: internet-facing
 ```
 
-
-
 ## Step 2: Create IngressClass
 
 Create an `IngressClass` that references the {aws} specific configuration values set in the `IngressClassParams` resource. Note the name of the `IngressClass` . In this example, both the `IngressClass` and `IngressClassParams` are named `alb`.

@@ -11,6 +11,15 @@ When you create a Kubernetes service of type `LoadBalancer` in EKS Auto Mode, EK
 
 EKS Auto Mode handles Network Load Balancer provisioning by default for all services of type LoadBalancer - no additional controller installation or configuration is required. The `loadBalancerClass: eks.amazonaws.com/nlb `specification is automatically set as the cluster default, streamlining the deployment process while maintaining compatibility with existing Kubernetes workloads.
 
+[NOTE]
+====
+EKS Auto Mode requires subnet tags to identify public and private subnets.
+
+If you created your cluster with `eksctl`, you already have these tags.
+
+Learn how to <<tag-subnets-auto>>. 
+====
+
 
 == Sample Service
 

@@ -139,6 +139,15 @@ spec:
   controller: eks.amazonaws.com/alb
 ----
 
+[NOTE]
+====
+EKS Auto Mode requires subnet tags to identify public and private subnets.
+
+If you created your cluster with `eksctl`, you already have these tags.
+
+Learn how to <<tag-subnets-auto>>.
+====
+
 Then create the Ingress resource. Create a file named `05-ingress.yaml`:
 
 [source,yaml]

@@ -0,0 +1,76 @@
+[#tag-subnets-auto]
+= Tag subnets for EKS Auto Mode
+:info_titleabbrev: Tag subnets
+
+include::../attributes.txt[]
+
+If you use the load balancing capability of EKS Auto Mode, you need to add {aws} tags to your VPC subnets. 
+
+== Background
+
+These tags identify subnets as associated with the cluster, and more importantly if the subnet is public or private. 
+
+Public subnets have direct internet access via an internet gateway. They are used for resources that need to be publicly accessible such as load balancers. 
+
+Private subnets do not have direct internet access and use NAT gateways for outbound traffic. They are used for internal resources such as EKS nodes that don't need public IPs.
+
+To learn more about NAT gateways and Internet gateways, see link:vpc/latest/userguide/extend-intro.html["Connect your VPC to other networks",type="documentation"] in the Amazon Virtual Private Cloud (VPC) User Guide. 
+
+== Requirement 
+
+At this time, subnets used for load balancing by EKS Auto Mode are required to have one of the following tags. 
+
+===  Public subnets
+Public subnets are used for internet-facing load balancers. These subnets must have the following tags:
+
+|===
+|Key |Value
+
+|`kubernetes.io/role/elb`
+|`1` or ``
+|===
+
+=== Private subnets
+Private subnets are used for internal load balancers. These subnets must have the following tags:
+
+|===
+|Key |Value
+
+|`kubernetes.io/role/internal-elb`
+|`1` or ``
+|===
+
+== Procedure
+
+Before you begin, identify which subnets are public (with Internet Gateway access) and which are private (using NAT Gateway). You'll need permissions to modify VPC resources.
+
+=== {aws} Management Console
+
+. Open the Amazon VPC console and navigate to Subnets
+. Select the subnet to tag 
+. Choose the Tags tab and select Add tag
+. Add the appropriate tag:
+* For public subnets: Key=`kubernetes.io/role/elb`
+* For private subnets: Key=`kubernetes.io/role/internal-elb`
+. Set Value to `1` or leave empty
+. Save and repeat for remaining subnets
+
+=== {aws} CLI
+
+For public subnets:
+[source,bash]
+----
+aws ec2 create-tags \
+    --resources subnet-ID \
+    --tags Key=kubernetes.io/role/elb,Value=1
+----
+
+For private subnets:
+[source,bash]
+----
+aws ec2 create-tags \
+    --resources subnet-ID \
+    --tags Key=kubernetes.io/role/internal-elb,Value=1
+----
+
+Replace `subnet-ID` with your actual subnet ID.