Amazon Web Services on Northflank

You can integrate your Amazon Web Services account to create and manage clusters using Northflank.

To add your AWS account navigate to the clusters page in your account settings and create a new integration.

You can create an integration using a cross-account role (recommended), or with an IAM user (legacy method).

After integrating your account, you can create a new cluster.

Generate and view required permissions

When you create your AWS account integration you can select the features you want to use with Northflank, such as custom VPC and static egress. Additional features may require extra permissions.

After selecting the features you want to use you can review the required permissions in a table, or the entire inline policy as JSON, and copy it to your clipboard.

You can check existing integrations have all the necessary permissions by opening an integration from your team's clusters page and clicking verify all permissions.

You can view the inline policy required for Northflank to set up a cluster on AWS with a custom VPC and static egress below.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Northflank",
      "Effect": "Allow",
      "Action": [
        "ec2:AllocateAddress",
        "ec2:AssociateRouteTable",
        "ec2:CreateNatGateway",
        "ec2:CreateRoute",
        "ec2:CreateRouteTable",
        "ec2:CreateSubnet",
        "ec2:CreateTags",
        "ec2:DeleteNatGateway",
        "ec2:DeleteRoute",
        "ec2:DeleteRouteTable",
        "ec2:DeleteSubnet",
        "ec2:DescribeAddresses",
        "ec2:DescribeNatGateways",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "ec2:DisassociateRouteTable",
        "ec2:ReleaseAddress",
        "eks:AssociateAccessPolicy",
        "eks:CreateAccessEntry",
        "eks:CreateAddon",
        "eks:CreateCluster",
        "eks:CreateNodegroup",
        "eks:DeleteAccessEntry",
        "eks:DeleteAddon",
        "eks:DeleteCluster",
        "eks:DeleteNodegroup",
        "eks:DescribeAccessEntry",
        "eks:DescribeAddon",
        "eks:DescribeCluster",
        "eks:DescribeNodegroup",
        "eks:DescribeUpdate",
        "eks:DisassociateAccessPolicy",
        "eks:ListAccessEntries",
        "eks:ListAccessPolicies",
        "eks:ListAddons",
        "eks:ListAssociatedAccessPolicies",
        "eks:ListClusters",
        "eks:ListIdentityProviderConfigs",
        "eks:ListInsights",
        "eks:ListNodegroups",
        "eks:ListTagsForResource",
        "eks:ListUpdates",
        "eks:TagResource",
        "eks:UntagResource",
        "eks:UpdateAccessEntry",
        "eks:UpdateAddon",
        "eks:UpdateClusterConfig",
        "eks:UpdateClusterVersion",
        "eks:UpdateNodegroupConfig",
        "eks:UpdateNodegroupVersion",
        "iam:AttachRolePolicy",
        "iam:CreateOpenIDConnectProvider",
        "iam:CreateRole",
        "iam:CreateServiceLinkedRole",
        "iam:DeleteOpenIDConnectProvider",
        "iam:DeleteRole",
        "iam:DeleteRolePolicy",
        "iam:DetachRolePolicy",
        "iam:GetOpenIDConnectProvider",
        "iam:GetRole",
        "iam:ListAttachedRolePolicies",
        "iam:PassRole",
        "iam:PutRolePolicy",
        "iam:SimulatePrincipalPolicy",
        "iam:TagOpenIDConnectProvider",
        "iam:TagRole"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
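As an added example (not Northflank's own tooling) of the permission check described above, the following Python compares the required inline policy against whatever policy was actually attached to the role or user and reports what is missing. Both policy documents are constructed samples, and the check assumes every statement targets Resource "*" as the Northflank policy does.

```python
import fnmatch
import json

# Constructed sample: four of the actions from the Northflank inline policy above
REQUIRED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "Northflank", "Effect": "Allow",
    "Action": ["ec2:DescribeVpcs", "eks:CreateCluster", "eks:DeleteCluster", "iam:PassRole"],
    "Resource": ["*"]}]
}""")

# Constructed sample of a policy an operator might actually have attached
GRANTED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*", "eks:*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "eks:DeleteCluster", "Resource": "*"}
  ]
}""")


def _as_list(value):
    # IAM accepts a bare string or a list in Action fields
    return value if isinstance(value, list) else [value]


def _actions(policy, effect):
    return [a for s in policy["Statement"] if s["Effect"] == effect for a in _as_list(s["Action"])]


def _matches(action, patterns):
    # IAM action names are case-insensitive and patterns may use * and ? wildcards
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def missing_actions(required, granted):
    """Return the required actions that the granted policy does not permit.

    Assumption: every statement targets Resource "*" (as the Northflank policy
    does), so only Action and Effect are evaluated; an explicit Deny always wins.
    """
    allow, deny = _actions(granted, "Allow"), _actions(granted, "Deny")
    return sorted(a for a in _actions(required, "Allow")
                  if _matches(a, deny) or not _matches(a, allow))


if __name__ == "__main__":
    for action in missing_actions(REQUIRED_POLICY, GRANTED_POLICY):
        print("missing:", action)
```

To check a real role, replace GRANTED_POLICY with the document returned by `aws iam get-role-policy` and REQUIRED_POLICY with the full policy copied from Northflank.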

Add your account with a cross-account role

It is recommended that you use a cross-account role to integrate your AWS account with Northflank. This method is more secure, as Northflank doesn't store a long-term secret but rather requests a new token every time account access is required.

Requirements

You will need the following to get started:

  • permission to create new roles in your AWS account
  • sufficient quotas to deploy your cluster

To integrate AWS with a cross-account role:

  1. Navigate to your Northflank account settings and open the clusters page
  2. Create a new cloud provider integration and select Amazon Web Services as the provider
  3. Choose the features you want to use with Northflank, select cross-account role as the credential method, and copy the custom trust policy.
  4. Open your AWS IAM console and open the roles page
  5. Create a new role, select custom trust policy and paste in the trust policy from Northflank. Skip the remaining steps, name and save the role.
  6. Return to Northflank and review the permissions required for your integration. Copy the AWS inline policy and return to your AWS console.
  7. Find your new AWS IAM role in the list on the roles page, open it, click add permissions, and select create inline policy. Paste in and save the inline policy you copied from Northflank.
  8. Copy the IAM role ARN to Northflank and create the integration

You can now configure and deploy new clusters in your AWS account. You can update your integration with a new shared secret and IAM role ARN. If this role does not have permission to manage existing clusters, you will be unable to edit those clusters and deleting them via AWS may leave orphaned resources.
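An added pre-flight check, not part of Northflank's documentation or code, for the trust policy pasted in at step 5 above. It assumes the policy takes the common cross-account shape (a single trusted AWS account plus an sts:ExternalId condition carrying the shared secret); the account ID and external ID in the sample are placeholders.

```python
import json

# Constructed sample with placeholder values; the real trust policy is generated
# by Northflank (assumption: it takes this common cross-account shape, with the
# shared secret carried as an sts:ExternalId condition)
SAMPLE_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}
  }]
}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _account_of(principal_arn):
    # Principals may be a full ARN (account is the 5th field) or a bare account ID
    return principal_arn.split(":")[4] if principal_arn.startswith("arn:") else principal_arn


def trust_policy_problems(policy, expected_account):
    """List problems in a role trust policy; an empty list means it looks safe.

    Every Allow statement granting sts:AssumeRole must trust only the expected
    account and require an sts:ExternalId, so no other account (and no
    anonymous principal) can assume the role.
    """
    problems = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(a in ("sts:assumerole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        trusted = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal or [])
        for p in trusted:
            if p == "*":
                problems.append(f"statement {i}: trusts any principal (*)")
            elif _account_of(p) != expected_account:
                problems.append(f"statement {i}: trusts unexpected principal {p}")
        if "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {}):
            problems.append(f"statement {i}: no sts:ExternalId condition")
    return problems
```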

Add your account with an IAM user

You can add your account to Northflank by providing the access and secret keys for an IAM user. This is a legacy method; it is recommended that you instead integrate using a cross-account role.

Requirements

You will need the following to get started:

  • permission to create new IAM users in your AWS account
  • sufficient quotas to deploy your cluster

To add your AWS account to Northflank with an IAM user:

  1. Navigate to your Northflank account settings and open the clusters page
  2. Create a new cloud provider integration
  3. Select Amazon Web Services as the provider and choose the features you want to use with Northflank
  4. Review the required permissions and copy the AWS inline policy
  5. Open your AWS IAM console, open the users page and create a new user without console access. Skip the remaining steps and save the user.
  6. In the new user click add permissions and select create inline policy. Paste in and save the inline policy you copied from Northflank.
  7. Open security credentials in your new user and click create access key. Select the third-party service use case and click next. Enter a description that will help you recognise your key (e.g. Northflank BYOC) and create access key.
  8. Enter the access key and secret key for the user you created into the Northflank integration form and create the integration

You can edit the integration at any time to update the secrets, if required. If the new secrets do not have permission to manage existing clusters, you will be unable to edit those clusters and deleting them via AWS may leave orphaned resources.

Check your quotas

To successfully deploy a cluster on AWS using Northflank you must have the required resources available to your account for your desired region.

Check the node types you wish to deploy and ensure your cluster has access to the relevant resources. The specific quotas for each provider may differ; you will need to ensure you have sufficient quotas for your required node type, vCPU, and disk type in your desired regions.

You can change your AWS service quotas by selecting the relevant region in the console and navigating to the service quotas page. You may need to opt-in to a region first. Choose the relevant AWS service from the dashboard, or search for it on the AWS services page, then search for the relevant resource quotas to increase.

For example, to increase the number of node pools you can deploy on AWS using the m5.large node type, select the relevant region in the console, search for and open the AWS service Amazon Elastic Compute Cloud (Amazon EC2), search for Running On-Demand Standard (A, C, D, H, I, M, R, T, Z) instances, and click request quota increase.

Create a cluster

To add a new cluster, navigate to the clusters page in your account settings and click create cluster.


Enter a name for the cluster and select AWS as the cloud provider. Choose your integration credentials and select the region to deploy in.

Select a Virtual Private Cloud

When you create a cluster you can select which Virtual Private Cloud to use. The VPC defines public and private networks in your clusters, allowing access to other AWS services and the internet.

If you do not need custom networking for your AWS cluster you can select the default VPC. You cannot modify the components of the default VPC, and it includes public subnets for each availability zone.

You may want to use a custom VPC to deploy into a private node pool with no public access, or to access other services in your AWS account. Separate VPCs are defined for each region.

Configure node pools

You can now configure the node pools for your cluster. Node pools can also be added, deleted, and updated after creating your cluster. Click add node pool to add another pool.

Minimum cluster requirements

Each cluster requires at least one node pool, and a combined minimum of 4 vCPU and 8GB memory across all node pools.

See deploy and scale node pools for more information on configuring nodes and node pools.

Configure advanced options

After adding your initial node pools you can configure advanced options for the cluster, such as build infrastructure, resource request modifiers, and volume deletion options.

When you create the cluster Northflank will begin installing system components in node pools according to their capacity. This may take up to 20 minutes.

Use a custom VPC

When you create a new cluster you can select a custom VPC that you have defined in your account and selected region. You can create and manage your VPCs in the AWS console. You must create a subnet in each availability zone that you want to use.

Each public subnet requires an internet gateway, and each private subnet requires a NAT gateway. Read more about connecting your VPC here.

Workloads on a private node will be able to communicate with other resources in your VPC and initiate internet connections via the NAT gateway, but will not be exposed to unsolicited ingress requests.

Cluster subnet selection

You can select which subnets (and therefore availability zones) will host the control plane components for your cluster. This has no impact on the subnets that you can select for node pools.

Your VPC must have one public subnet to allow Northflank to manage the cluster, although you are recommended to have at least two public subnets in different availability zones. You do not need to select a public subnet for the cluster.
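An added example (not from the page or from Northflank) that classifies each subnet of a custom VPC as public, private or isolated from its route table, and flags a VPC that has no public subnet or a subnet with no default route. The data is constructed in the shape of the EC2 DescribeRouteTables response; all subnet, route table and gateway identifiers are placeholders.

```python
# Constructed sample in the shape of an EC2 DescribeRouteTables response
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-pub-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]},
    {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-priv-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"}]},
]
# Constructed subnet list; the last subnet has no explicit association and so uses the main table
SUBNETS = ["subnet-pub-a", "subnet-priv-a", "subnet-iso-a"]


def _route_table_for(subnet_id, route_tables):
    # A subnet uses its explicitly associated table, otherwise the VPC's main table
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def classify_subnet(subnet_id, route_tables):
    """'public' (default route to an internet gateway), 'private' (default route
    to a NAT gateway) or 'isolated' (no default route at all)."""
    rt = _route_table_for(subnet_id, route_tables)
    for route in (rt or {}).get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if str(route.get("GatewayId", "")).startswith("igw-"):
            return "public"
        if route.get("NatGatewayId"):
            return "private"
    return "isolated"


def vpc_report(subnet_ids, route_tables):
    """Map each subnet to its class and list problems that would block a cluster."""
    classes = {s: classify_subnet(s, route_tables) for s in subnet_ids}
    problems = []
    if "public" not in classes.values():
        problems.append("no public subnet: Northflank cannot manage the cluster")
    for s, c in classes.items():
        if c == "isolated":
            problems.append(f"{s} has no default route; a private subnet needs a NAT gateway")
    return classes, problems
```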

Enable egress via a static IP

If you are using the default VPC you can enable static egress to route the cluster’s outgoing traffic through a static IP. This is useful if you use external services that only accept requests from specified IP addresses, as AWS default VPCs do not have a static egress IP and cannot be modified.

If you are using a custom VPC, you must set up your own static egress IP for your cluster in AWS.

Deploy to private nodes

You can use Northflank to deploy workloads to nodes in private subnets. This prevents public ingress and egress networking to and from these workloads, and they will only be able to communicate with other resources in your VPC.

You will need to create a cluster with a custom VPC that has private subnets configured on it, then select an availability zone in a private subnet when you create a new node pool.

You can then create a project on your cluster, and use node pool labels and Northflank tags to schedule workloads to your private nodes.

© 2025 Northflank Ltd. All rights reserved.