惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

L
LangChain Blog
C
Check Point Blog
博客园 - Franky
V
Visual Studio Blog
云风的 BLOG
云风的 BLOG
aimingoo的专栏
aimingoo的专栏
Microsoft Security Blog
Microsoft Security Blog
V2EX - 技术
V2EX - 技术
AI
AI
Hacker News - Newest:
Hacker News - Newest: "LLM"
Jina AI
Jina AI
S
Security @ Cisco Blogs
Security Archives - TechRepublic
Security Archives - TechRepublic
H
Hacker News: Front Page
H
Hackread – Cybersecurity News, Data Breaches, AI and More
O
OpenAI News
Attack and Defense Labs
Attack and Defense Labs
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
爱范儿
爱范儿
H
Heimdal Security Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
G
Google Developers Blog
G
GRAHAM CLULEY
V
V2EX
The Register - Security
The Register - Security
人人都是产品经理
人人都是产品经理
B
Blog RSS Feed
Schneier on Security
Schneier on Security
M
MIT News - Artificial intelligence
Stack Overflow Blog
Stack Overflow Blog
Help Net Security
Help Net Security
大猫的无限游戏
大猫的无限游戏
C
CERT Recently Published Vulnerability Notes
The GitHub Blog
The GitHub Blog
V
Vulnerabilities – Threatpost
The Last Watchdog
The Last Watchdog
J
Java Code Geeks
S
Secure Thoughts
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
量子位
NISL@THU
NISL@THU
K
Kaspersky official blog
Engineering at Meta
Engineering at Meta
T
Threatpost
Recent Commits to openclaw:main
Recent Commits to openclaw:main
宝玉的分享
宝玉的分享
Security Latest
Security Latest
T
The Exploit Database - CXSecurity.com
博客园_首页
A
Arctic Wolf

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
Amazon EKS Hybrid Nodes Gateway Deep Dive: VXLAN, Cilium VTEP, and Lease-Based Leader Election Redefining Hybrid Kubernetes Networking
daniel jeong · 2026-05-06 · via DEV Community

Amazon EKS Hybrid Nodes Gateway Deep Dive — VXLAN, Cilium VTEP, and Lease-Based Leader Election Redefining Hybrid Kubernetes Networking in 2026

On April 28, 2026, alongside the OpenAI–Bedrock partnership announcement at the What's Next with AWS 2026 keynote, AWS quietly delivered one of the most operationally meaningful container updates of the year: the general availability of Amazon EKS Hybrid Nodes gateway. Since EKS Hybrid Nodes first shipped at re:Invent 2024, the single biggest operational tax on adopters has been a deceptively simple question: "How do we make on-premises pod CIDRs routable from the VPC?" That tax disappears with one Helm install. This post walks through the four-axis architecture of the new gateway, the AWS-maintained Cilium build with the CiliumVTEPConfig CRD, the VXLAN tunnel (VNI 2 / UDP 8472), the Kubernetes Lease-based leader election (3–5s failover), the automated VPC route table synchronization, IAM and CIDR design rules, and the parallel ECS announcements (EC2 Capacity Reservations integration and NLB Canary deployments) that landed in the same week — all from a hybrid-cluster operator's point of view.

1. Why the Gateway Is an Inflection Point — From 2024 GA to 2026 Gateway

EKS Hybrid Nodes went GA at re:Invent 2024 with a clear promise: "Manage cloud EC2 workers and on-prem bare metal under a single EKS control plane." The first year of adoption was rougher than the marketing implied. The biggest hurdle was networking. The AWS VPC CNI is incompatible with hybrid nodes, so operators had to deploy Cilium or Calico — and to make control-plane-to-webhook, EC2-pod-to-on-prem-pod, and ALB/NLB-to-on-prem-pod traffic work, they had to explicitly register on-prem pod CIDRs in VPC route tables, Transit Gateways, and Virtual Private Gateways.

That work created three persistent operational debts. First, every change to on-prem pod CIDRs required a coordinated change across VPC route tables, TGW, and VGW. Second, in some enterprises (finance, public sector) the routing policy simply forbids exposing pod CIDRs externally — which blocked EKS Hybrid Nodes adoption entirely. Third, BGP-level pod traffic exposure added a new monitoring and operational surface for IDC network teams.

The April 28, 2026 EKS Hybrid Nodes gateway pays down all three debts at once. The core decision is to stop trying to make pod CIDRs routable; instead encapsulate the traffic with VXLAN inside the VPC and carry it to the hybrid nodes as opaque payloads. The VPC no longer needs to know that on-prem pod CIDRs exist. It only needs to know one thing: "send traffic destined for these pod CIDRs to the gateway EC2 ENI."

Aspect 2024 EKS Hybrid Nodes (BGP model) 2026 Hybrid Nodes Gateway (VXLAN model)
On-prem pod CIDR exposure Must register in VPC, TGW, VGW Not required (VXLAN encapsulation)
VPC route table management Manual or IaC-driven changes Auto-synced by gateway
On-prem ↔ AWS routing Requires BGP peering UDP 8472 inbound/outbound is sufficient
Control plane → webhook Routed via VGW/TGW Encapsulated via gateway ENI
EC2 pod ↔ on-prem pod Depends on BGP routing Direct VXLAN tunnel
ALB/NLB → on-prem pod Previously unsupported Native, at no additional charge
Failover time BGP reconvergence (tens of seconds) Lease-based leader election: 3–5 seconds
Pricing EKS Hybrid Nodes per-vCPU-hour Gateway itself: no extra charge (only standard EC2/EKS fees)

One-line summary: hybrid Kubernetes is finally free of BGP governance.

2. The Four-Axis Architecture — VPC, Gateway, VXLAN, On-Prem

The gateway can be reasoned about as four axes. Splitting responsibilities along these lines makes security design, observability, and troubleshooting fall into place at once.

2.1 Axis 1: VPC Route Table — "Send pod-CIDR traffic to the gateway ENI"

At install time the operator provides a list of VPC route table IDs. The gateway controller pod automatically inserts entries that point on-prem pod CIDRs at the active gateway pod's ENI. These entries are written by the gateway pod's IAM role calling EC2 APIs directly — no IaC is involved.

# Auto-inserted route table entries (example)
Destination          Target                                          Status
10.200.0.0/16        eni-0abc1234... (active gateway pod)             active
10.201.0.0/16        eni-0abc1234...                                  active
# On failover the ENI target is updated to the new active ENI.
# On clean shutdown the routes are removed automatically.

Enter fullscreen mode Exit fullscreen mode

Thanks to those routes, EC2 pods, ALBs/NLBs, and the EKS control plane ENIs (used for webhook calls) inside the VPC all have a deterministic path to the gateway whenever they target an on-prem pod IP.

2.2 Axis 2: Gateway EC2 — Active/Standby with Lease-Based Leader Election

The gateway is a Deployment of two pods. Both land on EC2 nodes labeled for gateway use (a dedicated node pool, managed node group, or self-managed nodes). Leader election uses a Kubernetes Lease object to decide which pod actively forwards traffic. Both Active and Standby create the hybrid_vxlan0 VXLAN interface at startup and run a node reconciler that watches CiliumNode CRs. Because both the VXLAN interface and the reconciler are pre-warmed on Standby, failover completes within 3–5 seconds when the Active pod dies.

Two operational implications follow. First, place the two gateway EC2 instances in different AZs. Second, choose a network-bandwidth-rich instance family (m6i/m7i large or above) — the gateway is the single path for all VPC-to-on-prem pod traffic.

2.3 Axis 3: VXLAN (VNI 2 / UDP 8472) — Cilium-Compatible by Default

VXLAN is implemented by the hybrid_vxlan0 interface inside the gateway EC2 instance. VNI 2 / UDP 8472 matches the Cilium default, so the gateway shares a data plane with the on-prem nodes' Cilium agents. When a new hybrid node registers, the gateway adds it as a remote VTEP, programming FDB entries, ARP entries, and routes on the VXLAN interface to complete the tunnel. Dynamic registration relies on the CiliumVTEPConfig CRD bundled with the AWS-maintained Cilium build — not present in upstream Cilium — which the gateway uses to register itself as the remote VTEP.

# CiliumVTEPConfig CR — auto-generated and managed by the gateway
apiVersion: cilium.io/v2alpha1
kind: CiliumVTEPConfig
metadata:
  name: eks-hybrid-gateway
  namespace: kube-system
spec:
  vtepEndpoints:
    - ip: 10.10.1.42         # active gateway ENI primary IP
      mac: "0a:1b:2c:3d:4e:5f"
      cidr: "10.0.0.0/16"    # VPC CIDR — encapsulate traffic for these pods
  vni: 2
  port: 8472                 # UDP 8472, Cilium default
  mtu: 1450                  # 50 bytes for VXLAN header
status:
  active: true
  lastReconciledAt: "2026-05-06T08:30:00Z"

Enter fullscreen mode Exit fullscreen mode

2.4 Axis 4: On-Prem Nodes (Cilium VTEP Decoder)

Each on-prem node's Cilium agent reads the CiliumVTEPConfig and registers the gateway IP as a remote VTEP. When an encapsulated packet arrives, it strips the VXLAN header and routes inline to the destination pod. The reverse direction (on-prem pod → VPC) uses the same tunnel. Cilium unifies both directions into one data plane, so policies (NetworkPolicy / CiliumNetworkPolicy) apply consistently across the cluster.

3. Prerequisites — IAM, Security Groups, CIDR Design

Three pre-flight tasks must be completed before deployment. Skipping any one of them either blocks the gateway from updating the VPC routes or yields a cluster where packets reach the on-prem side but never come back.

3.1 Gateway IAM Permissions — Scoped via IRSA

The gateway pod must update its own node's ENI-pointing routes, which requires EC2 permissions. Bind the following policy via IRSA (IAM Roles for Service Accounts).

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DescribeRouteTables",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeRouteTables",
        "ec2:DescribeNetworkInterfaces"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ManagePodCidrRoutes",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateRoute",
        "ec2:ReplaceRoute",
        "ec2:DeleteRoute"
      ],
      "Resource": [
        "arn:aws:ec2:ap-northeast-2:123456789012:route-table/rtb-aaaa1111",
        "arn:aws:ec2:ap-northeast-2:123456789012:route-table/rtb-bbbb2222"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/eks-hybrid-nodes-gateway": "true"
        }
      }
    }
  ]
}

Enter fullscreen mode Exit fullscreen mode

Design note: never use a wildcard for Resource. Pin the route-table ARNs the gateway is allowed to manage, and add a tag-based Condition so that only route tables explicitly tagged eks-hybrid-nodes-gateway=true are eligible. This contains the blast radius if anything goes wrong.

3.2 Security Groups and On-Prem Firewalls

VXLAN needs a single bidirectional UDP port (8472) open in both places.

Where Direction Protocol/Port Source/Destination
Gateway EC2 SG Inbound UDP 8472 On-prem node IP CIDR
Gateway EC2 SG Outbound UDP 8472 On-prem node IP CIDR
On-prem firewall Inbound/Outbound UDP 8472 Gateway EC2 ENI IP range
EKS cluster SG Inbound TCP 443 / 10250 On-prem node IP CIDR (kubelet ↔ API)

3.3 CIDR Design — RFC-1918 / RFC-6598, Non-Overlapping

On-prem node and pod CIDRs must come from one of these ranges:

  • RFC-1918: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
  • RFC-6598 (CGNAT): 100.64.0.0/10

And they must not overlap with any of:

  1. The VPC CIDR (e.g., 10.0.0.0/16)
  2. The Kubernetes service CIDR (e.g., 10.100.0.0/16)
  3. Each other (on-prem node CIDR ↔ on-prem pod CIDR)
  4. Any peered or TGW-routed CIDR

Practical recommendation: pick 100.64.0.0/16 or 100.65.0.0/16 from RFC-6598 for on-prem pod CIDRs. They almost never collide with internal RFC-1918 corporate ranges, and since the VPC never has to know about them, you get extra freedom.

4. Deployment — One Helm Install, 30-Second Failover Test

The gateway ships as a Helm chart alongside the AWS-maintained Cilium build. Deployment is four steps.

4.1 Provision the Gateway Node Pool

# eksctl: dedicated gateway node group across two AZs
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
  name: prod-hybrid
  region: ap-northeast-2
  version: "1.32"

managedNodeGroups:
  - name: gateway-pool
    instanceType: m7i.large       # generous network bandwidth
    desiredCapacity: 2
    minSize: 2
    maxSize: 4
    availabilityZones: ["ap-northeast-2a", "ap-northeast-2c"]
    labels:
      role: hybrid-gateway
    taints:
      - key: hybrid-gateway
        value: "true"
        effect: NoSchedule
    privateNetworking: true

Enter fullscreen mode Exit fullscreen mode

4.2 Install the AWS-Maintained Cilium

helm repo add eks https://aws.github.io/eks-charts
helm upgrade --install cilium eks/cilium-eks \
  --namespace kube-system \
  --version 1.16.7-eks.1 \
  --set kubeProxyReplacement=true \
  --set tunnelProtocol=vxlan \
  --set ipv4NativeRoutingCIDR=100.64.0.0/16 \
  --set hybridNodes.enabled=true

Enter fullscreen mode Exit fullscreen mode

4.3 Install the Gateway Components + Bind IRSA

helm upgrade --install eks-hybrid-gateway eks/eks-hybrid-nodes-gateway \
  --namespace kube-system \
  --version 1.0.0 \
  --set serviceAccount.create=true \
  --set serviceAccount.annotations."eks\.amazonaws\.com/role-arn"=arn:aws:iam::123456789012:role/eks-hybrid-gateway \
  --set nodeSelector.role=hybrid-gateway \
  --set tolerations[0].key=hybrid-gateway \
  --set tolerations[0].operator=Equal \
  --set tolerations[0].value=true \
  --set tolerations[0].effect=NoSchedule \
  --set vpcRouteTableIds="{rtb-aaaa1111,rtb-bbbb2222}" \
  --set podAntiAffinity.topologyKey=topology.kubernetes.io/zone

Enter fullscreen mode Exit fullscreen mode

4.4 Verify — 30-Second Failover Test

# 1) Identify the leader gateway pod
kubectl -n kube-system get lease eks-hybrid-gateway -o yaml | grep holderIdentity

# 2) Confirm the auto-inserted VPC route entries
aws ec2 describe-route-tables \
  --route-table-ids rtb-aaaa1111 \
  --query "RouteTables[].Routes[?DestinationCidrBlock=='100.64.0.0/16']"

# 3) Reach an on-prem pod from a VPC pod
kubectl run curl --rm -it --image=curlimages/curl -- \
  curl -fsS http://100.64.0.50:8080/healthz

# 4) Failover test — kill the active pod
kubectl -n kube-system delete pod eks-hybrid-gateway-79bc6f5c5d-abcde
# Standby becomes leader within 3–5 seconds; ENI target on the VPC route flips automatically.

Enter fullscreen mode Exit fullscreen mode

5. Traffic Matrix — Four Flows You Must Recognize

Once installed, the cluster carries traffic in four distinct patterns. Recognizing each pattern keeps policy, observability, and cost design coherent.

Source → Destination Path Encapsulation Use Case
EKS control plane → on-prem pod (Webhook) EKS ENI → VPC route → gateway ENI → VXLAN → on-prem pod VXLAN Admission webhook, aggregated APIServer
VPC EC2 pod → on-prem pod EC2 ENI → VPC route → gateway ENI → VXLAN → on-prem pod VXLAN Microservice-to-microservice calls
On-prem pod → VPC EC2 pod On-prem Cilium → VXLAN → gateway ENI → EC2 pod VXLAN (reverse) IDC workload calling cache/services next to RDS
ALB/NLB → on-prem pod ALB/NLB → gateway ENI → VXLAN → on-prem pod VXLAN External user traffic reaching IDC GPU/licensed workloads

The fourth flow (ALB/NLB → on-prem pod) is the highest-impact change in 2026. Previously, sending external user traffic to an IDC workload meant placing a separate ALB/NLB inside the IDC or detouring via Direct Connect; now a single ALB can target both EC2 pods and IDC pods in the same target group. That unlocks two important workload classes — AI inference tied to GPU licenses anchored in the IDC, and compliance-bound data-processing that cannot leave the IDC — by letting them participate in the cloud-native ingress flow without extra infrastructure.

6. Operations — Metrics, Failover Scenarios, and Five Common Pitfalls

6.1 Metrics and Logs

The gateway exposes Prometheus metrics. The standard pattern is to scrape them with the OpenTelemetry Collector and ship to CloudWatch or Grafana.

# Prometheus scrape example
- job_name: eks-hybrid-gateway
  kubernetes_sd_configs:
    - role: pod
      namespaces:
        names: [kube-system]
  relabel_configs:
    - source_labels: [__meta_kubernetes_pod_label_app]
      action: keep
      regex: eks-hybrid-gateway
  metrics_path: /metrics
# Key metrics:
#   eks_hybrid_gateway_lease_holder{pod}             1=leader, 0=standby
#   eks_hybrid_gateway_vtep_count                    number of registered remote VTEPs
#   eks_hybrid_gateway_vxlan_packets_total{dir}      tx/rx packet counts
#   eks_hybrid_gateway_route_reconcile_errors_total  VPC route update failures

Enter fullscreen mode Exit fullscreen mode

6.2 Four Failover Scenarios

Failure Recovery Time Operator Action
Active gateway pod crash 3–5s None — Lease flips automatically
Active node OS crash 5–10s (Lease TTL + route update) None — ASG replaces the node
VPC route update failure Alert only; previous routes remain Verify IAM Condition and route-table ARN scoping
UDP 8472 blocked between sites Total cutoff Inspect firewalls / VPN / Direct Connect ACLs

6.3 Five Common Pitfalls

  1. Pod CIDR collision — even one bit of overlap with VPC CIDR breaks the routes. Run aws ec2 describe-vpcs and review every peering and TGW entry.
  2. MTU 1450 missing — the VXLAN header eats 50 bytes; leaving MTU at 1500 yields fragmentation errors. Set tunnelMTU=1450 in the Cilium chart.
  3. Unidirectional UDP 8472 — both the security group and the on-prem firewall must allow traffic in both directions. Half-open kills the handshake.
  4. IAM Resource wildcard — letting the gateway touch arbitrary route tables is a foot-gun. Pin ARNs and use a tag Condition.
  5. Missing anti-affinity — if both gateway pods land on the same node or AZ, failover loses meaning. Enforce topologyKey=topology.kubernetes.io/zone.

7. The Same Week: ECS Capacity Reservations and NLB Canary

The What's Next with AWS 2026 keynote also delivered two meaningful ECS updates that hybrid-cluster operators should review in the same quarter.

7.1 ECS Managed Instances + EC2 Capacity Reservations

ECS Managed Instance capacity providers gained a new option, capacityOptionType=reserved, allowing tasks to consume previously reserved EC2 capacity. Three strategies are available.

Strategy Meaning Recommended Use
reservations-only Launch only into reserved capacity License/GPU/BYOL workloads
reservations-first Prefer reservations, fall back to on-demand Predictable baseline plus spike handling
reservations-excluded Never use reservations Spot-heavy cost-optimized workloads
# Bind a Capacity Reservation to an ECS capacity provider
aws ecs create-capacity-provider \
  --name reserved-baseline \
  --auto-scaling-group-provider 'autoScalingGroupArn=arn:aws:autoscaling:...' \
  --managed-instances-provider '{
    "capacityOptionType": "reserved",
    "capacityReservationGroupArn": "arn:aws:resource-groups:ap-northeast-2:123456789012:group/cr-baseline",
    "reservationStrategy": "reservations-first"
  }'

Enter fullscreen mode Exit fullscreen mode

7.2 ECS Linear/Canary Deployments on NLB

ECS already supported linear/canary on ALB; NLB was the gap. With the new release, NLB-backed services can shift traffic in fractional steps, integrated with CloudWatch alarms for automatic rollback when P99 latency or 5xx error rates breach thresholds.

# Apply NLB canary deployment policy to an ECS service
aws ecs update-service \
  --cluster prod \
  --service api-grpc \
  --deployment-configuration '{
    "deploymentCircuitBreaker": {"enable": true, "rollback": true},
    "strategy": "CANARY",
    "stepWeights": [10, 25, 50, 100],
    "stepDuration": 300
  }'

Enter fullscreen mode Exit fullscreen mode

Latency-critical workloads that require NLB — gRPC services, financial matching engines — finally get the same deployment freedom that ALB users have had for years.

8. A 4-Week Migration Checklist

The 4-week plan a hybrid-cluster operator can use to migrate an existing EKS 1.32 + IDC GPU node deployment to the new gateway:

Week Work Done When
Week 1 CIDR redesign, IAM role, security groups, Direct Connect ACL review On-prem pod CIDR fixed in non-overlapping RFC-6598 range; IAM Resource ARN/tag scoped
Week 2 Deploy gateway pool + AWS-maintained Cilium + gateway chart in Dev Lease holder, VTEP count, 3–5s failover verified; P99 RTT measured
Week 3 Run all four traffic flows end-to-end in Staging Bidirectional reachability across all flows; consistent NetworkPolicy enforcement
Week 4 Prod cutover + retire BGP routing + apply ECS Capacity Reservations / NLB Canary Manually-registered pod CIDRs removed from VPC route tables; cost & latency SLOs healthy

8.1 Cost Model

The gateway itself is free. Total cost is driven by three things: (1) the EC2 cost of two gateway instances (or managed node group equivalents); (2) data-transfer fees through the gateway ENIs; (3) the existing EKS Hybrid Nodes per-vCPU-hour fee. As long as you reuse an existing Direct Connect / VPN circuit, the gateway cuts operational burden while adding only the cost of two EC2 instances.

8.2 Recommended SLOs

  • VTEP registration latency: new hybrid node visible to the VTEP within 30 seconds (P95)
  • VXLAN packet drop rate: below 0.001% per minute
  • Gateway failover time: under 5 seconds (P99)
  • VPC route update failures: zero (critical alert)
  • ALB → on-prem pod RTT overhead: within +1–2 ms over Direct Connect baseline

9. Conclusion — Hybrid Kubernetes Has a New Default

As of May 2026, EKS Hybrid Nodes gateway settles two things. First, the default network model for hybrid Kubernetes is encapsulation, not BGP. Not exposing pod CIDRs externally shortens compliance and security review, and reduces IaC churn around route tables to zero. Second, ALB and NLB can now treat EC2 pods and IDC pods as members of the same target group — letting "external user → cloud → IDC GPU" flow through a single ingress for the first time. That is the thread that pulls license-bound and data-sovereignty-bound workloads back into a cloud-native posture without separate infrastructure.

For us at ManoIT, the next-quarter roadmap has three legs. First, walk Dev → Staging → Prod over four weeks and pin gateway metrics into the front row of our SRE dashboard. Second, shift equivalent ECS workloads to NLB Canary, wired to P99-latency-driven automatic rollback. Third, anchor GPU and licensed baselines on ECS Managed Instances + Capacity Reservations while keeping a Spot fallback strategy. When those three land, our container infrastructure becomes one platform with three faces — EKS, ECS, and hybrid — visible from a single operational surface.


This article was produced with assistance from AI (Claude) and reviewed for technical accuracy.

© 2026 ManoIT — www.manoit.co.kr


Originally published at ManoIT Tech Blog.