aws-network-hub-for-terraform
[Question] Routing Ingress Traffic to Spoke EKS Cluster
I've currently deployed this network-hub solution to a dedicated subaccount (hub-account) in my AWS Organization, and have also deployed the provided example-spoke-vpc solution to a separate subaccount (spoke-account) in the same AWS Organization.
Please correct me if I am wrong here, but... I am currently under the impression that, out of the box, my spoke-account is only capable of Egress with this setup. Specifically, that my EKS Cluster deployed into the spoke-account's spoke-vpc subnets is only capable of connecting outbound to the Internet.
And so if I wanted to be able to connect to this EKS Cluster from the Internet, I would have to deploy an ALB into the hub-account using the inspection_internet_* public subnets [that is, the subnets which have a 0.0.0.0/0 route to an IGW], and then from there have the ALB forward traffic to the Private IPs of a NLB in the spoke-account.
Is my [general] understanding of the Ingress networking above correct, in that in order to enable Ingress to my spoke workload I'd have to take additional steps of deploying an ALB into the hub-account and forward it to the specific Private IPs of my workload machines?
If so, is the hub-account ALB to spoke-account NLB the general recommended solution architecture for this as well? Or is there a better approach to this? Like sharing the hub-account internet/public subnets with the spoke-account, and deploying the ALB into the spoke-account?
Apologies for my confusion, and thanks in advance for your time.
Best,
I opened a PR with what I think is a nice baked-in feature to allow RAM sharing of the public subnets to spoke-accounts.
https://github.com/aws-samples/aws-network-hub-for-terraform/pull/28
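The alternative raised in the question and taken up by the comment above, sharing the hub account's public subnets with the spoke account so the ALB can live in the spoke account, is what AWS RAM subnet sharing does. The following is an added Terraform example written for this page; it is not code from aws-network-hub-for-terraform or from the linked PR. The variables `spoke_account_id` and `public_subnet_ids`, the provider alias `aws.spoke`, and all resource names are assumptions for illustration.

```hcl
# Added example: share the hub's inspection_internet_* public subnets with a
# spoke account via AWS RAM, then place a spoke-owned ALB into them.
# Hypothetical inputs: spoke_account_id, public_subnet_ids, provider alias aws.spoke.
# Prerequisite (run once from the Organization management account, not shown):
# resource "aws_ram_sharing_with_organization" "this" {}

variable "spoke_account_id" {
  description = "Account ID of the spoke that may deploy an ALB into the hub public subnets (assumed input)"
  type        = string
}

variable "public_subnet_ids" {
  description = "IDs of the hub inspection_internet_* public subnets to share (assumed input)"
  type        = list(string)
}

# Look up the subnets in the hub account to obtain their ARNs and VPC ID.
data "aws_subnet" "public" {
  for_each = toset(var.public_subnet_ids)
  id       = each.value
}

resource "aws_ram_resource_share" "public_subnets" {
  name = "hub-public-subnets"
  # Refuse principals outside the Organization: only member accounts/OUs can be
  # associated, so a typo in the account ID cannot share subnets with a stranger.
  allow_external_principals = false
  tags = { Purpose = "spoke-ingress" }
}

# Associate every public subnet with the share.
resource "aws_ram_resource_association" "public_subnets" {
  for_each           = data.aws_subnet.public
  resource_arn       = each.value.arn
  resource_share_arn = aws_ram_resource_share.public_subnets.arn
}

# Grant the spoke account access. An OU ARN can be used instead of a single
# account ID to share with every spoke under that OU.
resource "aws_ram_principal_association" "spoke" {
  principal          = var.spoke_account_id
  resource_share_arn = aws_ram_resource_share.public_subnets.arn
}

# ---- Spoke account side (provider alias aws.spoke is assumed) ----------------
# Shared subnets keep the same IDs in the participant account, so the spoke can
# reference them directly. Security groups are created by the participant in the
# shared VPC; route tables and NACLs stay under the hub account's control.
resource "aws_security_group" "alb" {
  provider    = aws.spoke
  name        = "spoke-ingress-alb"
  description = "Internet-facing ALB in shared hub public subnets"
  vpc_id      = values(data.aws_subnet.public)[0].vpc_id

  ingress {
    description = "HTTPS from the Internet"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_lb" "ingress" {
  provider           = aws.spoke
  name               = "spoke-ingress"
  load_balancer_type = "application"
  internal           = false
  subnets            = var.public_subnet_ids
  security_groups    = [aws_security_group.alb.id]
}
```

Two caveats a practitioner should weigh before adopting this layout. First, RAM shares the subnet, not just permission to run an ALB: the spoke account can launch any ENI-bearing resource (EC2, Lambda, another load balancer) into a subnet whose route table already sends 0.0.0.0/0 to the hub's IGW, so pair the share with SCPs or IAM conditions that limit what the spoke may create there. Second, the participant cannot modify the hub's route tables or NACLs, so any inspection the hub performs on return traffic to the spoke depends entirely on the hub's routing, and the ALB's listener and target group (HTTPS with an ACM certificate, IP targets reachable through the transit gateway) remain to be added on top of this skeleton.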