Accessing internal applications hosted on EKS with AWS Verified Access
AWS Verified Access is a managed service for providing secure access to internal applications. It works like a reverse proxy with built-in authentication. It became generally available in late April 2023. Organisations that are looking for a VPN-less solution, or that want to replace a costly VPN, can consider using AWS Verified Access. For authentication, AWS Verified Access can be integrated with AWS IAM Identity, AWS Cognito or third-party identity providers such as Okta.
This blog post will show you how to set up AWS Verified Access to provide secure access to an internal application hosted on EKS.
Note: At the time of writing, AWS Verified Access supports only the following regions: US East (Ohio), US East (N. Virginia), US West (N. California), US West (Oregon), Asia Pacific (Sydney), Canada (Central), Europe (Frankfurt), Europe (Ireland), Europe (London), and South America (São Paulo).
Prerequisites setup
First, we will set the environment variables needed for the setup:
# Replace each <...> placeholder; the quotes keep the shell from reading "<" as a redirection
export CLUSTER_NAME="<your cluster name>"
export SUBNET_IDS=("<subnet 1>" "<subnet 2>" "<subnet 3>")
export AWS_DEFAULT_REGION="<your region>"
export AWS_ACCOUNT_ID="$(aws sts get-caller-identity --query Account --output text)"
export HOSTED_ZONE_ID="<your public route53 hosted zone id>"
export VPC_ID="<your VPC ID>"
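
An added preflight check (not part of the original post) that validates the variables above before any AWS resources are created. The region codes are the codes of the regions listed in the note; the function names and the ID patterns are assumptions of this example.

```bash
# Added example: preflight validation of the variables exported above.
# Region codes for the regions listed in the note (supported set as of the post).
SUPPORTED_REGIONS="us-east-2 us-east-1 us-west-1 us-west-2 ap-southeast-2 \
ca-central-1 eu-central-1 eu-west-1 eu-west-2 sa-east-1"

# matches VALUE REGEX: succeeds when VALUE matches the extended regex
matches() { printf '%s\n' "$1" | grep -Eq "$2"; }

# fail MESSAGE: report one problem on stderr and count it
fail() { echo "preflight: $1" >&2; problems=$((problems + 1)); }

# check_env SUBNET_ID...: validates the exported variables plus the subnet IDs
# given as arguments; returns the number of problems found (0 = ready to proceed)
check_env() {
  problems=0; seen=" "
  case "${CLUSTER_NAME:-}" in
    ''|*'<'*|*'>'*) fail "CLUSTER_NAME is empty or still a placeholder" ;;
  esac
  case " $SUPPORTED_REGIONS " in
    *" ${AWS_DEFAULT_REGION:-unset} "*) ;;
    *) fail "region '${AWS_DEFAULT_REGION:-}' is not in the supported list" ;;
  esac
  # ID shapes below are assumptions of this example (usual AWS formats)
  matches "${AWS_ACCOUNT_ID:-}" '^[0-9]{12}$' ||
    fail "AWS_ACCOUNT_ID is not 12 digits (are credentials configured?)"
  matches "${HOSTED_ZONE_ID:-}" '^Z[A-Z0-9]+$' ||
    fail "HOSTED_ZONE_ID does not look like a Route 53 zone ID"
  matches "${VPC_ID:-}" '^vpc-([0-9a-f]{8}|[0-9a-f]{17})$' ||
    fail "VPC_ID does not look like a VPC ID"
  [ "$#" -gt 0 ] || fail "no subnet IDs given"
  for id in "$@"; do
    matches "$id" '^subnet-([0-9a-f]{8}|[0-9a-f]{17})$' ||
      fail "'$id' does not look like a subnet ID"
    case "$seen" in *" $id "*) fail "subnet '$id' is listed twice" ;; esac
    seen="$seen$id "
  done
  return "$problems"
}

# Demo with constructed values, run in a subshell so nothing leaks into the caller
(
  CLUSTER_NAME="demo-cluster" AWS_DEFAULT_REGION="eu-west-1"
  AWS_ACCOUNT_ID="123456789012" HOSTED_ZONE_ID="Z0123456789EXAMPLE"
  VPC_ID="vpc-0123456789abcdef0"
  if check_env subnet-0123456789abcdef0 subnet-0fedcba9876543210; then
    echo "preflight passed"
  fi
)
```

In the shell where the variables were exported, run it as `check_env "${SUBNET_IDS[@]}"`; an empty `AWS_ACCOUNT_ID` usually means the `aws sts get-caller-identity` call failed.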