Networking
Private cluster
When Private cluster is enabled, Porter provisions the EKS cluster with both public and private API server endpoint access, and restricts the public endpoint to an IP allowlist containing Porter’s control-plane IPs plus any customer CIDRs you add. This configuration is SOC2 / HIPAA compliant.

| Setting | Description |
|---|---|
| Private cluster | Restricts the EKS API server’s public endpoint to an IP allowlist (Porter’s IPs plus any customer-supplied CIDRs). The private endpoint inside your VPC remains reachable from VPC-attached resources. |
| CIDR allowlist | Additional CIDR ranges (beyond Porter’s required IPs) that may reach the public endpoint. |
Porter intentionally does not enable EKS “private-only” endpoint mode. Private-only forces every control-plane call — including Porter’s — through a VPN or VPC-peered path, which adds operational complexity and has historically caused outages for customers. Public + private with a tight IP allowlist meets the same compliance requirements and is significantly more reliable.
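The posture described above (private endpoint on, public endpoint on but limited to an allowlist, nothing world-reachable) is easy to verify from the cluster's own configuration. The check below is an added example, not Porter's code: it reads a `resourcesVpcConfig` object in the shape that `aws eks describe-cluster` returns, and the control-plane CIDRs it treats as required are placeholders, since Porter's real IPs are not listed on this page.

```python
"""Check an EKS cluster's API endpoint exposure against the public+private allowlist model.

Added example, not Porter's code. SAMPLE_VPC_CONFIG is constructed in the shape of
`aws eks describe-cluster --query cluster.resourcesVpcConfig`; REQUIRED_CIDRS are
placeholders standing in for the control-plane IPs that must stay on the allowlist.
"""
import ipaddress
import json

# Placeholder CIDRs (documentation-reserved ranges), not Porter's actual control-plane IPs.
REQUIRED_CIDRS = ["198.51.100.10/32", "198.51.100.11/32"]

# Constructed sample, not real describe-cluster output.
SAMPLE_VPC_CONFIG = json.loads("""
{
  "endpointPublicAccess": true,
  "endpointPrivateAccess": true,
  "publicAccessCidrs": ["198.51.100.10/32", "198.51.100.11/32", "203.0.113.0/24"]
}
""")


def check_endpoint_exposure(vpc_config, required_cidrs=REQUIRED_CIDRS, extra_cidrs=()):
    """Return a list of findings; an empty list means the endpoint matches the expected posture.

    Expected posture: private endpoint enabled, public endpoint enabled but restricted to
    required_cidrs plus explicitly approved extra_cidrs, and no world-reachable (/0) entry.
    """
    findings = []
    if not vpc_config.get("endpointPrivateAccess", False):
        findings.append("private endpoint disabled: VPC-attached resources cannot reach the API server privately")
    if not vpc_config.get("endpointPublicAccess", False):
        findings.append("public endpoint disabled (private-only mode): control-plane calls need a VPN or peering path")
        return findings  # publicAccessCidrs carries no meaning when the public endpoint is off

    allowed = {str(ipaddress.ip_network(c, strict=False)) for c in list(required_cidrs) + list(extra_cidrs)}
    present = set()
    for cidr in vpc_config.get("publicAccessCidrs", []):
        net = ipaddress.ip_network(cidr, strict=False)
        if net.prefixlen == 0:
            # AWS's default allowlist is 0.0.0.0/0, which is the state "Private cluster" removes.
            findings.append(f"public endpoint open to the world via {cidr}")
            continue
        present.add(str(net))
        if str(net) not in allowed:
            findings.append(f"unexpected CIDR on public endpoint allowlist: {cidr}")

    for cidr in required_cidrs:
        if str(ipaddress.ip_network(cidr, strict=False)) not in present:
            findings.append(f"required control-plane CIDR missing from allowlist: {cidr}")
    return findings


if __name__ == "__main__":
    for finding in check_endpoint_exposure(SAMPLE_VPC_CONFIG):
        print(finding)
```

Run it against the real `describe-cluster` output of a cluster and pass the customer CIDRs you added in the CIDR allowlist setting as `extra_cidrs`; any entry that is neither a required control-plane IP nor an approved customer range shows up as a finding, as does a `0.0.0.0/0` entry left over from the AWS default.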
The Tailscale integration is a separate layer that carries traffic for porter kubectl and porter helm commands; it does not control how the EKS API server endpoint itself is exposed.

Load balancer
Configure the type of load balancer used for your cluster’s ingress. Changing this setting causes downtime while the load balancer is recreated.

| Type | Description |
|---|---|
| NLB | Network Load Balancer — operates at Layer 4, routes TCP/UDP traffic, and provides ultra-low latency and high throughput. |
| ALB | Application Load Balancer — operates at Layer 7, routes HTTP/HTTPS traffic, and supports wildcard domains, ACM certificates, and WAFv2. |
When ALB is selected, the following additional settings become available. See Custom domains with ALB for end-to-end setup instructions.

| Setting | Description |
|---|---|
| Wildcard domains | Domains to issue ACM certificates for. Do not include the *. prefix — Porter creates a SAN for *.<domain> automatically. Comma-separate multiple domains. |
| IP allow list | Comma-separated list of CIDR ranges (e.g. 160.72.72.58/32,160.72.72.59/32) permitted to reach the ALB. |
| Certificate ARNs | Existing ACM certificate ARNs to attach to the ALB. |
| AWS tags | Key/value tags applied to the ALB and related AWS resources. |
| WAFv2 enabled | Attaches a Regional WAFv2 web ACL to the ALB. |
| WAFv2 ARN | ARN of the Regional WAFv2 web ACL to attach. Only Regional WAFv2 is supported. |
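The ALB settings in the table carry three easy-to-miss constraints: wildcard domains are entered without the `*.` prefix, the IP allow list must be valid CIDRs, and only a Regional WAFv2 web ACL can be attached. The validator below is an added example, not Porter's code; the dictionary keys (`wildcard_domains`, `ip_allow_list`, `wafv2_enabled`, `wafv2_arn`) are my own labels for the settings above, not Porter's API, and the sample values are constructed.

```python
"""Validate ALB-specific settings before applying them.

Added example, not Porter's code. The setting keys are labels chosen for this
example, and SAMPLE_SETTINGS is constructed (the IPs are the ones quoted in the table).
"""
import ipaddress
import re

# A WAFv2 web ACL ARN encodes its scope: "regional" attaches to an ALB, "global" is CloudFront-only.
WAFV2_ARN_RE = re.compile(
    r"^arn:aws:wafv2:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):(?P<scope>regional|global)/webacl/[^/]+/[^/]+$"
)
DNS_NAME_RE = re.compile(r"(?=.{1,253}$)([a-z0-9-]+\.)+[a-z]{2,}")


def parse_csv(value):
    """Split a comma-separated setting into trimmed, non-empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def validate_alb_settings(settings):
    """Return a list of problems; an empty list means the settings satisfy the table's constraints."""
    problems = []

    # Wildcard domains: bare domains only; the *.<domain> SAN is added for you.
    for domain in parse_csv(settings.get("wildcard_domains", "")):
        if domain.startswith("*."):
            problems.append(f"wildcard domain '{domain}' must not carry the '*.' prefix")
        elif not DNS_NAME_RE.fullmatch(domain.lower()):
            problems.append(f"wildcard domain '{domain}' is not a valid DNS name")

    # IP allow list: every entry must be a well-formed CIDR (no host bits set), and a /0 defeats the list.
    for cidr in parse_csv(settings.get("ip_allow_list", "")):
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            problems.append(f"IP allow list entry '{cidr}' is not a valid CIDR")
            continue
        if net.prefixlen == 0:
            problems.append(f"IP allow list entry '{cidr}' allows all traffic")

    # WAFv2: when enabled, a web ACL ARN is required and its scope must be Regional.
    if settings.get("wafv2_enabled", False):
        match = WAFV2_ARN_RE.match(settings.get("wafv2_arn", ""))
        if not match:
            problems.append("WAFv2 enabled but no valid WAFv2 web ACL ARN supplied")
        elif match.group("scope") != "regional":
            problems.append("WAFv2 web ACL has global (CloudFront) scope; only Regional web ACLs attach to an ALB")
    return problems


# Constructed sample settings with one problem of each kind.
SAMPLE_SETTINGS = {
    "wildcard_domains": "example.com, *.internal.example.com",
    "ip_allow_list": "160.72.72.58/32,160.72.72.59/32,10.0.0.1/24",
    "wafv2_enabled": True,
    "wafv2_arn": "arn:aws:wafv2:us-east-1:123456789012:global/webacl/edge-acl/0123abcd-0000-0000-0000-000000000000",
}

if __name__ == "__main__":
    for problem in validate_alb_settings(SAMPLE_SETTINGS):
        print(problem)
```

The CIDR check uses `strict=True` deliberately: an entry such as `10.0.0.1/24` is rejected rather than silently widened to `10.0.0.0/24`, so the allow list that reaches the ALB is exactly the one that was reviewed.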
Private load balancer
In addition to the default public cluster load balancer, you can provision an internal load balancer that only accepts traffic from inside your VPC (or networks peered to it). Use this when you want to expose services to internal clients — for example, an internal admin tool, a service consumed only by other VPCs, or a workload that must not be reachable from the public internet.

| Setting | Description |
|---|---|
| Add private load balancer | Provisions a private NLB alongside the existing public cluster load balancer. Only NLB private load balancers are supported. |
Once enabled, you must configure a DNS provider so Porter can issue and renew TLS certificates for ingress hostnames attached to the private load balancer over ACME DNS-01. HTTP-01 challenges cannot reach a private load balancer, so DNS-01 is required.

Porter supports two DNS providers for private load balancer ingress: Cloudflare and AWS Route53.

We recommend serving private ingress from a standalone zone dedicated to internal traffic (for example, internal.example.com) rather than reusing a zone that also serves production domains. A dedicated zone avoids record conflicts with existing production DNS, and it keeps DNS access scoped to internal hostnames only, which limits the blast radius away from your production domains.
| Setting | Description |
|---|---|
| DNS credentials | API token for Cloudflare. The token must have permission to create and delete TXT records on the zones used by your private ingress hostnames. |
Save the credentials before updating the cluster. You can rotate the token later with Edit credentials, or remove the integration entirely with Remove. Removing credentials stops certificate issuance and renewal for private load balancer ingress.

When the cluster is on AWS, you can use Route53 instead of Cloudflare. Porter authenticates to Route53 through an EKS Pod Identity scoped to a single hosted zone, so no API tokens are stored.

| Setting | Description |
|---|---|
| Route53 domain | The DNS zone the private ingress serves certificates for (for example, internal.example.com). At install time, Porter resolves the matching public Route53 hosted zone in the same AWS account and provisions a cert-manager pod identity scoped to that zone. |
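Two things in the Route53 setting are worth seeing concretely: the zone lookup is an exact name match on a public hosted zone (a parent zone does not qualify), and the resulting permission is scoped to that one zone rather than to every zone in the account. The code below is an added example, not Porter's code: the hosted-zone records are constructed in the shape of `aws route53 list-hosted-zones`, and the policy document follows the Route53 permissions cert-manager documents for DNS-01, with the hosted-zone resource narrowed to a single zone ID (my construction of zone scoping, not the policy Porter provisions).

```python
"""Resolve the dedicated hosted zone for a private-ingress domain and build a zone-scoped DNS-01 policy.

Added example, not Porter's code. SAMPLE_ZONES is constructed in the shape of
`aws route53 list-hosted-zones`; the policy shape follows cert-manager's documented
Route53 permissions, narrowed here to one hosted zone (an assumption about scoping).
"""
import json

# Constructed hosted zones, not real account data.
SAMPLE_ZONES = [
    {"Id": "/hostedzone/ZPARENTEXAMPLE", "Name": "example.com.", "Config": {"PrivateZone": False}},
    {"Id": "/hostedzone/ZINTERNALEXAMPLE", "Name": "internal.example.com.", "Config": {"PrivateZone": False}},
    {"Id": "/hostedzone/ZCORPPRIVATE", "Name": "corp.example.com.", "Config": {"PrivateZone": True}},
]


def find_exact_public_zone(domain, zones):
    """Return the public hosted zone whose name equals `domain` exactly, else None.

    A parent zone (example.com for internal.example.com) is not accepted: the ACME
    TXT records must land in the zone that actually serves the ingress hostnames.
    """
    want = domain.strip().rstrip(".").lower() + "."
    for zone in zones:
        is_private = zone.get("Config", {}).get("PrivateZone", False)
        if zone["Name"].lower() == want and not is_private:
            return zone
    return None


def dns01_policy_for_zone(zone_id):
    """IAM policy document permitting DNS-01 record changes on one hosted zone only."""
    zone_id = zone_id.split("/")[-1]  # accept both "ZXXXX" and "/hostedzone/ZXXXX"
    return {
        "Version": "2012-10-17",
        "Statement": [
            # Polling a change's propagation status; change IDs are not zone-scoped.
            {"Effect": "Allow", "Action": "route53:GetChange", "Resource": "arn:aws:route53:::change/*"},
            # Writing and reading the _acme-challenge TXT records, limited to the one zone.
            {
                "Effect": "Allow",
                "Action": ["route53:ChangeResourceRecordSets", "route53:ListResourceRecordSets"],
                "Resource": f"arn:aws:route53:::hostedzone/{zone_id}",
            },
            # Zone discovery by name; this API has no per-zone resource to scope to.
            {"Effect": "Allow", "Action": "route53:ListHostedZonesByName", "Resource": "*"},
        ],
    }


def policy_for_domain(domain, zones=SAMPLE_ZONES):
    """Return (zone_id, policy) for the domain, or raise when no dedicated zone exists."""
    zone = find_exact_public_zone(domain, zones)
    if zone is None:
        raise LookupError(f"no public hosted zone named exactly '{domain}'; a parent zone does not qualify")
    zone_id = zone["Id"].split("/")[-1]
    return zone_id, dns01_policy_for_zone(zone_id)


if __name__ == "__main__":
    zone_id, policy = policy_for_domain("internal.example.com")
    print(zone_id)
    print(json.dumps(policy, indent=2))
```

With the sample data, `internal.example.com` resolves to its own zone and gets a policy whose record-change permission names only that zone, while `staging.example.com` fails the lookup even though `example.com` exists, which is the situation the next paragraph describes.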
The domain must already exist as a public hosted zone in the cluster’s AWS account, and the zone name must match the domain exactly. If only a parent zone is present (for example, example.com for a domain of internal.example.com), Porter cannot issue certificates for it, and the domain requires its own dedicated hosted zone.

Observability
CloudWatch control plane logs
Configure which EKS cluster control plane log types are sent to AWS CloudWatch. These logs help with debugging, auditing, and monitoring your cluster’s control plane components.

| Log Type | Description |
|---|---|
| API Server logs | Logs from the Kubernetes API server, useful for debugging API requests |
| Audit logs | Records of individual users, administrators, or system components that have affected the cluster |
| Authenticator logs | Logs from the AWS IAM authenticator, useful for debugging authentication issues |
| Controller manager logs | Logs from the controller manager, which manages core control loops |
| Scheduler logs | Logs from the scheduler, useful for debugging pod scheduling decisions |
CloudWatch Observability agent
You may also enable the CloudWatch Observability agent as an EKS add-on for enhanced cluster monitoring.

| Setting | Description |
|---|---|
| AWS CloudWatch Observability agent installed on cluster | Enables the CloudWatch Observability add-on for metrics and logs collection |
Security
ECR scanning
Enable Amazon ECR image scanning to automatically scan container images for software vulnerabilities.

| Setting | Description |
|---|---|
| ECR scanning enabled | When enabled, images pushed to ECR are automatically scanned for vulnerabilities |
AWS GuardDuty
AWS GuardDuty provides intelligent threat detection for your EKS cluster, monitoring for malicious activity and unauthorized behavior.

When enabling GuardDuty, you must also configure the following in your AWS Console:
- Enable EKS Protection in the EKS Protection tab of the GuardDuty console
- Enable Runtime Monitoring
For automated agent configuration, enable both:
- EKS agent auto-configuration
- EC2 agent auto-configuration
| Setting | Description |
|---|---|
| AWS GuardDuty agent installed on cluster | Installs the GuardDuty security agent on your cluster nodes |
KMS encryption
Enable AWS Key Management Service (KMS) encryption for Kubernetes secrets stored in etcd.

| Setting | Description |
|---|---|
| KMS encryption enabled | Encrypts Kubernetes secrets at rest using a customer-managed KMS key |
Advanced Networking Config
Modifying these advanced network settings can impact cluster connectivity and performance. Ensure you understand the implications before making changes.
| Setting | Description | Default |
|---|---|---|
| Egress NAT IPs Count | Number of egress NAT IPs. Cannot be decreased once set. | 1 |
| Min Ports per VM | Configures the minimum number of ports allocated per VM for GKE | 64 |
| Enable Endpoint Independent Mapping | Recommended for most use cases. Affects Cloud NAT behavior. | Enabled |
| Enable Dynamic Port Allocation | Allows GKE to dynamically allocate more ports to VMs that need them | Disabled |
Observability Settings
Configure observability features for the GKE cluster control plane.

| Setting | Description |
|---|---|
| Enable Control Plane Logging | Enable the collection of logs from the Kubernetes control plane components (e.g., API server, scheduler) |
| Enable Control Plane Metrics | Enable the collection of metrics from the Kubernetes control plane components |