What is AWS GovCloud?
AWS GovCloud is an isolated cloud platform for US federal, state and local government, with infrastructure and services designed to host regulated customer workloads and sensitive data about US citizens, and to meet the most stringent US government security and compliance requirements. Its regions are located in the north-eastern and north-western United States and are physically and logically (network) isolated from standard AWS regions.
Beyond government agencies themselves, AWS GovCloud can be accessed and used by any US citizen, US federal, state and local government agency, and their partners to architect secure cloud solutions that accelerate government services.
Currently, the AWS GovCloud addresses the following US compliance regimes: FedRAMP High baseline, the DOJ’s Criminal Justice Information Systems (CJIS) Security Policy, Export Administration Regulations (EAR), U.S. International Traffic in Arms Regulations (ITAR), Department of Defense (DoD) Cloud Computing Security Requirements Guide (SRG) for Impact Levels 2/4/5, IRS-1075, and FIPS 140-2.
This makes clear how critical the security and compliance component is to the AWS GovCloud platform, which serves as the storage warehouse, the transaction medium and the processor for personally identifiable information, sensitive patient medical records, financial data, law enforcement data, export-controlled data, and all other forms of Controlled Unclassified Information (CUI) at every stage of the US government's cloud journey.
Kubernetes on AWS GovCloud
Since the platform already has a secure architecture built in, you might wonder what use Kubernetes has on AWS GovCloud. The answer becomes clear if you consider the 4C's of Cloud-Native Security. This layered approach mirrors the 'defense in depth' approach to security, which is regarded as one of the best practices for securing modern software systems.
The 4C's of cloud-native security form a layered model built around the Cloud, Clusters, Containers, and Code. If the cloud baseline is weak on security, the system can be easily penetrated. If the cluster is built on weak security policies, you will not be able to safeguard the system by addressing security at the code level alone. Therefore, adopting a secure cluster management system like Kubernetes was crucial for applications built on AWS GovCloud.
Amazon EKS on AWS GovCloud
As a result, Amazon introduced Amazon Elastic Kubernetes Service (Amazon EKS) to the US East (Ohio and North Virginia) and US West (Oregon) AWS GovCloud regions. Amazon EKS on the GovCloud platform is a managed service that lets you run Kubernetes without maintaining your own Kubernetes control plane, and simplifies implementing encryption, authentication, authorization, and policy-based security models, including FIPS 140-2.
Amazon EKS integrates with the following AWS services for the scalability, availability, and security of your containerized applications.
- Amazon ECR to easily store, manage, and deploy Docker container images.
- Elastic Load Balancing service that supports Application Load Balancer, Network Load Balancer, and Classic Load Balancer for incoming application traffic management across multiple targets and to monitor the health of available registered targets.
- AWS Identity and Access Management (IAM) for secure authentication.
- Amazon Virtual Private Cloud (VPC) for isolation.
- AWS App Mesh to combine service mesh features with Kubernetes.
Differences and benefits of the Amazon EKS GovCloud solution
There are some differences between the Amazon EKS AWS GovCloud (US) solution and the standard Amazon EKS service, as described below.
AWS Fargate is not available in Amazon EKS AWS GovCloud (US).
AWS Fargate was initially launched for Amazon Elastic Container Service (ECS) and was later extended to Amazon EKS to run Kubernetes pods in a serverless, nodeless environment. As a Container-as-a-Service offering, AWS Fargate relieves developers of the burden of provisioning and managing the infrastructure for Kubernetes pods, so they need not create or manage EC2 instances for Amazon EKS clusters.
Since AWS Fargate is not available on the AWS GovCloud platform, government agencies must patch, scale, and secure the cluster of EC2 instances (the underlying pod infrastructure) themselves in order to run Kubernetes applications in the cloud. On the other hand, this allows solution architects to design applications that can also be deployed to on-premises environments in a government setting, without depending on a complete transition to the cloud.
The feature that advertises the private IP addresses of the Kubernetes API server over public DNS is not available in AWS GovCloud (US).
Public DNS resolution of the EKS cluster's private endpoint is disabled on the AWS GovCloud platform for US security and compliance reasons.
In addition, an ITAR boundary is defined for storing ITAR-controlled data when such data is used with the Amazon EKS service. Under the ITAR regulations, ITAR-controlled data may be entered, stored, and processed within Amazon EKS in GovCloud, but it must not be entered into cluster name fields, Fargate profile name fields, or node group name fields.
Also, the recommended practice for processing ITAR-regulated data within the Amazon EKS service is to use the SSL (HTTPS) endpoints.
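The endpoint-access and encryption points above can be checked mechanically against the output of `aws eks describe-cluster`. The following is an added illustration, not AWS or EKS code: it reads a cluster description (the sample below is constructed, with placeholder account and key IDs) and reports where the cluster departs from a private-only, HTTPS, KMS-encrypted configuration in the aws-us-gov partition.

```python
"""Static review of an EKS cluster description against the GovCloud
expectations discussed above (added example, not AWS code). The input
mirrors the shape of `aws eks describe-cluster` output; values are constructed."""
import json

GOV_PARTITION = "arn:aws-us-gov:"


def review_govcloud_cluster(cluster: dict) -> list:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if not cluster.get("arn", "").startswith(GOV_PARTITION):
        findings.append("cluster is not in the aws-us-gov partition")
    if not cluster.get("endpoint", "").startswith("https://"):
        findings.append("API endpoint is not an HTTPS endpoint")
    vpc = cluster.get("resourcesVpcConfig", {})
    if vpc.get("endpointPublicAccess", True):
        # A private-only endpoint keeps the API server off the internet.
        findings.append("API server endpoint is publicly reachable")
        if "0.0.0.0/0" in vpc.get("publicAccessCidrs", []):
            findings.append("public endpoint accepts traffic from any CIDR")
    if not vpc.get("endpointPrivateAccess", False):
        # In GovCloud the private endpoint is not advertised over public DNS,
        # so clients must resolve it from inside the VPC; it still must be on.
        findings.append("private endpoint access is disabled")
    if not cluster.get("encryptionConfig"):
        findings.append("no KMS envelope encryption configured for secrets")
    return findings


# Constructed sample: a private-only cluster with secrets encryption enabled.
SAMPLE_CLUSTER = {
    "name": "payroll-prod",
    "arn": "arn:aws-us-gov:eks:us-gov-west-1:111122223333:cluster/payroll-prod",
    "endpoint": "https://EXAMPLE.gr7.us-gov-west-1.eks.amazonaws.com",
    "resourcesVpcConfig": {
        "endpointPublicAccess": False,
        "endpointPrivateAccess": True,
        "publicAccessCidrs": [],
    },
    "encryptionConfig": [{
        "resources": ["secrets"],
        "provider": {"keyArn": "arn:aws-us-gov:kms:us-gov-west-1:111122223333:key/EXAMPLE-KEY-ID"},
    }],
}

if __name__ == "__main__":
    print(json.dumps(review_govcloud_cluster(SAMPLE_CLUSTER), indent=2))
```

The ITAR rule about name fields cannot be checked this way, since the tool cannot know which strings are controlled data; that remains a review step for whoever names clusters and node groups.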
Amazon EKS supports operating systems compatible with Kubernetes, such as Linux x86 and Windows Server distributions, and provides optimized Amazon Machine Images for Windows Server 2019 and Amazon Linux 2.
Final Thoughts for AWS GovCloud Kubernetes Solutions
AWS GovCloud Kubernetes solutions bring scalability, availability, and security to government applications that adopt containerization, along with microservices, batch-processing workers, and PaaS. The introduction of Amazon EKS gives GovCloud a higher-level management tool that automates the deployment of Kubernetes clusters, using a versatile control plane to manage clusters in hybrid-cloud and multi-cloud environments.
However, having been introduced to the GovCloud platform only recently, Amazon EKS is still a new service in GovCloud computing as well as on a Government-as-a-Service (GaaP) platform. Therefore, we can expect more features and fewer limitations as the industry embraces this technology and as Amazon evolves it to meet increasing demand.