How-to configure AWS EKS API endpoint access

This guide explains how to securely allow a SaaS-based Checkmk site to access your AWS EKS cluster by restricting Kubernetes API access to specific IP ranges.

LAST TESTED ON CLOUD CHECKMK 2.4.0p8

To enable a SaaS-based Checkmk site to monitor a Kubernetes cluster, the Kubernetes API must be accessible from the internet. However, exposing the API publicly can pose security risks. To mitigate this, you can restrict access to only the IP ranges used by the Checkmk SaaS gateway.

By doing so, the SaaS site will be able to connect to your EKS cluster and perform monitoring without unnecessary exposure.

Prerequisites

  • An AWS EKS cluster with the API server endpoint access configured as Public and Private
  • AWS CLI installed and configured
  • Checkmk Cluster Collector deployed using Helm (in this setup, the LoadBalancer option is used)
  • Kubernetes monitoring configured in the Checkmk SaaS site

Step-by-step guide


The Checkmk SaaS gateway sends its outbound traffic from a fixed set of addresses, depending on the region of your site. These are the sources you allow on the public API endpoint.

All European egress:

  • IPv4 traffic goes through one of these three IP addresses: 18.185.218.168, 3.65.66.137, 63.177.12.7
  • IPv6 traffic goes through one of these three IP ranges: 2a05:d014:63b:d806::/64, 2a05:d014:63b:d807::/64, 2a05:d014:63b:d808::/64

All US egress:

  • IPv4 traffic goes through one of these three IP addresses: 52.2.90.6, 174.129.232.169, 98.83.2.233
  • IPv6 traffic goes through one of these three IP ranges: 2600:1f18:7613:7906::/64, 2600:1f18:7613:7907::/64, 2600:1f18:7613:7908::/64


Option 1: Using the AWS Console

There are two ways to allow these IP ranges to reach the Kubernetes API. The first is to use the AWS Management Console as follows:

  1. Log in to the AWS Management Console.

  2. Navigate to Elastic Kubernetes Service.

  3. Select your EKS cluster.

  4. Go to the Networking tab and click Manage under Endpoint access.

  5. On the Manage endpoint access page, expand Advanced settings.

  6. In the Add/edit sources to public access endpoint section, add the IP ranges used by the SaaS gateway.

  7. Click Save changes.

    It may take a few minutes for the changes to take effect.



Option 2: Using the AWS CLI

You can also update the allowed IP ranges via the AWS CLI:

Command Syntax:

bash
aws eks update-cluster-config \
  --name <cluster_name> \
  --region <aws_region> \
  --resources-vpc-config publicAccessCidrs="<CIDR_block>"


Example:

bash
aws eks update-cluster-config \
  --name medium-saas-cluster \
  --region eu-central-1 \
  --resources-vpc-config publicAccessCidrs="xxx.xxx.xxx.xxx/32","xxx.xxx.xxx.xxx/32","xxx.xxx.xxx.xxx/32"


The publicAccessCidrs value replaces the cluster's current list of allowed sources, so include every source that still needs the public endpoint (for example the network you run kubectl from); otherwise you lock yourself out of the API from outside the VPC. Worker nodes and pods inside the VPC are unaffected, because with private access enabled they reach the API through the private endpoint. Always verify the allowed IP ranges from your SaaS provider and test connectivity after applying the changes.
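The following script is an added example and is not part of the Checkmk article or the AWS CLI documentation. It wraps the update-cluster-config call shown above so that the gateway addresses are turned into /32 CIDRs, merged with the sources already allowed on the cluster (so existing admin networks are kept), and the wide-open default 0.0.0.0/0 is dropped; it then applies the change and reads the list back for verification. The cluster name, region and the 203.0.113.0/24 admin network are constructed placeholders; the gateway addresses are the EU ones listed earlier on this page.

```bash
#!/usr/bin/env bash
# Added example (not from the Checkmk article): restrict the EKS public API
# endpoint to the Checkmk SaaS gateway plus any sources already allowed.
set -eu

# EU gateway egress addresses from the article above.
EU_GATEWAY_IPS="18.185.218.168 3.65.66.137 63.177.12.7"

# to_cidr_list: space-separated IPv4 addresses -> comma-separated /32 CIDRs,
# the shorthand list syntax the aws CLI expects. Entries that already carry a
# prefix length are passed through unchanged.
to_cidr_list() {
  out="" 
  for ip in $1; do
    case "$ip" in
      */*) out="${out:+$out,}$ip" ;;
      *)   out="${out:+$out,}$ip/32" ;;
    esac
  done
  printf '%s' "$out"
}

# merge_cidrs: union of two comma-separated CIDR lists, order preserved,
# duplicates removed. 0.0.0.0/0 (the EKS default) is dropped, because keeping
# it would silently make the restriction meaningless.
merge_cidrs() {
  printf '%s\n' "$1" "$2" \
    | tr ',' '\n' \
    | awk 'NF && $0 != "0.0.0.0/0" && !seen[$0]++' \
    | tr '\n' ',' \
    | sed 's/,$//'
}

# current_public_cidrs: CIDRs currently allowed on the cluster's public endpoint.
current_public_cidrs() {
  aws eks describe-cluster --name "$1" --region "$2" \
    --query 'cluster.resourcesVpcConfig.publicAccessCidrs' --output text \
    | tr '\t' ','
}

# restrict_public_endpoint: apply the list, keeping both endpoint types enabled
# (the article's prerequisite), then wait for the asynchronous update to finish.
restrict_public_endpoint() {
  cluster=$1; region=$2; cidrs=$3
  aws eks update-cluster-config --name "$cluster" --region "$region" \
    --resources-vpc-config "endpointPublicAccess=true,endpointPrivateAccess=true,publicAccessCidrs=$cidrs"
  aws eks wait cluster-active --name "$cluster" --region "$region"
}

main() {
  cluster="${1:-my-cluster}"       # placeholder cluster name
  region="${2:-eu-central-1}"      # placeholder region
  admin_net="203.0.113.0/24"       # constructed placeholder: where kubectl runs from

  wanted=$(merge_cidrs "$(current_public_cidrs "$cluster" "$region")" \
                       "$(to_cidr_list "$EU_GATEWAY_IPS $admin_net")")
  echo "applying publicAccessCidrs=$wanted"
  restrict_public_endpoint "$cluster" "$region" "$wanted"

  # Verify: the list read back from AWS must contain every gateway CIDR.
  applied=$(current_public_cidrs "$cluster" "$region")
  for c in $(to_cidr_list "$EU_GATEWAY_IPS" | tr ',' ' '); do
    case ",$applied," in
      *",$c,"*) ;;
      *) echo "missing $c in applied list: $applied" >&2; exit 1 ;;
    esac
  done
  echo "public endpoint now limited to: $applied"
}

# Only run against AWS when executed directly with a cluster name.
[ "${1:-}" ] && main "$@"
```

Run it as `./restrict-eks-api.sh <cluster_name> <aws_region>` with credentials that may call eks:DescribeCluster and eks:UpdateClusterConfig. The merge step is what keeps the change safe to repeat: running it twice yields the same list, and any source you added by hand in the console survives.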
