Deploying a kubectl Proxy in a VPC Private Subnet

The cluster was dark, unreachable from the public internet. You needed to deploy a proxy inside a VPC private subnet, and you needed it now.

Using kubectl to handle deployments inside a private network requires precise configuration. Public endpoints are off-limits. Traffic must pass through a proxy that lives inside the VPC. This approach protects sensitive workloads and keeps all backend services isolated.

Plan the Deployment
First, create a Kubernetes Deployment manifest for the proxy service. Use a minimal image that carries only the network tools the proxy needs. Pin the pods to nodes in the private subnet with a nodeSelector or topologySpreadConstraints. Ensure the VPC route table allows internal communication between the proxy pods and your other services.

Connect Through the Proxy
When you run kubectl from outside the VPC, use a bastion host or VPN to forward traffic. Alternatively, run a kubectl proxy inside the network and reach it through an SSH tunnel. The tunnel encrypts the command traffic, and the proxy listener itself stays reachable only within the private subnet and VPC boundaries.

Service and Networking Configuration
Alongside the Deployment, define a ClusterIP Service for the proxy. Avoid the LoadBalancer and NodePort types, since they expose the proxy at the node or edge level. Reference the Service DNS name in your application and deployment configurations so every request stays inside the VPC network space.

For multi-account or cross-VPC access, set up VPC peering or AWS PrivateLink endpoints. Update security groups to allow only necessary ports from trusted sources. In AWS, make sure subnets hosting your proxy pods are marked as private and have no route to an internet gateway.

Deploy With kubectl
Apply your manifest:

kubectl apply -f proxy-deployment.yaml

Verify the pods:

kubectl get pods -n your-namespace -o wide

Check that each pod’s IP belongs to the VPC private subnet CIDR. Test connectivity from internal workloads only.
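The CIDR check above, as an added example that is not part of the original post: a POSIX shell script that tests each pod IP against the private subnet CIDR. The namespace, label and pod listing are constructed for illustration; in real use the listing comes from the kubectl query shown in the comment.

```shell
#!/bin/sh
# Added example (not from the original post): verify that every proxy pod IP
# lies inside the VPC private subnet CIDR. Pod names, namespace and label are
# hypothetical; the sample listing below is constructed.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
  set -- $(echo "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed (return 0) when $1 (IPv4) lies within $2 (CIDR, e.g. 10.0.16.0/20).
ip_in_cidr() {
  ip=$(ip_to_int "$1")
  net=$(ip_to_int "${2%/*}")
  bits=${2#*/}
  # Network mask: the top $bits bits set, truncated to 32 bits.
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Read "pod-name pod-ip" lines on stdin and fail if any IP is outside the CIDR.
check_pod_ips() {
  cidr=$1; rc=0
  while read -r name ip; do
    [ -n "$ip" ] || continue
    if ip_in_cidr "$ip" "$cidr"; then
      echo "OK   $name $ip"
    else
      echo "FAIL $name $ip is outside $cidr" >&2; rc=1
    fi
  done
  return $rc
}

# Constructed listing. Real usage pipes in:
#   kubectl get pods -n proxy -l app=kubectl-proxy \
#     -o jsonpath='{range .items[*]}{.metadata.name} {.status.podIP}{"\n"}{end}'
SAMPLE_PODS='kubectl-proxy-7c9d5-abcde 10.0.17.42
kubectl-proxy-7c9d5-fghij 10.0.20.9
kubectl-proxy-7c9d5-klmno 10.0.33.5'

# 10.0.16.0/20 spans 10.0.16.0 - 10.0.31.255, so the third pod is flagged.
echo "$SAMPLE_PODS" | check_pod_ips 10.0.16.0/20 \
  || echo "at least one pod landed outside the private subnet" >&2
```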

Why This Matters
Deploying the kubectl proxy in a VPC private subnet preserves security while maintaining operational control. It enables controlled admin access to clusters, reduces the attack surface, and meets compliance requirements by preventing public exposure.

See a fast, automated way to set this up. Visit hoop.dev and watch a secure VPC private proxy deployment go live in minutes.