Salek Ali.
System Operational
aws kubernetes devops

Getting Started with Amazon EKS: A Practical Guide

A hands-on guide to deploying your first production-ready Kubernetes cluster on AWS using EKS, including networking, IAM, and best practices.

Dr Salek Ali 1 March 2026
Getting Started with Amazon EKS: A Practical Guide

Amazon Elastic Kubernetes Service (EKS) is the managed Kubernetes offering from AWS. It handles the control plane so you can focus on deploying and scaling your workloads.

This guide walks through setting up a production-ready EKS cluster from scratch.

Why EKS?

Running Kubernetes yourself means managing etcd, API servers, scheduling, and upgrades. EKS handles all of that. You get:

  • A managed, highly available control plane across multiple AZs
  • Automatic Kubernetes version upgrades
  • Native integration with IAM, VPC, ALB, and other AWS services
  • Support for Fargate (serverless) and EC2 (self-managed) node groups

Prerequisites

Before you start, make sure you have:

  • AWS CLI configured with appropriate permissions
  • kubectl installed
  • eksctl installed (the official EKS CLI tool)
  • A VPC with public and private subnets (or let eksctl create one)

Creating Your Cluster

The fastest way to get started is with eksctl:

eksctl create cluster \
  --name my-cluster \
  --region eu-west-1 \
  --version 1.29 \
  --nodegroup-name workers \
  --node-type t3.medium \
  --nodes 3 \
  --nodes-min 2 \
  --nodes-max 5 \
  --managed

This creates a VPC, subnets, the EKS cluster, and a managed node group. It takes about 15 minutes.

Configuring kubectl

Once the cluster is up, configure your kubeconfig:

aws eks update-kubeconfig --name my-cluster --region eu-west-1

Verify connectivity:

kubectl get nodes

You should see your three worker nodes in a Ready state.

IAM Best Practices

EKS integrates tightly with IAM. A few things to get right from the start:

  1. Use IRSA (IAM Roles for Service Accounts) — map Kubernetes service accounts to IAM roles. This gives pods fine-grained permissions without sharing node-level credentials.

  2. Restrict cluster admin access — use aws-auth ConfigMap to control who can access the cluster and at what level.

  3. Enable envelope encryption — encrypt Kubernetes secrets at rest using a KMS key.

eksctl create iamserviceaccount \
  --name my-app-sa \
  --namespace default \
  --cluster my-cluster \
  --attach-policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess \
  --approve

Networking Considerations

EKS supports two CNI options:

  • AWS VPC CNI (default) — each pod gets a real VPC IP address. Simple, performant, but watch your IP address space.
  • Alternative CNIs like Calico or Cilium for network policies and more advanced use cases.

For production, use private subnets for your nodes and a NAT gateway for outbound traffic. Place your ALB in public subnets.

Deploying Your First Workload

Create a simple deployment:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: nginx:1.25
          ports:
            - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: nginx
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
spec:
  type: LoadBalancer
  selector:
    app: nginx
  ports:
    - port: 80
      targetPort: 80

Apply it:

kubectl apply -f nginx.yaml

What’s Next

Once your cluster is running, consider:

  • AWS Load Balancer Controller for Ingress with ALB
  • Cluster Autoscaler or Karpenter for node scaling
  • Prometheus + Grafana or CloudWatch Container Insights for observability
  • ArgoCD or Flux for GitOps-based deployments

EKS gives you a solid foundation. The key is getting your networking, IAM, and observability right from day one.

Have questions about running Kubernetes on AWS? Get in touch — I help teams design and operate production EKS clusters.