AWS K8S Cluster for IoT (Part 1)


In the previous articles, we created:

  • A temperature and humidity sensor which transmits its values into an influx database.
  • An ansible script which installs influxdb and grafana docker containers on a host to store and visualize sensor data.

The resulting infrastructure serves its purpose but has few drawbacks:

  • The host is a single point of failure and there are no self-healing capabilities.
  • We use unencrypted HTTP.
  • It is not possible to scale out in case of higher workloads.

To resolve these issues, this article explains how to run InfluxDB and Grafana in an AWS kubernetes cluster. We will cover the following features:

  • Spawn a k8s cluster in AWS using its EKS feature. Use CloudFormation to describe the cluster via YAML as an “Infrastructure as Code” approach.
  • Run Grafana and InfluxDB as StatefulSets inside the cluster.
  • Both should use Amazon Elastic Block Storage (EBS) to store application data.
  • Install an Application Load Balancer (ALB) which listens to HTTPS and uses a proper certificate.


Our solution will have the following structure:

The temperature/humidity sensors transmit their data via HTTPS to a load balancer. The load balancer is part of a public subnet in an AWS Virtual Private Cloud (VPC). The kubernetes cluster is hidden in a private subnet and only accessible by the load balancer.

To implement these requirements, we need the following components in AWS:

  • A Kubernetes Cluster based on Elastic Kubernetes Service (EKS)
  • Elastic Block Storage for persistence
  • Application Load Balancer to provide HTTPS and to forward requests to the correct container instance based on their URL

Source Code

The projects source code is available here on Github. It contains scripts and documentation to spin up a cluster in AWS. Furthermore, the repository provides kubernetes yaml files to deploy the applications, load balancer and persistent storage in the cluster.


Before we can implement our kubernetes cluster, we have to discuss how it is deployed in AWS. An EKS cluster can be created manually with the AWS web management console. As an alternative, cloudformation is available. It allows us to describe AWS infrastructure with a YAML file. The advantages are:

  • It also serves as documentation and can be put under version control
  • You can easily spawn (and delete) several copies of your infrastructure without manual labour.

Below is an example to demonstrate the approach:

AWSTemplateFormatVersion: '2010-09-09'
Description: 'Create a VPC'  

    Type: String
    Description: The CIDR range for the VPC. This should be a valid private (RFC 1918) CIDR range.

    Type: AWS::EC2::VPC
      CidrBlock:  !Ref VpcBlock     
      EnableDnsSupport: true
      EnableDnsHostnames: true
      - Key: Name
        Value: !Sub '${AWS::StackName}-VPC'

The snippet creates an empty VPC. The VPC CIDR block to describe its IP range can be passed via parameters to increase the templates flexibility. The VPC name is generated dynamically based on the stack name. The following shell script creates an instance of the template:

aws cloudformation create-stack \
  --region eu-central-1 \
  --stack-name example-stack \
  --template-body file://"my-template.yaml"

The command specifies a region, the stacks name (referenced in the template to generate the VPC name) and the cloudformation input file. Afterwards, it takes up to several minutes until the stack is generated (depending on its size). In the next chapter, we will use cloudformation to specify an AWS kubernetes cluster.

Cluster COmponents

This sections presents the components we have to describe in our cloud formation template. The full template and its details can be found here.


Many resources in AWS including kubernetes cluster are placed in a “Virtual Private Cloud” (VPC). It can be seen as a virtual network and consists of subnets. A subnet is either public or private and hosted in a single AWS accessibility zone. Public subnets are internet facing and contain an internet gateway. Private subnets are not accessible from the internet but can communicate with internet resources via a NAT gateway. Each subnet can contain its own route table. In our case, we define public and private route tables to make sure the traffic is forwarded correctly to the NAT and the internet gateway. To run our EKS cluster, we need the following subnets:

  • Two public subnets for the application load balancer. One would be sufficient but the ALB has to run in two accessibility zones.
  • A single private subnet for the EKS cluster including its EC2 worker nodes.

With this topology we make sure that the cluster is protected against malicious connection attempts and can only be reached through the application load balancer.


Typically, a cluster in AWS consists of:

  • Control planes which manage the cluster
  • Worker nodes which run your application pods, deployments, etc

AWS manages the control plane. All we have to do is to configure a few parameters (e.g. select the right VPC subnets).

The worker nodes can be handled in two different ways: You can either run EC2 instances or use AWS Fargate. When using EC2, we spawn virtual machines, configure and manage them by our own. Fargate on the other hand is a serverless compute engine service fully managed by AWS which can be used to execute containers. In this article, we will use EC2 approach since it gives us a little bit more control.

Below is the cloudformation snippet:

    Type: "AWS::EKS::Cluster"
          - !Ref ControlPlaneSecurityGroup
          - !Ref PublicSubnet01
          - !Ref PublicSubnet02
          - !Ref PrivateSubnet01
      RoleArn: !GetAtt EksClusterRole.Arn
      Version: !Ref KubernetesVersion
      Name: !Sub '${AWS::StackName}-eks-cluster'

    DependsOn: EKSControlPlane
    Type: AWS::EKS::Nodegroup
      ClusterName: !Sub '${AWS::StackName}-eks-cluster'
        - !Ref EksInstanceType
      NodegroupName: !Sub '${AWS::StackName}-eks-node-group'
      NodeRole: !GetAtt EksNodeRole.Arn
        MinSize: 1
        MaxSize: 4
        DesiredSize: 1
        - !Ref PrivateSubnet01

Access Management

We define the roles “EksClusterRole” and “EksNodeRole” which are attached to the control planes and the worker nodes. Each role links a set of managed policies created by AWS for us to the corresponding components. This way, we set permission to access the subnets, the container registry, etc. Without these permissions, the cluster would not work properly.

The cloudformation code looks like this:

    Type: AWS::IAM::Role
        Version: "2012-10-17"
          - Effect: Allow
              - 'sts:AssumeRole'
      Description: Role to provide access to EKS
        - arn:aws:iam::aws:policy/AmazonEKSClusterPolicy
      RoleName: !Sub '${AWS::StackName}-AmazonEKSClusterRole'

    Type: AWS::IAM::Role
        Version: "2012-10-17"
          - Effect: Allow
              - 'sts:AssumeRole'
      Description: Role to provide access to EKS
        - arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy
        - arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
        - arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy
      RoleName: !Sub '${AWS::StackName}-AmazonEKSNodeRole'

Further Work

The blog article describes how to create a kubernetes cluster with AWS cloudformation. It contains a VPC, subnets, worker nodes and control planes. However, the following topics are not covered yet:

  • Spawn an application load balancer.
  • Deploy InfluxDB and Grafana in the cluster.
  • Attach persistent storage to both services.
  • Attach a SSL certificate to allow HTTPS traffic.

These topics will be presented in further blog articles.

You might be interested in …