Skip to content


By default eksctl create cluster will create a dedicated VPC for the cluster. This is done in order to avoid interference with existing resources for a variety of reasons, including security, but also because it is challenging to detect all settings in an existing VPC.

The default VPC CIDR used by eksctl is It is divided into 8 (/19) subnets (3 private, 3 public & 2 reserved). The initial nodegroup is created in public subnets, with SSH access disabled unless --allow-ssh is specified. The nodegroup by default allows inbound traffic from the control plane security group on ports 1025 - 65535.


In us-east-1 eksctl only creates 2 public and 2 private subnets by default.


From eksctl version 0.17.0 and onwards public subnets will have the property MapPublicIpOnLaunch enabled, and the property AssociatePublicIpAddress disabled in the Auto Scaling Group for the nodegroups. This means that when creating a new nodegroup on a cluster made with an earlier version of eksctl, the nodegroup must either be private or have MapPublicIpOnLaunch enabled in its public subnets. Without one of these, the new nodes won't have access to the internet and won't be able to download the basic add-ons (CNI plugin, kube-proxy, etc.). To help set up subnets correctly for old clusters you can use the new command eksctl utils update-legacy-subnet-settings.

If the default functionality doesn't suit you, the following sections explain how to customize VPC configuration further: