Google Anthos clusters on AWS allows you to take the GKE experience and operate Kubernetes clusters in your AWS environment.
When combined with Connect, Anthos clusters on AWS enables you to manage GKE clusters on both Google Cloud and AWS through the Google Cloud console.

Anthos capabilities are built around the idea of the fleet: a logical grouping of Kubernetes clusters that can be managed together. A fleet can be entirely made up of GKE clusters on Google Cloud, or include clusters outside Google Cloud running on-premises and on other public clouds such as AWS and Azure.

Anthos consists of several components that work together to provide a consistent and seamless application management experience across different environments.

Figure 1: Anthos Technical Overview [1]

Anthos clusters on AWS uses AWS APIs to provision the resources needed by your cluster, including virtual machines, managed disks, Auto Scaling groups, security groups, and load balancers.
When you set up Anthos clusters on AWS, you create an AWS IAM role in your AWS account with the required permissions.


Figure 2: Anthos Cluster on AWS [2]


Let's look at the implementation steps in more detail. First we install the AWS CLI from Cloud Shell.

    curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
    unzip awscliv2.zip
    sudo ./aws/install

Next, configure the AWS CLI so that it can connect to your AWS account.


Before creating the AWS cluster, I define some environment variables to make the deployment easier.

    export PROJECT_ID=$(gcloud config get-value project)
    AWS_CLUSTER=aws-cluster
    AWS_REGION=us-east-1
    VPC=aws-cluster-anthos-vpc
    PRIVATE_SUBNET_1=anthos-us-east-1a
    PRIVATE_SUBNET_2=anthos-us-east-1b
    PRIVATE_SUBNET_3=anthos-us-east-1c
    POD_BLOCK=10.2.0.0/16
    SERVICE_BLOCK=10.1.0.0/16
    CONTROL_PLANE_PROFILE=aws-cluster-anthos-cp
    NODE_POOL_PROFILE=aws-cluster-anthos-np
    # ARN of the KMS key used for database and config encryption
    ENCRYPTION_KEY=$(aws kms describe-key \
      --key-id alias/aws-cluster-database-encryption-key \
      --query 'KeyMetadata.Arn' --output text)
    # The cluster and node-pool commands below also need the VPC ID, the subnet IDs
    # and the ARN of the IAM role created for Anthos (see above). Those values were
    # not shown here, so the following are placeholders to replace with the values
    # from your own AWS account.
    VPC_ID=vpc-PLACEHOLDER
    PRIVATE_SUBNET_ID_1=subnet-PLACEHOLDER-1a
    PRIVATE_SUBNET_ID_2=subnet-PLACEHOLDER-1b
    PRIVATE_SUBNET_ID_3=subnet-PLACEHOLDER-1c
    API_ROLE_ARN=arn:aws:iam::ACCOUNT-ID-PLACEHOLDER:role/ROLE-NAME-PLACEHOLDER


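The pod and service CIDR blocks above must not overlap each other or the VPC, and every subnet handed to the cluster must lie inside that VPC; a mismatch here only surfaces as a late cluster-creation error. The following is an added example (not code from the original post or from Google) that performs this check offline with Python's `ipaddress` module. The pod and service blocks are the ones defined above; the VPC and subnet CIDRs are assumptions, since the post does not state them.

```python
import ipaddress

# Constructed values mirroring the environment variables above. The VPC and
# subnet CIDRs are assumptions; the post does not state them.
POD_BLOCK = "10.2.0.0/16"
SERVICE_BLOCK = "10.1.0.0/16"
VPC_CIDR = "10.0.0.0/16"
SUBNET_CIDRS = {
    "anthos-us-east-1a": "10.0.1.0/24",
    "anthos-us-east-1b": "10.0.2.0/24",
    "anthos-us-east-1c": "10.0.3.0/24",
}


def find_overlaps(named_blocks):
    """Return every pair of names whose CIDR blocks overlap.

    strict=True makes ip_network() reject a block with host bits set
    (e.g. 10.2.0.1/16), a typo that otherwise goes unnoticed until deployment.
    """
    nets = [(name, ipaddress.ip_network(cidr, strict=True))
            for name, cidr in named_blocks.items()]
    overlaps = []
    for i, (name_a, net_a) in enumerate(nets):
        for name_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                overlaps.append((name_a, name_b))
    return overlaps


def validate_cluster_ranges(pod_block, service_block, vpc_cidr, subnet_cidrs):
    """Return a list of human-readable problems; an empty list means the
    pod, service and VPC ranges are disjoint and all subnets sit inside the VPC."""
    problems = []
    blocks = {"pod": pod_block, "service": service_block, "vpc": vpc_cidr}
    for a, b in find_overlaps(blocks):
        problems.append(f"{a} block {blocks[a]} overlaps {b} block {blocks[b]}")
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    for name, cidr in subnet_cidrs.items():
        if not ipaddress.ip_network(cidr, strict=True).subnet_of(vpc):
            problems.append(f"subnet {name} ({cidr}) is not inside VPC {vpc_cidr}")
    return problems


if __name__ == "__main__":
    for problem in validate_cluster_ranges(POD_BLOCK, SERVICE_BLOCK,
                                           VPC_CIDR, SUBNET_CIDRS):
        print("PROBLEM:", problem)
    print("range check finished")
```

Run it before the `gcloud container aws clusters create` step and treat any printed problem as a blocker; swapping the constructed values for your real VPC and subnet CIDRs is the only change needed.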
We can now start with the deployment of the control plane cluster.
    gcloud container aws clusters create $AWS_CLUSTER \
      --cluster-version 1.24.3-gke.2100 \
      --aws-region us-east-1 \
      --location=us-east4 \
      --fleet-project $PROJECT_ID \
      --vpc-id $VPC_ID \
      --subnet-ids $PRIVATE_SUBNET_ID_1,$PRIVATE_SUBNET_ID_2,$PRIVATE_SUBNET_ID_3 \
      --pod-address-cidr-blocks $POD_BLOCK \
      --service-address-cidr-blocks $SERVICE_BLOCK \
      --role-arn $API_ROLE_ARN \
      --iam-instance-profile $CONTROL_PLANE_PROFILE \
      --database-encryption-kms-key-arn $ENCRYPTION_KEY \
      --config-encryption-kms-key-arn $ENCRYPTION_KEY \
      --tags google:gkemulticloud:cluster=$AWS_CLUSTER

Next, generate an SSH key pair and import its public key into AWS as an EC2 key pair.

    # SSH_PRIVATE_KEY and SSH_KEY_PAIR_NAME are placeholders: the output path for
    # the private key and the name the key pair will have in EC2
    ssh-keygen -t rsa -m PEM -b 4096 -C "$USER" \
      -f SSH_PRIVATE_KEY -N "" 1>/dev/null
    aws ec2 import-key-pair --key-name SSH_KEY_PAIR_NAME \
      --public-key-material fileb://SSH_PRIVATE_KEY.pub


We can now proceed to create the AWS node pool.
    gcloud container aws node-pools create pool-0 \
      --cluster $AWS_CLUSTER \
      --location=us-east4 \
      --node-version 1.24.3-gke.2100 \
      --min-nodes 1 \
      --max-nodes 5 \
      --max-pods-per-node 110 \
      --root-volume-size 50 \
      --subnet-id $PRIVATE_SUBNET_ID_1 \
      --iam-instance-profile $NODE_POOL_PROFILE \
      --config-encryption-kms-key-arn $ENCRYPTION_KEY \
      --ssh-ec2-key-pair SSH_KEY_PAIR_NAME \
      --tags google:gkemulticloud:cluster=$AWS_CLUSTER

After the node pool is created successfully, you can review the EC2 instances in the AWS console.

In the next step, we obtain credentials for the Kubernetes cluster.
    gcloud container aws clusters get-credentials $AWS_CLUSTER --location=us-east4
    # rename the current kubeconfig context to "aws" (kubectx NEW_NAME=. syntax)
    kubectx aws=.

To authorize the Kubernetes workload identity gke-system/gke-telemetry-agent to write logs to Cloud Logging and write metrics to Cloud Monitoring, run this command:
    gcloud projects add-iam-policy-binding ${PROJECT_ID} \
      --member="serviceAccount:${PROJECT_ID}.svc.id.goog[gke-system/gke-telemetry-agent]" \
      --role=roles/gkemulticloud.telemetryWriter

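The binding above grants a Kubernetes workload identity a single narrow role. Because a project policy accumulates bindings over time, it is worth checking afterwards that the telemetry agent holds `roles/gkemulticloud.telemetryWriter` and nothing broader. The following is an added example, not code from the original post or from Google, that performs that audit over the JSON shape returned by `gcloud projects get-iam-policy PROJECT --format=json`. The policy document, the project name `my-project` and the extra `roles/editor` binding are constructed for the example.

```python
import json

# Constructed sample in the shape of `gcloud projects get-iam-policy --format=json`.
# The project name, members and etag are made up for this example; the second
# binding deliberately grants the agent an over-broad role so the audit flags it.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {
      "role": "roles/gkemulticloud.telemetryWriter",
      "members": [
        "serviceAccount:my-project.svc.id.goog[gke-system/gke-telemetry-agent]"
      ]
    },
    {
      "role": "roles/editor",
      "members": [
        "user:alice@example.com",
        "serviceAccount:my-project.svc.id.goog[gke-system/gke-telemetry-agent]"
      ]
    }
  ],
  "etag": "BwX-constructed=",
  "version": 1
}
"""

REQUIRED_ROLE = "roles/gkemulticloud.telemetryWriter"


def load_policy(policy_json):
    """Parse the JSON text produced by gcloud into a policy dict."""
    return json.loads(policy_json)


def workload_identity_member(project_id, namespace, ksa):
    """Build the IAM member string for a Kubernetes service account, in the
    form used by the add-iam-policy-binding command above."""
    return f"serviceAccount:{project_id}.svc.id.goog[{namespace}/{ksa}]"


def roles_for_member(policy, member):
    """Return the sorted roles a member holds anywhere in the project policy.
    Conditional bindings (those with a "condition" key) are counted too, since
    the member can still exercise them when the condition is met."""
    return sorted(binding["role"] for binding in policy.get("bindings", [])
                  if member in binding.get("members", []))


def audit_telemetry_agent(policy, project_id):
    """Report whether the telemetry agent holds exactly the required role."""
    member = workload_identity_member(project_id, "gke-system", "gke-telemetry-agent")
    roles = roles_for_member(policy, member)
    return {
        "member": member,
        "has_required_role": REQUIRED_ROLE in roles,
        "extra_roles": [role for role in roles if role != REQUIRED_ROLE],
    }


if __name__ == "__main__":
    result = audit_telemetry_agent(load_policy(SAMPLE_POLICY_JSON), "my-project")
    print(json.dumps(result, indent=2))
```

On a real project, pipe the output of `gcloud projects get-iam-policy ${PROJECT_ID} --format=json` into `load_policy` instead of the constructed sample; a non-empty `extra_roles` list is the signal that the agent's identity has been granted more than the telemetry role.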
Now we can connect the Anthos cluster on AWS with the Google Cloud Console.
  1. On the Navigation menu, click Kubernetes Engine > Clusters.
  2. In the row for aws-cluster in the cluster list, click the 3-dots menu.
  3. Select Log in, select Use your Google Identity to log-in, and then click Login.
  4. Click on the aws-cluster entry to display information about your Anthos cluster on AWS.
  5. On the Navigation menu, click Anthos > Overview. One cluster is displayed.


We can also register an existing GKE cluster with the Anthos Hub.

Both Anthos clusters are now ready for application deployment. In the example below, I'm deploying NGINX on the AWS cluster via the Google Cloud Console.

For further information, refer to the Anthos on AWS documentation.


References:
  [1] Figure 1: Anthos Technical Overview - Google. Available at: https://cloud.google.com/anthos/docs/concepts/overview (Accessed: April 18, 2023).
  [2] Figure 2: Anthos clusters on AWS architecture - Google. Available at: https://cloud.google.com/anthos/clusters/docs/multi-cloud/aws/concepts/architecture (Accessed: April 18, 2023).