# Create a Public Cluster with Private Node Group
## Prerequisites
To be able to initialize a **Cluster** and **Deploy** a **Workload** , you need:
* There is at least 1 **VPC** and 1 **Subnet in ACTIVE** state . If you do not have a VPC or Subnet yet, please create a VPC or Subnet according to the instructions here [.](https://docs-vngcloud-vn.translate.goog/vng-cloud-document/v/vn/vserver/compute-hcm03-1a/network/virtual-private-cloud-vpc)
* There is at least 1 **SSH key in ACTIVE** state . If you do not have any SSH key, please create an SSH key according to the instructions here [.](https://docs-vngcloud-vn.translate.goog/vng-cloud-document/v/vn/vserver/compute-hcm03-1a/security/ssh-key-bo-khoa)
* Installed and configured **kubectl** on your device. Please refer here [if](https://kubernetes.io/vi/docs/tasks/tools/install-kubectl/) you are not sure how to install and use kuberctl. In addition, you should not use a kubectl version that is too old, we recommend that you use a kubectl version that is no more than one version different from the cluster version.
{% hint style="info" %}
**Attention:**
* **To ensure that VMs in NodeGroups on the subnet can go outbound to the internet and connect to the Control Plane, you must set up a NAT Gateway. For more details, please refer to the section below.**
{% endhint %}
***
## Create Palo Alto or Pfsense as an alternative to NAT Gateway
{% hint style="info" %}
**Attention:**
* For the best support when using Palo Alto or Pfsense, please contact our team of experts via Hotline **1900 1549** or email ****
{% endhint %}
Or you can choose to use Palo Alto or Pfsense to work with Private Node Group according to instructions at:
* [Palo Alto as a NAT Gateway](https://docs-vngcloud-vn.translate.goog/vng-cloud-document/v/vn/vks/getting-started/create-a-public-cluster-with-private-node-group/palo-alto-as-a-nat-gateway)
* [Pfsense as a NAT Gateway](https://docs-vngcloud-vn.translate.goog/vng-cloud-document/v/vn/vks/getting-started/create-a-public-cluster-with-private-node-group/pfsense-as-a-nat-gateway)
***
## Initialize Route Table
After Palo Alto, Pfsense is successfully initialized, you need to create a Route table to connect to different networks. Specifically, follow these steps to create a Route table:
**Step 1:** Visit
**Step 2:** In the navigation menu bar, select **Network Tab/ Route table.**
**Step 3:** Select **Create Route table.**
**Step 4:** Enter a descriptive name for the Route table. Route table names can include letters (az, AZ, 0-9, '\_', '-'). The input data length is between 5 and 50. It must not include leading or trailing spaces.
**Step 5:** Select **VPC** for your Route table. If you do not have a VPC, you need to create a new VPC according to the instructions on [the VPC Page](https://docs.vngcloud.vn/pages/viewpage.action?pageId=49648039) . **The VPC used to set up the Route table must be the VPC selected for Palo Alto or Pfsense and your Cluster.**
**Step 6** : Select **Create** to create a new Route table.
**Step 7:** Select the newly created Route table then select **Edit Routes.**
**Step 8:** In the add new **Route** section , enter the following information:
* For Destination, enter **Destination CIDR as 0.0.0.0/0**
* For Target, enter **Target CIDR as the corresponding Palo Alto or Pfsense Network Interface IP address.**
***
## Initialize Cluster
**A cluster in Kubernetes** is a collection of one or more virtual machines (VMs) connected together to run containerized applications. Cluster provides a unified environment to deploy, manage, and operate containers at scale.
To initialize a Cluster, follow the steps below:
**Step 1:** Visit [https://vks.console.vngcloud.vn/overview](https://vks.console-dev.vngcloud.tech/overview)
**Step 2: At the Overview** screen , select **Activate.**
**Step 3:** Wait until we successfully create your VKS account. After Activate successfully, select **Create a Cluster**
**Step 4:** At the Cluster initialization screen, we have set up information for the Cluster and a **Default Node Group** for you. You can keep these default values or adjust the desired parameters for the Cluster and Node Group at Cluster Configuration, Default Node Group Configuration, Plugin. **By default we will create a Public Cluster for you with Public Node Group. You need to change your selection to Private Node Group .**
**Step 5:** Select **Create Kubernetes cluster.** Please wait a few minutes for us to initialize your Cluster, the Cluster's status is now **Creating** .
**Step 6: When the Cluster** status is **Active** , you can view Cluster information and Node Group information by selecting Cluster Name in the **Name** column .
***
## Connect and check the newly created Cluster information
After the Cluster is successfully initialized, you can connect and check the newly created Cluster information by following these steps:
**Step 1:** Visit [https://vks.console.vngcloud.vn/k8s-cluster](https://vks.console-dev.vngcloud.tech/overview)
**Step 2:** The Cluster list is displayed, select the iconand select **Download config file** to download the kubeconfig file. This file will give you full access to your Cluster.
**Step 3** : Rename this file to config and save it to the **\~/.kube/config directory**
**Step 4:** Perform Cluster check via command:
* Run the following command to test **node**
```
kubectl get nodes
```
* If the results are returned as below, it means your Cluster was successfully initialized with 3 nodes as below.
```
NAME STATUS ROLES AGE VERSION
ng-0e10592c-e70e-404d-a4e8-5e3b80f805e4-834b7 Ready 50m v1.28.8
ng-0e10592c-e70e-404d-a4e8-5e3b80f805e4-cf652 Ready 23m v1.28.8
ng-0f4ed631-1252-49f7-8dfc-386fa0b2d29b-a8ef0 Ready 28m v1.28.8
```
***
## Deploy a Workload
The following is a guide for you to deploy the nginx service on Kubernetes.
### **Step 1** : **Create Deployment for Nginx app.**
* Create **nginx-service-lb4.yaml** file with the following content:
```
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-app
spec:
selector:
matchLabels:
app: nginx
replicas: 1
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.19.1
ports:
- containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
name: nginx-service
spec:
selector:
app: nginx
type: LoadBalancer
ports:
- protocol: TCP
port: 80
targetPort: 80
```
* Deploy This deployment equals:
```
kubectl apply -f nginx-service-lb4.yaml
```
### **Step 2: Check Deployment and Service information before exposing it to the Internet.**
* Run the following command to test **Deployment**
```
kubectl get svc,deploy,pod -owide
```
* If the results are returned as below, it means you have successfully deployed the nginx service.
```
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
service/kubernetes ClusterIP 10.96.0.1 443/TCP 2d4h
service/nginx-app NodePort 10.96.215.192 30080:31289/TCP 8m12s app=nginx
service/nginx-service LoadBalancer 10.96.179.221 80:32624/TCP 2m16s app=nginx
NAME READY UP-TO-DATE AVAILABLE AGE CONTAINERS IMAGES SELECTOR
deployment.apps/nginx-app 1/1 1 1 2m16s nginx nginx:1.19.1 app=nginx
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
pod/nginx-app-7f45b65946-t7d7k 1/1 Running 0 2m16s 172.16.24.202 ng-3f06013a-f6a5-47ba-a51f-bc5e9c2b10a7-ecea1
