# Deploying OPA on AWS EKS

Tip: This page supplements the [base Kubernetes documentation](/docs/deploy/k8s) for deploying OPA. See that page for how to deploy OPA on Kubernetes, then return here for EKS-specific notes.

## Creating a Load Balancer for an OPA Cluster Service

If you run OPA as a cluster service, you may want to expose it to the internet or to other internal, off-cluster policy enforcement points (PEPs). OPA is generally invoked by PEP applications rather than by clients directly, so a public IP is usually not required.

Internal Load Balancer Service

```
apiVersion: v1
kind: Service
metadata:
  name: opa
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
spec:
  selector:
    app: opa
  ports:
    - protocol: TCP
      port: 8181
      targetPort: 8181
  type: LoadBalancer
```

Warning: If you are exposing an OPA service to the public internet, use OPA's built-in [authentication and authorization](/docs/security#authentication-and-authorization) features unless OPA runs behind another service that provides these functions.

External Load Balancer Service

```
apiVersion: v1
kind: Service
metadata:
  name: opa
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: external
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
    service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
spec:
  selector:
    app: opa
  ports:
    - protocol: TCP
      port: 8181
      targetPort: 8181
  type: LoadBalancer
```

For more information, please see the EKS [Network Load Balancer](https://docs.aws.amazon.com/eks/latest/userguide/network-load-balancing.html) documentation.
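
One way to turn on the authentication and authorization features that the warning above refers to, so that the OPA pods behind either load balancer reject unauthenticated API calls. This is an added example, not part of the original page or the OPA project's own manifests. The ConfigMap and Secret names, mount paths, image tag and the `api_tokens` data key are assumptions, and the Secret `opa-api-tokens` is assumed to hold a `tokens.json` file of the form `{"api_tokens": {"<token>": {}}}`.

```yaml
# Added example: names (opa-authz, opa-api-tokens), paths and api_tokens are assumptions.
apiVersion: v1
kind: ConfigMap
metadata:
  name: opa-authz
data:
  authz.rego: |
    package system.authz

    import rego.v1

    # Reject every API request unless a rule below allows it.
    default allow := false

    # Let kubelet probes reach the health endpoint without a token.
    allow if {
      input.method == "GET"
      input.path == ["health"]
    }

    # With --authentication=token, input.identity is the bearer token.
    # Allow it only when it is a key in the mounted token data.
    allow if data.api_tokens[input.identity]
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: opa
spec:
  selector:
    matchLabels:
      app: opa
  template:
    metadata:
      labels:
        app: opa            # matches the Service selector used on this page
    spec:
      containers:
        - name: opa
          image: openpolicyagent/opa:latest   # assumption; pin a version in practice
          args: ["run", "--server", "--addr=0.0.0.0:8181", "--ignore=.*",
                 "--authentication=token", "--authorization=basic",
                 "/policy", "/secrets/tokens.json"]
          volumeMounts:
            - {name: authz, mountPath: /policy, readOnly: true}
            - {name: tokens, mountPath: /secrets, readOnly: true}
      volumes:
        - {name: authz, configMap: {name: opa-authz}}
        - {name: tokens, secret: {secretName: opa-api-tokens}}
```

Bearer tokens cross this plain TCP listener unencrypted unless OPA is also started with `--tls-cert-file` and `--tls-private-key-file`, or TLS is terminated in front of it.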