numerous-agency-66232
09/08/2025, 3:45 PM
2.12.1) installed via Helm Chart deployed w/ ArgoCD. This lives in a lower EKS environment.
• This is working well and I intend for this to be my management cluster for the time being
• We’ll call this environment source
I’m trying to import another EKS cluster (diff AWS account + region)
• We’ll call this environment target
• I’ve allowed NAT Gateway IPs at the EKS level + SG level where relevant (on both source and target EKS clusters)
• However, I’m still getting the error:
failed to communicate with cluster: Get "https://MY_TARGET_CLUSTER.gr7.us-west-2.eks.amazonaws.com/api/v1/namespaces/cattle-system": dial tcp TARGET_EKS_PUBLIC_IP:443: i/o timeout
When I check the pod logs of the target cluster, I see the following:
INFO: https://rancher.<MY_DOMAIN>.com/ping is accessible
...
time="2025-09-04T20:17:18Z" level=info msg="Listening on /tmp/log.sock"
time="2025-09-04T20:17:18Z" level=info msg="starting cattle-credential-cleanup goroutine in the background"
time="2025-09-04T20:17:18Z" level=info msg="Rancher agent version v2.12.1 is starting"
time="2025-09-04T20:17:18Z" level=error msg="unable to read CA file from /etc/kubernetes/ssl/certs/serverca: open /etc/kubernetes/ssl/certs/serverca: no such file or directory"
time="2025-09-04T20:17:18Z" level=info msg="Connecting to wss://rancher.<MY_DOMAIN>.com/v3/connect/register with token starting with TOKEN_STRING"
time="2025-09-06T01:49:06Z" level=info msg="Connecting to proxy" url="wss://rancher.<MY_DOMAIN>.com/v3/connect"
I think we can ignore those cert errors as I’ve already set:
agentTLSMode: "system-store"
• When I fixed this, it proceeded beyond the cert errors -> to the "Connecting to proxy" msg
Further, I’ve added the following to NO_PROXY on the source cluster:
,.eks.amazonaws.com,eks.amazonaws.com,TARGET_CLUSTER.gr7.us-west-2.eks.amazonaws.com
and the following on the target cluster:
rancher.<MY_DOMAIN>.com,.svc,.cluster.local,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
I am at a loss now for why this isn’t connecting. A timeout implies an SG / network issue, I would guess.
My understanding is these 2 AWS accounts do not need network connectivity, i.e. via VPC peering. They should only need API access to the cluster URL, but I could be wrong there.
• the public IP for the target EKS cluster it times out on is AWS owned and not anything I have access to
tl;dr why is my import of an existing EKS cluster failing with a timeout error?