Move EKS cluster requirements under "create an Amazon EKS cluster"

Author: fasaxc

calico/getting-started/kubernetes/managed-public-cloud/eks.mdx

@@ -35,17 +35,32 @@ When using the Amazon VPC CNI plugin, $[prodname] does not support enforcement o
 
 :::
 
-***Prerequisites***
-
-* You [disabled network policy for the AWS VPC CNI](https://docs.aws.amazon.com/eks/latest/userguide/network-policy-disable.html). 
-* You [configured AWS VPC CNI to annotate Pods with their IPs](https://github.com/aws/amazon-vpc-cni-k8s?tab=readme-ov-file#annotate_pod_ip-v193).  Note the requirement to grant the "patch" permission to the `aws-node` daemon set.  Without this setting, pod IPs can propagate slowly when Kubernetes is under load resulting in slow policy application after pod creation.
 
 1. First, create an Amazon EKS cluster.
 
    ```bash
    eksctl create cluster --name  <my-calico-cluster>
    ```
 
+   Do **not** enable [network policy for the AWS VPC CNI](https://docs.aws.amazon.com/eks/latest/userguide/network-policy-disable.html); it conflicts with $[prodname].
+
+1. Configure AWS VPC CNI to [annotate Pods with their IPs](https://github.com/aws/amazon-vpc-cni-k8s?tab=readme-ov-file#annotate_pod_ip-v193).
+   Note the requirement to grant the "patch" permission to the `aws-node` daemon set to avoid permission errors.
+   This setting ensures that pod IPs propagate quickly from AWS VPC CNI to $[prodname].
+
+    ```bash
+    cat << EOF > append.yaml
+    - apiGroups:
+      - ""
+      resources:
+      - pods
+      verbs:
+      - patch
+    EOF
+    kubectl apply -f <(cat <(kubectl get clusterrole aws-node -o yaml) append.yaml)
+    kubectl set env  -n kube-system daemonset/aws-node ANNOTATE_POD_IP=true
+    ```
+
 1. Install the Tigera Operator and custom resource definitions.
 
    ```bash