Internet connectivity Requirements for Azure Redhat Openshift - Private Cluster

N-Open 160 Reputation points
2023-11-23T12:37:47.59+00:00

Dear Microsoft Team,

Hope you are doing well. We need your support on couple of points.

We have azure redhat openshift on a spoke vNet and Azure Firewall on Hub vNet.

Can you help us identify what ports and web sites that should be opened on Azure Firewall both for ingress/egress towards internet to have a work openshift cluster in private mode? (like redhat sites to be opened)

How do I route traffic to internet from Azure redhat openshift through Azure firewall

The links on website are bit confusing.

Azure Firewall
Azure Firewall
An Azure network security service that is used to protect Azure Virtual Network resources.
570 questions
Azure Red Hat OpenShift
Azure Red Hat OpenShift
An Azure service that provides a flexible, self-service deployment of fully managed OpenShift clusters.
71 questions
Accepted answer
  1. KapilAnanth-MSFT 35,086 Reputation points Microsoft Employee
    2023-11-24T05:26:35.5566667+00:00

    @N-Open

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    I understand that you would like to restrict the egress traffic from your ARO using an Azure Firewall.

    You must make use of Azure Red Hat OpenShift Egress lockdown feature.

    Egress lockdown takes a collection of domains required for an Azure Red Hat OpenShift cluster to function and proxies calls to these domains through the Azure Red Hat OpenShift service. The domains, which are region-specific, can't be configured by customers. Egress lockdown doesn't rely on customer internet access for Azure Red Hat OpenShift services to work. In order for clusters to reach any Azure Red Hat OpenShift service, cluster traffic exits through an Azure private endpoint created within the cluster resource group where all of the Azure Red Hat OpenShift resources are available.

    With the above, most of the Endpoints proxied through the ARO service and does not need any manual/user configuration.

    In addition to the above, there is a List of optional endpoints to use features such as Operator Hub or Red Hat telemetry.

    The following Points may come in handy

    #1

    To route traffic to Azure Firewall, you must add a user-defined route (UDR) that has a 0.0.0.0/0 route to Azure Firewall.

    How to ? - Refer : Create a 0.0.0.0/0 route.

    #2

    To create Application Rules in Azure Firewall : https://learn.microsoft.com/en-us/azure/firewall/rule-processing#network-rules-and-applications-rules

    #3

    Make sure you do not have asymmetric routing.

    i.e., Traffic comes in via a Public IP of Load Balancer and goes out via Azure Firewall.

    For private traffic, this should be an issue.

    However, in case you are receiving inbound traffic via Public LB, see : How to fix the routing issue

    Kindly let us know if this helps or you need further assistance on this issue.

    Thanks,

    Kapil

    Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

    0 comments

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest