modules/cluster-wide-proxy-preqs.adoc

// Module included in the following assemblies:
//
// * networking/configuring-cluster-wide-proxy.adoc

:_mod-docs-content-type: CONCEPT
[id="cluster-wide-proxy-prereqs_{context}"]
= Prerequisites for configuring a cluster-wide proxy

To configure a cluster-wide proxy, you must meet the following requirements. These requirements are valid when you configure a proxy during installation or postinstallation.


[id="cluster-wide-proxy-general-prereqs_{context}"]
== General requirements

* You are the cluster owner.
* Your account has sufficient privileges.
ifdef::openshift-rosa,openshift-rosa-hcp[]
* You have an existing Virtual Private Cloud (VPC) for your cluster.
endif::openshift-rosa,openshift-rosa-hcp[]
ifdef::openshift-dedicated[]
* You have an existing Virtual Private Cloud (VPC) for your cluster.
* You are using the Customer Cloud Subscription (CCS) model for your cluster.
endif::openshift-dedicated[]
* The proxy can access the VPC for the cluster and the private subnets of the VPC. The proxy must also be accessible from the VPC for the cluster and from the private subnets of the VPC.
* You have added the following endpoints to your VPC endpoint:
** `ec2.<aws_region>.amazonaws.com`
** `elasticloadbalancing.<aws_region>.amazonaws.com`
** `s3.<aws_region>.amazonaws.com`
+
These endpoints are required to complete requests from the nodes to the AWS EC2 API. Because the proxy works at the container level and not at the node level, you must route these requests to the AWS EC2 API through the AWS private network. Adding the public IP address of the EC2 API to your allowlist in your proxy server is not enough.
+
[IMPORTANT]
====
When using a cluster-wide proxy, you must configure the `s3.<aws_region>.amazonaws.com` endpoint as type `Gateway`.
====


[id="cluster-wide-proxy-network-prereqs_{context}"]
== Network requirements

If your proxy re-encrypts egress traffic, you must create exclusions to several domain and port combinations required by OpenShift.

Your proxy must exclude re-encrypting the following OpenShift URLs:

.URLs to exclude from egress traffic re-encryption
[cols="6,1,6",options="header"]
|===
|Address | Protocol/Port | Function
|`observatorium-mst.api.openshift.com`
|https/443
|Required. Used for Managed OpenShift-specific telemetry.

|`sso.redhat.com`
|https/443
|The https://console.redhat.com/openshift site uses authentication from `sso.redhat.com` to download the cluster pull secret and use Red Hat SaaS solutions to facilitate monitoring of your subscriptions, cluster inventory, and chargeback reporting.
|===
OSDOCS-3342: Network Requirements 2022-03-09 11:59:04 -05:00			`// Module included in the following assemblies:`
			`//`
			`// * networking/configuring-cluster-wide-proxy.adoc`

[enterprise-4.14] changing content type attribute 2023-10-30 10:13:25 -04:00			`:_mod-docs-content-type: CONCEPT`
OSDOCS-3342: Network Requirements 2022-03-09 11:59:04 -05:00			`[id="cluster-wide-proxy-prereqs_{context}"]`
			`= Prerequisites for configuring a cluster-wide proxy`

fix incorrect hyphenation per ISG 2023-10-31 11:25:53 +00:00			`To configure a cluster-wide proxy, you must meet the following requirements. These requirements are valid when you configure a proxy during installation or postinstallation.`
OSDOCS-3342: Network Requirements 2022-03-09 11:59:04 -05:00
OSDOCS#15507: Removing discrete headings in core OCP docs 2025-09-09 15:42:10 -04:00
OSDOCS-3342: Network Requirements 2022-03-09 11:59:04 -05:00			`[id="cluster-wide-proxy-general-prereqs_{context}"]`
			`== General requirements`

			`* You are the cluster owner.`
			`* Your account has sufficient privileges.`
OSDOCS-11830 Split Networking content for ROSA with HCP 2025-02-10 22:19:45 +10:00			`ifdef::openshift-rosa,openshift-rosa-hcp[]`
OSDOCS-3798 - Removing OCM CLI references and adding proxy content for OSD and ROSA 2022-07-04 11:03:04 +01:00			`* You have an existing Virtual Private Cloud (VPC) for your cluster.`
OSDOCS-11830 Split Networking content for ROSA with HCP 2025-02-10 22:19:45 +10:00			`endif::openshift-rosa,openshift-rosa-hcp[]`
OSDOCS-3342: Network Requirements 2022-03-09 11:59:04 -05:00			`ifdef::openshift-dedicated[]`
OSDOCS-3798 - Removing OCM CLI references and adding proxy content for OSD and ROSA 2022-07-04 11:03:04 +01:00			`* You have an existing Virtual Private Cloud (VPC) for your cluster.`
			`* You are using the Customer Cloud Subscription (CCS) model for your cluster.`
			`endif::openshift-dedicated[]`
OSDOCS-11830 Split Networking content for ROSA with HCP 2025-02-10 22:19:45 +10:00			`* The proxy can access the VPC for the cluster and the private subnets of the VPC. The proxy must also be accessible from the VPC for the cluster and from the private subnets of the VPC.`
OCPBUGS-14687 2023-09-27 16:07:11 +05:30			`* You have added the following endpoints to your VPC endpoint:`
			** `ec2.<aws_region>.amazonaws.com`
			** `elasticloadbalancing.<aws_region>.amazonaws.com`
			** `s3.<aws_region>.amazonaws.com`
			`+`
			`These endpoints are required to complete requests from the nodes to the AWS EC2 API. Because the proxy works at the container level and not at the node level, you must route these requests to the AWS EC2 API through the AWS private network. Adding the public IP address of the EC2 API to your allowlist in your proxy server is not enough.`
			`+`
OSDOCS-10038:Additional trust bundle policy set to Always for add trust bundles 2024-05-15 12:59:51 +01:00			`[IMPORTANT]`
OCPBUGS-14687 2023-09-27 16:07:11 +05:30			`====`
OSDOCS-10038:Additional trust bundle policy set to Always for add trust bundles 2024-05-15 12:59:51 +01:00			When using a cluster-wide proxy, you must configure the `s3.<aws_region>.amazonaws.com` endpoint as type `Gateway`.
OCPBUGS-14687 2023-09-27 16:07:11 +05:30			`====`
OSDOCS-3342: Network Requirements 2022-03-09 11:59:04 -05:00
OSDOCS#15507: Removing discrete headings in core OCP docs 2025-09-09 15:42:10 -04:00
OSDOCS-3342: Network Requirements 2022-03-09 11:59:04 -05:00			`[id="cluster-wide-proxy-network-prereqs_{context}"]`
			`== Network requirements`

OSDOCS-11830 Split Networking content for ROSA with HCP 2025-02-10 22:19:45 +10:00			`If your proxy re-encrypts egress traffic, you must create exclusions to several domain and port combinations required by OpenShift.`

			`Your proxy must exclude re-encrypting the following OpenShift URLs:`

			`.URLs to exclude from egress traffic re-encryption`
OSDOCS-3342: Network Requirements 2022-03-09 11:59:04 -05:00			`[cols="6,1,6",options="header"]`
			`\|===`
			`\|Address \| Protocol/Port \| Function`
			\|`observatorium-mst.api.openshift.com`
			`\|https/443`
			`\|Required. Used for Managed OpenShift-specific telemetry.`

			\|`sso.redhat.com`
			`\|https/443`
OSDOCS-11830 Split Networking content for ROSA with HCP 2025-02-10 22:19:45 +10:00			\|The https://console.redhat.com/openshift site uses authentication from `sso.redhat.com` to download the cluster pull secret and use Red Hat SaaS solutions to facilitate monitoring of your subscriptions, cluster inventory, and chargeback reporting.
OSDOCS-3342: Network Requirements 2022-03-09 11:59:04 -05:00			`\|===`
OSDOCS-3798 - Removing OCM CLI references and adding proxy content for OSD and ROSA 2022-07-04 11:03:04 +01:00