installing/installing_azure/ipi/installing-restricted-networks-azure-installer-provisioned.adoc

:_mod-docs-content-type: ASSEMBLY
[id="installing-restricted-networks-azure-installer-provisioned"]
= Installing a cluster on Azure in a disconnected environment
include::_attributes/common-attributes.adoc[]
:context: installing-restricted-networks-azure-installer-provisioned

toc::[]

In {product-title} version {product-version}, you can install a cluster on Microsoft Azure in a restricted network by creating an internal mirror of the installation release content on an existing Azure Virtual Network (VNet).

[IMPORTANT]
====
You can install an {product-title} cluster by using mirrored installation release content, but your cluster requires internet access to use the Azure APIs.
====

[id="prerequisites_installing-restricted-networks-azure-installer-provisioned"]
== Prerequisites

* You xref:../../../disconnected/installing-mirroring-installation-images.adoc#installation-about-mirror-registry_installing-mirroring-installation-images[mirrored the images for a disconnected installation] to your registry and obtained the `imageContentSources` data for your version of {product-title}.
+
[IMPORTANT]
====
Because the installation media is on the mirror host, you can use that computer to complete all installation steps.
====
* You have an existing VNet in Azure. While installing a cluster in a restricted network that uses installer-provisioned infrastructure, you cannot use the installer-provisioned VNet. You must use a user-provisioned VNet that satisfies one of the following requirements:
** The VNet contains the mirror registry.
** The VNet has firewall rules or a peering connection to access the mirror registry hosted elsewhere.

include::modules/installation-about-restricted-network.adoc[leveloffset=+1]

include::modules/installation-azure-user-defined-routing.adoc[leveloffset=+2]

include::modules/installation-about-custom-azure-vnet.adoc[leveloffset=+1]

[role="_additional-resources"]
.Additional resources

* xref:../../../networking/ovn_kubernetes_network_provider/about-ovn-kubernetes.adoc#about-ovn-kubernetes[About the OVN-Kubernetes network plugin]

* xref:../../../installing/install_config/configuring-firewall.adoc#configuring-firewall[Configuring your firewall]

include::modules/installation-initializing.adoc[leveloffset=+1]

[role="_additional-resources"]
.Additional resources
* xref:../../../installing/installing_azure/installation-config-parameters-azure.adoc#installation-config-parameters-azure[Installation configuration parameters for Azure]

include::modules/installation-minimum-resource-requirements.adoc[leveloffset=+2]

include::modules/installation-azure-tested-machine-types.adoc[leveloffset=+2]

include::modules/installation-azure-arm-tested-machine-types.adoc[leveloffset=+2]

include::modules/installation-azure-trusted-launch.adoc[leveloffset=+2]

include::modules/installation-azure-confidential-vms.adoc[leveloffset=+2]

include::modules/installation-azure-dedicated-disks.adoc[leveloffset=+2]

include::modules/installing-azure-managing-dns-solution.adoc[leveloffset=+2]

include::modules/installation-azure-config-yaml.adoc[leveloffset=+2]

include::modules/installation-configure-proxy.adoc[leveloffset=+2]

[id="installing-azure-manual-modes_{context}"]
== Alternatives to storing administrator-level secrets in the kube-system project

By default, administrator secrets are stored in the `kube-system` project. If you configured the `credentialsMode` parameter in the `install-config.yaml` file to `Manual`, you must use one of the following alternatives:

* To manage long-term cloud credentials manually, follow the procedure in xref:../../../installing/installing_azure/ipi/installing-restricted-networks-azure-installer-provisioned.adoc#manually-create-iam_installing-restricted-networks-azure-installer-provisioned[Manually creating long-term credentials].

* To implement short-term credentials that are managed outside the cluster for individual components, follow the procedures in xref:../../../installing/installing_azure/ipi/installing-restricted-networks-azure-installer-provisioned.adoc#installing-azure-with-short-term-creds_installing-restricted-networks-azure-installer-provisioned[Configuring an Azure cluster to use short-term credentials].

//Manually creating long-term credentials
include::modules/manually-create-identity-access-management.adoc[leveloffset=+2]

//Supertask: Configuring an Azure cluster to use short-term credentials
[id="installing-azure-with-short-term-creds_{context}"]
=== Configuring an Azure cluster to use short-term credentials

To install a cluster that uses {entra-first}, you must configure the Cloud Credential Operator utility and create the required Azure resources for your cluster.

//Task part 1: Configuring the Cloud Credential Operator utility
include::modules/cco-ccoctl-configuring.adoc[leveloffset=+3]

//Task part 2: Creating the required Azure resources
include::modules/cco-ccoctl-creating-at-once.adoc[leveloffset=+3]

// Additional steps for the Cloud Credential Operator utility (`ccoctl`)
include::modules/cco-ccoctl-install-creating-manifests.adoc[leveloffset=+3]

include::modules/installation-launching-installer.adoc[leveloffset=+1]

include::modules/installing-azure-provisioning-dns-records.adoc[leveloffset=+1]

include::modules/cli-logging-in-kubeadmin.adoc[leveloffset=+1]

== Next steps

* xref:../../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster].
* If necessary, you can
xref:../../../support/remote_health_monitoring/remote-health-reporting.adoc#remote-health-reporting[Remote health reporting].
[enterprise-4.14] changing content type attribute 2023-10-30 10:13:25 -04:00			`:_mod-docs-content-type: ASSEMBLY`
OSDOCS#5174: Azure: Document installing OpenShift in a restricted network [Installer-provisioned] 2023-06-12 18:22:25 +05:30			`[id="installing-restricted-networks-azure-installer-provisioned"]`
Changing restricted to disconnected terminology in titles 2024-12-18 16:22:12 -05:00			`= Installing a cluster on Azure in a disconnected environment`
OSDOCS#5174: Azure: Document installing OpenShift in a restricted network [Installer-provisioned] 2023-06-12 18:22:25 +05:30			`include::_attributes/common-attributes.adoc[]`
			`:context: installing-restricted-networks-azure-installer-provisioned`

			`toc::[]`

			`In {product-title} version {product-version}, you can install a cluster on Microsoft Azure in a restricted network by creating an internal mirror of the installation release content on an existing Azure Virtual Network (VNet).`

			`[IMPORTANT]`
			`====`
			`You can install an {product-title} cluster by using mirrored installation release content, but your cluster requires internet access to use the Azure APIs.`
			`====`

			`[id="prerequisites_installing-restricted-networks-azure-installer-provisioned"]`
			`== Prerequisites`

[enterprise-4.20] OSDOCS#16276: Flattened oc-mirror levels 2025-10-07 12:24:45 +05:30			* You xref:../../../disconnected/installing-mirroring-installation-images.adoc#installation-about-mirror-registry_installing-mirroring-installation-images[mirrored the images for a disconnected installation] to your registry and obtained the `imageContentSources` data for your version of {product-title}.
OSDOCS#5174: Azure: Document installing OpenShift in a restricted network [Installer-provisioned] 2023-06-12 18:22:25 +05:30			`+`
			`[IMPORTANT]`
			`====`
			`Because the installation media is on the mirror host, you can use that computer to complete all installation steps.`
			`====`
			`* You have an existing VNet in Azure. While installing a cluster in a restricted network that uses installer-provisioned infrastructure, you cannot use the installer-provisioned VNet. You must use a user-provisioned VNet that satisfies one of the following requirements:`
IPI improvements 2024-07-26 17:11:21 +05:30			`** The VNet contains the mirror registry.`
			`** The VNet has firewall rules or a peering connection to access the mirror registry hosted elsewhere.`
OSDOCS#5174: Azure: Document installing OpenShift in a restricted network [Installer-provisioned] 2023-06-12 18:22:25 +05:30
			`include::modules/installation-about-restricted-network.adoc[leveloffset=+1]`

			`include::modules/installation-azure-user-defined-routing.adoc[leveloffset=+2]`

			`include::modules/installation-about-custom-azure-vnet.adoc[leveloffset=+1]`

Azure refactor 2024-06-03 12:16:08 +05:30			`[role="_additional-resources"]`
			`.Additional resources`

SDN-removal:removes SDN from 4.17 2024-07-30 14:15:18 -04:00			`* xref:../../../networking/ovn_kubernetes_network_provider/about-ovn-kubernetes.adoc#about-ovn-kubernetes[About the OVN-Kubernetes network plugin]`
Azure refactor 2024-06-03 12:16:08 +05:30
			`* xref:../../../installing/install_config/configuring-firewall.adoc#configuring-firewall[Configuring your firewall]`

OSDOCS#5174: Azure: Document installing OpenShift in a restricted network [Installer-provisioned] 2023-06-12 18:22:25 +05:30			`include::modules/installation-initializing.adoc[leveloffset=+1]`

			`[role="_additional-resources"]`
			`.Additional resources`
Azure refactor 2024-06-03 12:16:08 +05:30			`* xref:../../../installing/installing_azure/installation-config-parameters-azure.adoc#installation-config-parameters-azure[Installation configuration parameters for Azure]`
OSDOCS#5174: Azure: Document installing OpenShift in a restricted network [Installer-provisioned] 2023-06-12 18:22:25 +05:30
			`include::modules/installation-minimum-resource-requirements.adoc[leveloffset=+2]`

			`include::modules/installation-azure-tested-machine-types.adoc[leveloffset=+2]`

			`include::modules/installation-azure-arm-tested-machine-types.adoc[leveloffset=+2]`

OSDOCS-8132 Confidential VMs and trusted launch for Azure 2023-10-12 20:42:34 -04:00			`include::modules/installation-azure-trusted-launch.adoc[leveloffset=+2]`
OSDOCS#17381: Adding blank lines after includes 2025-11-18 17:48:49 -05:00
OSDOCS-8132 Confidential VMs and trusted launch for Azure 2023-10-12 20:42:34 -04:00			`include::modules/installation-azure-confidential-vms.adoc[leveloffset=+2]`

OSDOCS-16109: Add docs for tech preview of azure dedicated disk for etcd 2025-09-09 19:17:46 -04:00			`include::modules/installation-azure-dedicated-disks.adoc[leveloffset=+2]`

1 2026-01-27 14:11:03 +00:00			`include::modules/installing-azure-managing-dns-solution.adoc[leveloffset=+2]`

OSDOCS#5174: Azure: Document installing OpenShift in a restricted network [Installer-provisioned] 2023-06-12 18:22:25 +05:30			`include::modules/installation-azure-config-yaml.adoc[leveloffset=+2]`

			`include::modules/installation-configure-proxy.adoc[leveloffset=+2]`

Adds step to set Azure resource group for AADWID install 2023-11-17 15:20:28 -05:00			`[id="installing-azure-manual-modes_{context}"]`
			`== Alternatives to storing administrator-level secrets in the kube-system project`

			By default, administrator secrets are stored in the `kube-system` project. If you configured the `credentialsMode` parameter in the `install-config.yaml` file to `Manual`, you must use one of the following alternatives:

Azure refactor 2024-06-03 12:16:08 +05:30			`* To manage long-term cloud credentials manually, follow the procedure in xref:../../../installing/installing_azure/ipi/installing-restricted-networks-azure-installer-provisioned.adoc#manually-create-iam_installing-restricted-networks-azure-installer-provisioned[Manually creating long-term credentials].`
Adds step to set Azure resource group for AADWID install 2023-11-17 15:20:28 -05:00
Azure refactor 2024-06-03 12:16:08 +05:30			`* To implement short-term credentials that are managed outside the cluster for individual components, follow the procedures in xref:../../../installing/installing_azure/ipi/installing-restricted-networks-azure-installer-provisioned.adoc#installing-azure-with-short-term-creds_installing-restricted-networks-azure-installer-provisioned[Configuring an Azure cluster to use short-term credentials].`
Adds step to set Azure resource group for AADWID install 2023-11-17 15:20:28 -05:00
			`//Manually creating long-term credentials`
			`include::modules/manually-create-identity-access-management.adoc[leveloffset=+2]`

			`//Supertask: Configuring an Azure cluster to use short-term credentials`
			`[id="installing-azure-with-short-term-creds_{context}"]`
			`=== Configuring an Azure cluster to use short-term credentials`

OSDOCS-10415: update Azure AD to Entra branding 2024-05-01 10:29:13 -04:00			`To install a cluster that uses {entra-first}, you must configure the Cloud Credential Operator utility and create the required Azure resources for your cluster.`
Adds step to set Azure resource group for AADWID install 2023-11-17 15:20:28 -05:00
			`//Task part 1: Configuring the Cloud Credential Operator utility`
			`include::modules/cco-ccoctl-configuring.adoc[leveloffset=+3]`

			`//Task part 2: Creating the required Azure resources`
			`include::modules/cco-ccoctl-creating-at-once.adoc[leveloffset=+3]`

			// Additional steps for the Cloud Credential Operator utility (`ccoctl`)
			`include::modules/cco-ccoctl-install-creating-manifests.adoc[leveloffset=+3]`

			`include::modules/installation-launching-installer.adoc[leveloffset=+1]`

1 2026-01-27 14:11:03 +00:00			`include::modules/installing-azure-provisioning-dns-records.adoc[leveloffset=+1]`

OSDOCS#5174: Azure: Document installing OpenShift in a restricted network [Installer-provisioned] 2023-06-12 18:22:25 +05:30			`include::modules/cli-logging-in-kubeadmin.adoc[leveloffset=+1]`

			`== Next steps`

Azure refactor 2024-06-03 12:16:08 +05:30			`* xref:../../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster].`
OSDOCS#5174: Azure: Document installing OpenShift in a restricted network [Installer-provisioned] 2023-06-12 18:22:25 +05:30			`* If necessary, you can`
OCPBUGS-60988: Added update secret step to insights-operator-new-pull-secret 2025-09-02 15:33:22 +01:00			`xref:../../../support/remote_health_monitoring/remote-health-reporting.adoc#remote-health-reporting[Remote health reporting].`