From 867642e2f5ccfde494b3edd3d469d5281a3466b2 Mon Sep 17 00:00:00 2001
From: EricPonvelle
Date: Thu, 7 Aug 2025 14:16:05 -0500
Subject: [PATCH] OSDOSC-15511: Added Firewall rules into bastion host

---
 modules/rosa-hcp-firewall-prerequisites.adoc | 63 +++++++++++++++++++-
 rosa_hcp/rosa-hcp-egress-zero-install.adoc | 1 +
 2 files changed, 62 insertions(+), 2 deletions(-)

diff --git a/modules/rosa-hcp-firewall-prerequisites.adoc b/modules/rosa-hcp-firewall-prerequisites.adoc
index 3efc7da416..35e325ec0b 100644
--- a/modules/rosa-hcp-firewall-prerequisites.adoc
+++ b/modules/rosa-hcp-firewall-prerequisites.adoc
@@ -3,8 +3,6 @@
 // * rosa_planning/rosa-sts-aws-prereqs.adoc
 // * rosa_planning/rosa-hcp-prereqs.adoc <-- this is a symlink
 
-//TODO OSDOCS-11789: Why is this a procedure and not a reference?
-
 [id="rosa-hcp-firewall-prerequisites_{context}"]
 = Firewall prerequisites for {product-title}
 
@@ -128,3 +126,64 @@ Your workload may require access to other sites that provide resources for progr
 | 443
 | Optional. Required for Sonatype Nexus, F5 Big IP operators.
 |===
+
+[id="firewall-cli-bastion_{context}"]
+== Outbound firewall rules for the {rosa-cli} for clusters with egress zero
+
+If you use a bastion host to connect to a private cluster with egress zero, you must add the following rules to your firewall so that it can connect and authenticate to the cluster.
+
+[cols="6,1,6,6",options="header"]
+|===
+|Domain | Port | From/To | Function
+|`sso.redhat.com`
+|443
+|ROSA CLI running on bastion host
+|The link:https://console.redhat.com/openshift[OpenShift console] uses authentication from `sso.redhat.com` to download the pull secret and use Red Hat SaaS solutions to facilitate monitoring of your subscriptions, cluster inventory, chargeback reporting, etc.
+
+|`api.openshift.com`
+|443
+|ROSA CLI running on bastion host
+|Required for registering a {product-title} cluster into {hybrid-console}.
+
+|`iam.amazonaws.com`
+|443
+|ROSA CLI running on bastion host
+|Used for creating IAM roles and attaching permissions.
+
+|`servicequotas..amazonaws.com`
+|443
+|ROSA CLI running on bastion host
+|Checks AWS quotas to ensure they satisfy ROSA installation requirements. Alternatively, you can create a VPC endpoint for servicequota service to avoid whitelisting this URL from your firewall.
+
+|`sts..amazonaws.com`
+|443
+|ROSA CLI running on bastion host
+|Used to get short-lived token to access AWS service. Alternatively, you can create a VPC endpoint for STS service to avoid whitelisting this url from your firewall.
+
+|`ec2..amazonaws.com`
+|443
+|ROSA CLI running on bastion host
+|Used to retrieve EC2 instance related information such as subnets. Alternatively, you can create a VPC endpoint for EC2 service to avoid whitelisting this URL from your firewall.
+|===
+
+[id="firewall-hcm-bastion_{context}"]
+== Outbound firewall rules from {hybrid-console} for clusters with egress zero
+[cols="6,1,6,6",options="header"]
+|===
+|Domain | Port | From/To | Function
+
+|`sts..amazonaws.com`
+|443
+|{product-title} cluster
+|Used to access the AWS Secure Token Service (STS) regional endpoint to retrieve a short-lived token to access AWS services. Alternatively, you can create a VPC endpoint for STS service to avoid whitelisting this URL from your firewall.
+
+|`console.redhat.com`
+|443
+|Any browser to access {hybrid-console}
+|To manage a {product-title} cluster from {hybrid-console-second}.
+
+|`sso.redhat.com`
+|443
+|Any browser to access {hybrid-console}
+|The link:https://console.redhat.com/openshift[{hybrid-console}] site uses authentication from `sso.redhat.com` to download the pull secret and use Red Hat SaaS solutions to facilitate monitoring of your subscriptions, cluster inventory, chargeback reporting, etc.
+|===
diff --git a/rosa_hcp/rosa-hcp-egress-zero-install.adoc b/rosa_hcp/rosa-hcp-egress-zero-install.adoc
index 98be409560..3b395aa5d5 100644
--- a/rosa_hcp/rosa-hcp-egress-zero-install.adoc
+++ b/rosa_hcp/rosa-hcp-egress-zero-install.adoc
@@ -58,6 +58,7 @@ A physical connection might exist between machines on the internal network and a
 * You have installed the ROSA v1.2.45+ CLI.
 * You have installed and configured the AWS CLI with the necessary credentials.
 * You have installed the git CLI.
+* You have enabled the necessary xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#firewall-cli-bastion_rosa-hcp-aws-prereqs[ROSA CLI firewall rules] and xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#firewall-hcm-bastion_rosa-hcp-aws-prereqs[{hybrid-console} firewall rules].
 
 [IMPORTANT]
 ====