// Module included in the following assemblies:
//
// * hosted_control_planes/hcp-manage/hcp-manage-aws.adoc

:_mod-docs-content-type: CONCEPT
[id="hcp-managed-aws-infra-separate_{context}"]
= Creating the {aws-short} infrastructure separately

To create the {aws-first} infrastructure, you need to create a Virtual Private Cloud (VPC) and other resources for your cluster. You can use the {aws-short} console or an infrastructure automation and provisioning tool. For instructions to use the {aws-short} console, see link:https://docs.aws.amazon.com/vpc/latest/userguide/create-vpc.html#create-vpc-and-other-resources[Create a VPC plus other VPC resources] in the {aws-short} Documentation.

The VPC must include private and public subnets and resources for external access, such as a network address translation (NAT) gateway and an internet gateway. In addition to the VPC, you need a private hosted zone for the ingress of your cluster. If you are creating clusters that use PrivateLink (`Private` or `PublicAndPrivate` access modes), you need an additional hosted zone for PrivateLink.

Create the {aws-short} infrastructure for your hosted cluster by using the following example configuration:

[source,yaml]
[subs="+quotes"]
----
---
apiVersion: v1
kind: Namespace
metadata:
  creationTimestamp: null
  name: clusters
spec: {}
status: {}
---
apiVersion: v1
data:
  .dockerconfigjson: xxxxxxxxxxx
kind: Secret
metadata:
  creationTimestamp: null
  labels:
    hypershift.openshift.io/safe-to-delete-with-cluster: "true"
  name: <1>
  namespace: clusters
---
apiVersion: v1
data:
  key: xxxxxxxxxxxxxxxxx
kind: Secret
metadata:
  creationTimestamp: null
  labels:
    hypershift.openshift.io/safe-to-delete-with-cluster: "true"
  name: <2>
  namespace: clusters
type: Opaque
---
apiVersion: v1
data:
  id_rsa: xxxxxxxxx
  id_rsa.pub: xxxxxxxxx
kind: Secret
metadata:
  creationTimestamp: null
  labels:
    hypershift.openshift.io/safe-to-delete-with-cluster: "true"
  name: <3>
  namespace: clusters
---
apiVersion: hypershift.openshift.io/v1beta1
kind: HostedCluster
metadata:
  creationTimestamp: null
  name: <4>
  namespace: clusters
spec:
  autoscaling: {}
  configuration: {}
  controllerAvailabilityPolicy: SingleReplica
  dns:
    baseDomain: <5>
    privateZoneID: xxxxxxxx
    publicZoneID: xxxxxxxx
  etcd:
    managed:
      storage:
        persistentVolume:
          size: 8Gi
          storageClassName: gp3-csi
        type: PersistentVolume
    managementType: Managed
  fips: false
  infraID: <6>
  issuerURL: <7>
  networking:
    clusterNetwork:
    - cidr: 10.132.0.0/14
    machineNetwork:
    - cidr: 10.0.0.0/16
    networkType: OVNKubernetes
    serviceNetwork:
    - cidr: 172.31.0.0/16
  olmCatalogPlacement: management
  platform:
    aws:
      cloudProviderConfig:
        subnet:
          id: <8>
        vpc: <9>
        zone: us-west-1b
      endpointAccess: Public
      multiArch: false
      region: us-west-1
      rolesRef:
        controlPlaneOperatorARN: arn:aws:iam::820196288204:role/-control-plane-operator
        imageRegistryARN: arn:aws:iam::820196288204:role/-openshift-image-registry
        ingressARN: arn:aws:iam::820196288204:role/-openshift-ingress
        kubeCloudControllerARN: arn:aws:iam::820196288204:role/-cloud-controller
        networkARN: arn:aws:iam::820196288204:role/-cloud-network-config-controller
        nodePoolManagementARN: arn:aws:iam::820196288204:role/-node-pool
        storageARN: arn:aws:iam::820196288204:role/-aws-ebs-csi-driver-controller
    type: AWS
  pullSecret:
    name:
  release:
    image: quay.io/openshift-release-dev/ocp-release:4.16-x86_64
  secretEncryption:
    aescbc:
      activeKey:
        name:
    type: aescbc
  services:
  - service: APIServer
    servicePublishingStrategy:
      type: LoadBalancer
  - service: OAuthServer
    servicePublishingStrategy:
      type: Route
  - service: Konnectivity
    servicePublishingStrategy:
      type: Route
  - service: Ignition
    servicePublishingStrategy:
      type: Route
  - service: OVNSbDb
    servicePublishingStrategy:
      type: Route
  sshKey:
    name:
status:
  controlPlaneEndpoint:
    host: ""
    port: 0
---
apiVersion: hypershift.openshift.io/v1beta1
kind: NodePool
metadata:
  creationTimestamp: null
  name: <10>
  namespace: clusters
spec:
  arch: amd64
  clusterName:
  management:
    autoRepair: true
    upgradeType: Replace
  nodeDrainTimeout: 0s
  platform:
    aws:
      instanceProfile: <11>
      instanceType: m6i.xlarge
      rootVolume:
        size: 120
        type: gp3
      subnet:
        id:
    type: AWS
  release:
    image: quay.io/openshift-release-dev/ocp-release:4.16-x86_64
  replicas: 2
status:
  replicas: 0
----
<1> Replace `` with the name of your pull secret.
<2> Replace `` with the name of your etcd encryption key.
<3> Replace `` with the name of your SSH key.
<4> Replace `` with the name of your hosted cluster.
<5> Replace `` with your base DNS domain, such as `example.com`.
<6> Replace `` with the value that identifies the IAM resources that are associated with the hosted cluster.
<7> Replace `` with your issuer URL, which ends with your `infra_id` value. For example, `https://example-hosted-us-west-1.s3.us-west-1.amazonaws.com/example-hosted-infra-id`.
<8> Replace `` with your subnet ID. Both private and public subnets need to be tagged. For public subnets, use `kubernetes.io/role/elb=1`. For private subnets, use `kubernetes.io/role/internal-elb=1`.
<9> Replace `` with your VPC ID.
<10> Replace `` with the name of your `NodePool` resource.
<11> Replace `` with the name of your {aws-short} instance.
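The following pre-flight check is an added example, not part of this module or of the HyperShift project: it takes the `spec` of a `HostedCluster` (constructed inline as a plain dict; assumption: you would load your real manifest with a YAML parser and pass `manifest["spec"]`) and verifies the consistency rules the callouts above describe, namely that `issuerURL` ends with `infraID`, that every `rolesRef` role is named after that `infraID`, that the cluster, machine and service CIDRs do not overlap, that a private hosted zone is set, and that a PrivateLink access mode is flagged as needing its additional hosted zone. The account ID, zone IDs and names in the samples are constructed placeholders.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed sample of the HostedCluster spec fields the check needs (assumption:
# load your real manifest with a YAML parser and pass manifest["spec"] instead).
INFRA = "example-hosted-infra-id"
GOOD_SPEC = {
    "infraID": INFRA,
    "issuerURL": f"https://example-hosted-us-west-1.s3.us-west-1.amazonaws.com/{INFRA}",
    "dns": {"baseDomain": "example.com", "privateZoneID": "Z0PRIVATE", "publicZoneID": "Z0PUBLIC"},
    "networking": {"clusterNetwork": [{"cidr": "10.132.0.0/14"}],
                   "machineNetwork": [{"cidr": "10.0.0.0/16"}],
                   "serviceNetwork": [{"cidr": "172.31.0.0/16"}]},
    "platform": {"aws": {"endpointAccess": "Public", "rolesRef": {
        "controlPlaneOperatorARN": f"arn:aws:iam::123456789012:role/{INFRA}-control-plane-operator",
        "ingressARN": f"arn:aws:iam::123456789012:role/{INFRA}-openshift-ingress"}}},
}
# Same constructed spec with three mistakes: issuer path for another cluster, a role
# belonging to another cluster, and a machineNetwork inside clusterNetwork.
BAD_SPEC = {**GOOD_SPEC,
    "issuerURL": "https://example-hosted-us-west-1.s3.us-west-1.amazonaws.com/other-cluster",
    "networking": {**GOOD_SPEC["networking"], "machineNetwork": [{"cidr": "10.133.0.0/16"}]},
    "platform": {"aws": {"endpointAccess": "PublicAndPrivate", "rolesRef": {
        "controlPlaneOperatorARN": "arn:aws:iam::123456789012:role/other-cluster-control-plane-operator"}}},
}

def check_hosted_cluster(spec):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    infra = spec.get("infraID", "")
    if not infra:
        findings.append("infraID is empty")
    url = urlparse(spec.get("issuerURL", ""))
    if url.scheme != "https" or not url.path.rstrip("/").endswith("/" + infra):
        findings.append("issuerURL must be https and end with the infraID")
    aws = spec["platform"]["aws"]
    # Every role must be scoped to this cluster: its name carries the infraID prefix.
    for key, arn in aws["rolesRef"].items():
        if f":role/{infra}-" not in arn:
            findings.append(f"{key} does not belong to infraID {infra}")
    # Cluster, machine and service networks must be disjoint from each other.
    nets = [(k, ipaddress.ip_network(e["cidr"])) for k, v in spec["networking"].items()
            if k.endswith("Network") for e in v]
    for i, (ka, na) in enumerate(nets):
        for kb, nb in nets[i + 1:]:
            if na.overlaps(nb):
                findings.append(f"{ka} {na} overlaps {kb} {nb}")
    if not spec["dns"].get("privateZoneID"):
        findings.append("a private hosted zone is required for cluster ingress")
    if aws["endpointAccess"] in ("Private", "PublicAndPrivate"):
        findings.append("PrivateLink access mode: an additional PrivateLink hosted zone is required")
    return findings
```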