mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
openshift-docs/modules/cloud-experts-osd-limit-egress-ngfw-create-firewall-rules.adoc

// Module included in the following assemblies:
//
// * cloud_experts_osd_tutorials/cloud-experts-osd-limit-egress-ngfw.adoc
:_mod-docs-content-type: PROCEDURE
[id="cloud-experts-osd-limit-egress-ngfw-create-firewall-rules_{context}"]
= Creating the firewall rules
. Create a blanket allow rule for private IP (RFC 1918) address space by running the following command:
+
[source,terminal]
----
$ gcloud compute network-firewall-policies rules create 500 \
--description "Allow egress to private IP ranges" \
--action=allow \
--firewall-policy=${prefix} \
--global-firewall-policy \
--direction=EGRESS \
--layer4-configs all \
--dest-ip-ranges=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
----
+
. Create an allow rule for HTTPS (tcp/443) domains required for {product-title} by running the following command:
+
[source,terminal]
----
$ gcloud compute network-firewall-policies rules create 600 \
--description "Allow egress to OpenShift Dedicated required domains (tcp/443)" \
--action=allow \
--firewall-policy=${prefix} \
--global-firewall-policy \
--direction=EGRESS \
--layer4-configs tcp:443 \
--dest-fqdns accounts.google.com,pull.q1w2.quay.rhcloud.com,http-inputs-osdsecuritylogs.splunkcloud.com,nosnch.in,api.deadmanssnitch.com,events.pagerduty.com,api.pagerduty.com,api.openshift.com,mirror.openshift.com,observatorium.api.openshift.com,observatorium-mst.api.openshift.com,console.redhat.com,infogw.api.openshift.com,api.access.redhat.com,cert-api.access.redhat.com,catalog.redhat.com,sso.redhat.com,registry.connect.redhat.com,registry.access.redhat.com,cdn01.quay.io,cdn02.quay.io,cdn03.quay.io,cdn04.quay.io,cdn05.quay.io,cdn06.quay.io,cdn.quay.io,quay.io,registry.redhat.io,quayio-production-s3.s3.amazonaws.com
----
+
[IMPORTANT]
====
If no rule allows the traffic, the firewall blocks it. To allow access to other resources, such as internal networks or other external endpoints, create additional allow rules with a priority lower than 1000. For more information on how to create firewall rules, see link:https://cloud.google.com/firewall/docs/use-network-firewall-policies[Use global network firewall policies and rules].
====
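The following added example (not part of the original module or the openshift-docs project) simulates how the policy above evaluates an egress flow: rules are checked from the lowest priority number upward, the first match decides, and a flow that matches nothing is blocked. The rule set is a constructed copy of the two allow rules created above with a shortened FQDN list; FQDN matching is simplified to an exact name comparison, whereas the real firewall resolves names through DNS.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed rule set mirroring the two allow rules created in this procedure.
# The "blocked unless a rule allows it" behaviour is the policy default from the note.
@dataclass
class Rule:
    priority: int
    action: str                       # "allow" or "deny"
    layer4: list                      # e.g. ["all"] or ["tcp:443"], as in --layer4-configs
    dest_ip_ranges: list = field(default_factory=list)
    dest_fqdns: list = field(default_factory=list)

RULES = [
    Rule(500, "allow", ["all"],
         dest_ip_ranges=["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]),
    Rule(600, "allow", ["tcp:443"],
         dest_fqdns=["quay.io", "registry.redhat.io", "api.openshift.com"]),  # shortened list
]

def _l4_matches(cfg, proto, port):
    """Match one layer-4 config entry (PROTOCOL[:PORT[-PORT]] or "all")."""
    if cfg == "all":
        return True
    cfg_proto, _, cfg_port = cfg.partition(":")
    if cfg_proto != proto:
        return False
    if not cfg_port:                  # protocol given without a port: any port
        return True
    lo, _, hi = cfg_port.partition("-")
    return int(lo) <= port <= int(hi or lo)

def _dest_matches(rule, dest):
    """dest is either a hostname (matched against dest_fqdns) or an IP address."""
    if dest in rule.dest_fqdns:
        return True
    try:
        ip = ipaddress.ip_address(dest)
    except ValueError:                # a hostname that is not in the FQDN list
        return False
    return any(ip in ipaddress.ip_network(r) for r in rule.dest_ip_ranges)

def egress_allowed(dest, proto, port, rules=RULES):
    """Return (allowed, priority) for the first matching rule, lowest number first.
    No match means the policy blocks the flow, reported with priority None."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if _dest_matches(rule, dest) and any(_l4_matches(c, proto, port) for c in rule.layer4):
            return rule.action == "allow", rule.priority
    return False, None
```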