openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
Code Issues Releases Activity
Files
1ff87978a6c40ee820ccf36edb67060c25f78d59
openshift-docs/modules/rosa-hcp-firewall-prerequisites.adoc
Frances_McDonald e66d062605 life cycle added id 
added spaces for life cycle dates

changes after peer review
2025-12-05 15:38:15 +00:00

205 lines
7.3 KiB
Plaintext
Raw Blame History

// Module included in the following assemblies:
//
// * rosa_planning/rosa-sts-aws-prereqs.adoc
// * rosa_planning/rosa-hcp-prereqs.adoc <-- this is a symlink
:_mod-docs-content-type: REFERENCE
[id="rosa-hcp-firewall-prerequisites_{context}"]
= Firewall prerequisites for {product-title}
[role="_abstract"]
If you are using a firewall to control egress traffic from {product-title}, your Virtual Private Cloud (VPC) must be able to complete requests from the cluster to the Amazon S3 service, for example, via an Amazon S3 gateway. You must also configure your firewall to grant access to the following domain and port combinations.
//TODO OSDOCS-11789: From your deploy machine? From your cluster?
== Domains for installation packages and tools
[cols="6,1,6",options="header"]
|===
|Domain | Port | Function
|`quay.io`
|443
|Provides core container images.
|`cdn01.quay.io`
|443
|Provides core container images.
|`cdn02.quay.io`
|443
|Provides core container images.
|`cdn03.quay.io`
|443
|Provides core container images.
|`cdn04.quay.io`
|443
|Provides core container images.
|`cdn05.quay.io`
|443
|Provides core container images.
|`cdn06.quay.io`
|443
|Provides core container images.
|`quayio-production-s3.s3.amazonaws.com`
|443
|Provides core container images.
|`registry.redhat.io`
|443
|Provides core container images.
|`registry.access.redhat.com`
|443
|Required. Hosts all the container images that are stored on the Red{nbsp}Hat Ecosytem Catalog. Additionally, the registry provides access to the `odo` CLI tool that helps developers build on OpenShift and Kubernetes.
|`access.redhat.com`
|443
|Required. Hosts a signature store that a container client requires for verifying images when pulling them from `registry.access.redhat.com`.
|`api.openshift.com`
|443
|Required. Used to check for available updates to the cluster.
|`mirror.openshift.com`
|443
|Required. Used to access mirrored installation content and images. This site is also a source of release image signatures, although the Cluster Version Operator (CVO) needs only a single functioning source.
|`api.openshiftusgov.com`
|443
|This is for GovCloud only.
|===
== Domains for telemetry
[cols="6,1,6",options="header"]
|===
|Domain | Port | Function
|`infogw.api.openshift.com`
|443
|Required for telemetry.
|`console.redhat.com`
|443
|Required. Allows interactions between the cluster and OpenShift Console Manager to enable functionality, such as scheduling upgrades.
|`sso.redhat.com`
|443
|Required. The `https://console.redhat.com/openshift` site uses authentication from `sso.redhat.com` to download the pull secret and use Red{nbsp}Hat SaaS solutions to facilitate monitoring of your subscriptions, cluster inventory, chargeback reporting, etc.
|`console.openshiftusgov.com`
|443
|This is for GovCloud only.
|`time-a-g.nist.gov`
|443
|This is for GovCloud only.
|`time-a-wwv.nist.gov`
|443
|This is for GovCloud only.
|`time-a-b.nist.gov`
|443
|This is for GovCloud only.
|===
Managed clusters require enabling telemetry to allow Red{nbsp}Hat to react more quickly to problems, better support the customers, and better understand how product upgrades impact clusters.
For more information about how remote health monitoring data is used by Red{nbsp}Hat, see _About remote health monitoring_ in the _Additional resources_ section.
== Domains for Amazon Web Services (AWS) APIs
[cols="6,1,6",options="header"]
|===
|Domain | Port | Function
|`sts.<aws_region>.amazonaws.com`
|443
|Required. Used to access the AWS Secure Token Service (STS) regional endpoint. Ensure that you replace `<aws-region>` with the region that your cluster is deployed in. This can also be accomplished by configuring a private interface endpoint in your AWS Virtual Private Cloud (VPC) to the regional AWS STS endpoint.
|===
== Domains for your workload
Your workload may require access to other sites that provide resources for programming languages or frameworks.
* Allow access to sites that provide resources required by your builds.
* Allow access to outbound URLs required for your workload, for example, link:https://access.redhat.com/solutions/2998411[OpenShift Outbound URLs to Allow].
== Optional domains to enable third-party content
[cols="6,1,6",options="header"]
|===
|Domain | Port | Function
|`registry.connect.redhat.com`
| 443
| Optional. Required for all third-party-images and certified operators.
|`rhc4tp-prod-z8cxf-image-registry-us-east-1-evenkyleffocxqvofrk.s3.dualstack.us-east-1.amazonaws.com`
| 443
| Optional. Provides access to container images hosted on `registry.connect.redhat.com`.
|`oso-rhc4tp-docker-registry.s3-us-west-2.amazonaws.com`
| 443
| Optional. Required for Sonatype Nexus, F5 Big IP operators.
|===
[id="firewall-cli-bastion_{context}"]
== Outbound firewall rules for the {rosa-cli} for clusters with egress zero
If you use a bastion host to connect to a private cluster with egress zero, you must add the following rules to your firewall so that it can connect and authenticate to the cluster.
[cols="6,1,6,6",options="header"]
|===
|Domain | Port | From/To | Function
|`sso.redhat.com`
|443
|ROSA CLI running on bastion host
|The link:https://console.redhat.com/openshift[OpenShift console] uses authentication from `sso.redhat.com` to download the pull secret and use Red Hat SaaS solutions to facilitate monitoring of your subscriptions, cluster inventory, chargeback reporting, etc.
|`api.openshift.com`
|443
|ROSA CLI running on bastion host
|Required for registering a {product-title} cluster into {hybrid-console}.
|`iam.amazonaws.com`
|443
|ROSA CLI running on bastion host
|Used for creating IAM roles and attaching permissions.
|`servicequotas.<your region>.amazonaws.com`
|443
|ROSA CLI running on bastion host
|Checks AWS quotas to ensure they satisfy ROSA installation requirements. Alternatively, you can create a VPC endpoint for servicequota service to avoid whitelisting this URL from your firewall.
|`sts.<your region>.amazonaws.com`
|443
|ROSA CLI running on bastion host
|Used to get short-lived token to access AWS service. Alternatively, you can create a VPC endpoint for STS service to avoid whitelisting this url from your firewall.
|`ec2.<your region>.amazonaws.com`
|443
|ROSA CLI running on bastion host
|Used to retrieve EC2 instance related information such as subnets. Alternatively, you can create a VPC endpoint for EC2 service to avoid whitelisting this URL from your firewall.
|===
[id="firewall-hcm-bastion_{context}"]
== Outbound firewall rules from {hybrid-console} for clusters with egress zero
[cols="6,1,6,6",options="header"]
|===
|Domain | Port | From/To | Function
|`sts.<your region>.amazonaws.com`
|443
|{product-title} cluster
|Used to access the AWS Secure Token Service (STS) regional endpoint to retrieve a short-lived token to access AWS services. Alternatively, you can create a VPC endpoint for STS service to avoid whitelisting this URL from your firewall.
|`console.redhat.com`
|443
|Any browser to access {hybrid-console}
|To manage a {product-title} cluster from {hybrid-console-second}.
|`sso.redhat.com`
|443
|Any browser to access {hybrid-console}
|The link:https://console.redhat.com/openshift[{hybrid-console}] site uses authentication from `sso.redhat.com` to download the pull secret and use Red Hat SaaS solutions to facilitate monitoring of your subscriptions, cluster inventory, chargeback reporting, etc.
|===
View Git Blame Copy Permalink