openshift-docs/rosa_hcp/rosa-hcp-egress-lockdown-install.adoc

:_mod-docs-content-type: ASSEMBLY
[id="rosa-hcp-egress-lockdown-install"]
= Creating a {product-title} cluster with egress lockdown
include::_attributes/attributes-openshift-dedicated.adoc[]
:context: rosa-hcp-egress-lockdown-install
toc::[]


Creating a {product-title} cluster with egress lockdown provides a way to enhance your cluster's stability and security by allowing your cluster to use the image registry in the local region if the cluster cannot access the Internet. Your cluster will try to pull the images from Quay, but when they aren't reached, it will instead pull the images from the image registry in the local region. 

[IMPORTANT]
====
You can only use egress lockdown on clusters that use the following AWS regions:

* `us-west-2`
* `us-east-1` 
* `us-east-2`
* `ap-northeast-1`
* `ap-northeast-2`
* `ap-northeast-3`
* `ap-south-1`
* `ap-southeast-1`
* `ap-southeast-2`
* `ca-central-1`
* `eu-central-1`
* `eu-north-1`
* `eu-west-1`
* `eu-west-2`
* `eu-west-3`
* `sa-east-1`
====

All public and private clusters with egress lockdown get their Red Hat container images from a registery that is located in the local region of the cluster instead of gathering these images from various endpoints and registeries on the Internet. You can create a fully operational cluster that does not require a public egress by configuring a virtual private cloud (VPC) and using the `--properties zero_egress:true` flag when creating your cluster.

:FeatureName: Egress lockdown
include::snippets/technology-preview.adoc[]

.Prequisites

* You have an AWS account with sufficient permissions to create VPCs, subnets, and other required infrastructure.
* You have installed the Terraform v1.4.0+ CLI.
* You have installed the ROSA v1.2.45+ CLI.
* You have installed and configured the AWS CLI with the necessary credentials.
* You have installed the git CLI.

[IMPORTANT]
====
You can use egress lockdown on all supported versions of {product-title} that use the hosted control plane architecture; however, Red Hat suggests using the latest available z-stream release for each {ocp} version. 

While you may install and upgrade your clusters as you would a regular cluster, due to an upstream issue with how the internal image registry functions in disconnected environments, your cluster that uses egress lockdown will not be able to fully use all platform components, such as the image registry. You can restore these features by using the latest ROSA version when upgrading or installing your cluster.
====

[id="rosa-hcp-egress-lockdown-install-creating_{context}"]
== Creating a Virtual Private Cloud for your egress lockdown {hcp-title} clusters

You must have a Virtual Private Cloud (VPC) to create {hcp-title} clusters. You can use one of the following methods to create a VPC:

* Create a VPC by using a Terraform template
* Manually create the VPC resources in the AWS console

[NOTE]
====
The Terraform instructions are for testing and demonstration purposes. Your own installation requires modifications to the VPC for your specific needs and constraints. You should also ensure that when you use the following Terraform script it is in the same region that you intend to install your cluster.
====

include::modules/rosa-hcp-vpc-terraform.adoc[leveloffset=+2]

[role="_additional-resources"]
.Additional resources

* See the link:https://github.com/openshift-cs/terraform-vpc-example/tree/main/zero-egress[Zero Egress Terraform VPC Example] repository for a detailed list of all options available when customizing the VPC for your needs.

include::modules/rosa-hcp-vpc-manual.adoc[leveloffset=+2]
[discrete]
include::modules/rosa-hcp-vpc-subnet-tagging.adoc[leveloffset=+3]
[discrete]
include::modules/rosa-hcp-sgs-and-vpce.adoc[leveloffset=+3]

include::modules/rosa-hcp-creating-account-wide-sts-roles-and-policies.adoc[leveloffset=+1]

include::modules/rosa-sts-byo-oidc.adoc[leveloffset=+1]
include::modules/rosa-operator-config.adoc[leveloffset=+1]

include::modules/rosa-hcp-sts-creating-a-cluster-egress-lockdown-cli.adoc[leveloffset=+1]