openshift-docs/modules/private-clusters-default.adoc

// Module included in the following assemblies:
//
// * installing/installing_aws/installing-aws-government-region.adoc
// * installing/installing_aws/installing-aws-private.adoc
// * installing/installing_gcp/installing-gcp-private.adoc
// * installing/installing_azure/installing-azure-government-region.adoc
// * installing/installing_azure/installing-azure-private.adoc

[id="private-clusters-default_{context}"]
= Private clusters

ifeval::["{context}" == "installing-aws-government-region"]
:aws-gov:
endif::[]

You can deploy a private {product-title} cluster that does not expose external endpoints. Private clusters are accessible from only an internal network and are not visible to the Internet.

ifdef::aws-gov[]
[NOTE]
====
Public zones are not supported in Route53 in AWS GovCloud. Therefore, clusters
must be private if they are deployed to an AWS government region.
====
endif::aws-gov[]

By default, {product-title} is provisioned to use publicly-accessible DNS and endpoints. A private cluster sets the DNS, Ingress Controller, and API server to private when you deploy your cluster. This means that the cluster resources are only accessible from your internal network and are not visible to the internet.

To deploy a private cluster, you must use existing networking that meets your requirements. Your cluster resources might be shared between other clusters on the network.

Additionally, you must deploy a private cluster from a machine that has access the API services for the cloud you provision to, the hosts on the network that you provision, and to the internet to obtain installation media. You can use any machine that meets these access requirements and follows your company's guidelines. For example, this machine can be a bastion host on your cloud network or a machine that has access to the network through a VPN.

ifeval::["{context}" == "installing-aws-government-region"]
:!aws-gov:
endif::[]