openshift-docs/installing/installing_azure/ipi/installing-restricted-networks-azure-installer-provisioned.adoc

:_mod-docs-content-type: ASSEMBLY
[id="installing-restricted-networks-azure-installer-provisioned"]
= Installing a cluster on Azure in a disconnected environment
include::_attributes/common-attributes.adoc[]
:context: installing-restricted-networks-azure-installer-provisioned

toc::[]

In {product-title} version {product-version}, you can install a cluster on Microsoft Azure in a restricted network by creating an internal mirror of the installation release content on an existing Azure Virtual Network (VNet).

[IMPORTANT]
====
You can install an {product-title} cluster by using mirrored installation release content, but your cluster requires internet access to use the Azure APIs.
====

[id="prerequisites_installing-restricted-networks-azure-installer-provisioned"]
== Prerequisites

* You xref:../../../disconnected/installing-mirroring-installation-images.adoc#installation-about-mirror-registry_installing-mirroring-installation-images[mirrored the images for a disconnected installation] to your registry and obtained the `imageContentSources` data for your version of {product-title}.
+
[IMPORTANT]
====
Because the installation media is on the mirror host, you can use that computer to complete all installation steps.
====
* You have an existing VNet in Azure. While installing a cluster in a restricted network that uses installer-provisioned infrastructure, you cannot use the installer-provisioned VNet. You must use a user-provisioned VNet that satisfies one of the following requirements:
** The VNet contains the mirror registry.
** The VNet has firewall rules or a peering connection to access the mirror registry hosted elsewhere.

include::modules/installation-about-restricted-network.adoc[leveloffset=+1]

include::modules/installation-azure-user-defined-routing.adoc[leveloffset=+2]

include::modules/installation-about-custom-azure-vnet.adoc[leveloffset=+1]

[role="_additional-resources"]
.Additional resources

* xref:../../../networking/ovn_kubernetes_network_provider/about-ovn-kubernetes.adoc#about-ovn-kubernetes[About the OVN-Kubernetes network plugin]

* xref:../../../installing/install_config/configuring-firewall.adoc#configuring-firewall[Configuring your firewall]

include::modules/installation-initializing.adoc[leveloffset=+1]

[role="_additional-resources"]
.Additional resources
* xref:../../../installing/installing_azure/installation-config-parameters-azure.adoc#installation-config-parameters-azure[Installation configuration parameters for Azure]

include::modules/installation-minimum-resource-requirements.adoc[leveloffset=+2]

include::modules/installation-azure-tested-machine-types.adoc[leveloffset=+2]

include::modules/installation-azure-arm-tested-machine-types.adoc[leveloffset=+2]

include::modules/installation-azure-trusted-launch.adoc[leveloffset=+2]

include::modules/installation-azure-confidential-vms.adoc[leveloffset=+2]

include::modules/installation-azure-dedicated-disks.adoc[leveloffset=+2]

include::modules/installing-azure-managing-dns-solution.adoc[leveloffset=+2]

include::modules/installation-azure-config-yaml.adoc[leveloffset=+2]

include::modules/installation-configure-proxy.adoc[leveloffset=+2]

[id="installing-azure-manual-modes_{context}"]
== Alternatives to storing administrator-level secrets in the kube-system project

By default, administrator secrets are stored in the `kube-system` project. If you configured the `credentialsMode` parameter in the `install-config.yaml` file to `Manual`, you must use one of the following alternatives:

* To manage long-term cloud credentials manually, follow the procedure in xref:../../../installing/installing_azure/ipi/installing-restricted-networks-azure-installer-provisioned.adoc#manually-create-iam_installing-restricted-networks-azure-installer-provisioned[Manually creating long-term credentials].

* To implement short-term credentials that are managed outside the cluster for individual components, follow the procedures in xref:../../../installing/installing_azure/ipi/installing-restricted-networks-azure-installer-provisioned.adoc#installing-azure-with-short-term-creds_installing-restricted-networks-azure-installer-provisioned[Configuring an Azure cluster to use short-term credentials].

//Manually creating long-term credentials
include::modules/manually-create-identity-access-management.adoc[leveloffset=+2]

//Supertask: Configuring an Azure cluster to use short-term credentials
[id="installing-azure-with-short-term-creds_{context}"]
=== Configuring an Azure cluster to use short-term credentials

To install a cluster that uses {entra-first}, you must configure the Cloud Credential Operator utility and create the required Azure resources for your cluster.

//Task part 1: Configuring the Cloud Credential Operator utility
include::modules/cco-ccoctl-configuring.adoc[leveloffset=+3]

//Task part 2: Creating the required Azure resources
include::modules/cco-ccoctl-creating-at-once.adoc[leveloffset=+3]

// Additional steps for the Cloud Credential Operator utility (`ccoctl`)
include::modules/cco-ccoctl-install-creating-manifests.adoc[leveloffset=+3]

include::modules/installation-launching-installer.adoc[leveloffset=+1]

include::modules/installing-azure-provisioning-dns-records.adoc[leveloffset=+1]

include::modules/cli-logging-in-kubeadmin.adoc[leveloffset=+1]

== Next steps

* xref:../../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster].
* If necessary, you can
xref:../../../support/remote_health_monitoring/remote-health-reporting.adoc#remote-health-reporting[Remote health reporting].