1. Documentation
    2. history bug_report picture_as_pdf
×

Network verification for ROSA clusters

Network verification checks run automatically when you deploy a Red Hat OpenShift Service on AWS (ROSA) cluster into an existing Virtual Private Cloud (VPC) or create an additional machine pool with a subnet that is new to your cluster. The checks validate your network configuration and highlight errors, enabling you to resolve configuration issues prior to deployment.

You can also run the network verification checks manually to validate the configuration for an existing cluster.

Understanding network verification for ROSA clusters

When you deploy a Red Hat OpenShift Service on AWS (ROSA) cluster into an existing Virtual Private Cloud (VPC) or create an additional machine pool with a subnet that is new to your cluster, network verification runs automatically. This helps you identify and resolve configuration issues prior to deployment.

When you prepare to install your cluster by using Red Hat OpenShift Cluster Manager, the automatic checks run after you input a subnet into a subnet ID field on the Virtual Private Cloud (VPC) subnet settings page. If you create your cluster by using the ROSA CLI (rosa) with the interactive mode, the checks run after you provide the required VPC network information. If you use the CLI without the interactive mode, the checks begin immediately prior to the cluster creation.

When you add a machine pool with a subnet that is new to your cluster, the automatic network verification checks the subnet to ensure that network connectivity is available before the machine pool is provisioned.

After automatic network verification completes, a record is sent to the service log. The record provides the results of the verification check, including any network configuration errors. You can resolve the identified issues before a deployment and the deployment has a greater chance of success.

You can also run the network verification manually for an existing cluster. This enables you to verify the network configuration for your cluster after making configuration changes. For steps to run the network verification checks manually, see Running the network verification manually.

Scope of the network verification checks

The network verification includes checks for each of the following requirements:

  • The parent Virtual Private Cloud (VPC) exists.

  • All specified subnets belong to the VPC.

  • The VPC has enableDnsSupport enabled.

  • The VPC has enableDnsHostnames enabled.

  • Egress is available to the required domain and port combinations that are specified in the AWS firewall prerequisites section.

Automatic network verification bypassing

You can bypass the automatic network verification if you want to deploy a Red Hat OpenShift Service on AWS (ROSA) cluster with known network configuration issues into an existing Virtual Private Cloud (VPC).

If you bypass the network verification when you create a cluster, the cluster has a limited support status. After installation, you can resolve the issues and then manually run the network verification. The limited support status is removed after the verification succeeds.

Bypassing automatic network verification by using OpenShift Cluster Manager

When you install a cluster into an existing VPC by using Red Hat OpenShift Cluster Manager, you can bypass the automatic verification by selecting Bypass network verification on the Virtual Private Cloud (VPC) subnet settings page.

Bypassing automatic network verification by using the ROSA CLI

When you install a cluster into an existing VPC by using the rosa create cluster command, you can bypass the automatic verification by including the --bypass-network-verify --force arguments. The following example bypasses the network verification before creating a cluster:

$ rosa create cluster --cluster-name mycluster \
                      --subnet-ids subnet-03146b9b52b6024cb,subnet-03146b9b52b2034cc \
                      --bypass-network-verify --force

Alternatively, you can specify the --interactive argument and select the option in the interactive prompts to bypass the network verification checks.

Running the network verification manually

After installing a Red Hat OpenShift Service on AWS (ROSA) cluster, you can run the network verification checks manually by using Red Hat OpenShift Cluster Manager or the ROSA CLI (rosa).

Running the network verification manually using OpenShift Cluster Manager

You can manually run the network verification checks for an existing Red Hat OpenShift Service on AWS (ROSA) cluster by using Red Hat OpenShift Cluster Manager.

Prerequisites

  • You have an existing ROSA cluster.

  • You are the cluster owner or you have the cluster editor role.

Procedure

  1. Navigate to OpenShift Cluster Manager Hybrid Cloud Console and select your cluster.

  2. Select Verify networking from the Actions drop-down menu.

Running the network verification manually using the CLI

You can manually run the network verification checks for an existing Red Hat OpenShift Service on AWS (ROSA) cluster by using the ROSA CLI (rosa).

When you run the network verification, you can specify a set of VPC subnet IDs or a cluster name. If you are using a proxy service, you can specify a proxy URL.

Prerequisites

  • You have installed and configured the latest ROSA CLI (rosa) on your installation host.

  • You have an existing ROSA cluster.

  • You are the cluster owner or you have the cluster editor role.

Procedure

  • Verify the network configuration by using one of the following methods:

    • Verify the network configuration by specifying the cluster name. The subnet IDs are automatically detected:

      $ rosa verify network -c <cluster_name> (1)
      1 Replace <cluster_name> with the name of your cluster.
      Example output
      I: ✓ Network verification successful

      To output the full list of verification tests, you can include the --debug argument when you run rosa verify network.

    • Verify the network configuration by specifying the VPC subnets IDs:

      $ rosa verify network --subnet-ids subnet-03146b9b52b6024cb,subnet-03146b9b52b2034cc
      Example output
      E: Validating Subnet subnet-03146b9b52b6024cb egress
E: X Egress failed to https://events.pagerduty.com

    • Verify the network configuration by specifying the VPC subnets IDs and a proxy URL:

      $ rosa verify network --subnet-ids subnet-03146b9b52b6024cb,subnet-03146b9b52b2034cc \
                      --additional-trust-bundle-file /path/to/ca.cert \
                      --https-proxy <proxy_url> (1)
      1 Replace <proxy_url> with the URL of your proxy service, for example https://10.10.0.1.
      Example output
      I: Using proxy configuration
I: Subnet IDs detected:  subnet-03146b9b52b6024cb,subnet-03146b9b52b2034cc

E: Validating Subnet subnet-03146b9b52b6024cb egress
E: X Egress failed to https://events.pagerduty.com