ROSA architecture supports the following network configuration types:

  • Public network

  • Private network

  • AWS PrivateLink

ROSA architecture on public and private networks

You can install ROSA using either a public or private network. Configure a private cluster and private network connection during or after the cluster creation process. Red Hat manages the cluster with limited access through a public network. For more information, see the Service Definition.

Figure 1. ROSA deployed on public and private networks

Alternatively, install a cluster using AWS PrivateLink, which is hosted on private subnets only.

The Red Hat managed infrastructure that creates AWS PrivateLink clusters is hosted on private subnets. The connection between Red Hat and the customer-provided infrastructure is created through AWS PrivateLink VPC endpoints.

AWS PrivateLink is supported on existing VPCs only.

The following diagram shows a multiple availability zone (Multi-AZ) PrivateLink cluster deployed on private subnets.

Figure 2. Multi-AZ AWS PrivateLink cluster deployed on private subnets

AWS reference architectures

AWS provides multiple reference architectures that can be useful to customers when planning how to set up a configuration that uses AWS PrivateLink. Here are three examples:

  • VPC with a private subnet and AWS Site-to-Site VPN access.

    This configuration enables you to extend your network into the cloud without exposing your network to the internet.

    To enable communication with your network over an Internet Protocol Security (IPsec) VPN tunnel, this configuration contains a virtual private cloud (VPC) with a single private subnet and a virtual private gateway. The VPC has no internet gateway, so there is no direct path to or from the internet; all traffic to your network traverses the VPN tunnel.

    For more information, see VPC with a private subnet only and AWS Site-to-Site VPN access in the AWS documentation.

  • VPC with public and private subnets (NAT)

    This configuration enables you to isolate your network so that the public subnet is reachable from the internet but the private subnet is not.

    Only the public subnet can send outbound traffic directly to the internet. The private subnet can access the internet by using a network address translation (NAT) gateway that resides in the public subnet. This allows database servers to connect to the internet for software updates using the NAT gateway, but does not allow connections to be made directly from the internet to the database servers.

    For more information, see VPC with public and private subnets (NAT) in the AWS documentation.

  • VPC with public and private subnets and AWS Site-to-Site VPN access

    This configuration enables you to extend your network into the cloud and to directly access the internet from your VPC.

    You can run a multi-tiered application with a scalable web front end in a public subnet, and house your data in a private subnet that is connected to your network by an IPsec AWS Site-to-Site VPN connection.

    For more information, see VPC with public and private subnets and AWS Site-to-Site VPN access in the AWS documentation.
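Whichever of the reference architectures above you choose, the property the private subnets depend on is the same: their effective route table must not send 0.0.0.0/0 to an internet gateway, any NAT gateway they use must itself sit in a public subnet, and for the Multi-AZ PrivateLink layout the private subnets must span several availability zones. The following audit script is an added example (it is not part of the Red Hat or AWS documentation) that checks those properties from the JSON shapes returned by `aws ec2 describe-subnets`, `describe-route-tables` and `describe-nat-gateways`. The sample data is constructed; the subnet, route-table and gateway IDs are made up, and the requirement of three AZs for Multi-AZ is an assumption exposed as a parameter. It also catches a common mistake the diagrams do not show: a subnet with no explicit route-table association silently inherits the VPC's main route table, which may carry an internet-gateway route.

```python
"""Audit private subnets for the isolation properties the reference
architectures rely on. Sample data below is CONSTRUCTED to mimic the shape of
`aws ec2 describe-subnets`, `describe-route-tables` and `describe-nat-gateways`
output; it is not real AWS data. Feed it the real JSON in practice."""
from __future__ import annotations

SUBNETS = [  # constructed sample
    {"SubnetId": "subnet-pub-a", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-priv-a", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-priv-b", "AvailabilityZone": "us-east-1b"},
    {"SubnetId": "subnet-priv-c", "AvailabilityZone": "us-east-1c"},
]

ROUTE_TABLES = [  # constructed sample
    {   # public: default route to an internet gateway
        "RouteTableId": "rtb-public",
        "Associations": [{"SubnetId": "subnet-pub-a"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0a1b2c"},
        ],
    },
    {   # private: default route to a NAT gateway that lives in the public subnet
        "RouteTableId": "rtb-private",
        "Associations": [{"SubnetId": "subnet-priv-a"}, {"SubnetId": "subnet-priv-b"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0a1b2c"},
        ],
    },
    {   # main table: subnet-priv-c has no explicit association, so it inherits
        # this table, which wrongly carries an internet-gateway default route
        "RouteTableId": "rtb-main",
        "Associations": [{"Main": True}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0a1b2c"},
        ],
    },
]

NAT_GATEWAYS = [{"NatGatewayId": "nat-0a1b2c", "SubnetId": "subnet-pub-a"}]  # constructed


def route_table_for(subnet_id: str, route_tables: list[dict]) -> tuple[dict | None, bool]:
    """Return (route table, explicit). An explicit association wins; otherwise
    the VPC's main route table applies implicitly."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt, True
            if assoc.get("Main"):
                main = rt
    return main, False


def default_route(rt: dict | None) -> tuple[str | None, str | None]:
    """Classify the 0.0.0.0/0 route as ('igw'|'nat'|'vgw'|'other', target) or (None, None)."""
    for r in (rt or {}).get("Routes", []):
        if r.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if r.get("NatGatewayId"):
            return "nat", r["NatGatewayId"]
        gw = r.get("GatewayId", "")
        if gw.startswith("igw-"):
            return "igw", gw
        if gw.startswith("vgw-"):
            return "vgw", gw
        return "other", gw or "unknown"
    return None, None


def is_public(subnet_id: str, route_tables: list[dict]) -> bool:
    """AWS's definition: a subnet is public when its effective route table
    sends 0.0.0.0/0 to an internet gateway."""
    rt, _ = route_table_for(subnet_id, route_tables)
    return default_route(rt)[0] == "igw"


def audit_private_subnets(private_ids, subnets, route_tables, nat_gateways, required_azs=3):
    """Return a list of findings; an empty list means the private subnets are
    isolated as expected. required_azs=3 is an ASSUMPTION for Multi-AZ."""
    findings = []
    az_of = {s["SubnetId"]: s["AvailabilityZone"] for s in subnets}
    nat_subnet = {n["NatGatewayId"]: n["SubnetId"] for n in nat_gateways}
    for sid in private_ids:
        rt, explicit = route_table_for(sid, route_tables)
        kind, target = default_route(rt)
        if not explicit:
            findings.append(f"{sid}: no explicit route table association, inherits main table")
        if kind == "igw":
            findings.append(f"{sid}: default route to {target} makes it reachable from the internet")
        elif kind == "nat":
            nat_sid = nat_subnet.get(target)
            if nat_sid is None or not is_public(nat_sid, route_tables):
                findings.append(f"{sid}: NAT gateway {target} is missing or not in a public subnet")
    azs = {az_of[sid] for sid in private_ids}
    if len(azs) < required_azs:
        findings.append(f"private subnets span {len(azs)} AZ(s); {required_azs} required for Multi-AZ")
    return findings


if __name__ == "__main__":
    for f in audit_private_subnets(["subnet-priv-a", "subnet-priv-b", "subnet-priv-c"],
                                   SUBNETS, ROUTE_TABLES, NAT_GATEWAYS):
        print("FINDING:", f)
```

Run it against the sample and `subnet-priv-c` is reported twice: once for relying on the main route table and once because that table's internet-gateway route makes it public despite its name. A subnet name or tag says nothing about reachability; only the effective route table does, which is why the classification here is derived from routes rather than from the `SubnetId` naming.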