×

This document describes how to create a ROSA cluster using AWS PrivateLink.

A Red Hat OpenShift Service on AWS cluster can be created without any requirements on public subnets, internet gateways, or network address translation (NAT) gateways. In this configuration, Red Hat uses AWS PrivateLink to manage and monitor a cluster to avoid all public ingress network traffic. Without a public subnet, it is not possible to configure an application router as public. Configuring private application routers is the only option.

For more information, see AWS PrivateLink on the AWS website.

You can only make a PrivateLink cluster at installation time. You cannot change a cluster to PrivateLink after installation.

For AWS PrivateLink clusters, internet gateways, NAT gateways, and public subnets are not required, but the private subnets must have internet connectivity provided to install required components. At least one single private subnet is required for Single-AZ clusters and at least 3 private subnets are required for Multi-AZ clusters. The following table shows the AWS resources that are required for a successful installation:

Table 1. Required AWS resources
Component AWS Type Description

VPC

  • AWS::EC2::VPC

  • AWS::EC2::VPCEndpoint

You must provide a VPC for the cluster to use.

Network access control

  • AWS::EC2::NetworkAcl

  • AWS::EC2::NetworkAclEntry

You must allow access to the following ports:

Port Reason

80

Inbound HTTP traffic

443

Inbound HTTPS traffic

22

Inbound SSH traffic

1024-65535

Inbound ephemeral traffic

0-65535

Outbound ephemeral traffic

Private subnets

  • AWS::EC2::Subnet

  • AWS::EC2::RouteTable

  • AWS::EC2::SubnetRouteTableAssociation

Your VPC must have private subnets in 1 availability zone for Single-AZ deployments or 3 availability zones for Multi-AZ deployments. You must provide appropriate routes and route tables.

You can create an AWS PrivateLink cluster using the Red Hat OpenShift Service on AWS (ROSA) CLI, rosa.

AWS PrivateLink is supported on existing VPCs only.

Prerequisites
  • You have available AWS service quotas.

  • You have enabled the ROSA service in the AWS Console.

  • You have installed and configured the latest Red Hat OpenShift Service on AWS (ROSA) CLI, rosa, on your installation host.

Procedure

Creating a cluster can take up to 40 minutes.

  1. With AWS PrivateLink, you can create a cluster with a single availability zone (Single-AZ) or multiple availability zones (Multi-AZ). In either case, your machine’s classless inter-domain routing (CIDR) must match your virtual private cloud’s CIDR. See Requirements for using your own VPC and VPC Validation for more information.

    If you use a firewall, you must configure it so that Red Hat OpenShift Service on AWS can access the sites that it requires to function.

    For more information, see the AWS PrivateLink firewall prerequisites section.

    • To create a Single-AZ cluster:

      $ rosa create cluster --private-link --cluster-name=<cluster-name> [--machine-cidr=<VPC CIDR>/16] --subnet-ids=<private-subnet-id>
    • To create a Multi-AZ cluster:

      $ rosa create cluster --private-link --multi-az --cluster-name=<cluster-name> [--machine-cidr=<VPC CIDR>/16] --subnet-ids=<private-subnet-id1>,<private-subnet-id2>,<private-subnet-id3>
  2. Enter the following command to check the status of your cluster. During cluster creation, the State field from the output will transition from pending to installing, and finally to ready.

    $ rosa describe cluster --cluster=<cluster_name>

    If installation fails or the State field does not change to ready after 40 minutes, check the installation troubleshooting documentation for more details.

  3. Enter the following command to follow the OpenShift installer logs to track the progress of your cluster:

    $ rosa logs install --cluster=<cluster_name> --watch

With AWS PrivateLink clusters, a public hosted zone and a private hosted zone are created in Route 53. With the private hosted zone, records within the zone are resolvable only from within the VPC to which it is assigned.

The Let’s Encrypt DNS-01 validation requires a public zone so that valid, publicly trusted certificates can be issued for the domain. The validation records are deleted after Let’s Encrypt validation is complete; however, the zone is still required for issuing and renewing these certificates, which are typically required every 60 days. While these zones usually appear empty, it is serving a critical role in the validation process.

For more information about private hosted zones, see AWS private hosted zones documentation. For more information about public hosted zones, see AWS public hosted zones documentation.

Prerequisites
  • Your corporate network or other VPC has connectivity

  • UDP port 53 and TCP port 53 ARE enabled across your networks to allow for DNS queries

  • You have created an AWS PrivateLink cluster using Red Hat OpenShift Service on AWS

Procedure
  1. To allow for records such as api.<cluster_domain> and *.apps.<cluster_domain> to resolve outside of the VPC, configure a Route 53 Resolver Inbound Endpoint.

  2. When you configure the inbound endpoint, select the VPC and private subnets that were used when you created the cluster.

  3. After the endpoints are operational and associated, configure your corporate network to forward DNS queries to those IP addresses for the top-level cluster domain, such as drow-pl-01.htno.p1.openshiftapps.com.

  4. If you are forwarding DNS queries from one VPC to another VPC, configure forwarding rules.

  5. If you are configuring your remote network DNS server, see your specific DNS server documentation to configure selective DNS forwarding for the installed cluster domain.