This document describes how to create a ROSA cluster using AWS PrivateLink. Alternatively, you can create a ROSA cluster without AWS PrivateLink.

A Red Hat OpenShift Service on AWS cluster can be created without any requirements on public subnets, internet gateways, or network address translation (NAT) gateways. In this configuration, Red Hat uses AWS PrivateLink to manage and monitor a cluster in order to avoid all public ingress network traffic.

For more information, see AWS PrivateLink on the AWS website.

For AWS PrivateLink clusters, internet gateways, NAT gateways and public subnets are not required, but the private subnets must still have outbound internet connectivity so that the installer can retrieve the required components. At least one private subnet is required for Single-AZ clusters and at least 3 private subnets are required for Multi-AZ clusters. The following table shows the AWS resources that are required for a successful installation:

Table 1. Required AWS resources

Component: VPC
AWS Type:
  • AWS::EC2::VPC
  • AWS::EC2::VPCEndpoint
Description: You must provide a VPC for the cluster to use.

Component: Network access control
AWS Type:
  • AWS::EC2::NetworkAcl
  • AWS::EC2::NetworkAclEntry
Description: You must allow access to the following ports:

  Port        Reason
  80          Inbound HTTP traffic
  443         Inbound HTTPS traffic
  22          Inbound SSH traffic
  1024-65535  Inbound ephemeral traffic
  0-65535     Outbound ephemeral traffic

Component: Private subnets
AWS Type:
  • AWS::EC2::Subnet
  • AWS::EC2::RouteTable
  • AWS::EC2::SubnetRouteTableAssociation
Description: Your VPC must have private subnets in 1 availability zone for Single-AZ deployments or 3 availability zones for Multi-AZ deployments. You must provide appropriate routes and route tables.
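The network ACL row of the table is the one that is easiest to get wrong, because NACL entries are evaluated in ascending rule-number order with first match winning and an implicit deny at the end, so a low-numbered deny silently overrides a later allow. The following pre-flight check is an added example and is not Red Hat's or AWS's code: it takes a network ACL in the JSON shape returned by `aws ec2 describe-network-acls` (in practice fetched with `--filters Name=association.subnet-id,Values=<private-subnet-id>` for each subnet you pass to `rosa create cluster`) and reports which of the port ranges in the table are not allowed. The sample ACL, its ID and its CIDR blocks are constructed placeholders. The check evaluates ports and protocol only, as the table does; it does not reason about source or destination CIDR blocks.

```python
"""Pre-flight check of an AWS network ACL against the ports a ROSA PrivateLink
install requires: inbound TCP 80, 443, 22 and 1024-65535, outbound 0-65535.

Added example, not Red Hat's or AWS's code. Input is the JSON shape returned by
`aws ec2 describe-network-acls`; the sample below is constructed.
"""
from typing import Dict, List, Tuple

# Port ranges from the "Network access control" row of the requirements table.
REQUIRED_INBOUND: List[Tuple[int, int]] = [(80, 80), (443, 443), (22, 22), (1024, 65535)]
REQUIRED_OUTBOUND: List[Tuple[int, int]] = [(0, 65535)]

TCP = "6"    # IANA protocol number, as a string in the AWS API
ANY = "-1"   # "all protocols"


def _entry_matches(entry: dict, port: int) -> bool:
    """True if a NACL entry applies to TCP traffic on `port` (CIDR is not considered)."""
    proto = entry.get("Protocol", ANY)
    if proto not in (ANY, TCP):
        return False
    if proto == ANY:
        return True  # all-protocol rules carry no port range
    rng = entry.get("PortRange", {"From": 0, "To": 65535})
    return rng["From"] <= port <= rng["To"]


def _ordered(entries: List[dict], egress: bool) -> List[dict]:
    """Entries for one direction, in the order AWS evaluates them (ascending rule number)."""
    return sorted((e for e in entries if e["Egress"] == egress), key=lambda e: e["RuleNumber"])


def _evaluate(ordered: List[dict], port: int) -> bool:
    """First matching rule decides; if nothing matches the ACL denies (the '*' rule)."""
    for entry in ordered:
        if _entry_matches(entry, port):
            return entry["RuleAction"] == "allow"
    return False


def nacl_allows(entries: List[dict], egress: bool, port: int) -> bool:
    """Would this ACL allow TCP traffic on `port` in the given direction?"""
    return _evaluate(_ordered(entries, egress), port)


def _to_ranges(ports: List[int]) -> List[Tuple[int, int]]:
    """Collapse a sorted list of ports into contiguous (from, to) ranges for reporting."""
    ranges: List[Tuple[int, int]] = []
    for p in ports:
        if ranges and ranges[-1][1] == p - 1:
            ranges[-1] = (ranges[-1][0], p)
        else:
            ranges.append((p, p))
    return ranges


def missing_ports(acl: dict) -> Dict[str, List[Tuple[int, int]]]:
    """Return the required port ranges the ACL does NOT allow, keyed by direction."""
    result: Dict[str, List[Tuple[int, int]]] = {}
    for direction, egress, required in (("inbound", False, REQUIRED_INBOUND),
                                        ("outbound", True, REQUIRED_OUTBOUND)):
        ordered = _ordered(acl["Entries"], egress)
        blocked = sorted({p for lo, hi in required for p in range(lo, hi + 1)
                          if not _evaluate(ordered, p)})
        result[direction] = _to_ranges(blocked)
    return result


# Constructed sample in describe-network-acls shape (placeholder ID and CIDRs, not real data).
# Rule 90 denies SSH before rule 100 allows it, which is exactly the kind of ordering
# mistake this check is meant to surface.
SAMPLE_ACL = {
    "NetworkAclId": "acl-0123456789abcdef0",
    "Entries": [
        {"RuleNumber": 90, "Protocol": "6", "RuleAction": "deny", "Egress": False,
         "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 22, "To": 22}},
        {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
         "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 22, "To": 22}},
        {"RuleNumber": 110, "Protocol": "6", "RuleAction": "allow", "Egress": False,
         "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 80, "To": 80}},
        {"RuleNumber": 120, "Protocol": "6", "RuleAction": "allow", "Egress": False,
         "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443}},
        {"RuleNumber": 130, "Protocol": "6", "RuleAction": "allow", "Egress": False,
         "CidrBlock": "10.0.0.0/16", "PortRange": {"From": 1024, "To": 65535}},
        {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": True,
         "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False,
         "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": True,
         "CidrBlock": "0.0.0.0/0"},
    ],
}

if __name__ == "__main__":
    for direction, ranges in missing_ports(SAMPLE_ACL).items():
        status = "OK" if not ranges else "MISSING " + ", ".join(f"{a}-{b}" for a, b in ranges)
        print(f"{SAMPLE_ACL['NetworkAclId']} {direction}: {status}")
```

Run it against each private subnet's ACL before starting the 40-minute install; the sample reports inbound port 22 as missing even though an allow rule for it exists, because the deny at rule 90 is matched first.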

You can create an AWS PrivateLink cluster using the rosa CLI.

AWS PrivateLink is supported on existing VPCs only.

Prerequisites

You have installed Red Hat OpenShift Service on AWS.

Procedure

Creating a cluster can take up to 40 minutes.

  1. With AWS PrivateLink, you can create a cluster with a single availability zone (Single-AZ) or multiple availability zones (Multi-AZ). In either case, the machine classless inter-domain routing (CIDR) range you specify for the cluster must match your virtual private cloud’s CIDR. See Requirements for using your own VPC and VPC Validation for more information.

    If you use a firewall, you must configure it so that Red Hat OpenShift Service on AWS can access the sites that it requires to function.

    For more information, see the AWS PrivateLink firewall prerequisites section.

    • To create a Single-AZ cluster:

      $ rosa create cluster --private-link --cluster-name=<cluster-name> [--machine-cidr=<VPC CIDR>/16] --subnet-ids=<private-subnet-id>

    • To create a Multi-AZ cluster:

      $ rosa create cluster --private-link --multi-az --cluster-name=<cluster-name> [--machine-cidr=<VPC CIDR>/16] --subnet-ids=<private-subnet-id1>,<private-subnet-id2>,<private-subnet-id3>

  2. Enter the following command to check the status of your cluster. During cluster creation, the State field in the output transitions from pending to installing, and finally to ready.

    $ rosa describe cluster --cluster=<cluster_name>

    If installation fails or the State field does not change to ready after 40 minutes, check the installation troubleshooting documentation for more details.

  3. Enter the following command to follow the OpenShift installer logs to track the progress of your cluster:

    $ rosa logs install --cluster=<cluster_name> --watch

With AWS PrivateLink clusters, only a private hosted zone is created in Route 53. With a private hosted zone, records within the zone are resolvable only from within the VPC to which it is assigned. For more information about private hosted zones, see AWS private hosted zones documentation.

Prerequisites
  • Your corporate network or other VPC has network connectivity to the cluster’s VPC

  • UDP port 53 and TCP port 53 are enabled across your networks to allow DNS queries

  • You have created an AWS PrivateLink cluster using Red Hat OpenShift Service on AWS

Procedure
  1. To allow records such as api.<cluster_domain> and *.apps.<cluster_domain> to resolve outside of the VPC, configure a Route 53 Resolver Inbound Endpoint.

  2. When you configure the inbound endpoint, select the VPC and private subnets that were used when you created the cluster.

  3. After the endpoints are operational and associated, configure your corporate network to forward DNS queries to those IP addresses for the top-level cluster domain, such as drow-pl-01.htno.p1.openshiftapps.com.

  4. If you are forwarding DNS queries from one VPC to another VPC, configure forwarding rules.

  5. If you are configuring your remote network DNS server, see your specific DNS server documentation to configure selective DNS forwarding for the installed cluster domain.
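Steps 3 to 5 all come down to one decision on the corporate resolver: a query whose name falls under the installed cluster's top-level domain is forwarded to the inbound endpoint IP addresses, and every other query stays with the default resolver. The following is an added example, not part of Red Hat's documentation or any DNS server's code, that models that selective-forwarding decision so you can confirm the rule set covers api.<cluster_domain> and *.apps.<cluster_domain> without over-forwarding unrelated names. The cluster domain is the one quoted in step 3; the inbound endpoint IPs and the corporate resolver address are constructed placeholders.

```python
"""Model of selective DNS forwarding for a ROSA PrivateLink cluster domain.

Added example, not from Red Hat or any DNS server project. Queries under the
cluster's top-level domain go to the Route 53 Resolver inbound endpoint IPs;
everything else goes to the default corporate resolver.
"""
from typing import Dict, List, Optional

# Top-level cluster domain from the documentation's example.
CLUSTER_DOMAIN = "drow-pl-01.htno.p1.openshiftapps.com"
# Constructed placeholder IPs for the inbound endpoint (one ENI per private subnet).
INBOUND_ENDPOINT_IPS: List[str] = ["10.0.1.10", "10.0.2.10"]
# Constructed placeholder for the default corporate resolver (RFC 5737 test address).
DEFAULT_RESOLVER: List[str] = ["192.0.2.53"]


def _labels(name: str) -> List[str]:
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def in_zone(name: str, zone: str) -> bool:
    """True if `name` equals `zone` or is below it (label-wise suffix match, so
    'notdrow-pl-01...' does not match 'drow-pl-01...')."""
    n, z = _labels(name), _labels(zone)
    return len(n) >= len(z) and n[-len(z):] == z


def forward_target(name: str, rules: Dict[str, List[str]], default: List[str]) -> List[str]:
    """Choose resolvers for a query: the most specific matching forwarding zone wins,
    otherwise the default resolver is used."""
    best: Optional[str] = None
    for zone in rules:
        if in_zone(name, zone) and (best is None or len(_labels(zone)) > len(_labels(best))):
            best = zone
    return rules[best] if best is not None else default


# The forwarding rule set the corporate resolver should carry for this cluster.
FORWARD_RULES: Dict[str, List[str]] = {CLUSTER_DOMAIN: INBOUND_ENDPOINT_IPS}


def cluster_records_forwarded(rules: Dict[str, List[str]] = FORWARD_RULES) -> bool:
    """Confirm the API record and a constructed *.apps record are sent to the inbound
    endpoint, and that an unrelated internal name is not."""
    forwarded = [f"api.{CLUSTER_DOMAIN}", f"myapp.apps.{CLUSTER_DOMAIN}"]  # myapp is constructed
    kept = ["intranet.example.com"]  # constructed unrelated name
    return (all(forward_target(n, rules, DEFAULT_RESOLVER) == INBOUND_ENDPOINT_IPS for n in forwarded)
            and all(forward_target(n, rules, DEFAULT_RESOLVER) == DEFAULT_RESOLVER for n in kept))


if __name__ == "__main__":
    for qname in [f"api.{CLUSTER_DOMAIN}", f"myapp.apps.{CLUSTER_DOMAIN}", "intranet.example.com"]:
        print(f"{qname:55} -> {forward_target(qname, FORWARD_RULES, DEFAULT_RESOLVER)}")
    print("cluster records forwarded:", cluster_records_forwarded())
```

The rule is keyed on the full cluster domain rather than a parent such as the hosting domain, so only this cluster's names reach the inbound endpoint; the same suffix-match logic is what a forwarding zone stanza in your DNS server expresses, so use this to reason about the zone name before you write it into the server configuration.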