You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Add portal SSH tagged LB rule and rename portal-probe-tagged
- Rename portal-probe-tagged to portal-probe-https-tagged for naming
consistency (portal has both https and ssh probe types)
- Add portal-lbrule-ssh-tagged: maps portal-frontend-tagged:22 to
backend:2223 for SSH over the tagged IP path
- Add portal-probe-ssh-tagged: TCP health probe on port 2223
- Open firewall port 2223/tcp on VMSS
- Add -p 2223:2223 port mapping to the portal container
- Update docs with motivation, container routing, cross-repo dependency,
and port convention sections
Released to INT on **2026-02-16**. Deployment completed successfully.
15
+
16
+
---
17
+
18
+
## Motivation
19
+
20
+
Azure public IP addresses can carry **IP tags** — metadata key-value pairs such as `RoutingPreference` and `FirstPartyUsage`. These tags tell Azure's networking fabric how to handle traffic on those IPs (e.g., preferred routing paths, first-party billing attribution). The ARO RP and Portal services were originally deployed with untagged public IPs. To comply with Azure networking requirements for first-party services, we need to migrate to tagged IPs.
21
+
22
+
Replacing the IPs in-place would be risky: a misconfigured tag or a platform issue could take down the RP or Portal. Instead, we use a **dual-frontend approach** — add new tagged IPs alongside the existing untagged ones, point DNS to the tagged IPs, and keep the untagged IPs as an instant rollback path.
23
+
3
24
## Overview
4
25
5
26
This change introduces **tagged public IP addresses** to the ARO RP load balancer using a **dual-frontend approach**. Tagged IPs carry metadata (IP tags) that allow Azure to route traffic with specific properties (e.g., `RoutingPreference` or `FirstPartyUsage`). The existing untagged IPs remain in place, ensuring a safe, rollback-friendly migration.
@@ -22,9 +43,11 @@ Two new tagged public IPs and corresponding frontends are added to the **same**
22
43
```
23
44
rp-pip (untagged) ──► rp-frontend ──► port 443 ──► backend (8443)
24
45
portal-pip (untagged) ──► portal-frontend ──► port 443 ──► backend (444)
46
+
portal-pip (untagged) ──► portal-frontend ──► port 22 ──► backend (2222)
25
47
26
48
rp-pip-tagged (tagged) ──► rp-frontend-tagged ──► port 443 ──► backend (8443)
27
49
portal-pip-tagged (tagged) ──► portal-frontend-tagged──► port 443 ──► backend (8444)
50
+
portal-pip-tagged (tagged) ──► portal-frontend-tagged──► port 22 ──► backend (2223)
28
51
```
29
52
30
53
DNS records are updated to point at the **tagged** IPs, making them the primary entry point. The untagged IPs serve as a fallback for rollback.
@@ -65,28 +88,46 @@ These are passed as ARM template parameters with empty-array defaults.
65
88
66
89
#### New Load Balancing Rules
67
90
68
-
| Rule Name | Frontend | Frontend Port | Backend Port | Purpose |
Separate probes allow independent health monitoring of tagged vs. untagged paths.
83
109
84
110
### 4. VMSS and Firewall Changes
85
111
86
-
-**Firewall ports opened:**`8443/tcp` and `8444/tcp` added to the RP VMSS firewall allow list.
87
-
-**Container port mapping:** RP container gets `-p 8443:8443` and `-p 8444:8444` in addition to the existing `-p 443:8443`.
112
+
-**Firewall ports opened:**`8443/tcp`, `8444/tcp`, and `2223/tcp` added to the RP VMSS firewall allow list.
113
+
-**Container port mapping:** RP container gets `-p 8443:8443` and `-p 8444:8444` in addition to the existing `-p 443:8443`. Portal container gets `-p 2223:2223` in addition to the existing `-p 2222:2222`.
114
+
115
+
### 5. Container Routing
116
+
117
+
The VMSS runs multiple containers. Each container handles different traffic types. Understanding which container listens on which port is critical for debugging:
118
+
119
+
| Container | Service File | Ports | Traffic Type |
|**aro-rp**|`aro-rp.service`|`443:8443`, `8443:8443`, `8444:8444`| RP API (ARM, Geneva) |
122
+
|**aro-portal**|`aro-portal.service`|`444:8444`, `2222:2222`, `2223:2223`| Portal HTTPS and SSH |
88
123
89
-
### 5. NSG (Network Security Group) Rules
124
+
The format is `host_port:container_port`. Key points:
125
+
126
+
-**RP traffic** (both untagged on 443 and tagged on 8443) routes to the **aro-rp** container, which internally listens on 8443.
127
+
-**Portal HTTPS** (untagged on 444, tagged on 8444) routes to the **aro-portal** container, which internally listens on 8444.
128
+
-**Portal SSH** (untagged on 2222, tagged on 2223) routes to the **aro-portal** container. The portal process handles SSH tunnelling to cluster nodes.
129
+
130
+
### 6. NSG (Network Security Group) Rules
90
131
91
132
Two new inbound rules are added to the RP NSG in both development and production predeploy templates:
92
133
@@ -97,7 +138,7 @@ Two new inbound rules are added to the RP NSG in both development and production
97
138
98
139
Additionally, NSG deployment is now **forced on every predeploy** (not only on initial creation) to ensure new rules are always applied.
99
140
100
-
### 6. DNS Update
141
+
### 7. DNS Update
101
142
102
143
`deploy_rp.go` → `configureDNS()` now resolves the tagged IPs instead of the untagged ones:
103
144
@@ -111,9 +152,32 @@ This makes the tagged IPs the primary DNS entry point.
111
152
Because both tagged and untagged frontends exist on the same load balancer:
112
153
113
154
1.**DNS rollback** — Point DNS back to the untagged IPs (`rp-pip`, `portal-pip`). Traffic immediately flows through the original, untagged path on port 443.
114
-
2.**Health probes** — Separate probes (`rp-probe-tagged`, `portal-probe-tagged`) allow monitoring tagged paths independently. If tagged probes fail, the untagged paths remain unaffected.
155
+
2.**Health probes** — Separate probes (`rp-probe-tagged`, `portal-probe-https-tagged`, `portal-probe-ssh-tagged`) allow monitoring tagged paths independently. If tagged probes fail, the untagged paths remain unaffected.
115
156
3.**Region disable list** — Add a region to `lbIpTagsDisabledRegions` to create the tagged IPs without tags in that region, effectively making them behave like untagged IPs.
116
157
158
+
## Cross-Repository Dependency
159
+
160
+
This feature spans two repositories that must be deployed together:
161
+
162
+
| Repository | What it provides |
163
+
|------------|-----------------|
164
+
|**Azure/ARO-RP**| ARM templates with the dual-frontend LB, tagged IP resources, probes, rules, NSG rules, firewall/container config, and DNS logic. |
165
+
|**Azure/RP-Config**| Per-environment configuration values: the actual IP tag objects (`rpLbIpTags`, `portalLbIpTags`) and the disabled regions list (`lbIpTagsDisabledRegions`). Without these values, the tagged IPs are created but have no tags applied. |
166
+
167
+
**Deployment order:** RP-Config should be deployed first (or simultaneously) so that the IP tag values are available when the ARO-RP ARM template is evaluated. If ARO-RP is deployed before RP-Config provides the tag values, the tagged IPs will be created without tags (safe, but defeats the purpose).
168
+
169
+
## Port Convention
170
+
171
+
Tagged backend ports follow a predictable offset from their untagged counterparts:
172
+
173
+
| Service | Untagged Backend Port | Tagged Backend Port | Offset |
This convention allows the same VMSS to serve both tagged and untagged traffic on distinct ports, with the application process distinguishing traffic origin by the port it arrives on.
180
+
117
181
## Files Changed
118
182
119
183
| File | What |
@@ -123,8 +187,8 @@ Because both tagged and untagged frontends exist on the same load balancer:
123
187
|`pkg/deploy/generator/templates.go`| Regex-based IP tag injection in template fixup |
124
188
|`pkg/deploy/generator/templates_rp.go`| New parameters and resources in RP template |
125
189
|`pkg/deploy/generator/resources_rp.go`| LB frontends, rules, probes, and NSG rules |
0 commit comments