# Bring your own Network Security Group (NSG) to an ARO cluster
16
16
17
+
Typically, when setting up an ARO cluster, you must designate a resource group for deploying the ARO cluster object (referred to as the Base Resource Group in the diagram below). In such scenarios, you have the option to use either the same resource group for both the VNET and the cluster, or you can opt for a separate resource group solely for the VNET. Neither of these resource groups directly corresponds to a single ARO cluster, granting you complete control over them. This means you can freely create, modify, or delete resources within these resource groups.
18
+
19
+
During the cluster creation process, the ARO Resource Provider (RP) establishes a dedicated resource group specific to the cluster's needs. This group houses various cluster-specific resources like node VMs, load balancers, and Network Security Groups (NSGs), as depicted by the Managed Resource Group in the diagram below. The Managed Resource Group is tightly secured, prohibiting any modifications to its contents, including the NSG linked to the VNET subnets specified during cluster creation. Note that the NSG generated by the ARO RP might not adhere to the security policies of certain organizations.
20
+
21
+
:::image type="content" source="media/howto-bring-nsg/network-security-group-old.png" alt-text="Diagram showing an overview of how network security groups work in a typical ARO cluster.":::
22
+
17
23
In this article you'll learn how to use the "bring your own" Network Security Group (NSG) feature to attach your own NSG residing in the Base/VNET RG (as shown in the diagram below) to the ARO cluster subnets. Since you own this NSG, you'll be able to add/remove rules during the lifetime of the ARO cluster.
18
24
19
25
:::image type="content" source="media/howto-bring-nsg/network-security-group-new.png" alt-text="Diagram showing an overview of how the bring your own network security group works in Azure Red Hat OpenShift.":::
20
26
21
27
<!--
22
28
23
-
To create an ARO cluster, you need to specify a resource group (RG) where the ARO cluster object will be deployed (Base Resource Group in diagram below). You can use the same RG for the VNET that will be used by the cluster, or you can use a dedicated VNET RG for the VNET. Neither of those RGs has a 1:1 mapping to an ARO cluster, and you have full control over these RGs (i.e., you can create/modify/delete resources inside those RGs).
29
+
Normally, to create an ARO cluster, you need to specify a resource group where the ARO cluster object will be deployed (Base Resource Group in diagram below). In these cases, you can use the same resource group for both the VNET and the cluster, or you can use a dedicated resource group for the VNET. Neither of those resource groups has a 1:1 mapping to an ARO cluster, and you'll have full control over these resource groups (i.e., you can create/modify/delete resources inside those resource groups).
30
+
31
+
During the cluster creation process, the ARO Resource Provider (RP) creates a cluster-specific resource group used to hold various cluster-specific resources such as node VMs, load balancers, and Network Security Groups (NSGs) (see Managed Resource Group in the diagram below). The Managed Resource Group is locked down; you can't modify any resource inside it, including the NSG that the ARO resource group attaches to the VNET subnets specified during cluster creation. The ARO RP created NSG may not comply with the security policies in some organizations.
32
+
24
33
25
-
During the cluster creation process, the ARO Resource Provider (RP) creates a cluster-specific RG used to hold various cluster-specific resources such as node VMs, load balancers, and NSG (see Managed Resource Group in the diagram below). The Managed Resource Group is locked down; you cannot modify any resource inside it, including the NSG that the ARO RP attaches to the VNET subnets specified during cluster creation. The ARO RP created NSG may not comply with the security policies in some organizations, and up until now there was no way to modify it to achieve compliance.
34
+
and up until now there was no way to modify it to achieve compliance.
26
35
27
36
:::image type="content" source="media/howto-bring-nsg/network-security-group-overview.png" alt-text="Diagram showing an overview of how network security groups are normally used in Azure Red Hat OpenShift.":::
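Review bot: the added line "and up until now there was no way to modify it to achieve compliance." is left as a dangling fragment on its own line inside the commented-out block, separated from the sentence it belonged to; the removed version of that paragraph ended "...in some organizations, and up until now there was no way to modify it to achieve compliance." while the new version ends at "in some organizations." and then the fragment follows after a blank line. Either rejoin it to that sentence or drop it. In the same rewritten paragraph, "the NSG that the ARO resource group attaches to the VNET subnets" reads as a slip for the removed wording "the NSG that the ARO RP attaches to the VNET subnets", since it is the Resource Provider, not a resource group, that attaches the NSG. Since the block from `<!--` onward duplicates the two paragraphs already rewritten above it, consider deleting the commented-out draft rather than maintaining both copies.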