Merge pull request #200487 from joharder/egress-firewall-rewrite

PRMerger13 · web-flow · commit c7762dfbf17b · 2022-07-01T14:48:11.000-07:00
rewrite egress doc page
diff --git a/articles/openshift/howto-restrict-egress.md b/articles/openshift/howto-restrict-egress.md
@@ -1,15 +1,15 @@
 ---
 title: Restrict egress traffic in an Azure Red Hat OpenShift (ARO) cluster
 description: Learn what ports and addresses are required to control egress traffic in Azure Red Hat OpenShift (ARO)
-author: sakthi-vetrivel
-ms.author: suvetriv
+author: joharder
+ms.author: joharder
 ms.service: azure-redhat-openshift
 ms.topic: article
-ms.date: 04/09/2021
+ms.date: 06/02/2022
 ---
 # Control egress traffic for your Azure Red Hat OpenShift (ARO) cluster (preview)
 
-This article provides the necessary details that allow you to secure outbound traffic from your Azure Red Hat OpenShift cluster (ARO). It contains the cluster requirements for a basic ARO deployment, and more requirements for optional Red Hat and third-party components. An [example](#private-aro-cluster-setup) will be provided at the end on how to configure these requirements with Azure Firewall. Keep in mind, you can apply this information to Azure Firewall or to any outbound restriction method or appliance.
+This article provides the necessary details that allow you to secure outbound traffic from your Azure Red Hat OpenShift cluster (ARO). With the release of the [Egress Lockdown Feature](./concepts-egress-lockdown.md), all of the required connections for a private cluster will be proxied through the service. There are additional destinations that you may want to allow to use features such as Operator Hub, or Red Hat telemetry.  An [example](#private-aro-cluster-setup) will be provided at the end on how to configure these requirements with Azure Firewall. Keep in mind, you can apply this information to Azure Firewall or to any outbound restriction method or appliance.
 
 ## Before you begin
 
@@ -18,23 +18,20 @@ This article assumes that you're creating a new cluster. If you need a basic ARO
 > [!IMPORTANT]
 > ARO preview features are available on a self-service, opt-in basis. Previews are provided "as is" and "as available," and they're excluded from the service-level agreements and limited warranty. ARO previews are partially covered by customer support on a best-effort basis.
 
-## Minimum Required FQDN / application rules
+## Minimum Required FQDN - Proxied through ARO service
 
 This list is based on the list of FQDNs found in the OpenShift docs here: https://docs.openshift.com/container-platform/4.6/installing/install_config/configuring-firewall.html
 
-The following FQDN / application rules are required:
+The following FQDNs are proxied through the service, and will not need additional firewall rules. They are here for informational purposes.
 
 | Destination FQDN | Port | Use |
 | ----------- | ----------- | ------------- |
-| **`*.quay.io`** | **HTTPS:443** | Mandatory for the installation, used by the cluster. This is used by the cluster to download the platform container images. |
-| **`registry.redhat.io`** | **HTTPS:443** | Mandatory for core add-ons. This is used by the cluster to download core components such as dev tools, operator-based add-ons, and Red Hat provided container images.
-| **`mirror.openshift.com`** | **HTTPS:443** | This is required in the VDI environment or your laptop to access mirrored installation content and images. It's required in the cluster to download platform release signatures to know what images to pull from quay.io. |
-| **`api.openshift.com`** | **HTTPS:443** | Required  by the cluster to check if there are available updates before downloading the image signatures. |
 | **`arosvc.azurecr.io`** | **HTTPS:443** | Global Internal Private registry for ARO Operators.  Required if you do not allow the service-endpoints Microsoft.ContainerRegistry on your subnets. |
 | **`arosvc.$REGION.data.azurecr.io`** | **HTTPS:443** | Regional Internal Private registry for ARO Operators.  Required if you do not allow the service-endpoints Microsoft.ContainerRegistry on your subnets. |
 | **`management.azure.com`** | **HTTPS:443** | This is used by the cluster to access Azure APIs. |
 | **`login.microsoftonline.com`** | **HTTPS:443** | This is used by the cluster for authentication to Azure. |
-| **`gcs.prod.monitoring.core.windows.net`** | **HTTPS:443** | This is used for Microsoft Geneva Monitoring so that the ARO team can monitor the customer's cluster(s). |
+| **`*.monitor.core.windows.net`** | **HTTPS:443** | This is used for Microsoft Geneva Monitoring so that the ARO team can monitor the customer's cluster(s). |
+| **`*.monitoring.core.windows.net`** | **HTTPS:443** | This is used for Microsoft Geneva Monitoring so that the ARO team can monitor the customer's cluster(s). |
 | **`*.blob.core.windows.net`** | **HTTPS:443** | This is used for Microsoft Geneva Monitoring so that the ARO team can monitor the customer's cluster(s). |
 | **`*.servicebus.windows.net`** | **HTTPS:443** | This is used for Microsoft Geneva Monitoring so that the ARO team can monitor the customer's cluster(s). |
 | **`*.table.core.windows.net`** | **HTTPS:443** | This is used for Microsoft Geneva Monitoring so that the ARO team can monitor the customer's cluster(s). |
@@ -44,52 +41,33 @@ The following FQDN / application rules are required:
 
 ---
 
-## Complete list of required and optional FQDNs
+## List of optional FQDNs
 
-### FIRST GROUP: INSTALLING AND DOWNLOADING PACKAGES AND TOOLS
+### INSTALLING AND DOWNLOADING PACKAGES AND TOOLS
 
-- **`quay.io`**: Mandatory for the installation, used by the cluster. This is used by the cluster to download the platform container images.
-- **`registry.redhat.io`**: Mandatory for core add-ons. This is used by the cluster to download core components such as dev tools, operator-based add-ons, or Red Hat provided container images such as our middleware, the Universal Base Image...
-- **`sso.redhat.com`**: This one is required in the VDI environment or your laptop to connect to cloud.redhat.com. This is the site where we can download the pull secret, and use some of the SaaS solutions we offer in Red Hat to facilitate monitoring of your subscriptions, cluster inventory, chargeback reporting, among other things.
-- **`openshift.org`**: This one is required in the VDI environment or your laptop to connect to download RH CoreOS images, but in Azure they are picked from the marketplace, there is no need to download OS images.
+- **`registry.redhat.io`**: Used to provide images for things such as Operator Hub. 
 
 ---
 
-### SECOND GROUP: TELEMETRY
+### TELEMETRY
 
 All this section can be opted out, but before we know how, please check what it is: https://docs.openshift.com/container-platform/4.6/support/remote_health_monitoring/about-remote-health-monitoring.html
-- **`cert-api.access.redhat.com`**: Use in your VDI or laptop environment.
-- **`api.access.redhat.com`**: Use in your VDI or laptop environment.
-- **`infogw.api.openshift.com`**: Use in your VDI or laptop environment.
-- **`https://cloud.redhat.com/api/ingress`**: Use in the cluster for the insights operator who integrates with the aaS Red Hat Insights.
+- **`cert-api.access.redhat.com`**: Used for Red Hat telemetry.
+- **`api.access.redhat.com`**: Used for Red Hat telemetry.
+- **`infogw.api.openshift.com`**: Used for Red Hat telemetry.
+- **`https://cloud.redhat.com/api/ingress`**: Use in the cluster for the insights operator who integrates with Red Hat Insights.
 In OpenShift Container Platform, customers can opt out of reporting health and usage information. However, connected clusters allow Red Hat to react more quickly to problems and better support our customers, and better understand how product upgrades clusters. Check details here: https://docs.openshift.com/container-platform/4.6/support/remote_health_monitoring/opting-out-of-remote-health-reporting.html.
 
 ---
 
-### THIRD GROUP: CLOUD APIs
-
-- **`management.azure.com`**: This is used by the cluster to access Azure APIs.
-
----
-
-### FOURTH GROUP: OTHER OPENSHIFT REQUIREMENTS
+### OTHER POSSIBLE OPENSHIFT REQUIREMENTS
 
-- **`mirror.openshift.com`**: This one is required in the VDI environment or your laptop to access mirrored installation content and images and required in the cluster to download platform release signatures, used by the cluster to know what images to pull from quay.io.
-- **`storage.googleapis.com/openshift-release`**: Alternative site to download platform release signatures, used by the cluster to know what images to pull from quay.io.
-- **`*.apps.<cluster_name>.<base_domain>`** (OR EQUIVALENT ARO URL): When allowlisting domains, this is use in your corporate network to reach applications deployed in OpenShift, or to access the OpenShift console.
-- **`api.openshift.com`**: Required  by the cluster to check if there are available updates before downloading the image signatures.
+- **`quay.io`**: May be used to download images from the Red Hat managed Quay registry. Also a possible fall-back target for ARO required system images.
+- **`mirror.openshift.com`**: Required to access mirrored installation content and images. This site is also a source of release image signatures.
+- **`*.apps.<cluster_name>.<base_domain>`** (OR EQUIVALENT ARO URL): When allowlisting domains, this is used in your corporate network to reach applications deployed in OpenShift, or to access the OpenShift console.
+- **`api.openshift.com`**: Used by the cluster for release graph parsing. https://access.redhat.com/labs/ocpupgradegraph/ can be used as an alternative.
 - **`registry.access.redhat.com`**: Registry access is required in your VDI or laptop environment to download dev images when using the ODO CLI tool. (This CLI tool is an alternative CLI tool for developers who aren't familiar with kubernetes). https://docs.openshift.com/container-platform/4.6/cli_reference/developer_cli_odo/understanding-odo.html
 
----
-
-### FIFTH GROUP: MICROSOFT & RED HAT ARO MONITORING SERVICE
-
-- **`login.microsoftonline.com`**: This is used by the cluster for authentication to Azure.
-- **`gcs.prod.monitoring.core.windows.net`**: This is used for Microsoft Geneva Monitoring so that the ARO team can monitor the customer's cluster(s).
-- **`*.blob.core.windows.net`**: This is used for Microsoft Geneva Monitoring so that the ARO team can monitor the customer's cluster(s).
-- **`*.servicebus.windows.net`**: This is used for Microsoft Geneva Monitoring so that the ARO team can monitor the customer's cluster(s).
-- **`*.table.core.windows.net`**: This is used for Microsoft Geneva Monitoring so that the ARO team can monitor the customer's cluster(s).
-
 ## ARO integrations
 
 ### Azure Monitor for containers
@@ -272,7 +250,7 @@ az network route-table route create -g $RESOURCEGROUP --name aro-udr --route-tab
 ```
 
 ### Add Application Rules for Azure Firewall
-Rule for OpenShift to work based on this [list](https://docs.openshift.com/container-platform/4.3/installing/install_config/configuring-firewall.html#configuring-firewall_configuring-firewall):
+Example rule for telemetry to work. Additional possibilities can be found on this [list](https://docs.openshift.com/container-platform/4.3/installing/install_config/configuring-firewall.html#configuring-firewall_configuring-firewall):
 ```azurecli
 az network firewall application-rule create -g $RESOURCEGROUP -f aro-private \
  --collection-name 'ARO' \
@@ -281,7 +259,7 @@ az network firewall application-rule create -g $RESOURCEGROUP -f aro-private \
  -n 'required' \
  --source-addresses '*' \
  --protocols 'http=80' 'https=443' \
- --target-fqdns 'registry.redhat.io' '*.quay.io' 'sso.redhat.com' 'management.azure.com' 'mirror.openshift.com' 'api.openshift.com' 'quay.io' '*.blob.core.windows.net' 'gcs.prod.monitoring.core.windows.net' 'registry.access.redhat.com' 'login.microsoftonline.com' '*.servicebus.windows.net' '*.table.core.windows.net' 'grafana.com'
+ --target-fqdns 'cert-api.access.redhat.com' 'api.openshift.com' 'api.access.redhat.com' 'infogw.api.openshift.com'
 ```
 Optional rules for Docker images:
 ```azurecli
@@ -304,14 +282,14 @@ az network vnet subnet update -g $RESOURCEGROUP --vnet-name $AROVNET --name "$CL
 ## Test the configuration from the Jumpbox
 These steps work only if you added rules for Docker images. 
 ### Configure the jumpbox
-Log into a jumpbox VM and install `azure-cli`, `oc-cli`, and `jq` utils. For the installation of openshift-cli, check the Red Hat customer portal.
+Log in to a jumpbox VM and install `azure-cli`, `oc-cli`, and `jq` utils. For the installation of openshift-cli, check the Red Hat customer portal.
 ```bash
 #Install Azure-cli
 curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
 #Install jq
 sudo apt install jq -y
 ```
-### Log into the ARO cluster
+### Log in to the ARO cluster
 List cluster credentials:
 ```bash
 
