You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/openshift/howto-bring-nsg.md
+17-77Lines changed: 17 additions & 77 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -5,7 +5,7 @@ author: johnmarco
5
5
ms.service: azure-redhat-openshift
6
6
ms.topic: how-to
7
7
ms.author: johnmarc
8
-
ms.date: 12/11/2023
8
+
ms.date: 02/12/2024
9
9
topic: how-to
10
10
recommendations: true
11
11
keywords: azure, openshift, aro, NSG
@@ -31,108 +31,47 @@ During the cluster creation process, the ARO Resource Provider (RP) creates a cl
31
31
32
32
## Capabilities and limitations
33
33
34
-
<!--
35
-
36
-
This private preview introduces the first implementation of the BYO-NSG feature so you can provide feedback for enhancements. Some enhancements are already in-progress or are on the [ARO roadmap](https://github.com/Azure/OpenShift/projects/1).
37
-
38
-
1. You need to attach your BYO-NSG(s) to both master and worker subnets **before** you start cluster creation.
39
-
40
-
-->
34
+
1. You need to attach your pre-configured NSGs to both master and worker subnets before you create the cluster. Failure to attached your pre-configured NSGs to both subnets will result in an error.
41
35
42
-
1. You can choose to use the same or different BYO-NSGs for master and worker subnets.
36
+
1. You can choose to use the same or different pre-configured NSGs for master and worker subnets.
43
37
44
38
1. When using your own NSG, the ARO RP still creates an NSG in the Managed RG (default NSG), but that NSG won't be attached to the worker or master subnets.
45
39
46
-
1.BYO-NSGs aren't automatically updated with rules when you create Kubernetes LoadBalancer type services or OpenShift routes within the ARO cluster. You'll have to do such rule updates. This behavior is different from the original ARO behavior wherein the default NSG is programmatically updated in such situations.
40
+
1.Pre-configured NSGs aren't automatically updated with rules when you create Kubernetes LoadBalancer type services or OpenShift routes within the ARO cluster. You'll have to do such rule updates. This behavior is different from the original ARO behavior wherein the default NSG is programmatically updated in such situations.
47
41
48
42
1. The default ARO cluster NSG (not attached to any subnet while using this feature) will still be updated with rules when you create Kubernetes LoadBalancer type services or OpenShift routes within the ARO cluster.
49
43
50
-
1. You can detach BYO-NSGs from the subnets of the cluster created using this feature. It will result in a cluster with subnets that have no NSGs. You can then attach a different set of BYO-NSGs to the cluster. Alternatively, you can attach the ARO default NSG to the cluster subnets (at which point your cluster becomes like any other cluster that's not using this feature).
44
+
1. You can detach pre-configured NSGs from the subnets of the cluster created using this feature. It will result in a cluster with subnets that have no NSGs. You can then attach a different set of pre-configured NSGs to the cluster. Alternatively, you can attach the ARO default NSG to the cluster subnets (at which point your cluster becomes like any other cluster that's not using this feature).
51
45
52
-
1. Your BYO-NSGs should not have INBOUND/OUTBOUND DENY rules of the following types, as these can interfere with the operation of the cluster and/or hinder the ARO support/SRE teams from providing support/management. (Here, subnet indicates any or all IP addresses in the subnet):
46
+
1. Your pre-configured NSGs should not have INBOUND/OUTBOUND DENY rules of the following types, as these can interfere with the operation of the cluster and/or hinder the ARO support/SRE teams from providing support/management. (Here, subnet indicates any or all IP addresses in the subnet and all ports corresponding to that subnet):
53
47
54
48
1. Master Subnet ←→ Master Subnet
55
49
1. Worker Subnet ←→ Worker Subnet
56
50
1. Master Subnet ←→ Worker Subnet
51
+
52
+
Misconfigured rules will result in a signal used by Azure Monitor to help troubleshoot pre-configured NSGs.
57
53
58
54
1. To allow incoming traffic to your ARO public cluster, you'll need the following INBOUND ALLOW rules (or equivalent) in your NSG. Refer to the default NSG of the cluster for specific details and to the example NSG shown in [Deployment](#deployment). You can create a cluster even without such rules in the NSG.
59
55
60
56
1. For API server access → From Internet (or your preferred source IPs) to port 6443 on the master subnet.
61
57
1. For access to OpenShift router (and hence to OpenShift console and OpenShift routes) → From Internet (or your preferred source IPs) to ports 80 and 443 on the default-v4 public IP on the public Load-balancer of the cluster.
62
58
1. For access to any Load-balancer type Kubernetes service → From Internet (or your preferred source IPs) to service ports on public IP corresponding to the service on the public Load-balancer of the cluster.
63
59
64
-
1. You cannot enable the BYO-NSG feature on an existing ARO cluster. Currently, this feature can only be enabled at the time of cluster creation. The possibility of providing a cluster update operation to enable this feature on an existing cluster will be explored in the future.
60
+
1. You cannot enable the pre-configured NSG feature on an existing ARO cluster. Currently, this feature can only be enabled at the time of cluster creation.
65
61
66
-
1.You can enable the feature at a per-cluster level using an API/CLI flag. It results in the following behavior at the time of cluster creation:
62
+
1.The pre-configured NSG option is not configurable from the Azure portal.
|BYO-NSG-1 |BYO-NSG-1 |Success, with BYO-NSG feature |
71
-
|BYO-NSG-1 |BYO-NSG-2 |Success, with BYO-NSG feature |
72
-
|BYO-NSG-1 |None |Failure |
73
-
|None |BYO-NSG-1 |Failure |
74
-
|None |None |Success, without BYO-NSG feature |
75
-
76
-
<!--
77
-
1. During the preview, cluster creation with the BYO-NSG feature won't be supported via the Azure Portal.
78
-
79
-
1. When the BYO-NSG feature is declared generally available, your existing BYO-NSG enabled preview clusters will automatically become fully supported, and you'll be able to use it for production workloads without making any changes.
80
-
-->
64
+
1. If you used this feature during its preview, your existing pre-configured clusters are now fully supported.
81
65
82
66
## Deployment
83
67
84
-
<!--
85
-
### Register the BYO-NSG feature in your subscription
Create a service principal (SP) using the instructions in either of the following articles:
111
-
112
-
-[Create a Microsoft Entra application and service principal that can access resources](/entra/identity-platform/howto-create-service-principal-portal)
113
-
114
-
-[Create an Azure service principal with Azure CLI](/cli/azure/azure-cli-sp-tutorial-1?tabs=bash)
115
-
116
-
The SP will have a 1:1 association with the new cluster that you will create. **Make a note of the service principal's client ID (App ID) and client secret (decrypted secret value); you'll need these later.**
117
-
118
-
### Create VNET and create and configure BYO-NSG
68
+
### Create VNET and create and configure pre-configured NSG
119
69
120
70
1. Create a VNET, and then create master and worker subnets within it.
121
71
122
-
1. Create BYO-NSG(s) with default rules (or no rules at all) and attach them to the master and worker subnets.
123
-
124
-
1. Configure **Network Contributor** role assignment for the cluster service principal created in [Create a cluster service principal](#create-a-cluster-service-principal) by going to the **IAM→Role Assignments** of the NSG. In the example below, the cluster service principal is named *pk-app-reg-aro1* and the ARO RP service principal is named *Azure Red Hat Openshift RP* (as discussed in the next step).
125
-
126
-
:::image type="content" source="media/howto-bring-nsg/network-security-group-access-control.png" alt-text="Screenshot showing sample network security group access control with cluster service principal and ARO RP service principal.":::
127
-
128
-
1. For the NSG, configure **Network Contributor** role assignment for the ARO RP service principal that has Application ID *f1dd0a37-89c6-4e07-bcd1-ffd3d43d8875* in Azure Active Directory/Enterprise applications. You can find the service principal by opening the **Enterprise applications** blade in Azure portal and then applying a search filter with the prefix of the ID (*f1dd0a37*).
129
-
130
-
:::image type="content" source="media/howto-bring-nsg/all-enterprise-applications.png" alt-text="Screenshot showing enterprise applications window with filter to display the application ID that begins with f1dd0a37.":::
131
-
132
-
:::image type="content" source="media/howto-bring-nsg/overview-enterprise-applications.png" alt-text="Screenshot showing the properties of the application ID that begins with f1dd0a37.":::
133
-
72
+
1. Create pre-configured NSG(s) with default rules (or no rules at all) and attach them to the master and worker subnets.
134
73
135
-
### Create an ARO Cluster and Update BYO-NSG(s)
74
+
### Create an ARO Cluster and Update pre-configured NSG(s)
136
75
137
76
1. Create the cluster:
138
77
@@ -144,10 +83,11 @@ The SP will have a 1:1 association with the new cluster that you will create. **
1. Update the BYO-NSG(s) with rules as per your requirements while also considering the points mentioned in [Capabilities and limitations](#capabilities-and-limitations).
90
+
1. Update the pre-configured NSG(s) with rules as per your requirements while also considering the points mentioned in [Capabilities and limitations](#capabilities-and-limitations).
151
91
152
92
The following example has the Cluster Public Load-balancer as shown in screenshot/CLI output below:
0 commit comments