Merge pull request #59294 from johnwilkins/TELCODOCS-1036

abhatt-rh · web-flow · commit 54ebf80c4eba · 2023-04-27T22:27:49.000+01:00
TELCODOCS-1036: Incorporated additional SME feedback.
diff --git a/installing/installing_aws/installing-aws-expanding-a-cluster-with-on-premise-bare-metal-nodes.adoc b/installing/installing_aws/installing-aws-expanding-a-cluster-with-on-premise-bare-metal-nodes.adoc
@@ -6,9 +6,9 @@ include::_attributes/common-attributes.adoc[]
 
 toc::[]
 
-You can expand an {product-title} cluster deployed with virtual media on AWS by adding bare metal nodes to the cluster. By default, a cluster deployed with virtual media on AWS with {product-title} 4.11 or earlier has the Baremetal Operator (BMO) disabled. In {product-title} 4.12 and later releases, the BMO is enabled to support a hybrid cloud consisting of AWS control plane nodes and worker nodes with additional on-premise bare metal worker nodes.
+You can expand an {product-title} cluster deployed on AWS by adding bare-metal nodes to the cluster. By default, a cluster deployed on AWS with {product-title} 4.11 or earlier has the Baremetal Operator (BMO) disabled. In {product-title} 4.12 and later releases, the BMO is enabled to support a hybrid cloud consisting of AWS control plane nodes and worker nodes with additional on-premise bare-metal worker nodes.
 
-Expanding a {product-title} cluster deployed on AWS requires using virtual media with bare metal nodes that meet the xref:../installing_bare_metal_ipi/ipi-install-prerequisites.adoc#node-requirements_ipi-install-prerequisites[node requirements] and xref:../installing_bare_metal_ipi/ipi-install-prerequisites.adoc#ipi-install-firmware-requirements-for-installing-with-virtual-media_ipi-install-prerequisites[firmware requirements] for installing with virtual media. A `provisioning` network is not required, and  if present, should be xref:../installing_bare_metal_ipi/ipi-install-installation-workflow.adoc#modifying-install-config-for-no-provisioning-network_ipi-install-installation-workflow[disabled].
+Expanding an {product-title} cluster deployed on AWS requires using virtual media with bare-metal nodes that meet the xref:../installing_bare_metal_ipi/ipi-install-prerequisites.adoc#node-requirements_ipi-install-prerequisites[node requirements] and xref:../installing_bare_metal_ipi/ipi-install-prerequisites.adoc#ipi-install-firmware-requirements-for-installing-with-virtual-media_ipi-install-prerequisites[firmware requirements] for installing with virtual media. A `provisioning` network is not required, and if present, should be xref:../installing_bare_metal_ipi/ipi-install-installation-workflow.adoc#modifying-install-config-for-no-provisioning-network_ipi-install-installation-workflow[disabled].
 
 include::modules/installation-aws_con_connecting-the-vpc-to-the-on-premise-network.adoc[leveloffset=+1]
 
diff --git a/modules/installation-aws_con_connecting-the-vpc-to-the-on-premise-network.adoc b/modules/installation-aws_con_connecting-the-vpc-to-the-on-premise-network.adoc
@@ -14,5 +14,5 @@ To securely access the BMCs, you can create a separate, secure network segment o
 
 [WARNING]
 ====
-Misconfiguration of the network connection between the AWS and on-premise environments can expose the on-premise network and bare metal nodes to the internet.
+Misconfiguration of the network connection between the AWS and on-premise environments can expose the on-premise network and bare-metal nodes to the internet. That is a significant security risk, which might result in an attacker having full access to the exposed machines, and through them to the private network in these environments.
 ====
diff --git a/modules/installation-aws_proc_creating-firewall-rules-for-port-6183.adoc b/modules/installation-aws_proc_creating-firewall-rules-for-port-6183.adoc
@@ -16,7 +16,7 @@ Port `6183` is open by default on the control plane. However, you must create a
 .. In the left navigation pane, click on **Security Groups**.
 .. Find and select the security group associated with the {product-title} cluster.
 .. In the **Inbound rules** tab, click **Edit inbound rules**.
-.. Click **Add rule** and select **Custom UDP Rule** as the rule type.
+.. Click **Add rule** and select **Custom TCP Rule** as the rule type.
 .. In the **Port range** field, enter `6183`.
 .. In the **Source** field, specify the CIDR block for the on-premise network or the security group ID of the peered VPC (if you have VPC peering) to allow traffic only from the desired sources.
 .. Click **Save rules**.
@@ -27,7 +27,7 @@ Port `6183` is open by default on the control plane. However, you must create a
 .. Find and select the network ACL associated with your {product-title} cluster's VPC.
 .. In the **Inbound rules** tab, click **Edit inbound rules**.
 .. Click **Add rule** and enter a rule number in the **Rule #** field. Choose a number that doesn't conflict with existing rules.
-.. Select `UDP` as the protocol.
+.. Select `TCP` as the protocol.
 .. In the **Port range** field, enter `6183`.
 .. In the **Source** field, specify the CIDR block for the on-premise network to allow traffic only from the desired sources.
 .. Click **Save** to save the new rule.
@@ -42,11 +42,11 @@ Port `6183` is open by default on the control plane. However, you must create a
 $ sudo firewall-cmd --list-all-zones
 ----
 
-.. To open port `6183` for UDP traffic in the desired zone execute the following command:
+.. To open port `6183` for TCP traffic in the desired zone execute the following command:
 +
 [source,terminal]
 ----
-$ sudo firewall-cmd --zone=<zone> --add-port=6183/udp --permanent
+$ sudo firewall-cmd --zone=<zone> --add-port=6183/tcp --permanent
 ----
 +
 Replace `<zone>` with the appropriate zone name.
