Merge pull request #69442 from jneczypor/OSDOCS-8807

EricPonvelle · web-flow · commit 6e92818cdb29 · 2024-01-03T14:46:34.000-05:00
OSDOCS-8807: Small update to firewalls
diff --git a/modules/osd-aws-privatelink-firewall-prerequisites.adoc b/modules/osd-aws-privatelink-firewall-prerequisites.adoc
@@ -108,27 +108,33 @@ This section provides the necessary details that enable you to control egress tr
 |443
 |The `registry.access.redhat.com` and `https://registry.redhat.io` sites redirect through `catalog.redhat.com`.
 
+|`dvbwgdztaeq9o.cloudfront.net` ^[2]^
+|443
+|Used by ROSA for STS implementation with managed OIDC configuration.
+
 ifdef::fedramp[]
 |`time-a-g.nist.gov`
-|123 ^[2]^
+|123 ^[3]^
 |Allows NTP traffic for FedRAMP.
 
 |`time-a-wwv.nist.gov`
-|123 ^[2]^
+|123 ^[3]^
 |Allows NTP traffic for FedRAMP.
 
 |`time-a-b.nist.gov`
-|123 ^[2]^
+|123 ^[3]^
 |Allows NTP traffic for FedRAMP.
 endif::fedramp[]
 |===
 +
 [.small]
 --
 1. In a firewall environment, ensure that the `access.redhat.com` resource is on the allowlist. This resource hosts a signature store that a container client requires for verifying images when pulling them from `registry.access.redhat.com`.
+2. The string of alphanumeric characters before `cloudfront.net` could change if there is a major cloudfront outage that requires redirecting the resource.
 ifdef::fedramp[]
-2. Both TCP and UDP ports.
+3. Both TCP and UDP ports.
 endif::fedramp[]
+
 --
 +
 When you add a site such as `quay.io` to your allowlist, do not add a wildcard entry such as `*.quay.io` to your denylist. In most cases, image registries use a content delivery network (CDN) to serve images. If a firewall blocks access, then image downloads are denied when the initial download request is redirected to a host name such as `cdn01.quay.io`.
