Merge pull request #53645 from mjpytlak/osdocs-4467

mjpytlak · web-flow · commit 75790af8ccc7 · 2023-03-16T17:37:58.000-04:00
OSDCOS-4467: Added specific AWS URLs that must be allowlisted
diff --git a/modules/configuring-firewall.adoc b/modules/configuring-firewall.adoc
@@ -8,11 +8,11 @@
 
 Before you install {product-title}, you must configure your firewall to grant access to the sites that {product-title} requires.
 
-There are no special configuration considerations for services running on only controller nodes versus worker nodes.
+There are no special configuration considerations for services running on only controller nodes compared to worker nodes.
 
 [NOTE]
 ====
-If your environment has a dedicated load balancer in front of your {product-title} cluster, review the allowlists between your firewall and load balancer to prevent unwanted network restrictions to your cluster. 
+If your environment has a dedicated load balancer in front of your {product-title} cluster, review the allowlists between your firewall and load balancer to prevent unwanted network restrictions to your cluster.
 ====
 
 .Procedure
@@ -91,15 +91,73 @@ You can use the wildcards `\*.quay.io` and `*.openshiftapps.com` instead of `cdn
 |Cloud |URL | Port |Function
 
 |Alibaba
-|*.aliyuncs.com
+|`*.aliyuncs.com`
 |443, 80
 |Required to access Alibaba Cloud services and resources. Review the link:https://github.com/aliyun/alibaba-cloud-sdk-go/blob/master/sdk/endpoints/endpoints_config.go?spm=a2c4g.11186623.0.0.47875873ciGnC8&file=endpoints_config.go[Alibaba endpoints_config.go file] to determine the exact endpoints to allow for the regions that you use.
 
-|AWS
+.15+|AWS
 |`*.amazonaws.com`
+
+Alternatively, if you choose to not use a wildcard for AWS APIs, you must allowlist the following URLs:
 |443, 80
 |Required to access AWS services and resources. Review the link:https://docs.aws.amazon.com/general/latest/gr/rande.html[AWS Service Endpoints] in the AWS documentation to determine the exact endpoints to allow for the regions that you use.
 
+|`ec2.amazonaws.com`
+|443
+|Used to install and manage clusters in an AWS environment.
+
+|`events.amazonaws.com`
+|443
+|Used to install and manage clusters in an AWS environment.
+
+|`iam.amazonaws.com`
+|443
+|Used to install and manage clusters in an AWS environment.
+
+|`route53.amazonaws.com`
+|443
+|Used to install and manage clusters in an AWS environment.
+
+|`s3.amazonaws.com`
+|443
+|Used to install and manage clusters in an AWS environment.
+
+|`s3.<aws_region>.amazonaws.com`
+|443
+|Used to install and manage clusters in an AWS environment.
+
+|`s3.dualstack.<aws_region>.amazonaws.com`
+|443
+|Used to install and manage clusters in an AWS environment.
+
+|`sts.amazonaws.com`
+|443
+|Used to install and manage clusters in an AWS environment.
+
+|`sts.<aws_region>.amazonaws.com`
+|443
+|Used to install and manage clusters in an AWS environment.
+
+|`tagging.us-east-1.amazonaws.com`
+|443
+|Used to install and manage clusters in an AWS environment. This endpoint is always `us-east-1`, regardless of the region the cluster is deployed in.
+
+|`ec2.<aws_region>.amazonaws.com`
+|443
+|Used to install and manage clusters in an AWS environment.
+
+|`elasticloadbalancing.<aws_region>.amazonaws.com`
+|443
+|Used to install and manage clusters in an AWS environment.
+
+|`servicequotas.<aws_region>.amazonaws.com`
+|443, 80
+|Required. Used to confirm quotas for deploying the service.
+
+|`tagging.<aws_region>.amazonaws.com`
+|443, 80
+|Allows the assignment of metadata about AWS resources in the form of tags.
+
 .2+|GCP
 |`*.googleapis.com`
 |443, 80
