Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 2. Configuring private connections

2.1. Configuring private connections
Copy link

Private cluster access can be implemented to suit the needs of your Red Hat OpenShift Service on AWS environment.

Procedure

  1. Access your Red Hat OpenShift Service on AWS AWS account and use one or more of the following methods to establish a private connection to your cluster:

    • Configuring AWS VPC peering: Enable VPC peering to route network traffic between two private IP addresses.
    • Configuring AWS VPN: Establish a Virtual Private Network to securely connect your private network to your Amazon Virtual Private Cloud.
    • Configuring AWS Direct Connect: Configure AWS Direct Connect to establish a dedicated network connection between your private network and an AWS Direct Connect location.

2.2. Configuring AWS VPC peering
Copy link

This sample process configures an Amazon Web Services (AWS) VPC containing an Red Hat OpenShift Service on AWS cluster to peer with another AWS VPC network. For more information about creating an AWS VPC Peering connection or for other possible configurations, see the AWS VPC Peering guide.

2.2.1. VPC peering terms
Copy link

When setting up a VPC peering connection between two VPCs on two separate AWS accounts, the following terms are used:

Red Hat OpenShift Service on AWS AWS Account

The AWS account that contains the Red Hat OpenShift Service on AWS cluster.

Red Hat OpenShift Service on AWS Cluster VPC

The VPC that contains the Red Hat OpenShift Service on AWS cluster.

Customer AWS Account

Your non-Red Hat OpenShift Service on AWS AWS Account that you would like to peer with.

Customer VPC

The VPC in your AWS Account that you would like to peer with.

Customer VPC Region

The region where the customer’s VPC resides.

Note

As of July 2018, AWS supports inter-region VPC peering between all commercial regions excluding China.

2.2.2. Initiating the VPC peer request
Copy link

You can send a VPC peering connection request from the Red Hat OpenShift Service on AWS AWS Account to the Customer AWS Account.

Prerequisites

  • Gather the following information about the Customer VPC required to initiate the peering request:

    • Customer AWS account number
    • Customer VPC ID
    • Customer VPC Region
    • Customer VPC CIDR
  • Check the CIDR block used by the Red Hat OpenShift Service on AWS Cluster VPC. If it overlaps or matches the CIDR block for the Customer VPC, then peering between these two VPCs is not possible; see the Amazon VPC Unsupported VPC Peering Configurations documentation for details. If the CIDR blocks do not overlap, you can continue with the procedure.

Procedure

  1. Log in to the Web Console for the Red Hat OpenShift Service on AWS AWS Account and navigate to the VPC Dashboard in the region where the cluster is being hosted.
  2. Go to the Peering Connections page and click the Create Peering Connection button.

  3. Verify the details of the account you are logged in to and the details of the account and VPC you are connecting to:

    1. Peering connection name tag: Set a descriptive name for the VPC Peering Connection.
    2. VPC (Requester): Select the Red Hat OpenShift Service on AWS Cluster VPC ID from the list.
    3. Account: Select Another account and provide the Customer AWS Account number *(without dashes).
    4. Region: If the Customer VPC Region differs from the current region, select Another Region and select the customer VPC Region from the list.
    5. VPC (Accepter): Set the Customer VPC ID.
  4. Click Create Peering Connection.
  5. Confirm that the request enters a Pending state. If it enters a Failed state, confirm the details and repeat the process.

2.2.3. Accepting the VPC peer request
Copy link

After you create the VPC peering connection, you must accept the request in the Customer AWS Account.

Prerequisites

  • Initiate the VPC peer request.

Procedure

  1. Log in to the AWS Web Console.
  2. Navigate to VPC Service.
  3. Go to Peering Connections.
  4. Click on Pending peering connection.
  5. Confirm the AWS Account and VPC ID that the request originated from. This should be from the Red Hat OpenShift Service on AWS AWS Account and Red Hat OpenShift Service on AWS Cluster VPC.
  6. Click Accept Request.

2.2.4. Configuring the routing tables
Copy link

After you accept the VPC peering request, both VPCs must configure their routes to communicate across the peering connection.

Prerequisites

  • Initiate and accept the VPC peer request.

Procedure

  1. Log in to the AWS Web Console for the Red Hat OpenShift Service on AWS AWS Account.
  2. Navigate to the VPC Service, then Route tables.

  3. Select the Route Table for the Red Hat OpenShift Service on AWS Cluster VPC.

    Note

    On some clusters, there may be more than one route table for a particular VPC. Select the private one that has a number of explicitly associated subnets.

  4. Select the Routes tab, then Edit.
  5. Enter the Customer VPC CIDR block in the Destination text box.
  6. Enter the Peering Connection ID in the Target text box.
  7. Click Save.

  8. You must complete the same process with the other VPC’s CIDR block:

    1. Log into the Customer AWS Web Console VPC Service Route Tables.
    2. Select the Route Table for your VPC.
    3. Select the Routes tab, then Edit.
    4. Enter the Red Hat OpenShift Service on AWS Cluster VPC CIDR block in the Destination text box.
    5. Enter the Peering Connection ID in the Target text box.
    6. Click Save changes.

The VPC peering connection is now complete. Follow the verification procedure to ensure connectivity across the peering connection is working.

2.2.5. Verifying and troubleshooting VPC peering
Copy link

After you set up a VPC peering connection, it is best to confirm it has been configured and is working correctly.

Prerequisites

  • Initiate and accept the VPC peer request.
  • Configure the routing tables.

Procedure

  • In the AWS console, look at the route table for the cluster VPC that is peered. Ensure that the steps for configuring the routing tables were followed and that there is a route table entry pointing the VPC CIDR range destination to the peering connection target.

    If the routes look correct on both the Red Hat OpenShift Service on AWS Cluster VPC route table and Customer VPC route table, then the connection should be tested using the netcat method below. If the test calls are successful, then VPC peering is working correctly.

  • To test network connectivity to an endpoint device, nc (or netcat) is a helpful troubleshooting tool. It is included in the default image and provides quick and clear output if a connection can be established:

    1. Create a temporary pod using the busybox image, which cleans up after itself: 

      $ oc run netcat-test \
    --image=busybox -i -t \
    --restart=Never --rm \
    -- /bin/sh
      Copy to Clipboard Toggle word wrap

    2. Check the connection using nc.

      • Example successful connection results: 

        / nc -zvv 192.168.1.1 8080
10.181.3.180 (10.181.3.180:8080) open
sent 0, rcvd 0
        Copy to Clipboard Toggle word wrap

      • Example failed connection results: 

        / nc -zvv 192.168.1.2 8080
nc: 10.181.3.180 (10.181.3.180:8081): Connection refused
sent 0, rcvd 0
        Copy to Clipboard Toggle word wrap

    3. Exit the container, which automatically deletes the Pod: 

      / exit
      Copy to Clipboard Toggle word wrap

2.3. Configuring AWS VPN
Copy link

This sample process configures an Amazon Web Services (AWS) Red Hat OpenShift Service on AWS cluster to use a customer’s on-site hardware VPN device.

Note

AWS VPN does not currently provide a managed option to apply NAT to VPN traffic. See the AWS Knowledge Center for more details.

Note

Routing all traffic, for example 0.0.0.0/0, through a private connection is not supported. This requires deleting the internet gateway, which disables SRE management traffic.

For more information about connecting an AWS VPC to remote networks using a hardware VPN device, see the Amazon VPC VPN Connections documentation.

2.3.1. Creating a VPN connection
Copy link

You can configure an Amazon Web Services (AWS) Red Hat OpenShift Service on AWS cluster to use a customer’s on-site hardware VPN device using the following procedures.

Prerequisites

  • Hardware VPN gateway device model and software version, for example Cisco ASA running version 8.3. See the Amazon VPC Network Administrator Guide to confirm whether your gateway device is supported by AWS.
  • Public, static IP address for the VPN gateway device.
  • BGP or static routing: if BGP, the ASN is required. If static routing, you must configure at least one static route.
  • Optional: IP and Port/Protocol of a reachable service to test the VPN connection.

2.3.1.1. Configuring the VPN connection
Copy link

Procedure

  1. Log in to the Red Hat OpenShift Service on AWS AWS Account Dashboard, and navigate to the VPC Dashboard.
  2. Under Virtual private cloud click on Your VPCs and identify the name and VPC ID for the VPC containing the Red Hat OpenShift Service on AWS cluster.
  3. Under Virtual private network (VPN) click Customer gateways.
  4. Click Create customer gateway and give it a meaningful name.
  5. Enter the ASN of your customer gateway device in the BGP ASN field.
  6. Enter the IP address for your customer gateway devices’s external interface in the IP address field.
  7. Click Create customer gateway.

  8. If you do not already have a Virtual Private Gateway attached to the intended VPC:

    1. From the VPC Dashboard, click on Virtual Private Gateways.
    2. Click Create virtual private gateway, give it a meaningful name.
    3. Click Create virtual private gateway, leaving the Amazon default ASN.
    4. Select the newly created gateway.
    5. Select Actions from the list and click Attach to VPC.
    6. Select the newly created gateway under Available VPC’s and click Attach to VPC to attach it to the cluster VPC you identified earlier.

2.3.1.2. Establishing the VPN Connection
Copy link

Procedure

  1. From the VPC dashboard, under Virtual private network (VPN) click on Site-to-Site VPN connections.

  2. Click Create VPN connection.

    1. Give it a meaningful name tag.
    2. Select the Virtual private gateway created previously.
    3. For Customer gateway, select Existing.
    4. Select the Customer gateway id by name.
    5. If the VPN will use BGP, select Dynamic, otherwise select Static and enter the Static IP CIDRs. If there are multiple CIDRs, add each CIDR as Another Rule.
    6. Click Create VPN connection.
    7. Under State wait for the VPN status to change from Pending to Available, approximately 5 to 10 minutes.

  3. Select the VPN you just created and click Download configuration.

    1. From the list, select the vendor, platform, and version of the customer gateway device, then click Download.
    2. The Generic vendor configuration is also available for retrieving information in a plain text format.
Note

After the VPN connection has been established, be sure to set up Route Propagation or the VPN may not function as expected.

Note

Note the VPC subnet information, which you must add to your configuration as the remote network.

2.3.1.3. Enabling VPN route propagation
Copy link

After you have set up the VPN connection, you must ensure that route propagation is enabled so that the necessary routes are added to the VPC’s route table.

Procedure

  1. From the VPC Dashboard, under Virtual private cloud, click on Route tables.

  2. Select the private Route table associated with the VPC that contains your Red Hat OpenShift Service on AWS cluster.

    Note

    On some clusters, there may be more than one route table for a particular VPC. Select the private one that has a number of explicitly associated subnets.

  3. Click on the Route Propagation tab.

  4. In the table that appears, you should see the Virtual Private Gateway you created previously. Check the value in the Propagate column.

    1. If Propagation is set to No, click Edit route propagation, check the Enable checkbox in Propagation and click Save.

After you configure your VPN tunnel and AWS detects it as Up, your static or BGP routes are automatically added to the route table.

2.3.2. Verifying the VPN connection
Copy link

After you have set up your side of the VPN tunnel, you can verify that the tunnel is up in the AWS console and that connectivity across the tunnel is working.

Prerequisites

  • Created a VPN connection.

Procedure

  1. Verify the tunnel is up in AWS.

    1. From the VPC Dashboard, under Virtual private network (VPN), click on Site-to-Site VPN connections.
    2. Select the VPN connection you created previously and click the Tunnel details tab.
    3. You should see that at least one of the VPN tunnels is in an Up status.

  2. Verify the connection.

    To test network connectivity to an endpoint device, nc (or netcat) is a helpful troubleshooting tool. It is included in the default image and provides quick and clear output if a connection can be established:

    1. Create a temporary pod using the busybox image, which cleans up after itself: 

      $ oc run netcat-test \
    --image=busybox -i -t \
    --restart=Never --rm \
    -- /bin/sh
      Copy to Clipboard Toggle word wrap

    2. Check the connection using nc.

      • Example successful connection results: 

        / nc -zvv 192.168.1.1 8080
10.181.3.180 (10.181.3.180:8080) open
sent 0, rcvd 0
        Copy to Clipboard Toggle word wrap

      • Example failed connection results: 

        / nc -zvv 192.168.1.2 8080
nc: 10.181.3.180 (10.181.3.180:8081): Connection refused
sent 0, rcvd 0
        Copy to Clipboard Toggle word wrap

    3. Exit the container, which automatically deletes the Pod: 

      / exit
      Copy to Clipboard Toggle word wrap

2.3.3. Troubleshooting the VPN connection
Copy link

Tunnel does not connect

If the tunnel connection is still Down, there are several things you can verify:

  • The AWS tunnel will not initiate a VPN connection. The connection attempt must be initiated from the Customer Gateway.
  • Ensure that your source traffic is coming from the same IP as the configured customer gateway. AWS will silently drop all traffic to the gateway whose source IP address does not match.
  • Ensure that your configuration matches values supported by AWS. This includes IKE versions, DH groups, IKE lifetime, and more.
  • Recheck the route table for the VPC. Ensure that propagation is enabled and that there are entries in the route table that have the virtual private gateway you created earlier as a target.
  • Confirm that you do not have any firewall rules that could be causing an interruption.
  • Check if you are using a policy-based VPN as this can cause complications depending on how it is configured.
  • Further troubleshooting steps can be found at the AWS Knowledge Center.
Tunnel does not stay connected

If the tunnel connection has trouble staying Up consistently, know that all AWS tunnel connections must be initiated from your gateway. AWS tunnels do not initiate tunneling.

Red Hat recommends setting up an SLA Monitor (Cisco ASA) or some device on your side of the tunnel that constantly sends "interesting" traffic, for example ping, nc, or telnet, at any IP address configured within the VPC CIDR range. It does not matter whether the connection is successful, just that the traffic is being directed at the tunnel.

Secondary tunnel in Down state

When a VPN tunnel is created, AWS creates an additional failover tunnel. Depending upon the gateway device, sometimes the secondary tunnel will be seen as in the Down state.

The AWS Notification is as follows: 

You have new non-redundant VPN connections

One or more of your vpn connections are not using both tunnels. This mode of
operation is not highly available and we strongly recommend you configure your
second tunnel. View your non-redundant VPN connections.
Copy to Clipboard Toggle word wrap

2.4. Configuring AWS Direct Connect
Copy link

This process describes accepting an AWS Direct Connect virtual interface with Red Hat OpenShift Service on AWS. For more information about AWS Direct Connect types and configuration, see the AWS Direct Connect components documentation.

2.4.1. AWS Direct Connect methods
Copy link

A Direct Connect connection requires a hosted Virtual Interface (VIF) connected to a Direct Connect Gateway (DXGateway), which is in turn associated to a Virtual Gateway (VGW) or a Transit Gateway in order to access a remote VPC in the same or another account.

If you do not have an existing DXGateway, the typical process involves creating the hosted VIF, with the DXGateway and VGW being created in the Red Hat OpenShift Service on AWS AWS Account.

If you have an existing DXGateway connected to one or more existing VGWs, the process involves the Red Hat OpenShift Service on AWS AWS Account sending an Association Proposal to the DXGateway owner. The DXGateway owner must ensure that the proposed CIDR will not conflict with any other VGWs they have associated.

See the following AWS documentation for more details:

Important

When connecting to an existing DXGateway, you are responsible for the costs.

There are two configuration options available:

Method 1

Create the hosted VIF and then the DXGateway and VGW.

Method 2

Request a connection via an existing Direct Connect Gateway that you own.

2.4.2. Creating the hosted Virtual Interface
Copy link

Prerequisites

  • Gather Red Hat OpenShift Service on AWS AWS Account ID.

View the Direct Connect Virtual Interface details to determine the type of connection.

Procedure

  1. Log in to the Red Hat OpenShift Service on AWS AWS Account Dashboard and select the correct region.
  2. Select Direct Connect from the Services menu.
  3. There will be one or more Virtual Interfaces waiting to be accepted, select one of them to view the Summary.
  4. View the Virtual Interface type: private or public.
  5. Record the Amazon side ASN value.

If the Direct Connect Virtual Interface type is Private, a Virtual Private Gateway is created. If the Direct Connect Virtual Interface is Public, a Direct Connect Gateway is created.

2.4.2.2. Creating a Private Direct Connect
Copy link

A Private Direct Connect is created if the Direct Connect Virtual Interface type is Private.

Procedure

  1. Log in to the Red Hat OpenShift Service on AWS AWS Account Dashboard and select the correct region.
  2. From the AWS region, select VPC from the Services menu.
  3. From Virtual private network (VPN), select Virtual private gateways.
  4. Click Create virtual private gateway.
  5. Give the Virtual Private Gateway a suitable name.
  6. Select Custom ASN in the Enter custom ASN field enter the Amazon side ASN value gathered previously.
  7. Click Create virtual private gateway.
  8. Click the newly created Virtual Private Gateway and choose Attach to VPC from the Actions tab.
  9. Select the Red Hat OpenShift Service on AWS Cluster VPC from the list, and click Attach VPC.

Note: Editing the kubelet config will cause the nodes for your machine pool to be recreated. This ma???

2.4.2.3. Creating a Public Direct Connect
Copy link

A Public Direct Connect is created if the Direct Connect Virtual Interface type is Public.

Procedure

  1. Log in to the Red Hat OpenShift Service on AWS AWS Account Dashboard and select the correct region.
  2. From the Red Hat OpenShift Service on AWS AWS Account region, select Direct Connect from the Services menu.
  3. Select Direct Connect gateways and Create Direct Connect gateway.
  4. Give the Direct Connect gateway a suitable name.
  5. In the Amazon side ASN, enter the Amazon side ASN value gathered previously.
  6. Click Create the Direct Connect gateway.

2.4.2.4. Verifying the Virtual Interfaces
Copy link

After the Direct Connect Virtual Interfaces have been accepted, wait a short period and view the status of the Interfaces.

Procedure

  1. Log in to the Red Hat OpenShift Service on AWS AWS Account Dashboard and select the correct region.
  2. From the Red Hat OpenShift Service on AWS AWS Account region, select Direct Connect from the Services menu.
  3. Select one of the Direct Connect Virtual Interfaces from the list.
  4. Check the Interface State has become Available
  5. Check the Interface BGP Status has become Up.
  6. Repeat this verification for any remaining Direct Connect Interfaces.

After the Direct Connect Virtual Interfaces are available, you can log in to the Red Hat OpenShift Service on AWS AWS Account Dashboard and download the Direct Connect configuration file for configuration on your side.

Prerequisites

  • Confirm the CIDR range of the Red Hat OpenShift Service on AWS VPC will not conflict with any other VGWs you have associated.

  • Gather the following information:

    • The Direct Connect Gateway ID.
    • The AWS Account ID associated with the virtual interface.
    • The BGP ASN assigned for the DXGateway. Optional: the Amazon default ASN may also be used.

Procedure

  1. Log in to the Red Hat OpenShift Service on AWS AWS Account Dashboard and select the correct region.
  2. From the Red Hat OpenShift Service on AWS AWS Account region, select VPC from the Services menu.
  3. From Virtual private network (VPN), select Virtual private gateways.
  4. Select Create virtual private gateway.
  5. Give the virtual private gateway a suitable name in the Details field.
  6. Click Custom ASN and enter the Amazon side ASN value gathered previously or use the Amazon Provided ASN.
  7. Click Create virtual private gateway.
  8. From the Red Hat OpenShift Service on AWS AWS Account region, select Direct Connect from the Services menu.
  9. Click virtual private gateways and select the virtual private gateway.
  10. Click View details.
  11. Click the Direct Connect gateway associations tab.
  12. Click Associate Direct Connect gateway
  13. Under Association account type, for Account owner, click Another account.
  14. Under Association settings, for Direct Connect gateway ID, enter the ID of the Direct Connect gateway.
  15. For Direct Connect gateway owner, enter the ID of the AWS account that owns the Direct Connect gateway.
  16. Optional: Add prefixes to Allowed prefixes, separating them using commas or put them on separate lines.
  17. Click Associate Direct Connect gateway.
  18. After the Association Proposal has been sent, it will be waiting for your acceptance. The final steps you must perform are available in the AWS Documentation.

2.4.4. Troubleshooting Direct Connect
Copy link

Further troubleshooting can be found in the Troubleshooting AWS Direct Connect documentation.

Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat