Chapter 2. Configuring private connections
2.1. Configuring private connections for AWS
2.1.1. Understanding AWS cloud infrastructure access
AWS cloud infrastructure access does not apply to the Customer Cloud Subscription (CCS) infrastructure type that is chosen when you create a cluster because CCS clusters are deployed onto your account.
Amazon Web Services (AWS) infrastructure access permits Customer Portal Organization Administrators and cluster owners to enable AWS Identity and Access Management (IAM) users to have federated access to the AWS Management Console for their OpenShift Dedicated cluster. AWS access can be granted for customer AWS users, and private cluster access can be implemented to suit the needs of your OpenShift Dedicated environment.
- Get started with configuring AWS infrastructure access for your OpenShift Dedicated cluster by creating an AWS user and account and providing that user with access to the OpenShift Dedicated AWS account.
After you have access to the OpenShift Dedicated AWS account, use one or more of the following methods to establish a private connection to your cluster:
- Configuring AWS VPC peering: Enable VPC peering to route network traffic between two private IP addresses.
- Configuring AWS VPN: Establish a Virtual Private Network to securely connect your private network to your Amazon Virtual Private Cloud.
- Configuring AWS Direct Connect: Configure AWS Direct Connect to establish a dedicated network connection between your private network and an AWS Direct Connect location.
After configuring your cloud infrastructure access, learn more about Configuring a private cluster.
2.1.2. Configuring AWS infrastructure access
Amazon Web Services (AWS) infrastructure access allows Customer Portal Organization Administrators and cluster owners to enable AWS Identity and Access Management (IAM) users to have federated access to the AWS Management Console for their OpenShift Dedicated cluster. Administrators can select between Network Management or Read-only access options.
Prerequisites
- An AWS account with IAM permissions.
Procedure
- Log in to your AWS account. If necessary, you can create a new AWS account by following the AWS documentation.
- Create an IAM user with STS:AllowAssumeRole permissions within the AWS account.
- Open the IAM dashboard of the AWS Management Console.
- In the Policies section, click Create Policy.
- Select the JSON tab and replace the existing text with the following:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "*"
      }
    ]
  }
- Click Next:Tags.
- Optional: Add tags. Click Next:Review.
- Provide an appropriate name and description, then click Create Policy.
- In the Users section, click Add user.
- Provide an appropriate user name.
- Select AWS Management Console access as the AWS access type.
- Adjust the password requirements as necessary for your organization, then click Next:Permissions.
- Click the Attach existing policies directly option. Search for and check the policy created in previous steps.
Note: It is not recommended to set a permissions boundary.
- Click Next: Tags, then click Next: Review. Confirm the configuration is correct.
- Click Create user. A success page appears.
- Gather the IAM user’s Amazon Resource Name (ARN). The ARN will have the following format: arn:aws:iam::000111222333:user/username. Click Close.
- Open OpenShift Cluster Manager in your browser and select the cluster for which you want to allow AWS infrastructure access.
- Select the Access control tab, and scroll to the AWS Infrastructure Access section.
- Paste the AWS IAM ARN and select Network Management or Read-only permissions, then click Grant role.
- Copy the AWS OSD console URL to your clipboard.
- Sign in to your AWS account with your Account ID or alias, IAM user name, and password.
- In a new browser tab, paste the AWS OSD Console URL that will be used to route to the AWS Switch Role page.
- Your account number and role will be filled in already. Choose a display name if necessary, then click Switch Role.
Verification
- You now see VPC under Recently visited services.
2.1.3. Configuring AWS VPC peering
A Virtual Private Cloud (VPC) peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses. You can configure an Amazon Web Services (AWS) VPC containing an OpenShift Dedicated cluster to peer with another AWS VPC network.
Before you attempt to uninstall a cluster, you must remove any VPC peering connections from the cluster’s VPC. Failure to do so might result in a cluster not completing the uninstall process.
AWS supports inter-region VPC peering between all commercial regions excluding China.
Prerequisites
Gather the following information about the Customer VPC that is required to initiate the peering request:
- Customer AWS account number
- Customer VPC ID
- Customer VPC Region
- Customer VPC CIDR
- Check the CIDR block used by the OpenShift Dedicated Cluster VPC. If it overlaps or matches the CIDR block for the Customer VPC, then peering between these two VPCs is not possible; see the Amazon VPC Unsupported VPC peering configurations documentation for details. If the CIDR blocks do not overlap, you can proceed with the procedure.
Procedure
Additional resources
- For more information and troubleshooting help, see the AWS VPC guide.
2.1.4. Configuring an AWS VPN
You can configure an Amazon Web Services (AWS) OpenShift Dedicated cluster to use a customer’s on-site hardware Virtual Private Network (VPN) device. By default, instances that you launch into an AWS Virtual Private Cloud (VPC) cannot communicate with your own (remote) network. You can enable access to your remote network from your VPC by creating an AWS Site-to-Site VPN connection, and configuring routing to pass traffic through the connection.
AWS VPN does not currently provide a managed option to apply NAT to VPN traffic. See the AWS Knowledge Center for more details.
Routing all traffic, for example 0.0.0.0/0, through a private connection is not supported. This requires deleting the internet gateway, which disables SRE management traffic.
Prerequisites
- Hardware VPN gateway device model and software version, for example Cisco ASA running version 8.3. See the AWS documentation to confirm whether your gateway device is supported by AWS.
- Public, static IP address for the VPN gateway device.
- BGP or static routing: if BGP, the ASN is required. If static routing, you must configure at least one static route.
- Optional: IP and port/protocol of a reachable service to test the VPN connection.
Procedure
- Create a customer gateway to configure the VPN connection.
- If you do not already have a Virtual Private Gateway attached to the intended VPC, create and attach a Virtual Private Gateway.
- Configure routing and enable VPN route propagation.
- Update your security group.
- Establish the Site-to-Site VPN connection.
Note: Note the VPC subnet information, which you must add to your configuration as the remote network.
Additional resources
- For more information and troubleshooting help, see the AWS VPN guide.
2.1.5. Configuring AWS Direct Connect
Amazon Web Services (AWS) Direct Connect requires a hosted Virtual Interface (VIF) connected to a Direct Connect Gateway (DXGateway), which is in turn associated to a Virtual Gateway (VGW) or a Transit Gateway in order to access a remote Virtual Private Cloud (VPC) in the same or another account.
If you do not have an existing DXGateway, the typical process involves creating the hosted VIF, with the DXGateway and VGW being created in your AWS account.
If you have an existing DXGateway connected to one or more existing VGWs, the process involves your AWS account sending an Association Proposal to the DXGateway owner. The DXGateway owner must ensure that the proposed CIDR will not conflict with any other VGWs they have associated.
Prerequisites
- Confirm the CIDR range of the OpenShift Dedicated VPC will not conflict with any other VGWs you have associated.
Gather the following information:
- The Direct Connect Gateway ID.
- The AWS Account ID associated with the virtual interface.
- The BGP ASN assigned for the DXGateway. Optional: the Amazon default ASN may also be used.
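The CIDR checks named in the VPC peering and Direct Connect prerequisites, together with the unsupported 0.0.0.0/0 route from the VPN section, can be run before any request is sent. The following is an added example, not part of the original documentation; the function names and every CIDR value in it are constructed assumptions.

```python
import ipaddress

def parse(cidr):
    # strict=True rejects a CIDR with host bits set, such as 10.0.1.0/16.
    return ipaddress.ip_network(cidr, strict=True)

def find_conflicts(cluster_cidr, remote_cidrs):
    """Return (name, cidr, reason) for every remote range that matches or
    overlaps the cluster VPC CIDR."""
    cluster = parse(cluster_cidr)
    conflicts = []
    for name, cidr in remote_cidrs.items():
        remote = parse(cidr)
        if remote.version != cluster.version:
            continue  # an IPv4 range cannot overlap an IPv6 range
        if remote == cluster:
            conflicts.append((name, cidr, "matches"))
        elif remote.overlaps(cluster):
            conflicts.append((name, cidr, "overlaps"))
    return conflicts

def unsupported_routes(routes):
    """Return routes that would send all traffic (prefix length 0) through
    the private connection."""
    return [r for r in routes if parse(r).prefixlen == 0]

# Constructed sample values, not taken from any real environment.
CLUSTER_VPC_CIDR = "10.0.0.0/16"
REMOTE_CIDRS = {
    "customer-vpc": "10.0.128.0/20",
    "vgw-a": "172.16.0.0/12",
    "vgw-b": "10.0.0.0/16",
    "on-prem": "192.168.10.0/24",
}
PROPOSED_ROUTES = ["192.168.10.0/24", "0.0.0.0/0"]

if __name__ == "__main__":
    for name, cidr, reason in find_conflicts(CLUSTER_VPC_CIDR, REMOTE_CIDRS):
        print(f"CONFLICT {name}: {cidr} {reason} {CLUSTER_VPC_CIDR}")
    for route in unsupported_routes(PROPOSED_ROUTES):
        print(f"UNSUPPORTED route {route}: routes all traffic through the private connection")
```

Replace the sample values with the cluster VPC CIDR and the CIDRs of the Customer VPC or associated VGWs; an empty result from both functions means the prerequisite checks pass.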
Procedure
- Create a VIF or view your existing VIFs to determine the type of direct connection you need to create.
- Create your gateway.
- If the Direct Connect VIF type is Private, create a virtual private gateway.
- If the Direct Connect VIF is Public, create a Direct Connect gateway.
- If you have an existing gateway you want to use, create an association proposal and send the proposal to the DXGateway owner for approval.
Warning: When connecting to an existing DXGateway, you are responsible for the costs.
Additional resources
- For more information and troubleshooting help, see the AWS Direct Connect guide.
2.2. Configuring a private cluster
An OpenShift Dedicated cluster can be made private so that internal applications can be hosted inside a corporate network. In addition, private clusters can be configured to have only internal API endpoints for increased security.
OpenShift Dedicated administrators can choose between public and private cluster configuration from within OpenShift Cluster Manager. Privacy settings can be configured during cluster creation or after a cluster is established.
2.2.1. Enabling a private cluster during cluster creation
You can enable private cluster settings when creating a new cluster.
Prerequisites
The following private connections must be configured to allow private access:
- VPC Peering
- Cloud VPN
- DirectConnect (AWS only)
- TransitGateway (AWS only)
- Cloud Interconnect (GCP only)
Procedure
- Log in to OpenShift Cluster Manager.
- Click Create cluster → OpenShift Dedicated → Create cluster.
- Configure your cluster details.
- When selecting your preferred network configuration, select Advanced.
- Select Private.
Warning: When set to Private, you cannot access your cluster unless you have configured the private connections in your cloud provider as outlined in the prerequisites.
- Click Create cluster. The cluster creation process begins and takes about 30-40 minutes to complete.
Verification
- The Installing cluster heading, under the Overview tab, indicates that the cluster is installing and you can view the installation logs from this heading. The Status indicator under the Details heading indicates when your cluster is Ready for use.
2.2.2. Enabling an existing cluster to be private
After a cluster has been created, you can later enable the cluster to be private.
Prerequisites
The following private connections must be configured to allow private access:
- VPC Peering
- Cloud VPN
- DirectConnect (AWS only)
- TransitGateway (AWS only)
- Cloud Interconnect (GCP only)
Procedure
- Log in to OpenShift Cluster Manager.
- Select the public cluster you would like to make private.
- On the Networking tab, select Make API private under Control Plane API endpoint.
Warning: When set to Private, you cannot access your cluster unless you have configured the private connections in your cloud provider as outlined in the prerequisites.
- Click Change settings.
Note: Transitioning your cluster between private and public can take several minutes to complete.
2.2.3. Enabling an existing private cluster to be public
After a private cluster has been created, you can later enable the cluster to be public.
Procedure
- Log in to OpenShift Cluster Manager.
- Select the private cluster you would like to make public.
- On the Networking tab, deselect Make API private under Control Plane API endpoint.
- Click Change settings.
Note: Transitioning your cluster between private and public can take several minutes to complete.