Chapter 2. Detailed requirements for deploying Red Hat OpenShift Service on AWS

2.1. Customer requirements for all Red Hat OpenShift Service on AWS clusters
Copia collegamento

The following prerequisites must be complete before you deploy a Red Hat OpenShift Service on AWS cluster.

2.2. AWS account
Copia collegamento

Your AWS account must allow sufficient quota to deploy your cluster.
If your organization applies and enforces SCP policies, these policies must not be more restrictive than the roles and policies required by the cluster.
You can deploy native AWS services within the same AWS account.
Your account must have a service-linked role to allow the installation program to configure Elastic Load Balancing (ELB). See "Creating the Elastic Load Balancing (ELB) service-linked role" for more information.

2.2.1. Support requirements
Copia collegamento

Red Hat recommends that the customer have at least Business Support from AWS.
Red Hat may have permission from the customer to request AWS support on their behalf.
Red Hat may have permission from the customer to request AWS resource limit increases on the customer’s account.
Red Hat manages the restrictions, limitations, expectations, and defaults for all Red Hat OpenShift Service on AWS clusters in the same manner, unless otherwise specified in this requirements section.

2.2.2. Security requirements
Copia collegamento

Red Hat must have ingress access to EC2 hosts and the API server from allow-listed IP addresses.
Red Hat must have egress allowed to the domains documented in the "Firewall prerequisites" section. Clusters with egress zero are exempt from this requirement.

2.3. Requirements for using OpenShift Cluster Manager
Copia collegamento

The following configuration details are required only if you use OpenShift Cluster Manager to manage your clusters. If you use the CLI tools exclusively, then you can disregard these requirements.

2.3.1. AWS account association
Copia collegamento

When you provision Red Hat OpenShift Service on AWS using OpenShift Cluster Manager (console.redhat.com), you must associate the ocm-role and user-role IAM roles with your AWS account using your Amazon Resource Name (ARN). This association process is also known as account linking.

The ocm-role ARN is stored as a label in your Red Hat organization while the user-role ARN is stored as a label inside your Red Hat user account. Red Hat uses these ARN labels to confirm that the user is a valid account holder and that the correct permissions are available to perform provisioning tasks in the AWS account.

2.3.2. Associating your AWS account with IAM roles
Copia collegamento

You can associate or link your AWS account with existing IAM roles by using the ROSA CLI, rosa.

Prerequisites

You have an AWS account.
You have the permissions required to install AWS account-wide roles. See the "Additional resources" of this section for more information.
You have installed and configured the latest AWS (aws) and ROSA (rosa) CLIs on your installation host.
You have created the ocm-role and user-role IAM roles, but have not yet linked them to your AWS account. You can check whether your IAM roles are already linked by running the following commands:
```
rosa list ocm-role
```
```
$ rosa list ocm-role
```
Copy to Clipboard Toggle word wrap
```
rosa list user-role
```
```
$ rosa list user-role
```
Copy to Clipboard Toggle word wrap
If Yes is displayed in the Linked column for both roles, you have already linked the roles to an AWS account.

Procedure

In the ROSA CLI, link your ocm-role resource to your Red Hat organization by using your Amazon Resource Name (ARN):
Note
You must have Red Hat Organization Administrator privileges to run the rosa link command. After you link the ocm-role resource with your AWS account, it takes effect and is visible to all users in the organization.
```
rosa link ocm-role --role-arn <arn>
```
```
$ rosa link ocm-role --role-arn <arn>
```
Copy to Clipboard Toggle word wrap
Example output
```
I: Linking OCM role
? Link the '<AWS ACCOUNT ID>` role with organization '<ORG ID>'? Yes
I: Successfully linked role-arn '<AWS ACCOUNT ID>' with organization account '<ORG ID>'
```
```
I: Linking OCM role
? Link the '<AWS ACCOUNT ID>` role with organization '<ORG ID>'? Yes
I: Successfully linked role-arn '<AWS ACCOUNT ID>' with organization account '<ORG ID>'
```
Copy to Clipboard Toggle word wrap

In the ROSA CLI, link your user-role resource to your Red Hat user account by using your Amazon Resource Name (ARN):

rosa link user-role --role-arn <arn>

$ rosa link user-role --role-arn <arn>

Copy to Clipboard

Toggle word wrap

Example output

I: Linking User role
? Link the 'arn:aws:iam::<ARN>:role/ManagedOpenShift-User-Role-125' role with organization '<AWS ID>'? Yes
I: Successfully linked role-arn 'arn:aws:iam::<ARN>:role/ManagedOpenShift-User-Role-125' with organization account '<AWS ID>'

I: Linking User role
? Link the 'arn:aws:iam::<ARN>:role/ManagedOpenShift-User-Role-125' role with organization '<AWS ID>'? Yes
I: Successfully linked role-arn 'arn:aws:iam::<ARN>:role/ManagedOpenShift-User-Role-125' with organization account '<AWS ID>'

Copy to Clipboard

Toggle word wrap

Additional resources

Account-wide IAM role and policy reference

2.3.3. Associating multiple AWS accounts with your Red Hat organization
Copia collegamento

You can associate multiple AWS accounts with your Red Hat organization. Associating multiple accounts lets you create Red Hat OpenShift Service on AWS clusters on any of the associated AWS accounts from your Red Hat organization.

With this capability, you can create clusters on different AWS profiles according to characteristics that make sense for your business, for example, by using one AWS profile for each region to create region-bound environments.

Prerequisites

You have an AWS account.
You are using OpenShift Cluster Manager to create clusters.
You have the permissions required to install AWS account-wide roles.
You have installed and configured the latest AWS (aws) and ROSA (rosa) CLIs on your installation host.
You have created the ocm-role and user-role IAM roles for Red Hat OpenShift Service on AWS.

Procedure

To associate an additional AWS account, first create a profile in your local AWS configuration. Then, associate the account with your Red Hat organization by creating the ocm-role, user, and account roles in the additional AWS account.

To create the roles in an additional region, specify the --profile <aws-profile> parameter when running the rosa create commands and replace <aws_profile> with the additional account profile name:

To specify an AWS account profile when creating an OpenShift Cluster Manager role:
```
rosa create --profile <aws_profile> ocm-role
```
```
$ rosa create --profile <aws_profile> ocm-role
```
Copy to Clipboard Toggle word wrap
To specify an AWS account profile when creating a user role:
```
rosa create --profile <aws_profile> user-role
```
```
$ rosa create --profile <aws_profile> user-role
```
Copy to Clipboard Toggle word wrap
To specify an AWS account profile when creating the account roles:
```
rosa create --profile <aws_profile> account-roles
```
```
$ rosa create --profile <aws_profile> account-roles
```
Copy to Clipboard Toggle word wrap

Note

If you do not specify a profile, the default AWS profile and its associated AWS region are used.

2.4. Requirements for deploying a cluster in an opt-in region
Copia collegamento

An AWS opt-in region is a region that is not enabled in your AWS account by default. If you want to deploy a Red Hat OpenShift Service on AWS cluster that uses the AWS Security Token Service (STS) in an opt-in region, you must meet the following requirements:

The region must be enabled in your AWS account. For more information about enabling opt-in regions, see Managing AWS Regions in the AWS documentation.
The security token version in your AWS account must be set to version 2. You cannot use version 1 security tokens for opt-in regions.
Important
Updating to security token version 2 can impact the systems that store the tokens, due to the increased token length. For more information, see the AWS documentation on setting STS preferences.

2.4.1. Setting the AWS security token version
Copia collegamento

If you want to create a Red Hat OpenShift Service on AWS cluster with the AWS Security Token Service (STS) in an AWS opt-in region, you must set the security token version to version 2 in your AWS account.

Prerequisites

You have installed and configured the latest AWS CLI on your installation host.

Procedure

List the ID of the AWS account that is defined in your AWS CLI configuration:
```
aws sts get-caller-identity --query Account --output json
```
```
$ aws sts get-caller-identity --query Account --output json
```
Copy to Clipboard Toggle word wrap
Ensure that the output matches the ID of the relevant AWS account.
List the security token version that is set in your AWS account:
```
aws iam get-account-summary --query SummaryMap.GlobalEndpointTokenVersion --output json
```
```
$ aws iam get-account-summary --query SummaryMap.GlobalEndpointTokenVersion --output json
```
Copy to Clipboard Toggle word wrap
Example output
```
1
```
```
1
```
Copy to Clipboard Toggle word wrap
To update the security token version to version 2 for all regions in your AWS account, run the following command:
```
aws iam set-security-token-service-preferences --global-endpoint-token-version v2Token
```
```
$ aws iam set-security-token-service-preferences --global-endpoint-token-version v2Token
```
Copy to Clipboard Toggle word wrap
Important
Updating to security token version 2 can impact the systems that store the tokens, due to the increased token length. For more information, see the AWS documentation on setting STS preferences.

2.5. Red Hat managed IAM references for AWS
Copia collegamento

Red Hat is not responsible for creating and managing Amazon Web Services (AWS) IAM policies, IAM users, or IAM roles. For information on creating these roles and policies, see the following sections on IAM roles.

To use the ocm CLI, you must have an ocm-role and user-role resource. See Required IAM roles and resources.
If you have a single cluster, see Account-wide IAM role and policy reference.
For each cluster, you must have the necessary Operator roles. See Cluster-specific Operator IAM role reference.

2.6. Provisioned AWS Infrastructure
Copia collegamento

This is an overview of the provisioned Amazon Web Services (AWS) components on a deployed Red Hat OpenShift Service on AWS cluster.

2.6.1. EC2 instances
Copia collegamento

AWS EC2 instances are required to deploy Red Hat OpenShift Service on AWS.

At a minimum, two m5.xlarge EC2 instances are deployed for use as worker nodes.

The instance type shown for worker nodes is the default value, but you can customize the instance type for worker nodes according to the needs of your workload.

2.6.2. Amazon Elastic Block Store storage
Copia collegamento

Amazon Elastic Block Store (Amazon EBS) block storage is used for both local node storage and persistent volume storage. By default, the following storage is provisioned for each EC2 instance:

Node volumes
- Type: AWS EBS GP3
- Default size: 300 GiB (adjustable at creation time)
- Minimum size: 75 GiB
Workload persistent volumes
- Default storage class: gp3-csi
- Provisioner: ebs.csi.aws.com
- Dynamic persistent volume provisioning

2.6.3. Elastic Load Balancing
Copia collegamento

By default, one Network Load Balancer is created for use by the default ingress controller. You can create additional load balancers of the following types according to the needs of your workload:

Classic Load Balancer
Network Load Balancer
Application Load Balancer

For more information, see the ELB documentation for AWS.

2.6.4. S3 storage
Copia collegamento

The image registry is backed by AWS S3 storage. Resources are pruned regularly to optimize S3 usage and cluster performance.

Note

Two buckets are required with a typical size of 2TB each.

2.6.5. VPC
Copia collegamento

Configure your VPC according to the following requirements:

Subnets: Every cluster requires a minimum of one private subnet for every availability zone. For example, 1 private subnet is required for a single-zone cluster, and 3 private subnets are required for a cluster with 3 availability zones.
If your cluster needs direct access to a network that is external to the cluster, including the public internet, you require at least one public subnet.
Red Hat strongly recommends using unique subnets for each cluster. Sharing subnets between multiple clusters is not recommended.
Note
A public subnet connects directly to the internet through an internet gateway.
A private subnet connects to the internet through a network address translation (NAT) gateway.
Route tables: One route table per private subnet, and one additional table per cluster.
Internet gateways: One Internet Gateway per cluster.
NAT gateways: One NAT Gateway per public subnet.

2.6.6. Security groups
Copia collegamento

AWS security groups provide security at the protocol and port access level; they are associated with EC2 instances and Elastic Load Balancing (ELB) load balancers. Each security group contains a set of rules that filter traffic coming in and out of one or more EC2 instances.

Ensure that the ports required for cluster installation and operation are open on your network and configured to allow access between hosts. The requirements for the default security groups are listed in Required ports for default security groups.

Expand

Table 2.1. Required ports for default security groups
Group	Type	IP Protocol	Port range
WorkerSecurityGroup	`AWS::EC2::SecurityGroup`	`icmp`	`0`
WorkerSecurityGroup	`AWS::EC2::SecurityGroup`	`tcp`	`22`

2.6.6.1. Additional custom security groups
Copia collegamento

You can add additional custom security groups during cluster creation. Custom security groups are subject to the following limitations:

You must create the custom security groups in AWS before you create the cluster. For more information, see Amazon EC2 security groups for Linux instances.
You must associate the custom security groups with the VPC that the cluster will be installed into. Your custom security groups cannot be associated with another VPC.
You might need to request additional quota for your VPC if you are adding additional custom security groups. For information on AWS quota requirements for Red Hat OpenShift Service on AWS see Required AWS service quotas in Prepare your environment. For information on requesting an AWS quota increase, see Requesting a quota increase.

2.7. Networking prerequisites
Copia collegamento

2.7.1. Minimum bandwidth
Copia collegamento

During cluster deployment, Red Hat OpenShift Service on AWS requires a minimum bandwidth of 120 Mbps between cluster infrastructure and the public internet or private network locations that provide deployment artifacts and resources. When network connectivity is slower than 120 Mbps (for example, when connecting through a proxy) the cluster installation process times out and deployment fails.

After cluster deployment, network requirements are determined by your workload. However, a minimum bandwidth of 120 Mbps helps to ensure timely cluster and operator upgrades.

2.7.2. AWS firewall prerequisites
Copia collegamento

If you are using a firewall to control egress traffic from your Red Hat OpenShift Service on AWS cluster, you must configure your firewall to grant access to the certain domain and port combinations below. Red Hat OpenShift Service on AWS requires this access to provide a fully managed OpenShift service.

Prerequisites

You have configured an Amazon S3 gateway endpoint in your AWS Virtual Private Cloud (VPC). This endpoint is required to complete requests from the cluster to the Amazon S3 service.

Procedure

Allowlist the following URLs that are used to install and download packages and tools:

Expand

Domain	Port	Function
`registry.redhat.io`	443	Provides core container images.
`quay.io`	443	Provides core container images.
`cdn01.quay.io`	443	Provides core container images.
`cdn02.quay.io`	443	Provides core container images.
`cdn03.quay.io`	443	Provides core container images.
`cdn04.quay.io`	443	Provides core container images.
`cdn05.quay.io`	443	Provides core container images.
`cdn06.quay.io`	443	Provides core container images.
`sso.redhat.com`	443	Required. The `https://console.redhat.com/openshift` site uses authentication from `sso.redhat.com` to download the pull secret and use Red Hat SaaS solutions to facilitate monitoring of your subscriptions, cluster inventory, chargeback reporting, and so on.
`quay-registry.s3.amazonaws.com`	443	Provides core container images.
`quayio-production-s3.s3.amazonaws.com`	443	Provides core container images.
`registry.access.redhat.com`	443	Hosts all the container images that are stored on the Red Hat Ecosytem Catalog. Additionally, the registry provides access to the `odo` CLI tool that helps developers build on OpenShift and Kubernetes.
`access.redhat.com`	443	Required. Hosts a signature store that a container client requires for verifying images when pulling them from `registry.access.redhat.com`.
`registry.connect.redhat.com`	443	Required for all third-party images and certified Operators.
`console.redhat.com`	443	Required. Allows interactions between the cluster and OpenShift Console Manager to enable functionality, such as scheduling upgrades.
`sso.redhat.com`	443	The `https://console.redhat.com/openshift` site uses authentication from `sso.redhat.com`.
`pull.q1w2.quay.rhcloud.com`	443	Provides core container images as a fallback when quay.io is not available.
`catalog.redhat.com`	443	The `registry.access.redhat.com` and `https://registry.redhat.io` sites redirect through `catalog.redhat.com`.
`oidc.op1.openshiftapps.com`	443	Used by Red Hat OpenShift Service on AWS for STS implementation with managed OIDC configuration.

Allowlist the following telemetry URLs:

Expand

Domain	Port	Function
`cert-api.access.redhat.com`	443	Required for telemetry.
`api.access.redhat.com`	443	Required for telemetry.
`infogw.api.openshift.com`	443	Required for telemetry.
`console.redhat.com`	443	Required for telemetry and Red Hat Insights.
`observatorium-mst.api.openshift.com`	443	Required for managed OpenShift-specific telemetry.
`observatorium.api.openshift.com`	443	Required for managed OpenShift-specific telemetry.

Managed clusters require enabling telemetry to allow Red Hat to react more quickly to problems, better support the customers, and better understand how product upgrades impact clusters. For more information about how remote health monitoring data is used by Red Hat, see About remote health monitoring in the Additional resources section.

Allowlist the following Amazon Web Services (AWS) API URls:

Expand

Domain	Port	Function
`.amazonaws.com`	443	Required to access AWS services and resources.

Alternatively, if you choose to not use a wildcard for Amazon Web Services (AWS) APIs, you must allowlist the following URLs:

Expand

Domain	Port	Function
`ec2.amazonaws.com`	443	Used to install and manage clusters in an AWS environment.
`events.<aws_region>.amazonaws.com`	443	Used to install and manage clusters in an AWS environment.
`iam.amazonaws.com`	443	Used to install and manage clusters in an AWS environment.
`route53.amazonaws.com`	443	Used to install and manage clusters in an AWS environment.
`sts.amazonaws.com`	443	Used to install and manage clusters in an AWS environment, for clusters configured to use the global endpoint for AWS STS.
`sts.<aws_region>.amazonaws.com`	443	Used to install and manage clusters in an AWS environment, for clusters configured to use regionalized endpoints for AWS STS. See AWS STS regionalized endpoints for more information.
`tagging.us-east-1.amazonaws.com`	443	Used to install and manage clusters in an AWS environment. This endpoint is always us-east-1, regardless of the region the cluster is deployed in.
`ec2.<aws_region>.amazonaws.com`	443	Used to install and manage clusters in an AWS environment.
`elasticloadbalancing.<aws_region>.amazonaws.com`	443	Used to install and manage clusters in an AWS environment.
`tagging.<aws_region>.amazonaws.com`	443	Allows the assignment of metadata about AWS resources in the form of tags.

Allowlist the following OpenShift URLs:

Expand

Domain	Port	Function
`mirror.openshift.com`	443	Used to access mirrored installation content and images. This site is also a source of release image signatures.
`api.openshift.com`	443	Used to check if updates are available for the cluster.

Allowlist the following site reliability engineering (SRE) and management URLs:

Expand

Domain	Port	Function
`api.pagerduty.com`	443	This alerting service is used by the in-cluster alertmanager to send alerts notifying Red Hat SRE of an event to take action on.
`events.pagerduty.com`	443	This alerting service is used by the in-cluster alertmanager to send alerts notifying Red Hat SRE of an event to take action on.
`api.deadmanssnitch.com`	443	Alerting service used by Red Hat OpenShift Service on AWS to send periodic pings that indicate whether the cluster is available and running.
`nosnch.in`	443	Alerting service used by Red Hat OpenShift Service on AWS to send periodic pings that indicate whether the cluster is available and running.
`http-inputs-osdsecuritylogs.splunkcloud.com`	443	Required. Used by the `splunk-forwarder-operator` as a logging forwarding endpoint to be used by Red Hat SRE for log-based alerting.
`sftp.access.redhat.com` (Recommended)	22	The SFTP server used by `must-gather-operator` to upload diagnostic logs to help troubleshoot issues with the cluster.

2.7.3. Firewall prerequisites for Red Hat OpenShift Service on AWS
Copia collegamento

If you are using a firewall to control egress traffic from Red Hat OpenShift Service on AWS, your Virtual Private Cloud (VPC) must be able to complete requests from the cluster to the Amazon S3 service, for example, via an Amazon S3 gateway.
You must also configure your firewall to grant access to the following domain and port combinations.

2.7.3.1. Domains for installation packages and tools
Copia collegamento

Expand

Domain	Port	Function
`quay.io`	443	Provides core container images.
`cdn01.quay.io`	443	Provides core container images.
`cdn02.quay.io`	443	Provides core container images.
`cdn03.quay.io`	443	Provides core container images.
`cdn04.quay.io`	443	Provides core container images.
`cdn05.quay.io`	443	Provides core container images.
`cdn06.quay.io`	443	Provides core container images.
`quayio-production-s3.s3.amazonaws.com`	443	Provides core container images.
`registry.redhat.io`	443	Provides core container images.
`registry.access.redhat.com`	443	Required. Hosts all the container images that are stored on the Red Hat Ecosytem Catalog. Additionally, the registry provides access to the `odo` CLI tool that helps developers build on OpenShift and Kubernetes.
`access.redhat.com`	443	Required. Hosts a signature store that a container client requires for verifying images when pulling them from `registry.access.redhat.com`.
`api.openshift.com`	443	Required. Used to check for available updates to the cluster.
`mirror.openshift.com`	443	Required. Used to access mirrored installation content and images. This site is also a source of release image signatures, although the Cluster Version Operator (CVO) needs only a single functioning source.

2.7.3.2. Domains for telemetry
Copia collegamento

Expand

Domain	Port	Function
`infogw.api.openshift.com`	443	Required for telemetry.
`console.redhat.com`	443	Required. Allows interactions between the cluster and OpenShift Console Manager to enable functionality, such as scheduling upgrades.
`sso.redhat.com`	443	Required. The `https://console.redhat.com/openshift` site uses authentication from `sso.redhat.com` to download the pull secret and use Red Hat SaaS solutions to facilitate monitoring of your subscriptions, cluster inventory, chargeback reporting, etc.

Managed clusters require enabling telemetry to allow Red Hat to react more quickly to problems, better support the customers, and better understand how product upgrades impact clusters. For more information about how remote health monitoring data is used by Red Hat, see About remote health monitoring.

2.7.3.3. Domains for Amazon Web Services (AWS) APIs
Copia collegamento

Expand

Domain	Port	Function
`sts.<aws_region>.amazonaws.com` ^[1]	443	Required. Used to access the AWS Secure Token Service (STS) regional endpoint. Ensure that you replace `<aws-region>` with the region that your cluster is deployed in.

This can also be accomplished by configuring a private interface endpoint in your AWS Virtual Private Cloud (VPC) to the regional AWS STS endpoint.

2.7.3.4. Domains for your workload
Copia collegamento

Your workload may require access to other sites that provide resources for programming languages or frameworks.

Allow access to sites that provide resources required by your builds.
Allow access to outbound URLs required for your workload, for example, OpenShift Outbound URLs to Allow.

2.7.3.5. Optional domains to enable third-party content
Copia collegamento

Expand

Domain	Port	Function
`registry.connect.redhat.com`	443	Optional. Required for all third-party-images and certified operators.
`rhc4tp-prod-z8cxf-image-registry-us-east-1-evenkyleffocxqvofrk.s3.dualstack.us-east-1.amazonaws.com`	443	Optional. Provides access to container images hosted on `registry.connect.redhat.com`.
`oso-rhc4tp-docker-registry.s3-us-west-2.amazonaws.com`	443	Optional. Required for Sonatype Nexus, F5 Big IP operators.

2.7.3.6. Outbound firewall rules for the ROSA CLI for clusters with egress zero
Copia collegamento

If you use a bastion host to connect to a private cluster with egress zero, you must add the following rules to your firewall so that it can connect and authenticate to the cluster.

Expand

Domain	Port	From/To	Function
`sso.redhat.com`	443	ROSA CLI running on bastion host	The OpenShift console uses authentication from `sso.redhat.com` to download the pull secret and use Red Hat SaaS solutions to facilitate monitoring of your subscriptions, cluster inventory, chargeback reporting, etc.
`api.openshift.com`	443	ROSA CLI running on bastion host	Required for registering a Red Hat OpenShift Service on AWS cluster into Red Hat Hybrid Cloud Console.
`iam.amazonaws.com`	443	ROSA CLI running on bastion host	Used for creating IAM roles and attaching permissions.
`servicequotas.<your region>.amazonaws.com`	443	ROSA CLI running on bastion host	Checks AWS quotas to ensure they satisfy ROSA installation requirements. Alternatively, you can create a VPC endpoint for servicequota service to avoid whitelisting this URL from your firewall.
`sts.<your region>.amazonaws.com`	443	ROSA CLI running on bastion host	Used to get short-lived token to access AWS service. Alternatively, you can create a VPC endpoint for STS service to avoid whitelisting this url from your firewall.
`ec2.<your region>.amazonaws.com`	443	ROSA CLI running on bastion host	Used to retrieve EC2 instance related information such as subnets. Alternatively, you can create a VPC endpoint for EC2 service to avoid whitelisting this URL from your firewall.

2.7.3.7. Outbound firewall rules from Red Hat Hybrid Cloud Console for clusters with egress zero
Copia collegamento

Expand

Domain	Port	From/To	Function
`sts.<your region>.amazonaws.com`	443	Red Hat OpenShift Service on AWS cluster	Used to access the AWS Secure Token Service (STS) regional endpoint to retrieve a short-lived token to access AWS services. Alternatively, you can create a VPC endpoint for STS service to avoid whitelisting this URL from your firewall.
`console.redhat.com`	443	Any browser to access Red Hat Hybrid Cloud Console	To manage a Red Hat OpenShift Service on AWS cluster from Hybrid Cloud Console.
`sso.redhat.com`	443	Any browser to access Red Hat Hybrid Cloud Console	The Red Hat Hybrid Cloud Console site uses authentication from `sso.redhat.com` to download the pull secret and use Red Hat SaaS solutions to facilitate monitoring of your subscriptions, cluster inventory, chargeback reporting, etc.

Next steps

Review the required AWS service quotas

Questo contenuto non è disponibile nella lingua selezionata.

2.1. Customer requirements for all Red Hat OpenShift Service on AWS clustersCopia collegamentoCollegamento copiato negli appunti!

2.2. AWS accountCopia collegamentoCollegamento copiato negli appunti!

2.2.1. Support requirementsCopia collegamentoCollegamento copiato negli appunti!

2.2.2. Security requirementsCopia collegamentoCollegamento copiato negli appunti!

2.3. Requirements for using OpenShift Cluster ManagerCopia collegamentoCollegamento copiato negli appunti!

2.3.1. AWS account associationCopia collegamentoCollegamento copiato negli appunti!

2.3.2. Associating your AWS account with IAM rolesCopia collegamentoCollegamento copiato negli appunti!

Additional resources

2.3.3. Associating multiple AWS accounts with your Red Hat organizationCopia collegamentoCollegamento copiato negli appunti!

2.4. Requirements for deploying a cluster in an opt-in regionCopia collegamentoCollegamento copiato negli appunti!

2.4.1. Setting the AWS security token versionCopia collegamentoCollegamento copiato negli appunti!

2.5. Red Hat managed IAM references for AWSCopia collegamentoCollegamento copiato negli appunti!

2.6. Provisioned AWS InfrastructureCopia collegamentoCollegamento copiato negli appunti!

2.6.1. EC2 instancesCopia collegamentoCollegamento copiato negli appunti!

2.6.2. Amazon Elastic Block Store storageCopia collegamentoCollegamento copiato negli appunti!

2.6.3. Elastic Load BalancingCopia collegamentoCollegamento copiato negli appunti!

2.6.4. S3 storageCopia collegamentoCollegamento copiato negli appunti!

2.6.5. VPCCopia collegamentoCollegamento copiato negli appunti!

2.6.6. Security groupsCopia collegamentoCollegamento copiato negli appunti!

2.6.6.1. Additional custom security groupsCopia collegamentoCollegamento copiato negli appunti!

2.7. Networking prerequisitesCopia collegamentoCollegamento copiato negli appunti!

2.7.1. Minimum bandwidthCopia collegamentoCollegamento copiato negli appunti!

2.7.2. AWS firewall prerequisitesCopia collegamentoCollegamento copiato negli appunti!

2.7.3. Firewall prerequisites for Red Hat OpenShift Service on AWSCopia collegamentoCollegamento copiato negli appunti!

2.7.3.1. Domains for installation packages and toolsCopia collegamentoCollegamento copiato negli appunti!

2.7.3.2. Domains for telemetryCopia collegamentoCollegamento copiato negli appunti!

2.7.3.3. Domains for Amazon Web Services (AWS) APIsCopia collegamentoCollegamento copiato negli appunti!

2.7.3.4. Domains for your workloadCopia collegamentoCollegamento copiato negli appunti!

2.7.3.5. Optional domains to enable third-party contentCopia collegamentoCollegamento copiato negli appunti!

2.7.3.6. Outbound firewall rules for the ROSA CLI for clusters with egress zeroCopia collegamentoCollegamento copiato negli appunti!

2.7.3.7. Outbound firewall rules from Red Hat Hybrid Cloud Console for clusters with egress zeroCopia collegamentoCollegamento copiato negli appunti!

Next steps

Additional resources

Formazione

Prova, acquista e vendi

Community

Informazioni sulla documentazione di Red Hat

Rendiamo l’open source più inclusivo

Informazioni su Red Hat

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links

2.1. Customer requirements for all Red Hat OpenShift Service on AWS clusters
Copia collegamento

2.2. AWS account
Copia collegamento

2.2.1. Support requirements
Copia collegamento

2.2.2. Security requirements
Copia collegamento

2.3. Requirements for using OpenShift Cluster Manager
Copia collegamento

2.3.1. AWS account association
Copia collegamento

2.3.2. Associating your AWS account with IAM roles
Copia collegamento

2.3.3. Associating multiple AWS accounts with your Red Hat organization
Copia collegamento

2.4. Requirements for deploying a cluster in an opt-in region
Copia collegamento

2.4.1. Setting the AWS security token version
Copia collegamento

2.5. Red Hat managed IAM references for AWS
Copia collegamento

2.6. Provisioned AWS Infrastructure
Copia collegamento

2.6.1. EC2 instances
Copia collegamento

2.6.2. Amazon Elastic Block Store storage
Copia collegamento

2.6.3. Elastic Load Balancing
Copia collegamento

2.6.4. S3 storage
Copia collegamento

2.6.5. VPC
Copia collegamento

2.6.6. Security groups
Copia collegamento

2.6.6.1. Additional custom security groups
Copia collegamento

2.7. Networking prerequisites
Copia collegamento

2.7.1. Minimum bandwidth
Copia collegamento

2.7.2. AWS firewall prerequisites
Copia collegamento

2.7.3. Firewall prerequisites for Red Hat OpenShift Service on AWS
Copia collegamento

2.7.3.1. Domains for installation packages and tools
Copia collegamento

2.7.3.2. Domains for telemetry
Copia collegamento

2.7.3.3. Domains for Amazon Web Services (AWS) APIs
Copia collegamento

2.7.3.4. Domains for your workload
Copia collegamento

2.7.3.5. Optional domains to enable third-party content
Copia collegamento

2.7.3.6. Outbound firewall rules for the ROSA CLI for clusters with egress zero
Copia collegamento

2.7.3.7. Outbound firewall rules from Red Hat Hybrid Cloud Console for clusters with egress zero
Copia collegamento