Chapter 7. Red Hat Ansible Automation Platform Service on AWS Private Link Connectivity
Private link connectivity is a networking feature commonly used in cloud environments. Private link connectivity allows services to communicate privately over a secure, internal network without exposing traffic to the public internet. On AWS, private link connectivity is known as AWS PrivateLink.
7.1. Key benefits of private link connectivity
To ensure maximum network isolation and security, AWS PrivateLink connectivity establishes a private connection for the Ansible Automation Platform Service on AWS, which is essential because:
- It enables the Ansible Automation Platform Service on AWS control plane to connect to project and execution environment repositories hosted on private networks that are inaccessible from the public internet.
- It keeps automation mesh data within a private network rather than traversing the public internet.
Automation mesh uses industry standard TLS encryption regardless of how automation mesh nodes are connected. Consider this traffic secured in the same manner as all TLS traffic.
7.2. How AWS PrivateLink works
AWS PrivateLink connectivity is supported both into (ingress) and out of (egress) the Ansible Automation Platform control plane.
For more AWS specific information about how AWS PrivateLink works, see the Amazon Virtual Private Cloud documentation.
7.2.1. AWS PrivateLink connectivity from customer VPC into the Ansible Automation Platform control plane
For AWS PrivateLink connectivity into the control plane, an AWS Endpoint Service is automatically provisioned to expose the control plane to your AWS environment. You must create an AWS Endpoint in your Virtual Private Cloud (VPC) that connects to this service, and enable private DNS resolution of the endpoint service hostname. With this in place, any traffic originating from your VPC to the control plane API or mesh ingress connects to a private IP address and does not traverse the public internet. Traffic is stateful, so there is no need to open a private link in the reverse direction for responses to Transmission Control Protocol (TCP) requests that originate from the customer VPC.
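The sentence above states the observable outcome of a working ingress endpoint: the control-plane hostname resolves to a private address inside your VPC rather than a public one. The following is an added verification example, not Red Hat's code or part of the original documentation; it resolves a hostname and classifies every returned address against the VPC CIDRs you supply. The hostname and CIDR in the `__main__` block are constructed placeholders, and the `resolver` parameter is an assumption of this example so the check can be exercised offline.

```python
"""Check that a hostname resolves only to addresses inside the customer VPC.

Added example (not Red Hat's code): once the interface endpoint and private
DNS are in place, the control-plane hostname should resolve to private IPs
inside the VPC. The hostname and VPC CIDRs used below are constructed.
"""
import ipaddress
import socket
from typing import Callable, Iterable, Optional


def system_resolver(hostname: str) -> list[str]:
    """Return every A/AAAA answer the local resolver gives for port 443."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, 443)})


def check_private_resolution(hostname: str, vpc_cidrs: Iterable[str],
                             resolver: Optional[Callable[[str], list[str]]] = None) -> dict:
    """Classify each resolved address as inside the VPC, private elsewhere, or public.

    The check passes only when at least one address is returned and every
    address lies within one of vpc_cidrs, which is what private DNS for the
    endpoint service should produce. A public address means traffic would
    still leave over the internet; a private address outside the VPC means
    DNS is answering from somewhere other than the interface endpoint.
    """
    resolve = resolver or system_resolver
    nets = [ipaddress.ip_network(c) for c in vpc_cidrs]
    result = {"hostname": hostname, "in_vpc": [], "private_elsewhere": [], "public": []}
    for text in resolve(hostname):
        addr = ipaddress.ip_address(text)
        if any(addr.version == n.version and addr in n for n in nets):
            result["in_vpc"].append(text)
        elif addr.is_private:
            result["private_elsewhere"].append(text)
        else:
            result["public"].append(text)
    result["ok"] = (bool(result["in_vpc"])
                    and not result["private_elsewhere"]
                    and not result["public"])
    return result


if __name__ == "__main__":
    # Constructed placeholders: use your deployment URL host and your VPC CIDR(s).
    report = check_private_resolution("ans-123456.ansible.redhat.com", ["10.20.0.0/16"])
    status = "PRIVATE (ok)" if report["ok"] else "NOT PRIVATE (check endpoint and private DNS)"
    print(f"{report['hostname']}: {status} {report}")
```

Run it from an instance inside the VPC after the endpoint is created; run it again from outside the VPC to confirm the same hostname still resolves publicly there, which is the expected split-horizon behaviour.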
7.2.2. AWS PrivateLink connectivity from Ansible Automation Platform control plane to customer VPCs
You can configure Ansible Automation Platform to use external resources such as source code repositories, container registries, and execution nodes. By default, the control plane connects to these resources over the public internet. However, if your resources are not publicly available, you can leverage AWS PrivateLink to securely access your private resources without traversing the public internet.
AWS PrivateLink connectivity allows the Ansible Automation Platform control plane to connect privately to your resources, including registries, repositories, and execution nodes. Traffic is stateful, eliminating the need to open a private link in the reverse direction for responses to Transmission Control Protocol (TCP) requests that originate from the control plane VPC.
To enable AWS PrivateLink connectivity from the control plane to your private resources, create one or more Endpoint Services in your VPC. Then reach out to Red Hat support to create the consuming Endpoints.
When creating the Endpoint Service in your VPC, you must enable the Private DNS option. This ensures that the Ansible Automation Platform control plane can resolve and connect to your service using the specified domain over AWS PrivateLink. Private DNS makes DNS queries from Ansible Automation Platform resolve to the private IP addresses of the interface endpoint, enabling secure and direct communication over PrivateLink.
7.3. Inbound traffic control (IP restrictions)
Two distinct layers of traffic control are available depending on your connectivity method.
| Method | Scope | Managed by | Action required |
|---|---|---|---|
| Public internet access | Restricts access to the Ansible Automation Platform UI and API over the public internet. | Red Hat SRE | Open a Support Ticket requesting "Traffic Control CIDR Allowlisting." You must provide the specific IP CIDR blocks to allow (for example, …). |
| PrivateLink access | Restricts access coming through your PrivateLink VPC Endpoint. | Customer | Configure the AWS Security Group attached to your VPC Endpoint to allow inbound HTTPS (443) traffic only from specific internal subnets or VPN CIDRs. |
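The customer-managed row of the table is a policy statement: the security group on the VPC Endpoint should admit only TCP 443 and only from approved internal or VPN ranges. The following is an added example, not Red Hat's code, of checking that policy against a group description. The group dictionaries are constructed samples in the shape of `aws ec2 describe-security-groups` output (`IpPermissions`, `IpRanges`, `Ipv6Ranges`, `UserIdGroupPairs`, `PrefixListIds`), and the approved source ranges are placeholders for your own subnets.

```python
"""Audit the security group attached to a PrivateLink interface endpoint.

Added example (not Red Hat's code). Samples are constructed in the shape of
`aws ec2 describe-security-groups` output; APPROVED_SOURCES stands in for
the internal subnets or VPN CIDRs that should reach the endpoint.
"""
import ipaddress

# Constructed: the only sources that should reach the endpoint on HTTPS.
APPROVED_SOURCES = ["10.20.0.0/16", "192.168.100.0/24"]

# Constructed sample with two problems: 0.0.0.0/0 on 443, and SSH open at all.
SAMPLE_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "GroupName": "aap-privatelink-endpoint",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.20.0.0/16"}, {"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [], "UserIdGroupPairs": [], "PrefixListIds": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "192.168.100.0/24"}],
         "Ipv6Ranges": [], "UserIdGroupPairs": [], "PrefixListIds": []},
    ],
}

# Constructed sample that matches the policy exactly.
COMPLIANT_GROUP = {
    "GroupId": "sg-0fedcba9876543210",
    "GroupName": "aap-privatelink-endpoint-ok",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.20.0.0/16"}],
         "Ipv6Ranges": [], "UserIdGroupPairs": [], "PrefixListIds": []},
    ],
}


def _describe(perm: dict) -> str:
    """Human-readable protocol/port summary of one inbound rule."""
    proto = perm.get("IpProtocol", "?")
    if proto == "-1":                      # AWS encodes "all traffic" as -1
        return "all protocols/ports"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return f"{proto}/{lo}" if lo == hi else f"{proto}/{lo}-{hi}"


def audit_endpoint_security_group(group: dict, approved_sources: list[str]) -> list[str]:
    """Return one finding per inbound rule wider than 'HTTPS from approved ranges'."""
    approved = [ipaddress.ip_network(c) for c in approved_sources]
    gid = group.get("GroupId", "<unknown>")
    findings = []
    for perm in group.get("IpPermissions", []):
        what = _describe(perm)
        # Only TCP 443 is needed to reach the UI/API; anything else is excess exposure.
        if (perm.get("IpProtocol") != "tcp"
                or perm.get("FromPort") != 443 or perm.get("ToPort") != 443):
            findings.append(f"{gid}: inbound {what} is open; only tcp/443 should be allowed")
        # Every CIDR source must sit inside one of the approved ranges.
        for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
            net = ipaddress.ip_network(cidr, strict=False)
            if not any(net.version == a.version and net.subnet_of(a) for a in approved):
                findings.append(f"{gid}: {what} reachable from {cidr}, outside the approved ranges")
        # Sources given as other groups or prefix lists cannot be compared to CIDRs here.
        for pair in perm.get("UserIdGroupPairs", []):
            findings.append(f"{gid}: {what} reachable from security group {pair.get('GroupId')}; review manually")
        for pl in perm.get("PrefixListIds", []):
            findings.append(f"{gid}: {what} reachable from prefix list {pl.get('PrefixListId')}; review manually")
    return findings


if __name__ == "__main__":
    for grp in (SAMPLE_GROUP, COMPLIANT_GROUP):
        problems = audit_endpoint_security_group(grp, APPROVED_SOURCES)
        print(grp["GroupName"], "->", problems or "compliant")
```

To run this against a live account, feed it each element of `SecurityGroups` from `aws ec2 describe-security-groups --group-ids <endpoint-sg-id>`; a non-empty findings list is the signal that the endpoint is reachable more widely than the table requires.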
7.4. Enabling AWS PrivateLink connectivity
To enable private link connectivity, submit a customer support ticket and the Red Hat team will work with you on the next steps.
You must create two separate support tickets for bi-directional connectivity:
- One enabling AWS PrivateLink connectivity from Customer VPC into the control plane
- One enabling AWS PrivateLink connectivity out of the control plane to Customer VPC.
7.4.1. Configuring AWS PrivateLink connectivity from customer VPC to Red Hat managed control plane
This configuration allows your internal users and automation to access the Ansible Automation Platform UI and API over PrivateLink.
Procedure
- To request Ingress PrivateLink, submit a Customer support case to Red Hat using the Ingress AWS PrivateLink request template below. You must include your:
  - AWS Account ID.
  - Region.
  - Deployment URL.
- After Red Hat provides you with a VPC Endpoint Service Name, create a VPC Endpoint in your AWS account that points to the provided service name. When creating the endpoint:
  - Select "Endpoint services that use NLBs and GWLBs".
  - In the Service name field, paste the VPC Endpoint Service Name provided by Red Hat and click .
  - Complete the network and security group configuration as required by your organization.
Ingress PrivateLink request template
Subject:
Request for Ingress PrivateLink Connection: <Your Company Name> - <Deployment ID>
Body:
Hello Red Hat Support,
We would like to enable Ingress PrivateLink connectivity for our AAP on AWS instance. This will allow our internal users and automation tools to access the AAP Control Plane (UI/API) securely from our VPC without traversing the public internet.
Deployment details:
AAP Deployment Name/ID: <for example, ans-123456>
AAP Deployment URL: <for example, https://ans-123456.ansible.redhat.com>
Our Network Information:
Our AWS Account ID: <Your 12-digit AWS Account ID>
Target Region: <for example, us-east-1>
Action required:
Please create the Endpoint Service configuration on the Control Plane side and provide us with the VPC Endpoint Service Name so we can create the interface endpoint in our VPC.
Thank you.
7.4.2. Configuring AWS PrivateLink connectivity from Red Hat managed control plane to customer VPCs
This configuration allows the Ansible Automation Platform control plane to connect to your private resources, such as internal Git or private automation hub.
Procedure
- Create an Endpoint Service in your VPC:
  - Confirm your private resource is behind an AWS Network Load Balancer (NLB).
  - Create an Endpoint Service in your AWS VPC that points to that NLB.
  Important: You must select the service type that supports Interface endpoints and enable the Private DNS option.
- To initiate control plane egress, you must submit a separate Customer support case using the Egress PrivateLink request template.
- Red Hat uses the information provided to create an Interface Endpoint on their side. When Red Hat creates this endpoint, they select the category "Endpoint services that use NLBs and GWLBs" to connect to your service.
- Your internal network or IT team must configure the internal DNS.
- To ensure users route through the secure PrivateLink connection, you must request a Split-Horizon DNS configuration.
- Copy the Egress PrivateLink request template, fill in your specific VPC Endpoint Service Name, and submit it to Red Hat.
Egress PrivateLink request template
Subject:
Egress PrivateLink Configuration for <Instance ID>
Body:
We need to enable Egress PrivateLink connectivity to allow the AAP control plane to access our internal private resources (for example, private automation hub, Git and so on).
Configuration details:
Our AWS Account ID: <Your 12-digit AWS Account ID>
Our Endpoint Service Name: <for example, com.amazonaws.vpce.us-east-1.vpce-svc-xxxxxxxx>
Service Regions/AZs: <for example, us-east-1 / us-east-1a, us-east-1b>
Action required:
Please confirm when Red Hat has initiated the connection request so we can approve it in our AWS Console.
Thank you.
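The egress procedure in 7.4.2 has two customer-side control points: the Endpoint Service must be configured so that Red Hat's Interface Endpoint can resolve it (Private DNS enabled and verified) and cannot connect without your approval, and the connection request you approve in the AWS Console should come from the account Red Hat names in the support case. The following is an added example, not Red Hat's code or part of the original procedure, that performs both checks. The dictionaries are constructed samples in the shape of `aws ec2 describe-vpc-endpoint-service-configurations` and `aws ec2 describe-vpc-endpoint-connections` output, and `EXPECTED_OWNER` is a placeholder for the account ID you are told to expect.

```python
"""Pre-flight checks for the customer-side Endpoint Service and for approving
the control plane's connection request.

Added example (not Red Hat's code). SAMPLE_SERVICE and SAMPLE_CONNECTIONS are
constructed in the shape of the AWS CLI describe-* output; EXPECTED_OWNER is a
placeholder account ID, not a real Red Hat account.
"""

# Constructed: the service as it might look before private DNS verification finishes
# and before acceptance was switched on.
SAMPLE_SERVICE = {
    "ServiceId": "vpce-svc-0123456789abcdef0",
    "ServiceName": "com.amazonaws.vpce.us-east-1.vpce-svc-0123456789abcdef0",
    "ServiceState": "Available",
    "ServiceType": [{"ServiceType": "Interface"}],
    "AcceptanceRequired": False,
    "NetworkLoadBalancerArns": [
        "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/hub-nlb/0123456789abcdef"
    ],
    "PrivateDnsName": "hub.internal.example.com",
    "PrivateDnsNameConfiguration": {
        "State": "pendingVerification", "Type": "TXT",
        "Name": "_vpce-example", "Value": "vpce:example",
    },
}

EXPECTED_OWNER = "111111111111"  # placeholder: the account named in your support case

# Constructed: one pending request from the expected account, one from an unknown
# account, and one connection that is already established.
SAMPLE_CONNECTIONS = [
    {"ServiceId": "vpce-svc-0123456789abcdef0", "VpcEndpointId": "vpce-0aaa",
     "VpcEndpointOwner": "111111111111", "VpcEndpointState": "pendingAcceptance"},
    {"ServiceId": "vpce-svc-0123456789abcdef0", "VpcEndpointId": "vpce-0bbb",
     "VpcEndpointOwner": "222222222222", "VpcEndpointState": "pendingAcceptance"},
    {"ServiceId": "vpce-svc-0123456789abcdef0", "VpcEndpointId": "vpce-0ccc",
     "VpcEndpointOwner": "111111111111", "VpcEndpointState": "available"},
]


def audit_endpoint_service(service: dict) -> list[str]:
    """Return findings for anything that would stop the egress link from working safely."""
    findings = []
    types = {t.get("ServiceType") for t in service.get("ServiceType", [])}
    if "Interface" not in types:
        findings.append("service type must support Interface endpoints")
    if service.get("ServiceState") != "Available":
        findings.append(f"service state is {service.get('ServiceState')!r}, not 'Available'")
    if not service.get("NetworkLoadBalancerArns"):
        findings.append("no Network Load Balancer is attached to the service")
    # Without acceptance, any allowed principal's endpoint connects with no approval step.
    if not service.get("AcceptanceRequired"):
        findings.append("AcceptanceRequired is false: connections would be established without your approval")
    # The control plane reaches your resource by name, so private DNS must exist and be verified.
    if not service.get("PrivateDnsName"):
        findings.append("Private DNS is not enabled, so the control plane cannot resolve your hostname over PrivateLink")
    else:
        state = (service.get("PrivateDnsNameConfiguration") or {}).get("State")
        if state != "verified":
            findings.append(f"private DNS name {service['PrivateDnsName']} is {state!r}, not 'verified'")
    return findings


def triage_connection_requests(connections: list[dict], expected_owner: str) -> tuple[list[str], list[str]]:
    """Split pending requests into (approve, hold) by whether the requesting account is expected."""
    approve, hold = [], []
    for conn in connections:
        if conn.get("VpcEndpointState") != "pendingAcceptance":
            continue
        target = approve if conn.get("VpcEndpointOwner") == expected_owner else hold
        target.append(conn["VpcEndpointId"])
    return approve, hold


if __name__ == "__main__":
    for problem in audit_endpoint_service(SAMPLE_SERVICE):
        print("FINDING:", problem)
    ok, suspicious = triage_connection_requests(SAMPLE_CONNECTIONS, EXPECTED_OWNER)
    print("approve:", ok, "| hold for review:", suspicious)
```

Only the endpoint IDs in the approve list should be passed to `aws ec2 accept-vpc-endpoint-connections --service-id <service-id> --vpc-endpoint-ids <ids>`; a pending request from any other account should be left unaccepted until its origin is confirmed with Red Hat support.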