Red Hat SummitEste conteúdo não está disponível no idioma selecionado.
Chapter 3. Architecture models
Red Hat OpenShift Service on AWS classic architecture has a classic architecture cluster topology meaning the control plane and the worker nodes are deployed in the customer’s AWS account.
3.1. Comparing Red Hat OpenShift Service on AWS and Red Hat OpenShift Service on AWS (classic architecture)
| | Hosted Control Plane (HCP) | Classic |
|---|---|---|
| Control plane hosting | Control plane components, such as the API server etcd database, are hosted in a Red Hat-owned AWS account. | Control plane components, such as the API server etcd database, are hosted in a customer-owned AWS account. |
| Virtual Private Cloud (VPC) | Worker nodes communicate with the control plane over AWS PrivateLink. | Worker nodes and control plane nodes are deployed in the customer’s VPC. |
| Multi-zone deployment | The control plane is always deployed across multiple availability zones (AZs). | The control plane can be deployed within a single AZ or across multiple AZs. |
| Machine pools | Each machine pool is deployed in a single AZ (private subnet). | Machine pools can be deployed in single AZ or across multiple AZs. |
| Infrastructure nodes | Does not use any dedicated infrastructure nodes to host platform components, such as ingress and image registry. | Uses 2 (single-AZ) or 3 (multi-AZ) dedicated infrastructure nodes to host platform components. |
| OpenShift capabilities | Platform monitoring, image registry, and the ingress controller are deployed in the worker nodes. | Platform monitoring, image registry, and the ingress controller are deployed in the dedicated infrastructure nodes. |
| Cluster upgrades | The control plane and each machine pool can be upgraded separately. | The entire cluster must be upgraded at the same time. |
| Minimum EC2 footprint | 2 EC2 instances are needed to create a cluster. | 7 (single-AZ) or 9 (multi-AZ) EC2 instances are needed to create a cluster. |
Additional resources
3.2. Red Hat OpenShift Service on AWS classic architecture
In Red Hat OpenShift Service on AWS classic architecture, both the control plane and the worker nodes are deployed in your VPC subnets.
3.2.1. Red Hat OpenShift Service on AWS classic architecture on public and private networks
With Red Hat OpenShift Service on AWS classic architecture, you can create clusters that are accessible over public or private networks.
You can customize access patterns for your API server endpoint and Red Hat SRE management in the following ways:
- Public - API server endpoint and application routes are internet-facing.
- Private - API server endpoint and application routes are private. Private Red Hat OpenShift Service on AWS classic architecture clusters use some public subnets, but no control plane or worker nodes are deployed in public subnets.
- Private with AWS PrivateLink - API server endpoint and application routes are private. Public subnets or NAT gateways are not required in your VPC for egress. Red Hat OpenShift Service on AWS classic architecture SRE management uses AWS PrivateLink.
The following image depicts the architecture of a Red Hat OpenShift Service on AWS classic architecture cluster deployed on both public and private networks.
Figure 3.1. Red Hat OpenShift Service on AWS classic architecture deployed on public and private networks
Red Hat OpenShift Service on AWS classic architecture clusters include infrastructure nodes where OpenShift components such as the ingress controller, image registry, and monitoring are deployed. The infrastructure nodes and the OpenShift components deployed on them are managed by Red Hat OpenShift Service on AWS classic architecture SREs.
The following types of clusters are available with Red Hat OpenShift Service on AWS classic architecture:
- Single zone cluster - The control plane and worker nodes are hosted on a single availability zone.
- Multi-zone cluster - The control plane is hosted on three availability zones with an option to run worker nodes on one or three availability zones.
3.2.2. AWS PrivateLink architecture
The Red Hat managed infrastructure that creates AWS PrivateLink clusters is hosted on private subnets. The connection between Red Hat and the customer-provided infrastructure is created through AWS PrivateLink VPC endpoints.
AWS PrivateLink is supported on existing VPCs only.
The following diagram shows network connectivity of a PrivateLink cluster.
Figure 3.2. Multi-AZ AWS PrivateLink cluster deployed on private subnets
3.2.2.1. AWS reference architectures
AWS provides multiple reference architectures that can be useful to customers when planning how to set up a configuration that uses AWS PrivateLink. Here are three examples:
A public subnet connects directly to the internet through an internet gateway. A private subnet connects to the internet through a network address translation (NAT) gateway.
VPC with a private subnet and AWS Site-to-Site VPN access.
This configuration enables you to extend your network into the cloud without exposing your network to the internet.
To enable communication with your network over an Internet Protocol Security (IPsec) VPN tunnel, this configuration contains a virtual private cloud (VPC) with a single private subnet and a virtual private gateway. Communication over the internet does not use an internet gateway.
For more information, see VPC with a private subnet only and AWS Site-to-Site VPN access in the AWS documentation.
VPC with public and private subnets (NAT)
This configuration enables you to isolate your network so that the public subnet is reachable from the internet but the private subnet is not.
Only the public subnet can send outbound traffic directly to the internet. The private subnet can access the internet by using a network address translation (NAT) gateway that resides in the public subnet. This allows database servers to connect to the internet for software updates using the NAT gateway, but does not allow connections to be made directly from the internet to the database servers.
For more information, see VPC with public and private subnets (NAT) in the AWS documentation.
VPC with public and private subnets and AWS Site-to-Site VPN access
This configuration enables you to extend your network into the cloud and to directly access the internet from your VPC.
You can run a multi-tiered application with a scalable web front end in a public subnet, and house your data in a private subnet that is connected to your network by an IPsec AWS Site-to-Site VPN connection.
For more information, see VPC with public and private subnets and AWS Site-to-Site VPN access in the AWS documentation.
3.2.3. Red Hat OpenShift Service on AWS classic architecture with Local Zones
Red Hat OpenShift Service on AWS classic architecture supports the use of AWS Local Zones, which are metropolis-centralized availability zones where customers can place latency-sensitive application workloads within a VPC. Local Zones are extensions of AWS Regions and are not enabled by default. When Local Zones are enabled and configured, the traffic is extended into the Local Zones for greater flexibility and lower latency. For more information, see "Configuring machine pools in Local Zones".
The following diagram displays a Red Hat OpenShift Service on AWS classic architecture cluster without traffic routed into a Local Zone.
Figure 3.3. Red Hat OpenShift Service on AWS classic architecture cluster without traffic routed into Local Zones
The following diagram displays a Red Hat OpenShift Service on AWS classic architecture cluster with traffic routed into a Local Zone.
Figure 3.4. Red Hat OpenShift Service on AWS classic architecture cluster with traffic routed into Local Zones
Additional resources
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}