Skip to content

Commit da4a0da

Browse files
nedoshicursoragent
andcommitted
Add guide for accessing private ROSA HCP cluster via public NLB
Document using an internet-facing NLB to reach a private ROSA HCP cluster API. Validated on ROSA HCP 4.20. Homepage link omitted per maintainer review. Signed-off-by: Nerav Doshi <103272684+nedoshi@users.noreply.github.com> Co-authored-by: Cursor <cursoragent@cursor.com>
1 parent a56985b commit da4a0da

4 files changed

Lines changed: 224 additions & 0 deletions

File tree

Lines changed: 224 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,224 @@
1+
---
2+
date: '2025-02-05'
3+
title: Accessing a Private ROSA Hosted Control Plane (HCP) Cluster with an AWS Network Load Balancer
4+
tags: ["ROSA", "ROSA HCP"]
5+
authors:
6+
- Nerav Doshi
7+
- Michael McNeill
8+
validated_version: "4.20"
9+
---
10+
## Overview
11+
12+
This document provides guidance on using a public AWS Network Load Balancer (NLB) to connect to a private Red Hat OpenShift on AWS (ROSA) Hosted Control Plane (HCP) cluster. When the cluster is private and lacks direct public IP access, the NLB facilitates secure and reliable routing of traffic from public sources to the private cluster by exposing a stable endpoint while maintaining network isolation. This setup ensures that the private cluster can effectively handle external traffic, such as requests from APIs or services, without directly exposing sensitive internal infrastructure to the Internet.
13+
14+
The end-to-end traffic flow is:
15+
16+
``` bash
17+
Client (Internet)
18+
→ DNS (api.example.com)
19+
→ Internet-facing NLB (TLS:443, ACM certificate for api.example.com)
20+
→ Target group (IP addresses, TLS:443)
21+
→ Private IPs of ROSA HCP VPC endpoint ENIs
22+
→ Cluster Kubernetes API
23+
```
24+
25+
## Pre-requisites
26+
27+
1. A private ROSA HCP cluster already running (4.20+) (see the [Deploying ROSA HCP documentation](https://docs.aws.amazon.com/rosa/latest/userguide/getting-started-hcp.html)).
28+
29+
2. In this example, we will use Entra ID as the external authentication for ROSA HCP cluster (see [Configuring Microsoft Entra ID as an external authentication provider](/experts/rosa/entra-external-auth/))
30+
31+
32+
3. (Optional) Launch a Jump Host EC2 instance in Public NLB VPC
33+
34+
This guide requires connectivity to the cluster. Since we are using a private cluster you must ensure that your workstation is connected to the AWS VPC hosting the ROSA cluster. If you already have this connectivity through a VPN, Direct Connect or other method you can skip this section. If you do need to establish connectivity to the cluster [these instructions](/experts/rosa/hcp-private-nlb/rosa-private-nlb-jumphost/) will guide you through creating a jump host and connect to the ROSA HCP cluster.
35+
36+
4. A public domain you control (for example example.com) with a Route 53 public hosted zone in the same AWS account
37+
38+
## Create a security group, a target group and network load balancer in your AWS account
39+
40+
Once the ROSA HCP cluster is installed with external authentication using Entra ID we need to set up an additional security group to grant access outside the VPC, as well as create target group and a NLB.
41+
42+
### Create a Security Group for NLB:
43+
44+
Navigate to the **Security Groups** section in the AWS console click on **Create security group**.
45+
46+
- **Name tag**: Give your security group a name. Select the VPC in which your Network Load Balancer is in.**Click Create**.
47+
- **Modify Inbound rules** Select the newly created security group from the list. Navigate to the **Inbound rules** tab and click **Edit Inbound rules**. Add a new inbound rule with the following settings:
48+
- **Type**: Choose the appropriate protocol for your NLB (e.g., HTTP, HTTPS, or TCP, depending on the service you're exposing).
49+
- **Protocol**: Choose the protocol for your NLB (TCP is commonly used for NLBs).
50+
- **Port Range**: Specify the port on which your NLB is listening on (e.g., 80 for HTTP, 443 for HTTPS).
51+
- **Source**:
52+
- Choose **My IP** to allow access from your current IP address.
53+
- Alternatively, specify a custom IP range in CIDR format (e.g., `192.x.x.x/24` for a specific subnet).
54+
55+
example output from the AWS console :
56+
57+
![AWS Console Additional Security group](./images/aws-portal-sg-allow-access.png)
58+
59+
### Create a target group with VPC Endpoints as targets
60+
61+
Define the target group with a list of VPC endpoints IPs that an NLB can access based on configured rules and health checks; allowing for load balancing across multiple instances within the group.
62+
63+
Here is a step-by-step guide for creating a target group in AWS for your network load balancer:
64+
65+
1. Create a Target Group:
66+
- Navigate to the **Target Groups** section in the AWS console and click **Create target group**.
67+
- **Target type**: Select **IP addresses** if you're using IP-based routing (common for VPCEs or EC2 instances located in private subnets).
68+
- **Protocol**: Choose **TLS** to secure your communication.
69+
- **Port**: Set the **Port** to **443**, which is the standard port for secure HTTPS/TLS traffic.
70+
- **VPC**: Choose the **VPC** where your targets for ROSA HCP VPCEs are located.
71+
72+
2. Configure Health Checks:
73+
- **Health check protocol**: Set to **TCP** to verify that the backend targets are healthy and accepting connections.
74+
- **Health check port**: Set to **443**, which matches the port your targets will use for traffic.
75+
- **Health check path**: Leave this field empty or specify path (e.g., `/health`) if you want to perform HTTP/HTTPS health checks.
76+
- Optionally adjust other health check settings (e.g., threshold, interval) according to your requirements.
77+
78+
3. Add Targets:
79+
- **IP addresses**: Enter the **IP addresses** of the targets that should be included in this target group. You might enter the IPs of VPCEs that you want the load balancer to route traffic to private HCP cluster.
80+
- Click **Include as pending below** to add these targets to the group.
81+
82+
4. **Create the Target Group**:
83+
- After verifying all your settings, click **Create target group** to complete the setup of your target group.
84+
85+
Once created, you can associate this target group with your NLB listener to route traffic to the ROSA HCP cluster.
86+
87+
example output from the AWS console :
88+
89+
![AWS Console Target Group](./images/aws-portal-targetgroup.png)
90+
91+
### Create and configure the public NLB
92+
93+
Here is a step-by-step guide for creating a Network Load Balancer (NLB) and configuring it with your domain:
94+
95+
1. Create the NLB:
96+
- **Scheme**: Choose **Internet-facing**. This option allows your NLB to be accessible from the internet.
97+
- **VPC**: Select the **VPC** where your ROSA HCP cluster and VPC endpoint targets are located.
98+
- **Security Groups**: Select a **security group** that allows access to your API from your IP address. This should be configured to allow inbound traffic on the port you’ll be using (usually port 443 for secure communication).
99+
100+
2. Configure Listeners and Routing:
101+
- **Protocol**: Set the **Protocol** to **TLS**, to secure communication.
102+
- **Port**: Set the **Port** to **443**, which is the standard port for HTTPS traffic.
103+
- **Target Group**: Choose the **target group** you created earlier. This will route the incoming traffic to the appropriate targets.
104+
105+
3. Secure Listener Settings (Optional but recommended for HTTPS):
106+
- **Certificate (from AWS Certificate Manager (ACM))**:
107+
- Select or **create a new certificate** using AWS ACM.
108+
- This certificate should be for the **domain name** you plan to use for your externally facing API. For example, if your API will be accessible at `api.example.com`, ensure the certificate matches that domain.
109+
110+
- Leave other settings at their **default values** unless specific changes are needed.
111+
112+
4. Create the Load Balancer:
113+
- After configuring all the settings, click **Create load balancer** to finalize the setup of your Network Load Balancer.
114+
115+
5. Update Route 53:
116+
- **Create a Record**: In **Amazon Route 53**, create a new DNS **record** that points to the NLB's **DNS name**.
117+
- The record should match the **domain name** for which the ACM certificate was issued (e.g., `api.example.com`).
118+
- Use the **Alias** record type to point to the NLB. AWS provides the DNS name of your NLB, which you can directly map to the record.
119+
120+
This configuration will ensure that traffic is securely routed from the internet to your API, leveraging the NLB to distribute traffic to your backend resources.
121+
122+
example output from the AWS console :
123+
124+
![AWS Console NLB](./images/aws-portal-public-nlb.png)
125+
126+
### Validate the connection to the NLB
127+
128+
Validate that you can access the NLB from your machine using the API domain name. For example:
129+
130+
```bash
131+
export API_URL=https://api.example.com
132+
curl "${API_URL}/version"
133+
```
134+
135+
example output:
136+
137+
```bash
138+
[ec2-user@ipaddress ~]$ curl -v https://api.example.com/version
139+
{
140+
"major": "1",
141+
"minor": "28",
142+
"gitVersion": "v1.28.15+ff493be",
143+
"gitCommit": "4abcdefgchijklms",
144+
"gitTreeState": "clean",
145+
"buildDate": "2024-11-23T03:11:13Z",
146+
"goVersion": "go1.20.12 X:strictfipsruntime",
147+
"compiler": "gc",
148+
"platform": "linux/amd64"
149+
}
150+
```
151+
152+
### Validate connection to ROSA HCP cluster's API
153+
154+
If you have not already done so, set `API_URL` to the NLB endpoint (for example `https://api.example.com`).
155+
156+
Create a KUBECONFIG file with Entra ID details for a [ROSA HCP cluster with external auth enabled](/experts/rosa/entra-external-auth/). For example, create **rosa-auth.kubeconfig** with the following information:
157+
158+
```bash
159+
kube_config="
160+
apiVersion: v1
161+
clusters:
162+
- cluster:
163+
server: ${API_URL}
164+
name: cluster
165+
contexts:
166+
- context:
167+
cluster: cluster
168+
namespace: default
169+
user: oidc
170+
name: admin
171+
current-context: admin
172+
kind: Config
173+
preferences: {}
174+
users:
175+
- name: oidc
176+
user:
177+
exec:
178+
apiVersion: client.authentication.k8s.io/v1
179+
args:
180+
- oidc-login
181+
- get-token
182+
- --oidc-issuer-url=https://login.microsoftonline.com/${TENANT_ID}/v2.0
183+
- --oidc-client-id=${CLIENT_ID}
184+
- --oidc-client-secret=${CLIENT_SECRET}
185+
- --oidc-extra-scope=email
186+
- --oidc-extra-scope=openid
187+
command: oc
188+
env: null
189+
interactiveMode: Never
190+
"
191+
echo "${kube_config}" > rosa-auth.kubeconfig
192+
```
193+
194+
Set the `KUBECONFIG` environment variable to the location of the `rosa-auth.kubeconfig` file. This will configure the OpenShift CLI to authenticate against the ROSA cluster with the OIDC client.
195+
196+
197+
```bash
198+
export KUBECONFIG=$(pwd)/rosa-auth.kubeconfig
199+
```
200+
201+
Confirm your access to the cluster by running the following command:
202+
203+
```bash
204+
oc get nodes
205+
```
206+
example output:
207+
208+
```bash
209+
NAME STATUS ROLES AGE VERSION
210+
ip-10-0-0-170.ec2.internal Ready worker 3h29m v1.30.7
211+
ip-10-0-1-171.ec2.internal Ready worker 3h30m v1.30.7
212+
ip-10-0-2-161.ec2.internal Ready worker 3h29m v1.30.7
213+
```
214+
To verify you are logged in as user of the group, run the following command:
215+
216+
```bash
217+
oc auth whoami
218+
```
219+
example output:
220+
```bash
221+
ATTRIBUTE VALUE
222+
Username XXXXXXX@redhat.com
223+
Groups [0000000000000000 system:authenticated]
224+
```
146 KB
Loading
113 KB
Loading
194 KB
Loading

0 commit comments

Comments
 (0)