
Azure Front Door with ARO (Azure Red Hat OpenShift)

This content is authored by Red Hat experts, but has not yet been tested on every supported configuration.

Securely exposing an Internet-facing application from a private ARO cluster.

When you create a cluster on ARO you have several options for making the cluster public or private. With a public cluster you allow Internet traffic to the API and *.apps endpoints. With a private cluster you can make either or both of the API and *.apps endpoints private.

How can you allow Internet access to an application running on your private cluster when the *.apps endpoint is private? This document will guide you through using Azure Front Door to expose your applications to the Internet. This approach has several advantages: your cluster and all the resources in your Azure account can remain private, giving you an extra layer of security. Azure Front Door operates at the edge, so traffic is controlled before it even enters your Azure account. On top of that, Azure Front Door also offers WAF and DDoS protection, certificate management and SSL offloading, to name a few benefits.

Adapted from the ARO Reference Architecture.

Prerequisites

  • az cli
  • oc cli
  • a custom domain
  • a DNS zone that you can easily modify

To build and deploy the application

Make sure to use the same terminal session for all commands while going through this guide, as we will reference environment variables set or created along the way.

Get Started

Set Environment Variables

  1. Manually set environment variables

  2. Set environment variables with Bash

After we have the cluster up and running, we need to create a private link service. The private link service will provide private and secure connectivity between the Front Door Service and our cluster.

  1. Disable the private link service network policy on the worker subnet

  2. Create a private link service targeting the worker subnets

Create and Configure an instance of Azure Front Door

  1. Create a Front Door Instance

  2. Create an endpoint for the ARO Internal Load Balancer

  3. Create a Front Door Origin Group that will point to the ARO Internal Load Balancer

  4. Create a Front Door Origin in the above Origin Group that will point to the ARO Internal Load Balancer

  5. Approve the private link connection

  6. Add your custom domain to Azure Front Door

  7. Create an Azure Front Door endpoint for your custom domain

  8. Add an Azure Front Door route for your custom domain

  9. Update DNS

    Get a validation token from Front Door so Front Door can validate your domain

  10. Create a DNS Zone

    You will need to configure your nameservers to point to Azure. The output of the zone create command will show you the nameservers for this zone, which you will need to set up with your domain registrar.

    Create a new TXT record in your DNS zone

  11. Check if the domain has been validated:

    Note that this can take several hours. Your FQDN will not resolve until Front Door validates your domain.

  12. Add a CNAME record to DNS

    Get the Azure Front Door endpoint:

    Create a CNAME record for the application
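The private link service and Front Door origin steps above, written out as an added example (these are not the page's own commands). It assumes CLUSTER, RG, LOCATION, VNET, WORKER_SUBNET, AFD_PROFILE and a chosen PLS_NAME are set and looks up the ingress IP, the internal load balancer frontend and the managed resource group with az; the origin group name aro-ilb is an arbitrary choice.

```shell
#!/usr/bin/env bash
# Added example (not the page's own commands). Assumes CLUSTER, RG, LOCATION, VNET,
# WORKER_SUBNET, AFD_PROFILE and PLS_NAME are set; other values are looked up with az.
check_env() {
  # Fail before any az call if a required variable is unset or empty.
  for v in CLUSTER RG LOCATION VNET WORKER_SUBNET AFD_PROFILE PLS_NAME; do
    eval "val=\${$v:-}"
    if [ -z "$val" ]; then echo "missing $v" >&2; return 1; fi
  done
}
lookup_cluster_ids() {
  # The ingress IP is a frontend of the ARO internal load balancer, which lives in
  # the cluster's managed resource group; select that frontend config by IP.
  ARO_RG=$(az aro show -g "$RG" -n "$CLUSTER" --query clusterProfile.resourceGroupId -o tsv | sed 's#.*/##')
  INGRESS_IP=$(az aro show -g "$RG" -n "$CLUSTER" --query 'ingressProfiles[0].ip' -o tsv)
  ILB_FRONTEND_ID=$(az network lb list -g "$ARO_RG" \
    --query "[].frontendIPConfigurations[] | [?privateIPAddress=='$INGRESS_IP'].id | [0]" -o tsv)
  WORKER_SUBNET_ID=$(az network vnet subnet show -g "$RG" --vnet-name "$VNET" -n "$WORKER_SUBNET" --query id -o tsv)
}
create_private_link_service() {
  # Azure refuses to create a PLS while network policies are enabled on the subnet.
  az network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$WORKER_SUBNET" \
    --disable-private-link-service-network-policies true
  PLS_ID=$(az network private-link-service create -g "$RG" -n "$PLS_NAME" -l "$LOCATION" \
    --subnet "$WORKER_SUBNET_ID" --lb-frontend-ip-configs "$ILB_FRONTEND_ID" --query id -o tsv)
}
create_front_door_origin() {
  # Private Link origins need the Premium SKU; the origin targets the ILB IP over the PLS.
  az afd profile create -g "$RG" --profile-name "$AFD_PROFILE" --sku Premium_AzureFrontDoor
  az afd origin-group create -g "$RG" --profile-name "$AFD_PROFILE" --origin-group-name aro-ilb \
    --probe-request-type GET --probe-protocol Http --probe-path / --probe-interval-in-seconds 120 \
    --sample-size 4 --successful-samples-required 3 --additional-latency-in-milliseconds 50
  az afd origin create -g "$RG" --profile-name "$AFD_PROFILE" --origin-group-name aro-ilb \
    --origin-name aro-ilb --host-name "$INGRESS_IP" --http-port 80 --https-port 443 \
    --priority 1 --weight 1000 --enabled-state Enabled --enable-private-link true \
    --private-link-resource "$PLS_ID" --private-link-location "$LOCATION" \
    --private-link-request-message 'Front Door to ARO ingress'
}
approve_private_link() {
  # Front Door's request is a pending connection on the PLS; no traffic flows until approved.
  PE_CONN_ID=$(az network private-link-service show -g "$RG" -n "$PLS_NAME" \
    --query 'privateEndpointConnections[0].id' -o tsv)
  az network private-endpoint-connection approve --id "$PE_CONN_ID" --description Approved
}
# Run only when explicitly requested so the functions can be sourced or checked dry.
if [ "${AFD_APPLY:-0}" = 1 ]; then
  check_env && lookup_cluster_ids && create_private_link_service \
    && create_front_door_origin && approve_private_link
fi
```

Run it with AFD_APPLY=1 after logging in with az; the custom domain, route and DNS steps are left to the list above.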

Deploy an application

Now the fun part, let’s deploy an application! We will be deploying a Java-based application called microsweeper. This is an application that runs on OpenShift and uses a PostgreSQL database to store scores. With ARO being a first-class service on Azure, we will create an Azure Database for PostgreSQL service and connect it to our cluster with a private endpoint.

  1. Create an Azure Database for PostgreSQL server

  2. Create a private endpoint connection for the database

  3. Create and configure a private DNS Zone for the Postgres database

  4. Create a Postgres database that will hold the scores for the minesweeper application
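The database steps above as an added example (not the page's own commands): a PostgreSQL server with public access disabled, a private endpoint in the VNet, a private DNS zone so the server name resolves to the endpoint, and a lookup of the private IP that goes into application.properties. It assumes the Single Server option (the az postgres server command group) and that RG, LOCATION, VNET, PE_SUBNET, PG_SERVER, PG_ADMIN and PG_PASSWORD are set.

```shell
#!/usr/bin/env bash
# Added example (not the page's own commands). Assumes RG, LOCATION, VNET, PE_SUBNET
# (a subnet for the endpoint), PG_SERVER, PG_ADMIN and PG_PASSWORD are set.
PG_ZONE=privatelink.postgres.database.azure.com
check_env() {
  for v in RG LOCATION VNET PE_SUBNET PG_SERVER PG_ADMIN PG_PASSWORD; do
    eval "val=\${$v:-}"
    if [ -z "$val" ]; then echo "missing $v" >&2; return 1; fi
  done
}
create_postgres() {
  # Public network access is disabled: the server is reachable only through the private endpoint.
  PG_ID=$(az postgres server create -g "$RG" -n "$PG_SERVER" -l "$LOCATION" \
    --admin-user "$PG_ADMIN" --admin-password "$PG_PASSWORD" --sku-name GP_Gen5_2 \
    --public-network-access Disabled --query id -o tsv)
}
create_private_endpoint() {
  # group-id postgresqlServer selects the database sub-resource of the server.
  az network private-endpoint create -g "$RG" -n "$PG_SERVER-pe" -l "$LOCATION" \
    --vnet-name "$VNET" --subnet "$PE_SUBNET" --private-connection-resource-id "$PG_ID" \
    --group-id postgresqlServer --connection-name "$PG_SERVER-conn"
}
create_private_dns() {
  # Inside the VNet, <server>.postgres.database.azure.com now resolves to the endpoint IP
  # rather than the public address; the zone group keeps the A record in sync.
  az network private-dns zone create -g "$RG" -n "$PG_ZONE"
  az network private-dns link vnet create -g "$RG" -z "$PG_ZONE" -n "$PG_SERVER-dns-link" \
    --virtual-network "$VNET" --registration-enabled false
  az network private-endpoint dns-zone-group create -g "$RG" --endpoint-name "$PG_SERVER-pe" \
    -n default --private-dns-zone "$PG_ZONE" --zone-name postgres
}
postgres_private_ip() {
  # The endpoint's NIC holds the address to put into application.properties.
  NIC_ID=$(az network private-endpoint show -g "$RG" -n "$PG_SERVER-pe" \
    --query 'networkInterfaces[0].id' -o tsv)
  az network nic show --ids "$NIC_ID" --query 'ipConfigurations[0].privateIPAddress' -o tsv
}
# Run only when explicitly requested so the functions can be sourced or checked dry.
if [ "${PG_APPLY:-0}" = 1 ]; then
  check_env && create_postgres && create_private_endpoint && create_private_dns && postgres_private_ip
fi
```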

Deploy the minesweeper application

  1. Clone the git repository

  2. Change to the root directory

  3. Ensure Java 1.8 is set as your Java version

    Look for Java version 1.8XXXX. If your version is not Java 1.8 you will need to set your JAVA_HOME variable to the Java 1.8 you have installed. To find your Java versions run:

    then export your JAVA_HOME variable

  4. Log into your OpenShift cluster

    Before you deploy your application, you will need to be connected to a private network that has access to the cluster.

    A great way to establish this connectivity is with a VPN connection. Follow this guide to set up a VPN connection with your Azure account.

  5. Create a new OpenShift Project

  6. Add the OpenShift extension to Quarkus

  7. Edit microsweeper-quarkus/src/main/resources/application.properties

    Make sure your file looks like the one below, changing the IP address on line 3 to the private IP address of your Postgres instance.

    To find your Postgres private IP address run the following commands:

    Sample microsweeper-quarkus/src/main/resources/application.properties

  8. Build and deploy the Quarkus application to OpenShift

  9. Create a route for your custom domain. In the snippet below, replace the host with your own hostname:

  10. Check the DNS settings of your application.

    Notice that the application URL is routed through Azure Front Door at the edge. The only way this application running on your cluster can be accessed is through Azure Front Door, which is connected to your cluster through a private endpoint.

    Sample output:

Test the application

Point your browser to your domain!

Clean up

To clean up everything you created, simply delete the resource group.
