Cloud Experts Documentation

Configuring ROSA with HCP Private Cluster API Access

This content is authored by Red Hat experts, but has not yet been tested on every supported configuration.

With ROSA with HCP private clusters, the AWS PrivateLink endpoint exposed in the customer's VPC has a default security group. That security group limits access to the PrivateLink endpoint to resources inside the VPC, or to resources whose IP address falls within the VPC CIDR range. To grant access to entities outside the VPC, such as networks connected through VPC peering or a transit gateway, you must create another security group that grants the necessary access and attach it to the PrivateLink endpoint.

Prerequisites

  • Your corporate network or other VPC has connectivity to the cluster's VPC.
  • You have permission to create and attach security groups within the VPC.

Procedure

  1. Set your cluster name as an environment variable by running the following command:

    export CLUSTER_NAME=<cluster_name>
    

    You can verify that the variable has been set by running the following command:

    echo $CLUSTER_NAME
    

    Example output

    hcp-private
    
  2. Find the VPC endpoint (VPCE) ID and VPC ID by running the following command:

    read -r VPCE_ID VPC_ID <<< $(aws ec2 describe-vpc-endpoints \
      --filters "Name=tag:api.openshift.com/id,Values=$(rosa describe cluster -c ${CLUSTER_NAME} -o yaml | grep '^id: ' | cut -d' ' -f2)" \
      --query 'VpcEndpoints[].[VpcEndpointId,VpcId]' \
      --output text)
    
  3. Create your security group by running the following command:

    export SG_ID=$(aws ec2 create-security-group \
      --description "Granting API access to ${CLUSTER_NAME} from outside of VPC" \
      --group-name "${CLUSTER_NAME}-api-sg" \
      --vpc-id $VPC_ID \
      --output text)
    
  4. Add an ingress rule to the security group by running the following command:

    aws ec2 authorize-security-group-ingress --group-id $SG_ID --ip-permissions FromPort=443,ToPort=443,IpProtocol=tcp,IpRanges=[{CidrIp=0.0.0.0/0}]
    
  5. Add the new security group to the VPCE by running the following command:

    aws ec2 modify-vpc-endpoint --vpc-endpoint-id $VPCE_ID --add-security-group-ids $SG_ID
    

You can now access the API of your ROSA with HCP private cluster.
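As an added example that is not part of the Red Hat page or its tooling, the script below reworks steps 4 and 5 so that the ingress rule names the peered or transit-gateway-attached CIDRs that need API access instead of 0.0.0.0/0. An interface endpoint is reachable only from the VPC and the networks routed to it, so the catch-all rule does not by itself make the API reachable from the internet, but it does admit every network that can route to the endpoint; scoping CidrIp keeps the rule to the ones you intend, and the read-back at the end confirms what is actually attached. The CIDRs, the DRY_RUN switch and the helper function names are assumptions; CLUSTER_NAME, SG_ID and VPCE_ID are the variables set in steps 1 to 3.

```shell
#!/bin/sh
# Added example, not from the Red Hat page: performs steps 4 and 5 with the
# ingress rule scoped to named CIDRs instead of 0.0.0.0/0, then reads back the
# security groups attached to the endpoint. Assumes CLUSTER_NAME, SG_ID and
# VPCE_ID were exported by steps 1-3; set DRY_RUN=1 to print the aws commands
# instead of executing them.
set -eu

# Return 0 for a well-formed IPv4 CIDR (a.b.c.d/n). The catch-all 0.0.0.0/0 is
# rejected on purpose so the rule cannot silently admit every reachable network.
valid_cidr() {
  cidr=$1
  case "$cidr" in
    0.0.0.0/0) return 1 ;;
    */*) ;;
    *) return 1 ;;
  esac
  ip=${cidr%/*}
  prefix=${cidr#*/}
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  case "$ip" in .*|*.) return 1 ;; esac
  n=0
  oldifs=$IFS
  IFS=.
  for o in $ip; do
    case "$o" in ''|*[!0-9]*) IFS=$oldifs; return 1 ;; esac
    [ "$o" -le 255 ] || { IFS=$oldifs; return 1; }
    n=$((n + 1))
  done
  IFS=$oldifs
  [ "$n" -eq 4 ]
}

# Build the --ip-permissions shorthand for TCP/443 from the allowed CIDRs.
# Each range carries a Description so the rule is self-explaining in the console.
ip_permissions() {
  ranges=""
  for cidr in "$@"; do
    valid_cidr "$cidr" || { echo "refusing CIDR: $cidr" >&2; return 1; }
    ranges="${ranges}${ranges:+,}{CidrIp=${cidr},Description=${CLUSTER_NAME:?run step 1 first}-api-access}"
  done
  [ -n "$ranges" ] || { echo "no CIDRs given" >&2; return 1; }
  printf 'FromPort=443,ToPort=443,IpProtocol=tcp,IpRanges=[%s]' "$ranges"
}

# Execute an aws CLI call, or print it when DRY_RUN=1 so the change can be reviewed first.
run_aws() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf 'aws'
    for arg in "$@"; do printf ' %s' "$arg"; done
    printf '\n'
  else
    aws "$@"
  fi
}

# Steps 4 and 5 with a scoped rule, followed by a read-back of the groups on the endpoint.
grant_api_access() {
  perms=$(ip_permissions "$@") || return 1
  run_aws ec2 authorize-security-group-ingress \
    --group-id "${SG_ID:?run step 3 first}" --ip-permissions "$perms"
  run_aws ec2 modify-vpc-endpoint \
    --vpc-endpoint-id "${VPCE_ID:?run step 2 first}" --add-security-group-ids "$SG_ID"
  run_aws ec2 describe-vpc-endpoints --vpc-endpoint-ids "$VPCE_ID" \
    --query 'VpcEndpoints[].Groups[].GroupId' --output text
}

# Example invocation with constructed CIDRs (a peered VPC and an on-premises range):
# DRY_RUN=1 grant_api_access 10.20.0.0/16 192.168.10.0/24
```

Run it with DRY_RUN=1 first to review the three aws calls it will make; the final describe-vpc-endpoints read-back should list both the endpoint's default group and the new one once the change is applied.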
