ROSA with PrivateLink deployment does not support custom VPC Endpoints for S3

Solution Verified

Environment

  • Red Hat OpenShift Service on AWS
    • With PrivateLink

Issue

  • You want to deploy ROSA with PrivateLink (PL) into your own VPC and add a custom VPC endpoint for S3, so that the cluster's S3 traffic stays on the AWS network instead of going out to the internet.

Resolution

  • At the time of writing, adding a VPC endpoint for S3 of any type (gateway or interface) that affects the S3 traffic of a ROSA with PL cluster is not supported.
  • ROSA with PL assumes that outbound S3 traffic leaves through the internet. The ROSA documentation states:
For AWS PrivateLink clusters, internet gateways, NAT gateways and public subnets are not required, 
but the private subnets must have internet connectivity provided to install required components.
  • The "AWS::EC2::VPCEndpoint" resource mentioned in the ROSA docs is only for the customer's own additional access points. It does not cover AWS services that the ROSA with PL cluster itself uses, such as S3.
  • Workaround: if you have already installed the cluster with a custom S3 VPC endpoint, return the cluster to a supported state by removing the unsupported VPC endpoint(s).
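The following is an added example (not from the Red Hat article, the ROSA installer, or the ROSA docs) of the check a practitioner would run before applying the workaround: it parses the JSON that `aws ec2 describe-vpc-endpoints --filters Name=vpc-id,Values=<cluster-vpc-id>` returns, flags only the regional S3 endpoints in the cluster's VPC (a gateway endpoint diverts S3 traffic through the prefix-list routes it adds to the associated route tables; an interface endpoint with private DNS enabled diverts it by overriding the S3 hostname in the VPC), and builds the `aws ec2 delete-vpc-endpoints` command that removes them. The sample JSON, VPC ID, subnet, route table and endpoint IDs are constructed and hypothetical.

```python
"""Find VPC endpoints that divert a ROSA with PrivateLink cluster's S3 traffic.

Added example, not part of the Red Hat article or the ROSA tooling. Feed it the
output of:
    aws ec2 describe-vpc-endpoints --filters Name=vpc-id,Values=<cluster-vpc-id>
The sample below is constructed in that output's shape; all IDs are hypothetical.
"""
import json
import re
from typing import Dict, List, Optional

# Regional S3 service names look like com.amazonaws.<region>.s3. The match is
# anchored so unrelated endpoints (sts, ec2, ecr, ...) are never flagged.
S3_SERVICE_RE = re.compile(r"^com\.amazonaws\.[a-z0-9-]+\.s3$")

CLUSTER_VPC_ID = "vpc-0123456789abcdef0"  # hypothetical cluster VPC

# Constructed sample of `aws ec2 describe-vpc-endpoints` output.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "VpcEndpoints": [
        {   # S3 gateway endpoint: adds S3 prefix-list routes to the private route table
            "VpcEndpointId": "vpce-0a1b2c3d4e5f60001", "VpcEndpointType": "Gateway",
            "VpcId": CLUSTER_VPC_ID, "ServiceName": "com.amazonaws.us-east-1.s3",
            "State": "available", "RouteTableIds": ["rtb-0aaa1111bbbb2222c"],
            "SubnetIds": [], "PrivateDnsEnabled": False,
        },
        {   # S3 interface endpoint with private DNS: the S3 hostname resolves to the ENI
            "VpcEndpointId": "vpce-0a1b2c3d4e5f60002", "VpcEndpointType": "Interface",
            "VpcId": CLUSTER_VPC_ID, "ServiceName": "com.amazonaws.us-east-1.s3",
            "State": "available", "RouteTableIds": [],
            "SubnetIds": ["subnet-0ddd3333eeee4444f"], "PrivateDnsEnabled": True,
        },
        {   # STS interface endpoint: not S3, must be left alone
            "VpcEndpointId": "vpce-0a1b2c3d4e5f60003", "VpcEndpointType": "Interface",
            "VpcId": CLUSTER_VPC_ID, "ServiceName": "com.amazonaws.us-east-1.sts",
            "State": "available", "RouteTableIds": [],
            "SubnetIds": ["subnet-0ddd3333eeee4444f"], "PrivateDnsEnabled": True,
        },
        {   # S3 gateway endpoint in another VPC: not the cluster's, must be left alone
            "VpcEndpointId": "vpce-0a1b2c3d4e5f60004", "VpcEndpointType": "Gateway",
            "VpcId": "vpc-0fedcba9876543210", "ServiceName": "com.amazonaws.us-east-1.s3",
            "State": "available", "RouteTableIds": ["rtb-0ffff5555aaaa6666b"],
            "SubnetIds": [], "PrivateDnsEnabled": False,
        },
    ]
})


def find_s3_endpoints(describe_json: str, cluster_vpc_id: str) -> List[Dict]:
    """Return the S3 endpoints in the cluster VPC, with how each one diverts traffic."""
    findings = []
    for ep in json.loads(describe_json).get("VpcEndpoints", []):
        if ep.get("VpcId") != cluster_vpc_id:
            continue
        if not S3_SERVICE_RE.match(ep.get("ServiceName", "")):
            continue
        ep_type = ep.get("VpcEndpointType")
        private_dns = bool(ep.get("PrivateDnsEnabled", False))
        if ep_type == "Gateway":
            effect = ("S3 prefix-list routes in route table(s) %s send S3 traffic to the endpoint"
                      % ", ".join(ep.get("RouteTableIds", [])))
        elif private_dns:
            effect = "private DNS makes the S3 hostname resolve to the endpoint ENI inside the VPC"
        else:
            effect = ("interface endpoint without private DNS; S3 traffic is diverted only "
                      "for clients that use the endpoint-specific DNS name")
        findings.append({"id": ep["VpcEndpointId"], "type": ep_type,
                         "service": ep["ServiceName"], "private_dns": private_dns,
                         "effect": effect})
    return findings


def delete_command(findings: List[Dict]) -> Optional[str]:
    """Build the AWS CLI call that removes the flagged endpoints (None if nothing to remove)."""
    ids = [f["id"] for f in findings]
    if not ids:
        return None
    return "aws ec2 delete-vpc-endpoints --vpc-endpoint-ids " + " ".join(ids)


if __name__ == "__main__":
    found = find_s3_endpoints(SAMPLE_DESCRIBE_OUTPUT, CLUSTER_VPC_ID)
    for f in found:
        print("%s (%s, %s): %s" % (f["id"], f["type"], f["service"], f["effect"]))
    cmd = delete_command(found)
    print(cmd if cmd else "no S3 VPC endpoints in %s" % CLUSTER_VPC_ID)
```

Run it against the real `describe-vpc-endpoints` output for the cluster VPC, review the printed findings, then run the generated delete command. Deleting a gateway endpoint also removes the prefix-list routes AWS added to the associated route tables, so after the deletion the private subnets fall back to whatever default route provides their internet connectivity, which is the state the ROSA documentation quoted above expects.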

Root Cause

  • The ROSA installer is not aware of custom VPC endpoints, so supporting them requires a new feature. An RFE ticket has been filed: https://issues.redhat.com/browse/OHSS-6937

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.