Azure Virtual Appliance Routing with Ansible Automation Platform on Azure

Your organization may use Azure firewall services or third-party firewall appliances through a Virtual Appliance connection. When configuring outbound routes in the route table for Ansible Automation Platform on Azure, you must account for the outbound traffic that Ansible on Azure requires so that Red Hat can manage it properly, including upgrades and security patching.

When configuring virtual appliance firewalls, you must allow outbound traffic from the CIDR block (e.g. 192.168.0.0/24) of the Ansible on Azure managed application to the following top-level domains and their sub-domains. The entire CIDR block of the managed application VNET is required because any node in the AKS cluster may send requests to these domains to pull updates for the containers used by Ansible Automation Platform.

  • redhat.com
  • *.redhat.com
  • registry.redhat.io
  • *.registry.redhat.io
  • quay.io
  • *.quay.io
  • letsencrypt.org
  • *.letsencrypt.org
  • gcr.io
  • *.gcr.io
  • docker.com
  • *.docker.com
  • docker.io
  • *.docker.io
  • googleapis.com
  • *.googleapis.com
  • *.microsoftonline.com
  • mcr.microsoft.com
  • *.mcr.microsoft.com
  • dynatrace.com - Port 443
  • *.dynatrace.com - Port 443
  • segment.io
  • *.segment.io
  • github.com
  • *.github.com

The following Azure Storage endpoint must be allow-listed so that certain operational tasks can complete:

  • *.blob.core.windows.net - Port 443

At the following link, Azure maintains an up-to-date list of FQDNs that an AKS cluster may use to communicate and integrate with other Azure services. Allowing traffic to every endpoint listed there may not be necessary, but keep the list in mind if you observe traffic being routed to any of those endpoints:

  • https://learn.microsoft.com/en-us/azure/aks/outbound-rules-control-egress

In addition, Azure publishes the complete list of IP ranges used by its services at the following link:

  • https://www.microsoft.com/en-us/download/details.aspx?id=56519

This can help you understand what kinds of connections are going in and out of your AKS cluster.

Depending on which collections and roles you import, and on the dependencies they resolve, you may need to unblock additional domains beyond the list above. Customers can ensure that such domains are unblocked by adjusting their firewall rules according to how they use the product.

You also need to allow traffic through your firewall to any other external domain or IP address that Ansible Automation Platform runs automation jobs against. Otherwise, your firewall will block connectivity between Ansible Automation Platform and its automation targets.
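As an added example (not from this article, Red Hat, or the product), the following Python encodes the allow list above with the article's wildcard and port semantics and triages constructed flow records from the managed application's VNET, flagging destinations that a firewall built from the list would drop. The 192.168.0.0/24 range and the `src=... dst=... port=...` record format are assumptions.

```python
import ipaddress

# Allow list from the article: bare name = that host only, "*.name" = any sub-domain; value = allowed ports (None = any).
ALLOW = {
    "redhat.com": None, "*.redhat.com": None, "registry.redhat.io": None,
    "*.registry.redhat.io": None, "quay.io": None, "*.quay.io": None,
    "letsencrypt.org": None, "*.letsencrypt.org": None, "gcr.io": None, "*.gcr.io": None,
    "docker.com": None, "*.docker.com": None, "docker.io": None, "*.docker.io": None,
    "googleapis.com": None, "*.googleapis.com": None, "*.microsoftonline.com": None,
    "mcr.microsoft.com": None, "*.mcr.microsoft.com": None,
    "dynatrace.com": {443}, "*.dynatrace.com": {443},
    "segment.io": None, "*.segment.io": None, "github.com": None, "*.github.com": None,
    "*.blob.core.windows.net": {443},
}
MANAGED_APP_CIDR = ipaddress.ip_network("192.168.0.0/24")  # assumed: the article's example range

def egress_allowed(fqdn: str, port: int) -> bool:
    """True if fqdn:port is covered by an ALLOW entry."""
    host = fqdn.rstrip(".").lower()
    for entry, ports in ALLOW.items():
        if entry.startswith("*."):
            matched = host.endswith(entry[1:])  # entry[1:] is ".suffix", so the apex never matches
        else:
            matched = host == entry
        if matched and (ports is None or port in ports):
            return True
    return False

def triage(log_lines):
    """Label each 'src=IP dst=FQDN port=N' record: allowed, blocked, or out-of-scope source."""
    results = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        if ipaddress.ip_address(fields["src"]) not in MANAGED_APP_CIDR:
            verdict = "out-of-scope"  # not from the managed application's VNET
        elif egress_allowed(fields["dst"], int(fields["port"])):
            verdict = "allowed"
        else:
            verdict = "blocked"  # would be dropped: candidate extra collection/role domain
        results.append((fields["dst"], verdict))
    return results

# Constructed sample flow records, not real telemetry.
SAMPLE_LOG = [
    "src=192.168.0.12 dst=cdn.quay.io port=443",
    "src=192.168.0.40 dst=microsoftonline.com port=443",  # only *.microsoftonline.com is listed
    "src=192.168.0.7 dst=notredhat.com port=443",  # suffix look-alike: must not match *.redhat.com
    "src=192.168.0.7 dst=acct.blob.core.windows.net port=80",  # right host, wrong port
    "src=10.0.0.5 dst=quay.io port=443",
]
```

Records labelled "blocked" are the ones to compare against the collection and role sources you actually use before adding a rule.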
