Expose application workloads running on a Private ROSA Cluster through ALB Ingress to Internet

Solution Verified - Updated -


  • Red Hat OpenShift Service on AWS (ROSA)
    • 4


  • To expose application workloads running on a Private Red Hat OpenShift Service on AWS (ROSA) cluster through Application Load Balancer (ALB) Ingress to Internet.

  • Need to transfer workload from Classic Load Balancer (CLB) to Application Load Balancer (ALB) for security issue.


Disclaimer: Links contained herein to external website(s) are provided for convenience only. Red Hat has not reviewed the links and is not responsible for the content or its availability. The inclusion of any link to an external website does not imply endorsement by Red Hat of the website or their entities, products or services. You agree that Red Hat is not responsible or liable for any loss or expenses that may result due to your use of (or reliance on) the external site or content.

It is possible to create ALB Ingress on a ROSA Public/Private cluster:

Root Cause

Red Hat does provide support for ALB Ingress.

Diagnostic Steps

In between implementation, user might be receiving an error like:

{"level":"error","ts":XXXX,"logger":"backend-sg-provider","msg":"Failed to auto-create backend SG","error":"UnauthorizedOperation: You are not authorized to perform this operation. Encoded authorization failure message: -

The IAM policy attached to the role needs to have permissions to create ALB in the specified subnet.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.