Is AWS firewall supported on ROSA clusters without PrivateLink?

Solution Verified - Updated -

Environment

  • Red Hat OpenShift on AWS 4

Issue

  • Supportability of AWS Network Firewall without PrivateLink for controlling egress traffic in ROSA.
  • Why does the documentation say "Only ROSA clusters deployed with PrivateLink can use a firewall to control egress traffic."?
  • Why is AWS Network Firewall not supported by Red Hat for ROSA clusters without PrivateLink?

Resolution

In a ROSA cluster, PrivateLink is the infrastructure requirement for a cluster to be considered as not using an Internet Gateway. Technically it might be possible to replace the Internet Gateway with some other mechanism that provides public egress; however, Red Hat does not support this from an architecture perspective.

Having PrivateLink guarantees that Red Hat has the access it requires. Red Hat's requirements state that, without PrivateLink, the default route (0.0.0.0/0) from the cluster's subnets goes through the NAT Gateways directly to the Internet Gateway.
This precludes the customer from placing a Network Firewall between the cluster and the Internet Gateway.
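As an added example that is not part of this solution, the following Python walks the 0.0.0.0/0 route chain from a cluster subnet to show whether the egress path is NAT Gateway then Internet Gateway directly, or whether a firewall endpoint sits in between. It assumes only the JSON shape returned by `aws ec2 describe-route-tables` and `aws ec2 describe-nat-gateways`; every id and record in it is a constructed sample.

```python
# Added example, not code from the Red Hat article: trace a subnet's 0.0.0.0/0
# egress path from describe-route-tables / describe-nat-gateways style data and
# report whether a firewall endpoint (vpce-) sits before the Internet Gateway (igw-).
# Every id and record below is a constructed sample, not a value from the article.

def route_table_for(route_tables, subnet_id):
    """An explicitly associated table wins; otherwise the VPC's main table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def default_target(rt):
    for route in rt.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route.get("NatGatewayId") or route.get("VpcEndpointId") or route.get("GatewayId")
    return None

def egress_path(route_tables, nat_gateways, subnet_id):
    """Follow the default route hop by hop; a NAT hop continues from the NAT's own subnet."""
    nat_subnet = {n["NatGatewayId"]: n["SubnetId"] for n in nat_gateways}
    path, seen = [], set()
    while subnet_id and subnet_id not in seen:  # 'seen' guards against route loops
        seen.add(subnet_id)
        rt = route_table_for(route_tables, subnet_id)
        target = default_target(rt) if rt else None
        if target is None:  # no default route: dead end
            break
        path.append(target)
        subnet_id = nat_subnet.get(target)  # None unless the hop is a NAT gateway
    return path

def firewall_in_path(path):
    return any(hop.startswith("vpce-") for hop in path)

# Constructed sample: subnet A egresses NAT -> IGW directly; subnet B egresses NAT -> firewall endpoint.
ROUTE_TABLES = [
    {"Associations": [{"SubnetId": "subnet-cluster-a"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-aaaa"}]},
    {"Associations": [{"SubnetId": "subnet-public-a"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-aaaa"}]},
    {"Associations": [{"SubnetId": "subnet-cluster-b"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-bbbb"}]},
    {"Associations": [{"SubnetId": "subnet-public-b"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "VpcEndpointId": "vpce-fwbb"}]},
]
NAT_GATEWAYS = [{"NatGatewayId": "nat-aaaa", "SubnetId": "subnet-public-a"},
                {"NatGatewayId": "nat-bbbb", "SubnetId": "subnet-public-b"}]
```

For subnet A the path is NAT then IGW with no firewall hop, which is the topology the resolution describes; for subnet B a vpce- hop appears before the Internet Gateway.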

Root Cause

Without PrivateLink, ROSA clusters do not meet the prerequisites for using AWS Network Firewall.
Only ROSA clusters deployed with PrivateLink are supported for using a firewall to control egress traffic.
This is also stated in the official ROSA documentation.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
