ARO egress lockdown conflicts with Entra ID Conditional Access due to dynamic egress IPs
Issue
- When Azure Red Hat OpenShift (ARO) clusters are configured with egress lockdown, traffic destined for the public Microsoft Entra ID endpoint is routed through the ARO management infrastructure via a private link. This traffic then egresses to the internet from a pool of dynamic IP addresses managed by the ARO service; these addresses change frequently, especially with new ARO releases.
- The dynamic nature of these egress IPs creates a conflict for customers who use Microsoft Entra ID Conditional Access policies to restrict access to Entra ID applications to known and trusted IP addresses. Because the ARO egress IPs are neither static nor published, it is impossible to create reliable, future-proof Conditional Access policies based on them.
- This forces customers into undesirable choices: either weakening their security posture by disabling IP-based Conditional Access, or manually tracking and updating the IPs, which is error-prone and can lead to unexpected outages.
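One way to detect the drift described above before it causes an outage, as an added example that is not part of the Red Hat article: compare the source IPs of sign-ins to the cluster's Entra ID application against the Conditional Access named-location ranges and report any source outside them. The trusted ranges, the application display name and the sign-in records are constructed sample values (record field names follow the Entra sign-in log schema).

```python
import ipaddress
import json
from collections import Counter

# Constructed sample: trusted ranges from the Conditional Access named location.
TRUSTED_RANGES = ["203.0.113.0/24", "198.51.100.0/25"]

# Constructed sample sign-in records (JSON lines), using Entra sign-in log
# field names. "aro-oauth" is an assumed display name for the cluster's app.
SAMPLE_SIGNINS = """
{"ipAddress": "203.0.113.10", "appDisplayName": "aro-oauth", "conditionalAccessStatus": "success"}
{"ipAddress": "192.0.2.77", "appDisplayName": "aro-oauth", "conditionalAccessStatus": "failure"}
{"ipAddress": "192.0.2.78", "appDisplayName": "aro-oauth", "conditionalAccessStatus": "failure"}
{"ipAddress": "2001:db8::5", "appDisplayName": "aro-oauth", "conditionalAccessStatus": "failure"}
{"ipAddress": "198.51.100.5", "appDisplayName": "other-app", "conditionalAccessStatus": "success"}
"""


def is_trusted(ip, ranges):
    """True if ip (IPv4 or IPv6) falls inside any of the trusted CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)


def untrusted_sources(signins_jsonl, app_name, ranges):
    """Return {ip: sign-in count} for sign-ins to app_name whose source IP is
    outside the trusted ranges. Each new key is a candidate ARO egress IP that
    the named location does not yet cover; malformed records are skipped."""
    counts = Counter()
    for line in signins_jsonl.strip().splitlines():
        try:
            rec = json.loads(line)
            if rec.get("appDisplayName") != app_name:
                continue
            if not is_trusted(rec["ipAddress"], ranges):
                counts[rec["ipAddress"]] += 1
        except (ValueError, KeyError):
            continue  # unparsable line or missing field: ignore
    return dict(counts)


if __name__ == "__main__":
    for ip, n in untrusted_sources(SAMPLE_SIGNINS, "aro-oauth", TRUSTED_RANGES).items():
        print(f"untrusted egress source {ip}: {n} sign-in(s)")
```

Run against an export of the tenant's sign-in logs filtered to the cluster's application; a non-empty result is the signal that the egress pool has rotated and the policy would start blocking cluster logins.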
Environment
- Azure Red Hat OpenShift (ARO) clusters configured with egress lockdown.
- Microsoft Entra ID used for in-cluster authentication.
- Microsoft Entra ID Conditional Access policies that restrict access based on IP addresses.