Azure Bastion Host, Azure Firewall, Azure Red Hat OpenShift

N-Open 160 Reputation points
2023-11-16T04:25:33.9866667+00:00

Dear Team,

Hope you are doing well. We are working with a vendor who will be developing an application on an Azure Red Hat OpenShift cluster. We have to give them secure access to ARO and at the same time access to the internet to download some software on a virtual machine (Azure CLI, OC, other programs for development).

  1. Plan is to connect the vendor via Azure Bastion to virtual machines (Azure CLI, OC CLI) and then connect to ARO
  2. Can Private link be used between VM and ARO?
  3. Virtual machine will not have public IP (hope it works without it)
  4. Allow the vendor to connect from the virtual machines to the Internet via Azure Firewall rules to specific sites and ports. Is this possible via rules, please?
  5. Control traffic between Azure Firewall, Virtual machine and ARO via NSG
  6. Any other traffic to block between the components.

Please advise.


Accepted answer
GitaraniSharma-MSFT (Microsoft Employee)
2023-11-16T08:02:26.06+00:00

    Hello @N-Open ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you would like to know how to give a user secure access to ARO (Azure Red Hat OpenShift cluster) and access to the internet to download some software from a virtual machine via Azure Firewall rules, while making sure that the Azure VM doesn't have a Public IP but is accessible via Azure Bastion. And the VM should be connected to the ARO via Private Link.

    All your questions will be answered in the below document which provides design considerations and recommendations to protect and secure your Azure Red Hat OpenShift deployments:

    https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/app-platform/azure-red-hat-openshift/security

    https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/app-platform/azure-red-hat-openshift/landing-zone-accelerator

    Plan is to connect the vendor to Azure bastion to Virtual machines (Azure CLI, OC CLI) and then connect to ARO.

    You can use a bastion host, or jump box, to securely access Azure Red Hat OpenShift Private Cluster:

    https://learn.microsoft.com/en-us/azure/aks/operator-best-practices-network#securely-connect-to-nodes-through-a-bastion-host

    You can connect to the VM via Azure Bastion and then log into the cluster using the kubeadmin user CLI command to find the cluster console URL and then launch the console URL in a browser and login using the kubeadmin credentials.

    https://learn.microsoft.com/en-us/azure/bastion/bastion-connect-vm-rdp-windows

    https://learn.microsoft.com/en-us/azure/openshift/howto-create-private-cluster-4x#connect-to-the-private-cluster

    Can Private link be used between VM and ARO?

    Yes, this is possible.

    https://learn.microsoft.com/en-us/azure/container-registry/container-registry-private-link

    You can configure a private endpoint for your registry using the Azure portal (recommended) or the Azure CLI. This feature is available in the Premium container registry service tier.

    Keep in mind that some functionality may be unavailable or require more configuration in a container registry that restricts access to private endpoints, selected subnets, or IP addresses and this can be found in the above document.

    You can also use Azure Front Door Premium to secure access to private Azure Red Hat OpenShift cluster directly.

    Refer: https://learn.microsoft.com/en-us/azure/openshift/howto-secure-openshift-with-front-door

    Virtual machine will not have public IP (hope it works without it)

    Yes, virtual machine doesn't need a Public IP as the access to the VM will be via Azure Bastion host.

    Azure Bastion opens the RDP/SSH connection to your Azure VM by using the private IP address on your VM. You don't need a public IP address on your virtual machine.

    Refer: https://learn.microsoft.com/en-us/azure/bastion/bastion-overview

    Allow Vendor to connect from virtual machines to Internet via Azure Firewall rules to specific sites and ports. Is this possible via rules please?

    Yes, this is possible.

    By default, Azure Red Hat OpenShift clusters have unrestricted egress internet access.

    You can deploy Azure Red Hat OpenShift with restricted egress traffic by adding a user-defined route (UDR) that has a 0.0.0.0/0 route to Azure Firewall or to a network virtual appliance. Azure Red Hat OpenShift has an egress lockdown function that ensures access, even if the outbound traffic is restricted by a firewall appliance or by other means.

    Important: If you use Azure Firewall to restrict egress traffic and create a UDR to force all egress traffic, make sure that you create an appropriate Destination Network Address Translation (DNAT) rule in Azure Firewall to correctly allow ingress traffic. Using Azure Firewall with a UDR breaks the ingress setup due to asymmetric routing. The issue occurs if the Azure Red Hat OpenShift subnet has a default route that goes to the firewall's private IP address, but you're using a public load balancer (ingress or Kubernetes service of type Load Balancer). In this case, the incoming load balancer traffic is received via its public IP address, but the return path goes through the firewall's private IP address. Because the firewall is stateful, it drops the returning packet because the firewall doesn't detect an established session. To learn how to integrate Azure Firewall with your ingress or service load balancer, see Integrate Azure Firewall with Azure Standard Load Balancer.

    Refer: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/app-platform/azure-red-hat-openshift/network-topology-connectivity

    https://learn.microsoft.com/en-us/azure/openshift/howto-restrict-egress

    Control traffic between Azure Firewall, Virtual machine and ARO via NSG

    To control traffic between Azure Firewall, Virtual machine and ARO, you will need to configure UDR (User defined Routes) as mentioned above.

    Any other traffic to block between the components.

    All the security design recommendations are available in the below document, which you can review:

    https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/app-platform/azure-red-hat-openshift/security#design-recommendations

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

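The egress and segmentation items of the accepted answer (a 0.0.0.0/0 UDR to Azure Firewall, firewall rules that allow only specific sites and ports, and NSG control of traffic between the firewall, the jump-box VM and ARO) expressed as one Bicep template. This is an added example, not code from the question, the answer or Microsoft's documentation. Every resource name, address range, the Firewall Policy name and the FQDN list are assumptions for illustration; replace them with your own values and verify the download hosts against the current Azure CLI and OpenShift client install instructions before deploying.

```bicep
// Added example (not from the original question or answer). Wires together the
// pieces the accepted answer describes for the vendor jump box:
//   1) a UDR that forces the jump-box subnet's egress through Azure Firewall,
//   2) a Firewall Policy application rule allowing only the needed download sites/ports,
//   3) an NSG on the jump-box subnet admitting only Bastion inbound and only
//      ARO / Internet-via-firewall outbound.
// Every name, address range and FQDN below is an assumption for illustration.

param location string = resourceGroup().location
param firewallPrivateIp string = '10.0.1.4'          // assumed: hub Azure Firewall private IP (next hop)
param firewallPolicyName string = 'fwpol-hub'        // assumed: existing Firewall Policy in this resource group
param jumpboxSubnetPrefix string = '10.1.1.0/24'     // assumed: vendor jump-box subnet
param bastionSubnetPrefix string = '10.1.0.0/26'     // assumed: AzureBastionSubnet
param aroMasterSubnetPrefix string = '10.2.0.0/23'   // assumed: ARO control-plane subnet (private API on 6443)
param aroWorkerSubnetPrefix string = '10.2.2.0/23'   // assumed: ARO worker subnet (private ingress on 443)

// Assumed download hosts for the vendor's tooling; verify against current install docs.
var allowedDownloadFqdns = [
  'packages.microsoft.com' // apt/yum repository used by the Azure CLI install instructions
  'mirror.openshift.com'   // oc client tarballs
]

// 1) Default route to the firewall. Associate it with the jump-box subnet only: putting the
//    same route on the ARO subnets is the egress-lockdown procedure in the linked docs and,
//    with a public ingress load balancer, also needs a DNAT rule (asymmetric routing).
resource jumpboxRouteTable 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-jumpbox-egress'
  location: location
  properties: {
    disableBgpRoutePropagation: true // a default route learned from on-prem must not bypass the firewall
    routes: [
      {
        name: 'default-to-firewall'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
    ]
  }
}

// 2) Application rule: HTTPS only, only to the listed FQDNs, only from the jump-box subnet.
//    Anything else leaving that subnet hits the policy's implicit deny.
resource firewallPolicy 'Microsoft.Network/firewallPolicies@2023-05-01' existing = {
  name: firewallPolicyName
}
resource vendorEgressRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: firewallPolicy
  name: 'rcg-vendor-jumpbox'
  properties: {
    priority: 300
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'allow-vendor-downloads'
        priority: 100
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'tooling-downloads-https'
            sourceAddresses: [ jumpboxSubnetPrefix ]
            protocols: [ { protocolType: 'Https', port: 443 } ]
            targetFqdns: allowedDownloadFqdns
          }
        ]
      }
    ]
  }
}

// 3) NSG for the jump-box subnet. The NSG is evaluated before the UDR redirects the packet,
//    so 443 to 'Internet' must be allowed here for traffic to reach the firewall, which then
//    enforces the FQDN list. The explicit denies at 4000 override the default
//    AllowVnetInBound / AllowInternetOutBound rules; the DNS allow assumes Azure-provided DNS.
var nsgRules = [
  { name: 'allow-bastion-rdp-ssh-in', priority: 100, direction: 'Inbound', access: 'Allow', protocol: 'Tcp', src: bastionSubnetPrefix, dst: jumpboxSubnetPrefix, ports: [ '22', '3389' ] }
  { name: 'deny-all-other-in', priority: 4000, direction: 'Inbound', access: 'Deny', protocol: '*', src: '*', dst: '*', ports: [ '0-65535' ] }
  { name: 'allow-aro-api-out', priority: 100, direction: 'Outbound', access: 'Allow', protocol: 'Tcp', src: jumpboxSubnetPrefix, dst: aroMasterSubnetPrefix, ports: [ '6443' ] }
  { name: 'allow-aro-console-out', priority: 110, direction: 'Outbound', access: 'Allow', protocol: 'Tcp', src: jumpboxSubnetPrefix, dst: aroWorkerSubnetPrefix, ports: [ '443' ] }
  { name: 'allow-azure-dns-out', priority: 120, direction: 'Outbound', access: 'Allow', protocol: '*', src: jumpboxSubnetPrefix, dst: '168.63.129.16', ports: [ '53' ] }
  { name: 'allow-https-via-firewall-out', priority: 130, direction: 'Outbound', access: 'Allow', protocol: 'Tcp', src: jumpboxSubnetPrefix, dst: 'Internet', ports: [ '443' ] }
  { name: 'deny-all-other-out', priority: 4000, direction: 'Outbound', access: 'Deny', protocol: '*', src: '*', dst: '*', ports: [ '0-65535' ] }
]
resource jumpboxNsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-jumpbox'
  location: location
  properties: {
    securityRules: [for r in nsgRules: {
      name: r.name
      properties: {
        priority: r.priority
        direction: r.direction
        access: r.access
        protocol: r.protocol
        sourceAddressPrefix: r.src
        sourcePortRange: '*'
        destinationAddressPrefix: r.dst
        destinationPortRanges: r.ports
      }
    }]
  }
}
```

Attach `jumpboxRouteTable.id` and `jumpboxNsg.id` to the jump-box subnet's `routeTable` and `networkSecurityGroup` properties in the virtual network definition. The jump box itself has no public IP and no DNAT rule is needed for it: the only inbound path is Azure Bastion on 22/3389 from the AzureBastionSubnet. The DNAT caveat in the answer applies when the same default route is placed on the ARO subnets while a public load balancer fronts the cluster ingress.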
