Hello @N-Open,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
I understand that you would like to know how to give a user secure access to ARO (Azure Red Hat OpenShift cluster) and access to the internet to download some software from a virtual machine via Azure Firewall rules, while making sure that the Azure VM doesn't have a public IP but is accessible via Azure Bastion. And the VM should be connected to the ARO cluster via Private Link.
All your questions will be answered in the document below, which provides design considerations and recommendations to protect and secure your Azure Red Hat OpenShift deployments:
The plan is to connect the vendor via Azure Bastion to virtual machines (Azure CLI, OC CLI) and then connect to ARO.
You can use a bastion host, or jump box, to securely access Azure Red Hat OpenShift Private Cluster:
You can connect to the VM via Azure Bastion and then log into the cluster using the
kubeadmin user CLI command to find the cluster console URL and then launch the console URL in a browser and login using the
Can Private link be used between VM and ARO?
Yes, this is possible.
You can configure a private endpoint for your registry using the Azure portal (recommended) or the Azure CLI. This feature is available in the Premium container registry service tier.
Keep in mind that some functionality may be unavailable or require more configuration in a container registry that restricts access to private endpoints, selected subnets, or IP addresses and this can be found in the above document.
You can also use Azure Front Door Premium to secure access to private Azure Red Hat OpenShift cluster directly.
The virtual machine will not have a public IP (hope it works without it).
Yes, the virtual machine doesn't need a public IP, as access to the VM will be via the Azure Bastion host.
Azure Bastion opens the RDP/SSH connection to your Azure VM by using the private IP address on your VM. You don't need a public IP address on your virtual machine.
Allow the vendor to connect from virtual machines to the internet via Azure Firewall rules to specific sites and ports. Is this possible via rules, please?
Yes, this is possible.
By default, Azure Red Hat OpenShift clusters have unrestricted egress internet access.
You can deploy Azure Red Hat OpenShift with restricted egress traffic by adding a user-defined route (UDR) that has a 0.0.0.0/0 route to Azure Firewall or to a network virtual appliance. Azure Red Hat OpenShift has an egress lockdown function that ensures access, even if the outbound traffic is restricted by a firewall appliance or by other means.
Important: If you use Azure Firewall to restrict egress traffic and create a UDR to force all egress traffic, make sure that you create an appropriate Destination Network Address Translation (DNAT) rule in Azure Firewall to correctly allow ingress traffic. Using Azure Firewall with a UDR breaks the ingress setup due to asymmetric routing. The issue occurs if the Azure Red Hat OpenShift subnet has a default route that goes to the firewall's private IP address, but you're using a public load balancer (ingress or Kubernetes service of type LoadBalancer). In this case, the incoming load balancer traffic is received via its public IP address, but the return path goes through the firewall's private IP address. Because the firewall is stateful, it drops the returning packet because the firewall doesn't detect an established session. To learn how to integrate Azure Firewall with your ingress or service load balancer, see Integrate Azure Firewall with Azure Standard Load Balancer.
Control traffic between Azure Firewall, the virtual machine and ARO via NSG.
To control traffic between Azure Firewall, the virtual machine and ARO, you will need to configure user-defined routes (UDRs) as mentioned above.
Any other traffic to block between the components.
All the security design recommendations are available in the document below, which you can review:
Kindly let us know if the above helps or you need further assistance on this issue.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
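As an added worked example (not part of the answer above or of any Microsoft documentation), the following Azure CLI script wires up the pieces the answer describes: a 0.0.0.0/0 user-defined route from the jump box and ARO subnets to the firewall's private IP, an application rule that lets the jump box reach only the vendor's download sites over HTTPS, a network rule for one extra vendor port, and the DNAT rule the answer warns is needed so that ingress published through the firewall does not break on asymmetric routing. Every resource name, address and FQDN is a placeholder assumption; the vendor sites, the vendor IP and the internal ingress load balancer address in particular are made up for illustration. It assumes the `azure-firewall` CLI extension, an existing hub firewall and an existing VNet with the named subnets. Run `plan` to print the commands without executing them, `apply` to run them.

```bash
#!/usr/bin/env bash
# Added example, not the original answer's code. All values below are
# placeholder assumptions; override them via the environment.
# Needs: az login, and `az extension add --name azure-firewall`.
set -eu

RG="${RG:-rg-aro-secure}"                       # resource group (assumed)
LOC="${LOC:-eastus}"
VNET="${VNET:-vnet-aro}"
VM_SUBNET="${VM_SUBNET:-snet-jumpbox}"          # jump box subnet, reached via Bastion
ARO_SUBNETS="${ARO_SUBNETS:-snet-aro-master snet-aro-worker}"
FW="${FW:-fw-hub}"
FW_PRIVATE_IP="${FW_PRIVATE_IP:-10.0.1.4}"      # firewall private IP (assumed)
FW_PUBLIC_IP="${FW_PUBLIC_IP:-203.0.113.10}"    # firewall public IP (doc range)
VM_SUBNET_CIDR="${VM_SUBNET_CIDR:-10.0.10.0/24}"
VENDOR_FQDNS="${VENDOR_FQDNS:-downloads.vendor.example.com mirror.vendor.example.com}"
VENDOR_IP="${VENDOR_IP:-198.51.100.20}"         # vendor SFTP host (assumed)
ARO_INGRESS_IP="${ARO_INGRESS_IP:-10.0.20.10}"  # internal ingress LB IP (assumed)

# run: execute the command, or print it when DRY_RUN=1 so it can be reviewed.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# 1. Restricted egress: send all traffic from the VM and ARO subnets to the
#    firewall's private IP with a 0.0.0.0/0 route (the UDR the answer mentions).
create_default_route() {
  run az network route-table create -g "$RG" -l "$LOC" -n rt-egress-to-firewall
  run az network route-table route create -g "$RG" \
    --route-table-name rt-egress-to-firewall -n default-to-firewall \
    --address-prefix 0.0.0.0/0 --next-hop-type VirtualAppliance \
    --next-hop-ip-address "$FW_PRIVATE_IP"
}

associate_route_table() {
  for subnet in $VM_SUBNET $ARO_SUBNETS; do   # word-split on purpose
    run az network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$subnet" \
      --route-table rt-egress-to-firewall
  done
}

# 2. Specific sites: an FQDN-based application rule so the jump box can reach
#    only the vendor's download hosts over HTTPS. Everything not matched by an
#    allow rule is dropped by the firewall's implicit deny.
allow_vendor_sites() {
  # shellcheck disable=SC2086  # $VENDOR_FQDNS is a space-separated list
  run az network firewall application-rule create -g "$RG" -f "$FW" \
    --collection-name vendor-allowed-sites -n vendor-downloads --priority 200 \
    --action Allow --source-addresses "$VM_SUBNET_CIDR" \
    --protocols Https=443 --target-fqdns $VENDOR_FQDNS
}

# 3. Specific ports: a network rule for one non-HTTP destination (here SFTP
#    to a single vendor IP), scoped to the jump box subnet.
allow_vendor_ports() {
  run az network firewall network-rule create -g "$RG" -f "$FW" \
    --collection-name vendor-allowed-ports -n vendor-sftp --priority 300 \
    --action Allow --source-addresses "$VM_SUBNET_CIDR" \
    --destination-addresses "$VENDOR_IP" --destination-ports 22 --protocols TCP
}

# 4. The answer's caveat: with the 0.0.0.0/0 UDR in place, a public load
#    balancer's return path would cross the firewall and be dropped. Publish
#    ingress on the firewall's public IP instead and DNAT it to the cluster's
#    internal ingress load balancer so both directions traverse the firewall.
dnat_ingress() {
  run az network firewall nat-rule create -g "$RG" -f "$FW" \
    --collection-name aro-ingress-dnat -n https-to-ingress --priority 100 \
    --action Dnat --source-addresses '*' --destination-addresses "$FW_PUBLIC_IP" \
    --destination-ports 443 --protocols TCP \
    --translated-address "$ARO_INGRESS_IP" --translated-port 443
}

main() {
  create_default_route
  associate_route_table
  allow_vendor_sites
  allow_vendor_ports
  dnat_ingress
}

case "${1:-}" in
  apply) main ;;
  plan)  DRY_RUN=1 main ;;
  *)     echo "usage: $0 plan|apply" >&2 ;;
esac
```

The jump box still needs no public IP: it is reached through Bastion on its private address, and its only path out is the firewall, so the application and network rules are the complete list of what the vendor can reach. Note that a 0.0.0.0/0 route does not override the system route for the VNet's own address space, so VM-to-ARO traffic inside the VNet stays direct unless you add more specific routes for those prefixes.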