Secure access to Azure Red Hat OpenShift with Azure Front Door
This article explains how to use Azure Front Door Premium to secure access to Azure Red Hat OpenShift.
The following prerequisites are required:
You have an existing Azure Red Hat OpenShift cluster. Follow this guide to create a private Azure Red Hat OpenShift cluster.
The cluster is configured with private ingress visibility.
A custom domain name is used, for example:
The initial state doesn't have DNS configured. No applications are exposed externally from the Azure Red Hat OpenShift cluster.
Create an Azure Private Link service
This section explains how to create an Azure Private Link service. An Azure Private Link service is a reference to your own service that is powered by Azure Private Link.
Your service, which is running behind the Azure Standard Load Balancer, can be enabled for Private Link access so that consumers to your service can access it privately from their own VNets. Your customers can create a private endpoint inside their VNet and map it to this service.
For more information about the Azure Private Link service and how it's used, see Azure Private Link service.
Create an AzurePrivateLinkSubnet. This subnet includes a netmask that permits visibility of the subnet to the control plane and worker nodes of the Azure cluster. Don't delegate this new subnet to any services or configure any service endpoints.
For example, if the virtual network is 10.10.0.0/16 and:
- Existing Azure Red Hat OpenShift control plane subnet = 10.10.0.0/24
- Existing Azure Red Hat OpenShift worker subnet = 10.10.1.0/24
- New AzurePrivateLinkSubnet = 10.10.2.0/24
Create a new Private Link at Azure Private Link service, as explained in the following steps:
On the Basics tab, configure the following options:
- Project Details
- Select your Azure subscription.
- Select the resource group in which your Azure Red Hat OpenShift cluster was deployed.
- Instance Details
- Enter a Name for your Azure Private Link service, as in the following example: example-com-private-link.
- Select a Region for your Private Link.
- Project Details
On the Outbound Settings tab:
Set the Load Balancer to the -internal load balancer of the cluster for which you're enabling external access. The choices are populated in the drop-down list.
Set the Load Balancer frontend IP address to the IP address of the Azure Red Hat OpenShift ingress controller, which typically ends in .254. If you're unsure, use the following command.
az aro show -n <cluster-name> -g <resource-group> -o tsv --query ingressProfiles.ip
The Source NAT subnet should be the AzurePrivateLinkSubnet, which you created.
No items should be changed in Outbound Settings.
On the Access Security tab, no changes are required.
- At the Who can request access to your service? prompt, select Anyone with your alias.
- Don't add any subscriptions for auto-approval.
On the Tags tab, select Review + create.
Select Create to create the Azure Private Link service, and then wait for the process to complete.
When your deployment is complete, select Go to resource group under Next steps.
In the Azure portal, enter the Azure Private Link service that was deployed. Retain the Alias that was generated for the Azure Private Link service. It will be used later.
Register domain in Azure DNS
This section explains how to register a domain in Azure DNS.
Create a global Azure DNS zone for example.com.
Create a global Azure DNS zone for apps.example.com.
Note the four nameservers that are present in Azure DNS for apps.example.com.
Create a new NS record set in the example.com zone that points to apps and specify the four nameservers that were present when the apps zone was created.
Create a new Azure Front Door Premium service
To create a new Azure Front Door Premium service:
On Microsoft Azure Compare offerings select Azure Front Door, and then select Continue to create a Front Door.
On the Create a front door profile page in the Subscription > Resource group, select the resource group in which your Azure Red Hat OpenShift cluster was deployed to house your Azure Front Door Premium resource.
Name your Azure Front Door Premium service appropriately. For example, in the Name field, enter the following name:
Select the Premium tier. The Premium tier is the only choice that supports Azure Private Link.
For Endpoint name, choose an endpoint name that is appropriate for Azure Front Door.
For each application deployed, a CNAME will be created in the Azure DNS to point to this hostname. Therefore, it's important to choose a name that is agnostic to applications. For security, the name shouldn't suggest the applications or architecture that you’ve deployed, such as example01.
The name you choose will be prepended to the .z01.azurefd.net domain.
For Origin type, select Custom.
For Origin Host Name, enter the following placeholder:
This placeholder will be deleted later.
At this stage, don't enable the Azure Private Link service, caching, or the Web Application Firewall (WAF) policy.
Select Review + create to create the Azure Front Door Premium resource, and then wait for the process to complete.
Initial configuration of Azure Front Door Premium
To configure Azure Front Door Premium:
In the Azure portal, enter the Azure Front Door Premium service that was deployed.
In the Endpoint Manager window, modify the endpoint by selecting Edit endpoint.
Delete the default route, which was created as default-route.
Close the Endpoint Manager window.
In the Origin Groups window, delete the default origin group that was named default-origin-group.
Exposing an application route in Azure Red Hat OpenShift
Azure Red Hat OpenShift must be configured to serve the application with the same hostname that Azure Front Door will be exposing externally (*.apps.example.com). In our example, we'll expose the Reservations application with the following hostname:
Also, create a secure route in Azure Red Hat OpenShift that exposes the hostname.
Configure Azure DNS
To configure the Azure DNS:
Enter the public apps DNS zone previously created.
Create a new CNAME record set named reservation. This CNAME record set is an alias for our example Azure Front Door endpoint:
Configure Azure Front Door Premium
The following steps explain how to configure Azure Front Door Premium.
In the Azure portal, enter the Azure Front Door Premium service you created previously:
In the Domains window:
Because all DNS servers are hosted on Azure, leave DNS Management set to Azure managed DNS.
Select the example domain:
Select the CNAME in our example:
Use the default values for HTTPS and Minimum TLS version.
When the Validation stat changes to Pending, select Pending.
To authenticate ownership of the DNS zone, for DNS record status, select Add.
Continue to select Refresh until the Validation state of the domain changes to Approved and the Endpoint association changes to Unassociated.
In the Origin Groups window:
Give your Origin Group an appropriate name, such as Reservations-App.
Select Add an origin.
Enter the name of the origin, such as ARO-Cluster-1.
Choose an Origin type of Custom.
Enter the fully qualified domain name (FQDN) hostname that was exposed in your Azure Red Hat OpenShift cluster, such as:
Enable the Private Link service.
Enter the Alias that was obtained from the Azure Private Link service.
Select Add to return to the origin group creation window.
Select Add to add the origin group and return to the Azure portal.
Grant approval in Azure Private Link
To grant approval to the example-com-private-link, which is the Azure Private Link service you created previously, complete the following steps.
On the Private endpoint connections tab, select the checkbox that now exists from the resource described as do from AFD.
Select Approve, and then select Yes to verify the approval.
Complete Azure Front Door Premium configuration
The following steps explain how to complete the configuration of Azure Front Door Premium.
In the Azure portal, enter the Azure Front Door Premium service you previously created:
In the Endpoint Manager window, select Edit endpoint to modify the endpoint.
Select +Add under Routes.
Give your route an appropriate name, such as Reservations-App-Route-Config.
Under Domains, then under Available validated domains, select the fully qualified domain name, for example:
To redirect HTTP traffic to use HTTPS, leave the Redirect checkbox selected.
Under Origin group, select Reservations-App, the origin group you previously created.
You can enable caching, if appropriate.
Select Add to create the route. After the route is configured, the Endpoint manager populates the Domains and Origin groups panes with the other elements created for this application.
Because Azure Front Door is a global service, the application can take up to 30 minutes to deploy. During this time, you may choose to create a WAF for your application. When your application goes live, it can be accessed using the URL used in this example:
Create an Azure Web Application Firewall on Azure Front Door using the Azure portal: