Merge pull request #87993 from michaelryanmcneill/OSDOCS-13277

EricPonvelle · web-flow · commit 45f3c458017e · 2025-02-04T14:28:59.000-05:00
OSDOCS-13277: 4.17.2 Security Group Update for ROSA HCP
diff --git a/modules/rosa-hcp-aws-private-security-groups.adoc b/modules/rosa-hcp-aws-private-security-groups.adoc
@@ -1,11 +1,17 @@
 // Module included in the following assemblies:
 //
+// * rosa_hcp/rosa-hcp-aws-private-creating-cluster.adoc
 
 [id="rosa-hcp-aws-private-security-groups_{context}"]
 :_mod-docs-content-type: PROCEDURE
-= Configuring AWS security groups to access the API
+= Adding additional AWS security groups to the AWS PrivateLink endpoint
 
-With {hcp-title} private clusters, the AWS PrivateLink endpoint exposed in the customer's VPC has a default security group. This security group has access to the PrivateLink endpoint that is limited to only those resources that exist within the VPC or resources that are present with an IP address associated with the VPC CIDR range. In order to grant access to any entities outside of the VPC, through VPC peering and transit gateway, you must create and attach another security group to the PrivateLink endpoint to grant the necessary access.
+With {hcp-title} clusters, the AWS PrivateLink endpoint exposed in the customer's VPC has a security group that limits access to requests that originate from within the cluster's Machine CIDR range. In order to grant access to the cluster's API to any entities outside of the VPC, through VPC peering, transit gateways, or other network connectivity, you must create and attach another security group to the PrivateLink endpoint to grant the necessary access.
+
+[IMPORTANT]
+====
+Adding additional AWS security groups to the AWS PrivateLink endpoint is only supported on {hcp-title} version 4.17.2 and later. 
+====
 
 .Prerequisites
 
@@ -41,20 +47,26 @@ hcp-private
 ----
 $ read -r VPCE_ID VPC_ID <<< $(aws ec2 describe-vpc-endpoints --filters "Name=tag:api.openshift.com/id,Values=$(rosa describe cluster -c ${CLUSTER_NAME} -o yaml | grep '^id: ' | cut -d' ' -f2)" --query 'VpcEndpoints[].[VpcEndpointId,VpcId]' --output text)
 ----
-
-. Create your security group by running the following command:
++
+[WARNING]
+====
+Modifying or removing the default AWS PrivateLink endpoint security group is not supported and might result in unexpected behavior.
+====
++
+. Create an additional security group by running the following command:
 +
 [source,terminal]
 ----
 $ export SG_ID=$(aws ec2 create-security-group --description "Granting API access to ${CLUSTER_NAME} from outside of VPC" --group-name "${CLUSTER_NAME}-api-sg" --vpc-id $VPC_ID --output text)
 ----
 
-. Add an ingress rule to the security group by running the following command:
+. Add an inbound (ingress) rule to the security group by running the following command:
 +
 [source,terminal]
 ----
-$ aws ec2 authorize-security-group-ingress --group-id $SG_ID --ip-permissions FromPort=443,ToPort=443,IpProtocol=tcp,IpRanges=[{CidrIp=0.0.0.0/0}]
+$ aws ec2 authorize-security-group-ingress --group-id $SG_ID --ip-permissions FromPort=443,ToPort=443,IpProtocol=tcp,IpRanges=[{CidrIp=<cidr-to-allow>}] <.> 
 ----
+<.> Specify the CIDR block you want to allow access from.
 
 . Add the new security group to the VPCE by running the following command:
 +
@@ -63,4 +75,4 @@ $ aws ec2 authorize-security-group-ingress --group-id $SG_ID --ip-permissions Fr
 $ aws ec2 modify-vpc-endpoint --vpc-endpoint-id $VPCE_ID --add-security-group-ids $SG_ID
 ----
 
-You now can access the API with your {hcp-title} private cluster.
+You now can access the API of your {hcp-title} private cluster from the specified CIDR block.
diff --git a/rosa_hcp/rosa-hcp-aws-private-creating-cluster.adoc b/rosa_hcp/rosa-hcp-aws-private-creating-cluster.adoc
@@ -11,6 +11,7 @@ For {hcp-title-first} workloads that do not require public internet access, you
 //include::modules/osd-aws-privatelink-about.adoc[leveloffset=+1]
 //include::modules/osd-aws-privatelink-required-resources.adoc[leveloffset=+1]
 include::modules/rosa-hcp-aws-private-create-cluster.adoc[leveloffset=+1]
+include::modules/rosa-hcp-aws-private-security-groups.adoc[leveloffset=+1]
 include::modules/rosa-additional-principals-overview.adoc[leveloffset=+1]
 include::modules/rosa-additional-principals-create.adoc[leveloffset=+2]
 include::modules/rosa-additional-principals-edit.adoc[leveloffset=+2]
diff --git a/rosa_release_notes/rosa-release-notes.adoc b/rosa_release_notes/rosa-release-notes.adoc
@@ -23,22 +23,26 @@ endif::openshift-rosa-hcp[]
 // These notes need to be duplicated until the ROSA with HCP split out is completed.
 ifdef::openshift-rosa[]
 * **{rosa-classic} cluster node limit update.** {rosa-classic} clusters versions 4.14.14 and greater can now scale to 249 worker nodes. This is an increase from the previous limit of 180 nodes. For more information, see xref:../rosa_planning/rosa-limits-scalability.adoc#rosa-limits-scalability[Limits and scalability].
-
++
 [IMPORTANT]
 ====
 Egress lockdown is a Technology Preview feature.
 ====
-
++
 * **Egress lockdown is now available as a Technology Preview on {product-title} clusters.** You can create a fully operational cluster that does not require a public egress by configuring a virtual private cloud (VPC) and using the `--properties zero_egress:true` flag when creating your cluster. For more information, see xref:../rosa_hcp/rosa-hcp-egress-lockdown-install.adoc#rosa-hcp-egress-lockdown-install[Creating a {product-title} cluster with egress lockdown].
 
-* **Red{nbsp}Hat SRE log-based alerting endpoints have been updated.** {product-title} customers who are using a firewall to control egress traffic can now remove all references to `*.osdsecuritylogs.splunkcloud.com:9997` from your firewall allowlist. {product-title} clusters still require the `http-inputs-osdsecuritylogs.splunkcloud.com:443` log-based alerting endpoint to be accessible from the cluster. This is applicable only to Red{nbsp}Hat OpenShift Service on AWS (classic architecture).
+* **ROSA with HCP now creates independent security groups for the AWS PrivateLink endpoint and worker nodes.** {hcp-title} clusters version 4.17.2 and greater can now add additional AWS security groups to the AWS PrivateLink endpoint to allow additional ingress traffic to the cluster's API. For more information, see xref:../rosa_hcp/rosa-hcp-aws-private-creating-cluster.adoc#rosa-hcp-aws-private-security-groups_rosa-hcp-aws-private-creating-cluster[Adding additional AWS security groups to the AWS PrivateLink endpoint].
+
+* **Red{nbsp}Hat SRE log-based alerting endpoints have been updated.** {rosa-classic} customers who are using a firewall to control egress traffic can now remove all references to `*.osdsecuritylogs.splunkcloud.com:9997` from your firewall allowlist. {rosa-classic} clusters still require the `http-inputs-osdsecuritylogs.splunkcloud.com:443` log-based alerting endpoint to be accessible from the cluster.
 endif::openshift-rosa[]
 ifdef::openshift-rosa-hcp[]
+* **ROSA with HCP now creates independent security groups for the AWS PrivateLink endpoint and worker nodes.** {hcp-title} clusters version 4.17.2 and greater can now add additional AWS security groups to the AWS PrivateLink endpoint to allow additional ingress traffic to the cluster's API. For more information, see xref:../rosa_hcp/rosa-hcp-aws-private-creating-cluster.adoc#rosa-hcp-aws-private-security-groups_rosa-hcp-aws-private-creating-cluster[Adding additional AWS security groups to the AWS PrivateLink endpoint].
++
 [IMPORTANT]
 ====
 Egress lockdown is a Technology Preview feature.
 ====
-
++
 * **Egress lockdown is now available as a Technology Preview on {product-title} clusters.** You can create a fully operational cluster that does not require a public egress by configuring a virtual private cloud (VPC) and using the `--properties zero_egress:true` flag when creating your cluster. For more information, see xref:../rosa_hcp/rosa-hcp-egress-lockdown-install.adoc#rosa-hcp-egress-lockdown-install[Creating a {product-title} cluster with egress lockdown].
 endif::openshift-rosa-hcp[]
 ifdef::openshift-rosa[]
