Control egress traffic for your Azure Red Hat OpenShift (ARO) cluster

This article provides the necessary details that allow you to secure outbound traffic from your Azure Red Hat OpenShift cluster (ARO). With the release of the Egress Lockdown Feature, all of the required connections for an ARO cluster are proxied through the service. There are additional destinations that you may want to allow to use features such as Operator Hub or Red Hat telemetry.

Important

Do not attempt these instructions on older ARO clusters if those clusters don't have the Egress Lockdown feature enabled. To enable the Egress Lockdown feature on older ARO clusters, see Enable Egress Lockdown.

Endpoints proxied through the ARO service

The following endpoints are proxied through the service, and do not need additional firewall rules. This list is here for informational purposes only.

Destination FQDN Port Use
arosvc.azurecr.io HTTPS:443 Global container registry for ARO required system images.
arosvc.$REGION.data.azurecr.io HTTPS:443 Regional container registry for ARO required system images.
management.azure.com HTTPS:443 Used by the cluster to access Azure APIs.
login.microsoftonline.com HTTPS:443 Used by the cluster for authentication to Azure.
Specific subdomains of monitor.core.windows.net HTTPS:443 Used for Microsoft Geneva Monitoring so that the ARO team can monitor the customer's cluster(s).
Specific subdomains of monitoring.core.windows.net HTTPS:443 Used for Microsoft Geneva Monitoring so that the ARO team can monitor the customer's cluster(s).
Specific subdomains of blob.core.windows.net HTTPS:443 Used for Microsoft Geneva Monitoring so that the ARO team can monitor the customer's cluster(s).
Specific subdomains of servicebus.windows.net HTTPS:443 Used for Microsoft Geneva Monitoring so that the ARO team can monitor the customer's cluster(s).
Specific subdomains of table.core.windows.net HTTPS:443 Used for Microsoft Geneva Monitoring so that the ARO team can monitor the customer's cluster(s).

List of optional endpoints

Additional container registry endpoints

Destination FQDN Port Use
registry.redhat.io HTTPS:443 Used to provide container images and operators from Red Hat.
quay.io HTTPS:443 Used to provide container images and operators from Red Hat and third-parties.
cdn.quay.io HTTPS:443 Used to provide container images and operators from Red Hat and third-parties.
cdn01.quay.io HTTPS:443 Used to provide container images and operators from Red Hat and third-parties.
cdn02.quay.io HTTPS:443 Used to provide container images and operators from Red Hat and third-parties.
cdn03.quay.io HTTPS:443 Used to provide container images and operators from Red Hat and third-parties.
access.redhat.com HTTPS:443 Used to provide container images and operators from Red Hat and third-parties.
registry.access.redhat.com HTTPS:443 Used to provide third-party container images and certified operators.
registry.connect.redhat.com HTTPS:443 Used to provide third-party container images and certified operators.

Red Hat Telemetry and Red Hat Insights

By default, ARO clusters are opted-out of Red Hat Telemetry and Red Hat Insights. If you wish to opt-in to Red Hat telemetry, allow the following endpoints and update your cluster's pull secret.

Destination FQDN Port Use
cert-api.access.redhat.com HTTPS:443 Used for Red Hat telemetry.
api.access.redhat.com HTTPS:443 Used for Red Hat telemetry.
infogw.api.openshift.com HTTPS:443 Used for Red Hat telemetry.
console.redhat.com/api/ingress HTTPS:443 Used in the cluster for the insights operator that integrates with Red Hat Insights.

For additional information on remote health monitoring and telemetry, see the Red Hat OpenShift Container Platform documentation.

Other additional OpenShift endpoints

Destination FQDN Port Use
api.openshift.com HTTPS:443 Used by the cluster to check if updates are available for the cluster. Alternatively, users can use the OpenShift Upgrade Graph tool to manually find an upgrade path.
mirror.openshift.com HTTPS:443 Required to access mirrored installation content and images.
*.apps.<cluster_domain>* HTTPS:443 When allowlisting domains, this is used in your corporate network to reach applications deployed in ARO, or to access the OpenShift console.

ARO integrations

Azure Monitor container insights

ARO clusters can be monitored using the Azure Monitor container insights extension. Review the pre-requisites and instructions for enabling the extension.