
Bring Your Own NSG (Network Security Group)

Open 0kashi opened this issue 2 years ago • 10 comments

Allow customers more flexibility with using NSGs.

0kashi avatar Dec 21 '22 20:12 0kashi

I have a need for a customer to be able to add an allowed port to the created NSG in an ARO deployment. Specifically they will allow port UDP/4789 to allow an F5 BIG-IP to join the VXLAN overlay and route directly to pods.

Will adding a port to the Inbound Security Rules be allowed by this planned work?

mikeoleary avatar Dec 22 '22 18:12 mikeoleary

Hi guys, checking in. Wondering if you could let me know if editing inbound security rules will be supported after this planned feature? Mike

mikeoleary avatar Jan 03 '23 18:01 mikeoleary

Yes, this feature will enable customers to create ARO clusters with their own NSG (instead of the auto-created NSGs).

konghot avatar Jan 06 '23 22:01 konghot

We need some clarification from the product team so we can move forward. We need this capability in the future; however, we can operate under process waivers until it becomes available.

The problem we have is that we need to stand up Dev and Prod clusters now. We are told that we either:

  1. Join the private preview to enable this feature now (but will forfeit all SLAs until the feature goes GA) or
  2. Wait until the GA and then rebuild the clusters to take advantage of the new feature.

Neither of these is tenable. Are you unable to support an "in-place upgrade" to BYO-NSG when you go GA?

wadebee avatar Aug 08 '23 21:08 wadebee

@wadebee

This feature is still in development, but we have an early version available for private preview. The purpose of the private preview is to gather customer feedback and make improvements in the feature till it becomes GA.

While the private preview version is not for production deployments, if you enable this feature on a cluster today, you will NOT need to rebuild the cluster when this feature becomes GA (unless we discover a severe defect that warrants such a change). You will be able to simply continue using the cluster with GA level support.

konghot avatar Aug 08 '23 22:08 konghot

Has this gone GA? Or ETA if not?

genechucrl avatar Dec 12 '23 18:12 genechucrl

@genechucrl This feature will be made GA in the next 4-6 weeks.

konghot avatar Dec 12 '23 19:12 konghot

Okay. Thanks for the update.

genechucrl avatar Dec 12 '23 19:12 genechucrl

Any update? Is it GA? Can one opt into a preview-feature?

davidkarlsen avatar Feb 27 '24 17:02 davidkarlsen

Also related issue in azurerm resource: https://github.com/hashicorp/terraform-provider-azurerm/issues/25059

davidkarlsen avatar Feb 29 '24 10:02 davidkarlsen

Hello team, any update on this feature GA?

mohamedsaif avatar Apr 22 '24 06:04 mohamedsaif

@konghot, is there a way for users to opt in to the "private preview" feature you mentioned?

AWSmith0216 avatar May 01 '24 15:05 AWSmith0216

@0kashi, I see that you closed this ticket as 'shipped' on May 8th. However, checking the documentation at:

https://learn.microsoft.com/en-us/cli/azure/aro?view=azure-cli-latest#az-aro-create

...I see no obvious means of using this feature. Using the Azure CLI version 2.52.0, I also see no apparent NSG-related input option.

How should users take advantage of this feature?

AWSmith0216 avatar Aug 15 '24 13:08 AWSmith0216