diff --git a/modules/osd-aws-privatelink-firewall-prerequisites.adoc b/modules/osd-aws-privatelink-firewall-prerequisites.adoc index ae363b5ae034..fac94c05e68b 100644 --- a/modules/osd-aws-privatelink-firewall-prerequisites.adoc +++ b/modules/osd-aws-privatelink-firewall-prerequisites.adoc @@ -4,7 +4,7 @@ :_content-type: PROCEDURE [id="osd-aws-privatelink-firewall-prerequisites"] -= Firewall prerequisites += AWS firewall prerequisites [IMPORTANT] ==== @@ -73,6 +73,11 @@ This section provides the necessary details that enable you to control egress tr |Provides core container images as a fallback when quay.io is not available. |=== + +[NOTE] +==== +Creating a firewall with a ROSA private cluster (non-PrivateLink) is not supported. +==== ++ When you add a site such as `quay.io` to your allowlist, do not add a wildcard entry such as `*.quay.io` to your denylist. In most cases, image registries use a content delivery network (CDN) to serve images. If a firewall blocks access, then image downloads are denied when the initial download request is redirected to a host name such as `cdn01.quay.io`. + CDN host names, such as `cdn01.quay.io`, are covered when you add a wildcard entry, such as `.quay.io`, in your allowlist. @@ -154,6 +159,14 @@ Alternatively, if you wish to not use a wildcard for Amazon Web Services (AWS) A |`elasticloadbalancing..amazonaws.com` |443 |Used to install and manage clusters in an AWS environment. + +|`servicequotas..amazonaws.com` +|443, 80 +|Required. Used to confirm quotas for deploying the service. + +|`tagging..amazonaws.com` +|443, 80 +|Allows the assignment of metadata about AWS resources in the form of tags. |=== . Allowlist the following OpenShift URLs:
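Review bot: Renaming the title to `= AWS firewall prerequisites` in the first hunk leaves the module `id` as `osd-aws-privatelink-firewall-prerequisites`, so existing `xref` anchors keep working, but any assembly or index that references the module by its old visible title "Firewall prerequisites" should be checked and updated in the same change.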
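Review bot: The new `[NOTE]` block in the second hunk states that "Creating a firewall with a ROSA private cluster (non-PrivateLink) is not supported", yet this module is an `osd-` module about AWS PrivateLink firewall prerequisites; please confirm the note is correct wherever this module is included, or guard it with a ROSA-only conditional so that OpenShift Dedicated readers do not see a ROSA-specific restriction. The wording could also be tightened to say what is unsupported, for example "Configuring a firewall for a ROSA private cluster that does not use PrivateLink is not supported." Structurally the block is fine: it is attached to the list item by the existing `+` continuation after `|===`, and the added `+` re-attaches the following `When you add a site such as ...` paragraph.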
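Review bot: The two rows added in the third hunk list ports `443, 80`, while the surrounding rows such as `elasticloadbalancing..amazonaws.com` list only `443`; please confirm that plaintext HTTP on port 80 is genuinely required for `servicequotas..amazonaws.com` and `tagging..amazonaws.com`, and drop `80` if HTTPS alone suffices, since widening the allowlist to HTTP is an egress-control regression and the existing AWS API rows do not need it. The description "Required. Used to confirm quotas for deploying the service." also breaks the style of the other rows, which do not prefix "Required."; either drop the prefix or apply it consistently across the table.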