openshift · bergerhoffer · May 4, 2022 · Apr 13, 2022
diff --git a/modules/osd-aws-privatelink-firewall-prerequisites.adoc b/modules/osd-aws-privatelink-firewall-prerequisites.adoc
@@ -4,7 +4,7 @@
 
 :_content-type: PROCEDURE
 [id="osd-aws-privatelink-firewall-prerequisites"]
-= Firewall prerequisites
+= AWS firewall prerequisites
 
 [IMPORTANT]
 ====
@@ -73,6 +73,11 @@ This section provides the necessary details that enable you to control egress tr
 |Provides core container images as a fallback when quay.io is not available.
 |===
 +
+[NOTE]
+====
+Creating a firewall with a ROSA private cluster (non-PrivateLink) is not supported.
+====
++
 When you add a site such as `quay.io` to your allowlist, do not add a wildcard entry such as `*.quay.io` to your denylist. In most cases, image registries use a content delivery network (CDN) to serve images. If a firewall blocks access, then image downloads are denied when the initial download request is redirected to a host name such as `cdn01.quay.io`.
 +
 CDN host names, such as `cdn01.quay.io`, are covered when you add a wildcard entry, such as `.quay.io`, in your allowlist.
@@ -154,6 +159,14 @@ Alternatively, if you wish to not use a wildcard for Amazon Web Services (AWS) A
 |`elasticloadbalancing.<aws_region>.amazonaws.com`
 |443
 |Used to install and manage clusters in an AWS environment.
+
+|`servicequotas.<aws region>.amazonaws.com`
+|443, 80
+|Required. Used to confirm quotas for deploying the service.
+
+|`tagging.<region>.amazonaws.com`
+|443, 80
+|Allows the assignment of metadata about AWS resources in the form of tags.
 |===
 
 . Allowlist the following OpenShift URLs: