Set up Azure Bastion installation environment
In this section, you set up the Bastion that you will use to create and connect to the OpenShift clusters. You will:
- Set up a resource group
- Create a virtual network for the Bastion and the Virtual Machine you will use with the Bastion
- Create a virtual machine
- Create the Bastion
- Connect the Bastion to the Virtual Machine
- Use the Virtual Machine
The following diagram shows the architecture of the Bastion you will set up:
Prerequisites
You will need:
- Azure subscription
- Contributor access to create resource group, virtual networks, Bastion
- Azure CLI installed on your development computer. Log in using az login and set your subscription using az account set --subscription <subscriptionid>
A virtual network design. Either a single virtual network shared by the Bastion and OpenShift:
- Base virtual network for Bastion: 10.0.0.0/24
- Bastion subnet: 10.0.0.64/26
- Bastion VM subnet: 10.0.0.128/26
- Control plane subnet: 10.0.0.0/26
- Worker subnet: 10.0.0.64/26
OR two peered virtual networks, one for the Bastion and one for OpenShift:
- Base virtual network for Bastion: 10.0.0.0/24
- Bastion subnet: 10.0.0.64/26
- Bastion VM subnet: 10.0.0.128/26
- Base virtual network for OpenShift: 10.0.2.0/24
- Control plane subnet: 10.0.2.0/26
- Worker subnet: 10.0.2.128/26
The following diagram shows how you can calculate the subnets in your environment:
NOTE: Azure reserves the first five or so IP addresses in each subnet for its own use, so they are not available to your VMs.
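A subnet plan is easy to get wrong, so here is an added check (not part of the original page) that uses Python's ipaddress module to confirm that every subnet fits inside its VNet, that no two subnets in a VNet overlap, that AzureBastionSubnet is /26 or larger, and that the two VNets you peer later have disjoint address spaces. The reserved-address count and the /26 minimum are Azure's documented requirements; the plan literals are the two-VNet design from this page, and running it on a plan whose worker subnet shares a range with AzureBastionSubnet reports the overlap.

```python
import ipaddress

AZURE_RESERVED_PER_SUBNET = 5      # network, 3 for Azure services, broadcast
BASTION_SUBNET_NAME = "AzureBastionSubnet"  # the name Azure Bastion requires
BASTION_SUBNET_MAX_PREFIXLEN = 26  # AzureBastionSubnet must be /26 or larger

def usable_hosts(cidr):
    """Addresses left for your own VMs after Azure's reserved ones."""
    return ipaddress.ip_network(cidr).num_addresses - AZURE_RESERVED_PER_SUBNET

def check_vnet(vnet_cidr, subnets):
    """Return the problems found in one VNet; subnets maps name -> CIDR."""
    vnet = ipaddress.ip_network(vnet_cidr)
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}
    problems = []
    for name, net in nets.items():
        if not net.subnet_of(vnet):
            problems.append(f"{name} {net} is outside VNet {vnet}")
        if name == BASTION_SUBNET_NAME and net.prefixlen > BASTION_SUBNET_MAX_PREFIXLEN:
            problems.append(f"{name} must be /26 or larger, got /{net.prefixlen}")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return problems

def check_peering(vnet_a, vnet_b):
    """Peering only works between VNets whose address spaces do not overlap."""
    a, b = ipaddress.ip_network(vnet_a), ipaddress.ip_network(vnet_b)
    return [f"peered VNets {a} and {b} overlap"] if a.overlaps(b) else []

# The two-VNet design from this page (subnet names from its environment variables).
BASTION_VNET_PLAN = ("10.0.0.0/24", {
    "AzureBastionSubnet": "10.0.0.64/26",
    "sub-eus-bastion-01": "10.0.0.128/26",
})
OPENSHIFT_VNET_PLAN = ("10.0.2.0/24", {
    "sub-eus-openshift-controlplane-06": "10.0.2.0/26",
    "sub-eus-openshift-worker-06": "10.0.2.128/26",
})

if __name__ == "__main__":
    for label, (cidr, subs) in (("bastion", BASTION_VNET_PLAN), ("openshift", OPENSHIFT_VNET_PLAN)):
        print(label, check_vnet(cidr, subs) or "ok")
    print("peering", check_peering(BASTION_VNET_PLAN[0], OPENSHIFT_VNET_PLAN[0]) or "ok")
    print("usable hosts per /26 subnet:", usable_hosts("10.0.0.64/26"))
```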
Create the environment variables you will use
Open a shell on your development computer and start Bash. Set the environment variables to use:
LOCATION=eastus
LOCATION_ABBR=eus
BASTION_RG=rg-costco-issue80-1
BASTION_VNET=vnet-$LOCATION_ABBR-bastion-01
BASTION_VM_SUBNET=sub-$LOCATION_ABBR-bastion-01
BASTION_SUBNET=AzureBastionSubnet
BASTION=b-$LOCATION_ABBR-bastion-01
BASTION_IP=ip-$LOCATION_ABBR-bastion-01
IP=ip-$LOCATION_ABBR-bastion-01
BASTION_VM_NAME=vm-bastion-01
# Base virtual network for Bastion: 10.0.0.0/24
# Bastion subnet: 10.0.0.64/26
# Bastion VM subnet: 10.0.0.128/26
BASE_VNET_IP_ADDRESS="10.0.0.0/24"
BASTION_SUBNET_IP_ADDRESS="10.0.0.64/26"
BASTION_VM_SUBNET_IP_ADDRESS="10.0.0.128/26"
Set up a Linux VM in the same virtual network
Create the resource group, the virtual network with the subnet for the VM, and then the virtual machine using the CLI.
# Create the resource group first; skip this line if it already exists.
az group create --name $BASTION_RG --location $LOCATION
az network vnet create --resource-group $BASTION_RG --name $BASTION_VNET \
--address-prefix $BASE_VNET_IP_ADDRESS \
--subnet-name $BASTION_VM_SUBNET --subnet-prefix $BASTION_VM_SUBNET_IP_ADDRESS
Create the virtual machine ($BASTION_VM_NAME) in the $BASTION_VM_SUBNET subnet with az vm create, following the quickstart linked below. The VM does not need a public IP address, because you will reach it only through the Bastion. The --generate-ssh-keys parameter is used to automatically generate an SSH key pair and put it in the default key location (~/.ssh).
For more information, see Quickstart: Create a Linux virtual machine with the Azure CLI
Set up Bastion
Set up the Bastion.
az network vnet subnet create --resource-group $BASTION_RG --vnet-name $BASTION_VNET \
--name $BASTION_SUBNET --address-prefix $BASTION_SUBNET_IP_ADDRESS
az network public-ip create --resource-group $BASTION_RG --name $BASTION_IP \
--sku Standard --location $LOCATION
az network bastion create --name $BASTION --public-ip-address $BASTION_IP --resource-group $BASTION_RG \
--vnet-name $BASTION_VNET --location $LOCATION
For more information, see Deploy Bastion using Azure CLI
How to copy and paste
Create the OpenShift virtual network
- Base virtual network for OpenShift: 10.0.2.0/24
- Control plane subnet: 10.0.2.0/26
- Worker subnet: 10.0.2.128/26
OPENSHIFT_RG=$BASTION_RG
INSTANCE=06
LOCATION_ABBR=eus
OPENSHIFT_VNET_NAME=vnet-$LOCATION_ABBR-openshift-$INSTANCE
OPENSHIFT_BASE_VNET_ADDR="10.0.2.0/24"
OPENSHIFT_CONTROLPLANESUBNET_NAME=sub-$LOCATION_ABBR-openshift-controlplane-$INSTANCE
OPENSHIFT_CONTROLPLANE_SUBNET_ADDR="10.0.2.0/26"
OPENSHIFT_WORKER_SUBNET_NAME=sub-$LOCATION_ABBR-openshift-worker-$INSTANCE
OPENSHIFT_WORKER_SUBNET_ADDR="10.0.2.128/26"
# Base virtual network for OpenShift: 10.0.2.0/24
# Control plane subnet: 10.0.2.0/26
# Worker subnet: 10.0.2.128/26
az network vnet create --resource-group $OPENSHIFT_RG --name $OPENSHIFT_VNET_NAME \
--address-prefix $OPENSHIFT_BASE_VNET_ADDR \
--subnet-name $OPENSHIFT_CONTROLPLANESUBNET_NAME --subnet-prefix $OPENSHIFT_CONTROLPLANE_SUBNET_ADDR
az network vnet subnet create --resource-group $OPENSHIFT_RG --vnet-name $OPENSHIFT_VNET_NAME \
--name $OPENSHIFT_WORKER_SUBNET_NAME --address-prefix $OPENSHIFT_WORKER_SUBNET_ADDR
Peer networks
Connect virtual networks to each other with virtual network peering. Once virtual networks are peered, resources in both virtual networks are able to communicate with each other, with the same latency and bandwidth as if the resources were in the same virtual network.
# Get the id of the OpenShift virtual network.
vNet1Id=$(az network vnet show \
--resource-group $OPENSHIFT_RG \
--name $OPENSHIFT_VNET_NAME \
--query id --out tsv)
# Get the id of the Bastion virtual network.
vNet2Id=$(az network vnet show \
--resource-group $BASTION_RG \
--name $BASTION_VNET \
--query id \
--out tsv)
# Peering requires non-overlapping address spaces and must be created from both sides.
# First, from the Bastion virtual network to the OpenShift virtual network.
az network vnet peering create \
--name $OPENSHIFT_VNET_NAME-$BASTION_VNET \
--resource-group $BASTION_RG \
--vnet-name $BASTION_VNET \
--remote-vnet $vNet1Id \
--allow-vnet-access
# Then, from the OpenShift virtual network back to the Bastion virtual network.
az network vnet peering create \
--name $BASTION_VNET-$OPENSHIFT_VNET_NAME \
--resource-group $OPENSHIFT_RG \
--vnet-name $OPENSHIFT_VNET_NAME \
--remote-vnet $vNet2Id \
--allow-vnet-access
For more information, see Connect virtual networks with virtual network peering using the Azure CLI
Install OpenShift
To install OpenShift from the Bastion:
- Generate the SSH key required for OpenShift.
- Get the OpenShift entitlement key.
Then follow Install OCP on Azure for Ops and Install OpenShift on Azure.
Configure VNet peering
To configure VNet peering to connect your OpenShift worker nodes to computers in other virtual networks:
- Verify that you have configured VNets, and virtual machines within the VNets.
- Configure VNet peering.
- Configure Bastion in one of the VNets.
- Verify permissions.
- Connect to a VM via Azure Bastion. In order to connect via Azure Bastion, you must have the correct permissions for the subscription you are signed into.
For more information, see VNet peering and Azure Bastion
Contributors
- Bruce Kyle
- Volodymyr Rozdolsky
- Hamza Elgindy
March 22, 2022