Add support for NAT Gateway for egress (#8)

First version will use az commands as this is not exposed in azure collection
rcarrata · May 20, 2022 · 68e348b · 68e348b
1 parent f8a8753
commit 68e348b
Show file tree

Hide file tree

Showing 5 changed files with 42 additions and 1 deletion.
diff --git a/docs/egress-nat.md b/docs/egress-nat.md
@@ -2,7 +2,9 @@
 
 ## 1 Install and Configure Azure with Nat Gateway as Egress Outbound
 
-TODO
+```
+ansible-playbook install-private.yml -e "egress=natgateway" -e "azure_outboundtype=UserDefinedRouting" --vault-password-file .vault-file-password
+```
 
 ## 1.2 Checking the Azure Firewall
 

diff --git a/install-private.yml b/install-private.yml
@@ -7,6 +7,7 @@
     - vault/azure.yml
     - vars/vars-private.yml
     - vars/vars-firewall.yml # Only used in egress=firewall
+    - vars/vars-nat-gateway.yml # Only used in egress=natgateway
   environment:
     AZURE_SUBSCRIPTION_ID: "{{ azure_subscription_id }}"
     AZURE_TENANT: "{{ azure_tenant }}"

diff --git a/roles/ocp4-cloud-ipi/tasks/azure-infra-nat-gateway.yml b/roles/ocp4-cloud-ipi/tasks/azure-infra-nat-gateway.yml
@@ -0,0 +1,24 @@
+---
+
+# Based on: https://docs.microsoft.com/en-us/azure/virtual-network/nat-gateway/quickstart-create-nat-gateway-cli
+## Create PIP for NAT Gateway
+# TODO: check the sku standard that could be deprecated in the future
+- name: Create a public ip address for NAT Gateway
+  azure_rm_publicipaddress:
+    resource_group: "{{ azure_resource_group }}"
+    name: "{{ azure_natgateway_pip_name }}"
+    allocation_method: static
+    sku: standard
+  register: natgateway_pip
+
+## Create Azure NAT Gateway
+# TODO: replace with Ansible module when available
+- name: Create Azure NAT Gateway
+  shell: "az network nat gateway create --resource-group {{ azure_resource_group }} --name {{ azure_natgateway_name }} --public-ip-addresses {{ azure_natgateway_pip_name }}"
+
+## Associate Azure NAT Gateway with subnets
+# TODO: replace with Ansible module when available
+- name: Associate NAT Gateway to the compute subnet
+  shell: "az network vnet subnet update --resource-group {{ azure_resource_group }} --vnet-name {{ azure_vnet_name }} --name \"compute\" --nat-gateway {{ azure_natgateway_name }}"
+- name: Associate NAT Gateway to the control-plane subnet
+  shell: "az network vnet subnet update --resource-group {{ azure_resource_group }} --vnet-name {{ azure_vnet_name }} --name \"control-plane\" --nat-gateway {{ azure_natgateway_name }}"
diff --git a/roles/ocp4-cloud-ipi/tasks/main.yml b/roles/ocp4-cloud-ipi/tasks/main.yml
@@ -40,6 +40,15 @@
     - egress == "firewall"
     - action == "provision-infra"
 
+### Adding the Azure Private only for Private Installs and Egress Modes Azure NAT Gateway
+- block:
+    - import_tasks: azure-infra-nat-gateway.yml        # Adding the Azure NAT Gateway
+  when:
+    - cloud == "azure"
+    - mode == "private" or mode == "disconnected"
+    - egress == "natgateway"
+    - action == "provision-infra"
+
 ### Private/Disconnected Azure Login/Creds and Bastion Packages
 - block:
     - import_tasks: bastion-azure-login.yml

diff --git a/vars/vars-nat-gateway.yml b/vars/vars-nat-gateway.yml
@@ -0,0 +1,5 @@
+# Azure NAT gateway vars (only working if egress=natgateway is set)
+azure_natgateway_name: az-ocp4-natgateway
+azure_natgateway_pip_name: az-ocp4-pip-natgateway
+
+azure_outboundtype: "UserDefinedRouting"
-Original file line number
+Diff line change
@@ Expand Up / @@ -2,7 +2,9 @@ @@
     ## 1 Install and Configure Azure with Nat Gateway as Egress Outbound
-    TODO
+    ```
+    ansible-playbook install-private.yml -e "egress=natgateway" -e "azure_outboundtype=UserDefinedRouting" --vault-password-file .vault-file-password
+    ```
     ## 1.2 Checking the Azure Firewall
@@ Expand Down @@