{"id":50086,"date":"2025-07-11T10:09:46","date_gmt":"2025-07-11T10:09:46","guid":{"rendered":"https:\/\/www.devopsschool.com\/blog\/?p=50086"},"modified":"2026-02-21T07:34:56","modified_gmt":"2026-02-21T07:34:56","slug":"openshift-how-to-configure-azure-openshift-aro-with-custom-domain","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/blog\/openshift-how-to-configure-azure-openshift-aro-with-custom-domain\/","title":{"rendered":"Openshift: How to configure Azure openshift ARO with Custom Domain"},"content":{"rendered":"\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"508\" src=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/07\/image-18-1024x508.png\" alt=\"\" class=\"wp-image-50089\" srcset=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/07\/image-18-1024x508.png 1024w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/07\/image-18-300x149.png 300w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/07\/image-18-768x381.png 768w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/07\/image-18.png 1218w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Step-by-Step Guide: Configuring Azure Red Hat OpenShift (ARO) with a Custom Domain<\/h2>\n\n\n\n<p>Setting up a custom domain for your ARO cluster involves both Azure and DNS provider configurations. Follow these steps for a successful setup.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">1. Prepare Your Custom Domain<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Choose the domain you want to use (e.g., <code>rajeshkumar.xyz<\/code>).<\/li>\n\n\n\n<li>Ensure you have access to the DNS management portal for your domain.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">2. 
Deploy or Identify Your ARO Cluster<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If you haven\u2019t already, deploy your ARO cluster via the Azure Portal, CLI, or ARM templates.<\/li>\n\n\n\n<li>Note your cluster\u2019s <strong>name<\/strong> and <strong>resource group<\/strong>.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">3. Retrieve Required ARO IP Addresses<\/h2>\n\n\n\n<p>You need two IP addresses:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>API Server IP<\/strong> (for <code>api.&lt;yourdomain&gt;<\/code>)<\/li>\n\n\n\n<li><strong>Ingress IP<\/strong> (for <code>*.apps.&lt;yourdomain&gt;<\/code>)<\/li>\n<\/ul>\n\n\n\n<p><strong>Command Line Method:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>az aro show --name &lt;cluster_name&gt; --resource-group &lt;resource_group&gt; --query \"apiserverProfile.ip\" -o tsv\naz aro show --name &lt;cluster_name&gt; --resource-group &lt;resource_group&gt; --query \"ingressProfiles[0].ip\" -o tsv\n<\/code><\/pre>\n\n\n\n<p>Replace <code>&lt;cluster_name&gt;<\/code> and <code>&lt;resource_group&gt;<\/code> with your actual values.<\/p>\n\n\n\n<p>Alternatively, you can get these IPs from the Azure Portal under your ARO cluster\u2019s overview or networking section.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">4. 
Configure DNS Records<\/h2>\n\n\n\n<p>In your DNS provider\u2019s portal, create the following <strong>A records<\/strong>:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>DNS Record<\/th><th>Points To<\/th><th>Purpose<\/th><\/tr><\/thead><tbody><tr><td><code>api.&lt;yourdomain&gt;<\/code><\/td><td>API Server IP<\/td><td>OpenShift API endpoint<\/td><\/tr><tr><td><code>*.apps.&lt;yourdomain&gt;<\/code><\/td><td>Ingress IP<\/td><td>Console &amp; app routes<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><strong>Example:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>api.rajeshkumar.xyz<\/code> \u2192 <code>4.240.123.104<\/code><\/li>\n\n\n\n<li><code>*.apps.rajeshkumar.xyz<\/code> \u2192 <code>74.225.159.59<\/code><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">5. (Optional) Upload Custom SSL Certificates<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>By default, OpenShift uses self-signed certificates for custom domains.<\/li>\n\n\n\n<li>For production, generate or buy valid SSL certificates for both the API and ingress endpoints.<\/li>\n\n\n\n<li>Upload these certificates via the OpenShift console or CLI.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">6. Test Domain Resolution<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use <code>nslookup<\/code> or <code>dig<\/code> to confirm your DNS records resolve to the correct IPs.<\/li>\n\n\n\n<li>Example: <code>nslookup console-openshift-console.apps.rajeshkumar.xyz<\/code> and <code>nslookup api.rajeshkumar.xyz<\/code><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">7. Access the OpenShift Console<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Visit <code>https:\/\/console-openshift-console.apps.&lt;yourdomain&gt;<\/code> in your browser.<\/li>\n\n\n\n<li>If you see certificate warnings, check your SSL setup.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">8. 
Troubleshooting<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>DNS not resolving:<\/strong> Double-check your A records and allow time for DNS propagation.<\/li>\n\n\n\n<li><strong>SSL errors:<\/strong> Ensure certificates are valid and correctly uploaded.<\/li>\n\n\n\n<li><strong>Console inaccessible:<\/strong> Confirm that firewall\/network rules allow inbound access to the cluster IPs.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Summary Table<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Step<\/th><th>Action Required<\/th><\/tr><\/thead><tbody><tr><td>Prepare Domain<\/td><td>Own\/manage custom domain<\/td><\/tr><tr><td>Get ARO IPs<\/td><td>Use Azure CLI\/Portal<\/td><\/tr><tr><td>Set DNS Records<\/td><td>Create A records for API &amp; Ingress<\/td><\/tr><tr><td>Upload Certificates<\/td><td>(Optional) For production security<\/td><\/tr><tr><td>Test Access<\/td><td>Use browser &amp; DNS tools<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>By following these steps, your Azure Red Hat OpenShift cluster will be accessible via your custom domain, providing a professional and branded experience for users and developers.<\/p>\n\n\n\n<p>
Here\u2019s a <strong>step-by-step, Azure-native guide<\/strong> for configuring <strong>Azure Red Hat OpenShift (ARO) with a custom domain<\/strong>, including DNS and what you must know about network security restrictions.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h1 class=\"wp-block-heading\"><strong>Step-by-Step: Configure Azure OpenShift (ARO) with a Custom Domain<\/strong><\/h1>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Step 1: Plan Your Custom Domain and Subdomains<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Decide your <strong>root domain<\/strong> (e.g., <code>rajeshkumar.xyz<\/code>).<\/li>\n\n\n\n<li>Plan the following records (examples):\n<ul class=\"wp-block-list\">\n<li><code>api.rajeshkumar.xyz<\/code> \u2192 OpenShift API endpoint<\/li>\n\n\n\n<li><code>*.apps.rajeshkumar.xyz<\/code> \u2192 All OpenShift app routes (console, etc.)<\/li>\n\n\n\n<li>Optionally, <code>api-int.rajeshkumar.xyz<\/code> for internal API.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Step 2: Deploy ARO Cluster with Custom Domain<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Option A: Azure Portal<\/strong><\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Go to <strong>Create ARO<\/strong> cluster.<\/li>\n\n\n\n<li>Under <strong>Domain<\/strong>, <strong>enter your custom domain<\/strong> (e.g., <code>rajeshkumar.xyz<\/code>).<\/li>\n\n\n\n<li>Continue with normal ARO setup (location, node count, vNet, etc.).<\/li>\n\n\n\n<li>Deploy the cluster.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Option B: Azure CLI<\/strong><\/h3>\n\n\n\n<p>If using ARM\/Bicep\/Terraform, set the <code>domain<\/code> property to your custom domain.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 
class=\"wp-block-heading\"><strong>Step 3: Wait for ARO Deployment<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>ARO will deploy, but <strong>will NOT manage your DNS<\/strong>\u2014it assumes you will configure DNS records.<\/li>\n\n\n\n<li>After deployment, obtain the <strong>public IPs<\/strong> for API and Apps endpoints.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Step 4: Find Your Public IP Addresses<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Go to the <strong>ARO managed resource group<\/strong> (name starts with <code>aro-infra-<\/code> or <code>mc_<\/code>).<\/li>\n\n\n\n<li>In <strong>Azure Portal<\/strong> or CLI: <code>az network public-ip list -g &lt;MANAGED-RG&gt; -o table<\/code><\/li>\n\n\n\n<li>You will see two public IPs, usually named:\n<ul class=\"wp-block-list\">\n<li><code>*-default-v4<\/code> (for API)<\/li>\n\n\n\n<li><code>*-pip-v4<\/code> (for Apps\/Router)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Step 5: Create DNS Records at Your Registrar<\/strong><\/h2>\n\n\n\n<p>Go to your <strong>domain registrar\u2019s DNS management panel<\/strong> and add:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Subdomain<\/th><th>Type<\/th><th>Value (Public IP)<\/th><th>Purpose<\/th><\/tr><\/thead><tbody><tr><td>api.<\/td><td>A<\/td><td>[API Public IP]<\/td><td>API server<\/td><\/tr><tr><td>api-int. 
(optional)<\/td><td>A<\/td><td>[API Public IP]<\/td><td>Internal API<\/td><\/tr><tr><td>*.apps.<\/td><td>A<\/td><td>[Apps Public IP]<\/td><td>All apps routes<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><strong>Example:<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Subdomain<\/th><th>Type<\/th><th>Value<\/th><\/tr><\/thead><tbody><tr><td>api.rajeshkumar.xyz<\/td><td>A<\/td><td>74.225.159.59<\/td><\/tr><tr><td>api-int.rajeshkumar.xyz<\/td><td>A<\/td><td>74.225.159.59<\/td><\/tr><tr><td>*.apps.rajeshkumar.xyz<\/td><td>A<\/td><td>4.240.123.104<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Step 6: Wait for DNS Propagation<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use <a href=\"https:\/\/dnschecker.org\/\" target=\"_blank\" rel=\"noopener\">dnschecker.org<\/a> to verify DNS records.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Step 7: NSG\/Firewall (Critical for Custom Domains!)<\/strong><\/h2>\n\n\n\n<p><strong>Azure ARO managed RGs<\/strong> have locked-down NSGs.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>If port 443 to the Apps\/Router public IP is not allowed<\/strong>, you cannot change this yourself.<\/li>\n\n\n\n<li>If you cannot access the console or app routes after DNS, <strong>open an Azure support ticket<\/strong> and request: &#8220;Allow inbound TCP 443 from Internet to the APPS\/Router public IP (<code>&lt;your-apps-ip&gt;<\/code>) in NSG <code>&lt;your-nsg&gt;<\/code> of managed RG <code>&lt;your-managed-rg&gt;<\/code> for my custom domain.&#8221;<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Step 8: Validate Access<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Open your browser 
to<br><code>https:\/\/console-openshift-console.apps.&lt;yourdomain&gt;\/<\/code><\/li>\n\n\n\n<li>You may see a certificate warning for up to an hour until OpenShift issues a valid TLS cert for your custom domain.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Step 9: (Optional) Configure Email, Branding, etc.<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Optionally update cluster branding and notification settings in the OpenShift console.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Azure Official References<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/openshift\/howto-custom-domain\" target=\"_blank\" rel=\"noopener\">ARO custom domain docs<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/openshift\/openshift-faq#networking\" target=\"_blank\" rel=\"noopener\">ARO FAQ: Networking &amp; NSG<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/openshift\/openshift-public-endpoints\" target=\"_blank\" rel=\"noopener\">ARO public endpoint docs<\/a><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h1 class=\"wp-block-heading\"><strong>Quick Recap Checklist<\/strong><\/h1>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Deploy ARO with custom domain set.<\/li>\n\n\n\n<li>Note down API and Apps public IPs from managed RG.<\/li>\n\n\n\n<li>Create required A records at your DNS provider.<\/li>\n\n\n\n<li>Wait for DNS propagation.<\/li>\n\n\n\n<li>(If needed) Request Azure to open 443 to your Apps\/Router IP in managed RG NSG.<\/li>\n\n\n\n<li>Access your console and apps via custom domain URLs.<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n
<p>Here\u2019s a <strong>compact cheat sheet of all key Azure CLI commands<\/strong> you\u2019ll use for working with Azure resource groups and for <strong>troubleshooting ARO custom domain public IPs, NSGs, and load balancers<\/strong>.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h1 class=\"wp-block-heading\"><strong>Essential Azure CLI Commands for ARO\/Resource Groups<\/strong><\/h1>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>1. List All Resource Groups<\/strong><\/h2>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-1\" data-shcb-language-name=\"PHP\" data-shcb-language-slug=\"php\"><span><code class=\"hljs language-php\">az group <span class=\"hljs-keyword\">list<\/span> -o table\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-1\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">PHP<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">php<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<h2 class=\"wp-block-heading\"><strong>2. 
Show Details of a Resource Group<\/strong><\/h2>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-2\" data-shcb-language-name=\"HTML, XML\" data-shcb-language-slug=\"xml\"><span><code class=\"hljs language-xml\">az group show -n <span class=\"hljs-tag\">&lt;<span class=\"hljs-name\">RESOURCE-GROUP-NAME<\/span>&gt;<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-2\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">HTML, XML<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">xml<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>3. Find ARO Managed Resource Group<\/strong><\/h2>\n\n\n\n<p><em>(If you only know your ARO cluster&#8217;s resource group and name):<\/em><\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-3\" data-shcb-language-name=\"HTML, XML\" data-shcb-language-slug=\"xml\"><span><code class=\"hljs language-xml\">az aro show -g <span class=\"hljs-tag\">&lt;<span class=\"hljs-name\">YOUR-CLUSTER-RG<\/span>&gt;<\/span> -n <span class=\"hljs-tag\">&lt;<span class=\"hljs-name\">YOUR-CLUSTER-NAME<\/span>&gt;<\/span> --query \"clusterProfile.resourceGroupId\"\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-3\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">HTML, XML<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">xml<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p><em>(Extract the managed RG name from the result.)<\/em><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>4. 
List All Public IPs in a Resource Group<\/strong><\/h2>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-4\" data-shcb-language-name=\"PHP\" data-shcb-language-slug=\"php\"><span><code class=\"hljs language-php\">az network <span class=\"hljs-keyword\">public<\/span>-ip <span class=\"hljs-keyword\">list<\/span> -g &lt;MANAGED-RG&gt; -o table\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-4\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">PHP<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">php<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>5. List All NSGs in a Resource Group<\/strong><\/h2>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-5\" data-shcb-language-name=\"HTML, XML\" data-shcb-language-slug=\"xml\"><span><code class=\"hljs language-xml\">az network nsg list -g <span class=\"hljs-tag\">&lt;<span class=\"hljs-name\">MANAGED-RG<\/span>&gt;<\/span> -o table\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-5\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">HTML, XML<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">xml<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>6. 
List All Inbound Rules for an NSG<\/strong><\/h2>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-6\" data-shcb-language-name=\"HTML, XML\" data-shcb-language-slug=\"xml\"><span><code class=\"hljs language-xml\">az network nsg rule list -g <span class=\"hljs-tag\">&lt;<span class=\"hljs-name\">MANAGED-RG<\/span>&gt;<\/span> --nsg-name <span class=\"hljs-tag\">&lt;<span class=\"hljs-name\">NSG-NAME<\/span>&gt;<\/span> -o table\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-6\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">HTML, XML<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">xml<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>7. List All Load Balancers in a Resource Group<\/strong><\/h2>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-7\" data-shcb-language-name=\"HTML, XML\" data-shcb-language-slug=\"xml\"><span><code class=\"hljs language-xml\">az network lb list -g <span class=\"hljs-tag\">&lt;<span class=\"hljs-name\">MANAGED-RG<\/span>&gt;<\/span> -o table\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-7\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">HTML, XML<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">xml<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>8. 
Show LB Frontend IP Configuration (see what public IP is attached)<\/strong><\/h2>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-8\" data-shcb-language-name=\"HTML, XML\" data-shcb-language-slug=\"xml\"><span><code class=\"hljs language-xml\">az network lb frontend-ip list -g <span class=\"hljs-tag\">&lt;<span class=\"hljs-name\">MANAGED-RG<\/span>&gt;<\/span> --lb-name <span class=\"hljs-tag\">&lt;<span class=\"hljs-name\">LB-NAME<\/span>&gt;<\/span> -o table\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-8\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">HTML, XML<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">xml<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>9. List Subnets in a VNET<\/strong><\/h2>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-9\" data-shcb-language-name=\"HTML, XML\" data-shcb-language-slug=\"xml\"><span><code class=\"hljs language-xml\">az network vnet subnet list -g <span class=\"hljs-tag\">&lt;<span class=\"hljs-name\">MANAGED-RG<\/span>&gt;<\/span> --vnet-name <span class=\"hljs-tag\">&lt;<span class=\"hljs-name\">VNET-NAME<\/span>&gt;<\/span> -o table\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-9\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">HTML, XML<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">xml<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>10. 
List All Public IPs in Your Subscription (across all RGs)<\/strong><\/h2>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-10\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\"><span class=\"hljs-selector-tag\">az<\/span> <span class=\"hljs-selector-tag\">network<\/span> <span class=\"hljs-selector-tag\">public-ip<\/span> <span class=\"hljs-selector-tag\">list<\/span> <span class=\"hljs-selector-tag\">--query<\/span> \"<span class=\"hljs-selector-attr\">&#91;]<\/span>.{<span class=\"hljs-attribute\">ResourceGroup<\/span>:resourceGroup, Name:name, IP:ipAddress}\" <span class=\"hljs-selector-tag\">-o<\/span> <span class=\"hljs-selector-tag\">table<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-10\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h1 class=\"wp-block-heading\"><strong>BONUS: DNS &amp; Connectivity Checks (From any shell)<\/strong><\/h1>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Check DNS Resolution<\/strong> <code>nslookup console-openshift-console.apps.&lt;yourdomain&gt;<\/code><\/li>\n\n\n\n<li><strong>Test OpenShift Console Endpoint<\/strong> <code>curl -vk https:\/\/console-openshift-console.apps.&lt;yourdomain&gt;\/<\/code><\/li>\n\n\n\n<li><strong>Test OpenShift API Endpoint<\/strong> <code>curl -vk https:\/\/api.&lt;yourdomain&gt;:6443\/<\/code><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h1 class=\"wp-block-heading\"><strong>Typical Workflow Example<\/strong><\/h1>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Find managed RG for your cluster:<\/strong><br><code>az aro show -g DevOpsSchool -n devopsschool 
--query \"clusterProfile.resourceGroupId\"<\/code><\/li>\n\n\n\n<li><strong>List public IPs in managed RG:<\/strong><br><code>az network public-ip list -g aro-infra-mcyj58v7-devopsschool -o table<\/code><\/li>\n\n\n\n<li><strong>List NSGs:<\/strong><br><code>az network nsg list -g aro-infra-mcyj58v7-devopsschool -o table<\/code><\/li>\n\n\n\n<li><strong>Check NSG rules:<\/strong><br><code>az network nsg rule list -g aro-infra-mcyj58v7-devopsschool --nsg-name devopsschool-8v55v-nsg -o table<\/code><\/li>\n\n\n\n<li><strong>Find which LB is using which public IP:<\/strong><br><code>az network lb frontend-ip list -g aro-infra-mcyj58v7-devopsschool --lb-name &lt;LB-NAME&gt; -o table<\/code><\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<p><strong>The limitation with ARO and AKS managed resource groups:<\/strong><br><strong>Microsoft locks the managed resource group with \u201cDeny Assignments\u201d,<\/strong> so only Microsoft support can make NSG changes in that resource group.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>You Cannot:<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Add, remove, or edit NSG rules<\/strong> in the managed RG (<code>aro-infra-mcyj58v7-devopsschool<\/code>)<\/li>\n\n\n\n<li><strong>Delete or unlock the deny assignment<\/strong> (it is set by Azure policy for managed services)<\/li>\n\n\n\n<li><strong>Change inbound traffic rules for your public IPs<\/strong> in the managed RG<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Why?<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>This is by Azure design, so customers can\u2019t accidentally break cluster networking.<\/li>\n\n\n\n<li><a 
href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/aks\/faq#why-cant-i-modify-objects-in-the-managed-resource-group\" target=\"_blank\" rel=\"noopener\">See official docs (\u201cWhy can\u2019t I modify objects in the managed resource group?\u201d)<\/a><\/li>\n\n\n\n<li>This is the same for both <strong>ARO<\/strong> and <strong>AKS<\/strong>.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>What Are Your Options?<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>A.<\/strong> <strong>Contact Microsoft Support (Recommended and only supported way)<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>This is the <strong>only way<\/strong> to add or change NSG rules in the managed resource group for ARO clusters.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>B.<\/strong> <strong>(Re)Create the Cluster with a Default Domain<\/strong> (temporary workaround)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If you use the <strong>default domain<\/strong> (<code>&lt;cluster&gt;.&lt;region&gt;.aroapp.io<\/code>), Azure sets up all DNS and NSG rules for you.<\/li>\n\n\n\n<li><strong>You lose your custom domain<\/strong>, but your cluster will be accessible without support intervention.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>C.<\/strong> <strong>Wait for Microsoft\u2019s Newer Capabilities<\/strong> (not available as of July 2026)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Azure is working on making managed resource groups more flexible, but today, only support can do this.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Summary Table<\/strong><\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Task<\/th><th>Possible by You<\/th><th>Possible by Microsoft Support<\/th><\/tr><\/thead><tbody><tr><td>Edit NSG in managed 
RG<\/td><td>\u274c No<\/td><td>\u2705 Yes<\/td><\/tr><tr><td>Unlock RG<\/td><td>\u274c No<\/td><td>\u274c No<\/td><\/tr><tr><td>Use default domain<\/td><td>\u2705 Yes<\/td><td>N\/A<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>What to Do Now<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Open a support ticket:<\/strong><br><em>Only Microsoft support<\/em> can change NSG rules for you, and it\u2019s a known, routine request.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Support Ticket Template (Copy &amp; Paste):<\/strong><\/h2>\n\n\n\n<p><strong>Subject:<\/strong><br>ARO Custom Domain: Please open port 443 on APPS Public IP in Managed RG<\/p>\n\n\n\n<p><strong>Body:<\/strong><br>Hello,<br>I have deployed an Azure Red Hat OpenShift (ARO) cluster with a custom domain.<br>The console and apps endpoints are not accessible because the Network Security Group in the managed resource group does not allow inbound TCP 443 to the APPS\/Router public IP.<br>Please add an allow rule for TCP 443 from Internet (0.0.0.0\/0) to 4.240.123.104 in NSG <code>devopsschool-8v55v-nsg<\/code> (managed RG <code>aro-infra-mcyj58v7-devopsschool<\/code>).<br>Thank you.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<p><strong>This is the only way to solve this for any production ARO with a custom domain.<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Step-by-Step Guide: Configuring Azure Red Hat OpenShift (ARO) with a Custom Domain Setting up a custom domain for your ARO cluster involves both Azure and DNS provider configurations. 
Follow these&#8230; <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"_joinchat":[],"footnotes":""},"categories":[5153],"tags":[],"class_list":["post-50086","post","type-post","status-publish","format-standard","hentry","category-openshift"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/50086","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/comments?post=50086"}],"version-history":[{"count":4,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/50086\/revisions"}],"predecessor-version":[{"id":59107,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/50086\/revisions\/59107"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/media?parent=50086"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/categories?post=50086"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/tags?post=50086"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}