DNS resolution: ROSA with Hosted Control Plane (HCP) compared to ROSA classic


Summary

Interoperability between the Amazon Route53 resolver and ROSA classic was reported as challenging, so in the ROSA with HCP architecture DNS record handling is consistent with other AWS services, such as Amazon EKS.

ROSA with HCP provisions certificates for the private and public cluster API endpoints, which requires at minimum a valid DNS name. Under this model, that DNS name resolves only to a private IP in the customer's VPC for the cluster. Because these are always private IPs, a client without access to the private VPC may receive the IP from DNS, but connectivity to the cluster is blocked. To support this, ROSA with HCP must publish public DNS records for both private and public clusters.

Red Hat and AWS are committed to keeping our services secure while reducing customer effort on undifferentiated work.
Publishing private IPs in DNS is a way of decoupling service access across connected VPCs.
This was done intentionally and has been verified with the AWS AppSec team as representing no customer risk. Because of the easier connectivity it gives customers, there is currently no plan to change this decision.


1. Why the Public Zone Exists

ROSA with Hosted Control Plane is a fully managed service. To ensure the Red Hat Site Reliability Engineering (SRE) team can manage the control plane, which resides in a Red Hat-owned AWS account, the service requires a reliable, consistent way to monitor and access cluster components.

Standardized Architecture: To avoid interoperability challenges found in the classic architecture, ROSA with Hosted Control Plane now aligns its DNS handling with other major AWS services like Amazon EKS.

Certificate Management: Clusters require valid, publicly trusted SSL/TLS certificates for their API and application routes. Issuing and renewing these certificates relies on a public DNS validation process, which ensures connections are always encrypted and trusted without manual intervention.

2. How Privacy is Maintained

The presence of a Public Hosted Zone does not expose the cluster or its data to the internet.

Private Resolution: Within the VPC, these DNS names resolve strictly to private IPs. Even if a client on the public internet obtains a private IP address via DNS, it cannot establish a connection because the traffic is blocked at the network layer.

AWS PrivateLink: Actual network connectivity is controlled by AWS PrivateLink. The underlying load balancers have no internet-facing interfaces, so there is no network path from the public internet into your cluster.

Non-Sensitive Data: Public DNS records for private resources are a standard AWS practice. Private IP addresses are not considered sensitive information and do not grant access to the data or control plane.
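A practical way to confirm the behaviour described in this section is to resolve the cluster API hostname and verify that every returned address is VPC-private. The following is an added example, not Red Hat or AWS code: the hostname is a constructed placeholder, the resolver is injectable so the check can run offline, and it assumes the cluster VPC uses an RFC 1918 range.

```python
"""Check that a ROSA HCP API hostname resolves only to VPC-private addresses."""
import ipaddress
import socket
from typing import Callable, Iterable

# Assumption: the cluster VPC CIDR comes from one of the RFC 1918 ranges
# (a VPC built from 100.64.0.0/10 would need that range added here).
VPC_PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def resolve_a_records(hostname: str) -> list[str]:
    """Real resolver: every IPv4 address the local DNS returns for hostname."""
    infos = socket.getaddrinfo(hostname, 443, family=socket.AF_INET,
                               type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def classify_addresses(addresses: Iterable[str]) -> dict[str, list[str]]:
    """Split resolved addresses into VPC-private and anything else.

    Loopback, link-local, IPv6 and public addresses all land in 'unexpected':
    a ROSA HCP API record should only ever resolve to VPC-private IPv4 addresses.
    """
    result: dict[str, list[str]] = {"private": [], "unexpected": []}
    for addr in addresses:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            result["unexpected"].append(addr)
            continue
        if ip.version == 4 and any(ip in net for net in VPC_PRIVATE_RANGES):
            result["private"].append(addr)
        else:
            result["unexpected"].append(addr)
    return result


def api_endpoint_is_private_only(hostname: str,
                                 resolver: Callable[[str], list[str]] = resolve_a_records) -> bool:
    """True only if the record resolved and every returned address is VPC-private."""
    classified = classify_addresses(resolver(hostname))
    return bool(classified["private"]) and not classified["unexpected"]


if __name__ == "__main__":
    # Constructed placeholder; substitute the API hostname of your own cluster.
    print(api_endpoint_is_private_only("api.example-cluster.placeholder.openshiftapps.com"))
```

Run from inside the VPC and from outside it: both should return True, since the public zone hands out the same private address either way and only the VPC has a network path to it.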

3. Verified Security & Reduced Overhead

This architecture was designed to reduce "undifferentiated heavy lifting".

AppSec Verified: This design has been verified by the AWS Application Security (AppSec) team and represents no risk to the customer.

Loosely Coupled Connectivity: Using private IP DNS allows for easier service access across connected VPCs, making your infrastructure more flexible and easier to scale without complex DNS workarounds.


The public zone is a technical requirement for Red Hat to manage the clusters and keep the certificates up to date.
It does not expose the data plane or API to the internet. Access is secured at the network level, ensuring your environment remains private.
