IaaC with Openshift on Azure

#infrastructure automation   #azure  


Enabling Infrastructure as Code for Azure Red Hat OpenShift (ARO).

There are various ways to provision ARO on Azure. Following are some of them:

  • Azure CLI
  • Azure Portal GUI

Both of the above options leave very little room to customize your ARO cluster, for example if you want a larger number of worker nodes, specific worker node sizes, or one or more machine sets in the cluster whose machines have different specifications.

Provisioning via an ARM template gives all of that flexibility and more. It also gives you the option to run one or more pre- or post-deployment scripts to further automate the Azure landing zone setup. The ARM template in the GitHub link below is a working version of the template to provision ARO on an existing Azure landing zone that already has all the network components available:



Complete the following prerequisites before executing the ARO ARM template:

  1. Create a service principal with the 'Contributor' role:

az ad sp create-for-rbac --name sp-arm-aro --role Contributor

Following is a sample output, with the values masked:

{
  "appId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "displayName": "sp-arm-aro",
  "name": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "password": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "tenant": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}

  2. Register the Microsoft.RedHatOpenShift resource provider:

az provider register -n Microsoft.RedHatOpenShift --wait

To obtain the value of the 'rpObjectId' parameter of the ARM template, run the following command in the Azure CLI:

az ad sp list --filter "displayname eq 'Azure Red Hat OpenShift RP'" --query "[?appDisplayName=='Azure Red Hat OpenShift RP'].{name: appDisplayName, objectId: objectId}" -o

  3. Get a Red Hat pull secret from the Red Hat website and save it to pull-secret.txt. This file should be present in the same folder as the ARM parameters.json.
  4. Create a virtual network, either using an ARM template or using the following Azure CLI command:

az network vnet create \
  --resource-group $RESOURCEGROUP \
  --name aro-vnet \

  5. Add an empty subnet for the master nodes:

az network vnet subnet create \
  --resource-group $RESOURCEGROUP \
  --vnet-name aro-vnet \
  --name master-subnet \
  --address-prefixes \
  --service-endpoints Microsoft.ContainerRegistry

  6. Add an empty subnet for the worker nodes:

az network vnet subnet create \
  --resource-group $RESOURCEGROUP \
  --vnet-name aro-vnet \
  --name worker-subnet \
  --address-prefixes \
  --service-endpoints Microsoft.ContainerRegistry

  7. Disable subnet private endpoint policies on the master subnet. This is required for the service to be able to connect to and manage the cluster.

az network vnet subnet update \
  --name master-subnet \
  --resource-group $RESOURCEGROUP \
  --vnet-name aro-vnet \
  --disable-private-link-service-network-policies true

Running the template

Run the template from an IaC pipeline or from the Azure CLI using the following command:

az deployment group create \
  --name ARODeployment \
  --resource-group <resourceGroupName> \
  --template-uri "https://<sample-github-repo-link>/aro_template_arm.json" \
  --parameters "https://<sample-github-repo-link>/aro_parameter_arm.json" \
  --pull-secret @/path/to/my/pull-secret.txt
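The prerequisite steps and the pre-flight checks a pipeline should run before the deployment command above, as an added example that is not code from the original post. It assumes the Azure CLI is on PATH, that the resource group name (default rg-aro) is the one the template deploys into and that the vnet lives in the same group; with DRY_RUN set the az commands are printed instead of executed.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: the prerequisite steps
# wrapped as pipeline-friendly functions plus pre-flight checks to run
# before 'az deployment group create'. Assumes the Azure CLI is on PATH;
# with DRY_RUN set the az commands are printed, not executed.
set -eu

RESOURCEGROUP="${RESOURCEGROUP:-rg-aro}"   # assumed name; the post uses $RESOURCEGROUP
SP_NAME="${SP_NAME:-sp-arm-aro}"

# Execute a command, or print it when DRY_RUN is set (lets CI lint the plan).
run() { if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Step 1, least-privilege form: scope Contributor to the deployment resource
# group (assumes the vnet lives there too) instead of the whole subscription.
create_sp() {   # usage: create_sp <subscription-id>
  run az ad sp create-for-rbac --name "$SP_NAME" --role Contributor \
    --scopes "/subscriptions/$1/resourceGroups/$RESOURCEGROUP"
}

# Mask the credential in create-for-rbac output before it reaches a CI log;
# appId, tenant and displayName are not secret and stay readable.
redact_sp_output() { sed -E 's/("password": *")[^"]*"/\1[REDACTED]"/'; }

# Steps 5-7 for one subnet: create it and, for the master subnet, disable
# the private link service network policies the ARO service needs disabled.
create_subnet() {   # usage: create_subnet <name> <prefix> [master]
  run az network vnet subnet create --resource-group "$RESOURCEGROUP" \
    --vnet-name aro-vnet --name "$1" --address-prefixes "$2" \
    --service-endpoints Microsoft.ContainerRegistry
  [ "${3:-}" = master ] && run az network vnet subnet update \
    --resource-group "$RESOURCEGROUP" --vnet-name aro-vnet --name "$1" \
    --disable-private-link-service-network-policies true
  return 0
}

# Step 3 check: pull-secret.txt must sit beside the parameters file, be
# readable only by its owner (it is a registry credential) and look like one.
check_pull_secret() {   # usage: check_pull_secret <path/to/parameters.json>
  local params="$1" secret mode
  secret="$(dirname "$params")/pull-secret.txt"
  [ -f "$params" ] || { echo "missing parameters file: $params"; return 1; }
  [ -f "$secret" ] || { echo "pull-secret.txt must sit beside $params"; return 1; }
  mode="$(stat -c %a "$secret" 2>/dev/null || stat -f %Lp "$secret")"
  [ "$mode" = 600 ] || { echo "$secret is mode $mode, expected 600"; return 1; }
  grep -q '"auths"' "$secret" || { echo "$secret has no \"auths\" entry"; return 1; }
}
```

Pipe the output of create_sp through redact_sp_output in CI so the service principal password never lands in the job log.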



sormita chakraborty

Azure Solution Architect, IBM



