- Bug
- Resolution: Done-Errata
- Major
- None
- 4.16.0, 4.17.0
Description of problem:

The issue is found when QE testing the minimal firewall list required by an AWS installation (https://docs.openshift.com/container-platform/4.15/installing/install_config/configuring-firewall.html) for 4.16. The way we're verifying this is by setting all the URLs listed in the doc into the whitelist of a proxy server[1] and adding the proxy to install-config.yaml, so addresses outside of the doc will be rejected by the proxy server during cluster installation.

[1] https://steps.ci.openshift.org/chain/proxy-whitelist-aws

We're seeing the following error on the masters' console:

```
[ 344.982244] ignition[782]: GET https://api-int.ci-op-b2hcg02h-ce587.qe.devcluster.openshift.com:22623/config/master: attempt #73
[ 344.985074] ignition[782]: GET error: Get "https://api-int.ci-op-b2hcg02h-ce587.qe.devcluster.openshift.com:22623/config/master": Forbidden
```

And the deny log from the proxy server:

```
1717653185.468 0 10.0.85.91 TCP_DENIED/403 2252 CONNECT api-int.ci-op-b2hcg02h-ce587.qe.devcluster.openshift.com:22623 - HIER_NONE/- text/html
```

So it looks like the master is using the proxy to reach the MCS address, and the internal API domain, api-int.ci-op-b2hcg02h-ce587.qe.devcluster.openshift.com, is not in the proxy's whitelist, so the request is denied by the proxy. But such an internal API address should already be in the NoProxy list, so the master shouldn't use the proxy to send the internal request.

This is the proxy info collected from another cluster; api-int.<cluster_domain> is added to the no-proxy list by default.

```
[root@ip-10-0-11-89 ~]# cat /etc/profile.d/proxy.sh
export HTTP_PROXY="http://ec2-3-16-83-95.us-east-2.compute.amazonaws.com:3128"
export HTTPS_PROXY="http://ec2-3-16-83-95.us-east-2.compute.amazonaws.com:3128"
export NO_PROXY=".cluster.local,.svc,.us-east-2.compute.internal,10.0.0.0/16,10.128.0.0/14,127.0.0.1,169.254.169.254,172.30.0.0/16,api-int.gpei-dis3.qe.devcluster.openshift.com,localhost,test.no-proxy.com"
```
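As an added example (not part of this bug report, and not OpenShift or Ignition code), the following Go program applies the usual NO_PROXY conventions to the proxy.sh values quoted above and reports which destinations should go direct and which should go through the proxy. The matching rules it uses are a simplified assumption (an entry starting with "." matches any host under that domain, a bare name matches that host exactly, and IP or CIDR entries match IP-literal hosts), not the exact rules of Ignition's HTTP client; `NoProxyMatcher`, `ParseNoProxy`, `Bypass` and `ProxyFor` are names chosen for this example.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Values copied from the proxy.sh shown in the bug report.
const SampleProxy = "http://ec2-3-16-83-95.us-east-2.compute.amazonaws.com:3128"
const SampleNoProxy = ".cluster.local,.svc,.us-east-2.compute.internal,10.0.0.0/16,10.128.0.0/14," +
	"127.0.0.1,169.254.169.254,172.30.0.0/16,api-int.gpei-dis3.qe.devcluster.openshift.com,localhost,test.no-proxy.com"

// NoProxyMatcher holds a parsed NO_PROXY list. The semantics are an assumption
// for this example: ".domain" entries match any host under that domain, bare
// names match exactly, and IP/CIDR entries match IP-literal hosts.
type NoProxyMatcher struct {
	hosts   map[string]bool
	domains []string
	nets    []*net.IPNet
}

// ParseNoProxy splits a comma-separated NO_PROXY value into matchable entries.
func ParseNoProxy(list string) (*NoProxyMatcher, error) {
	m := &NoProxyMatcher{hosts: map[string]bool{}}
	for _, raw := range strings.Split(list, ",") {
		entry := strings.ToLower(strings.TrimSpace(raw))
		switch {
		case entry == "":
			continue
		case strings.Contains(entry, "/"):
			_, ipnet, err := net.ParseCIDR(entry)
			if err != nil {
				return nil, fmt.Errorf("invalid CIDR %q: %w", entry, err)
			}
			m.nets = append(m.nets, ipnet)
		case net.ParseIP(entry) != nil:
			// A single IP becomes a /32 (or /128) network.
			ip := net.ParseIP(entry)
			bits := 128
			if ip.To4() != nil {
				bits = 32
			}
			m.nets = append(m.nets, &net.IPNet{IP: ip, Mask: net.CIDRMask(bits, bits)})
		case strings.HasPrefix(entry, "."):
			m.domains = append(m.domains, entry)
		default:
			m.hosts[entry] = true
		}
	}
	return m, nil
}

// Bypass reports whether host (without port) should skip the proxy.
func (m *NoProxyMatcher) Bypass(host string) bool {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	if ip := net.ParseIP(host); ip != nil {
		for _, n := range m.nets {
			if n.Contains(ip) {
				return true
			}
		}
		return false
	}
	if m.hosts[host] {
		return true
	}
	for _, d := range m.domains {
		// ".svc" matches both "x.svc" and "svc" itself.
		if strings.HasSuffix(host, d) || host == d[1:] {
			return true
		}
	}
	return false
}

// ProxyFor returns the proxy URL to use for target, or "" when the request
// should go direct. For the api-int address the expected answer is "".
func ProxyFor(m *NoProxyMatcher, proxyURL, target string) (string, error) {
	u, err := url.Parse(target)
	if err != nil {
		return "", err
	}
	if m.Bypass(u.Hostname()) {
		return "", nil
	}
	return proxyURL, nil
}

func main() {
	m, err := ParseNoProxy(SampleNoProxy)
	if err != nil {
		panic(err)
	}
	targets := []string{
		"https://api-int.gpei-dis3.qe.devcluster.openshift.com:22623/config/master",
		"https://10.0.85.91:22623/config/master",
		"https://registry.ci.openshift.org/ocp/release",
	}
	for _, t := range targets {
		p, _ := ProxyFor(m, SampleProxy, t)
		if p == "" {
			fmt.Printf("%-72s direct\n", t)
		} else {
			fmt.Printf("%-72s via %s\n", t, p)
		}
	}
}
```

Running it shows the api-int host and any 10.0.0.0/16 address going direct while the registry goes via the proxy, which is the behaviour the report says the master should exhibit; a request for api-int that still reaches the proxy (as in the TCP_DENIED log above) means the client is not honouring the NO_PROXY entry rather than the entry being missing.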
Version-Release number of selected component (if applicable):
registry.ci.openshift.org/ocp/release:4.16.0-0.nightly-2024-06-02-202327
How reproducible:
Steps to Reproduce:
1.
2.
3.
Actual results:
Expected results:
Additional info:
- blocks: OCPBUGS-35379 [capi aws]Master is fetching ignition from the bootstrap MCS through proxy incorrectly (Closed)
- is cloned by: OCPBUGS-35379 [capi aws]Master is fetching ignition from the bootstrap MCS through proxy incorrectly (Closed)
- links to: RHEA-2024:3718 OpenShift Container Platform 4.17.z bug fix update