  OpenShift Container Platform (OCP) Strategy
  OCPSTRAT-1329

Implement Private Cluster via Azure Private Link for HCP on ARO

    • OCPSTRAT-987: Hosted Control Planes is seamlessly integrated as a backend for ARO
    • Marked as "Readiness Candidate" because running on AKS is an architectural change from how ROSA HCP works.

      This feature enables customers to provision a privately hosted cluster where the API server is exclusively accessible via a private link service. Positioned on an internal load balancer within the management cluster, this configuration ensures that the API server is accessible through a private link endpoint within the customer's virtual network (vNet), thereby enhancing security and network integrity.

      Goal

      The primary outcome of this feature is the provision of a secure, private cluster environment for ARO HCP users, specifically designed for enterprises seeking enhanced security through network isolation. Users, particularly system administrators and network architects, will benefit from the ability to manage and interact with the ARO HCP API server within their private network space, without exposure to the public internet.

       

      Requirements (a.k.a. Acceptance Criteria)

      1. Network Isolation: The API server must only be accessible within the customer’s vNet via the private link service.
      2. Security Compliance: Adhere to Microsoft's security standards necessary for the GA of ARO HCP.
      3. Performance: Test the impact on performance and scale.
      4. Usability: Provide a seamless experience for customers setting up and managing their private clusters.
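      The architecture in the description (API server on an internal load balancer in the management cluster, reachable only through a private endpoint in the customer's vNet) and requirement 1 above translate into a concrete acceptance check: from inside the vNet, the API server name must resolve to nothing but addresses that belong to that vNet, and a public or foreign-private address in the answer is a finding. The following script is an added example written for this page, not code from the ARO HCP project; the hostnames, the vNet CIDR 10.0.0.0/16 and the resolver answers are constructed placeholders.

```python
import ipaddress
import socket
from typing import Dict, List, Optional

# RFC 1918 ranges, used to tell a stray private address from a public one.
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed resolver answers standing in for DNS lookups made from a host
# inside the customer's vNet. Hostnames and addresses are placeholders.
CONSTRUCTED_ANSWERS: Dict[str, List[str]] = {
    # Compliant: only the private endpoint address inside the vNet is published.
    "api.private-ok.hcp.example.invalid": ["10.0.2.4"],
    # Finding: a public address is published alongside the private endpoint
    # (203.0.113.0/24 is a documentation range used here as a stand-in).
    "api.public-leak.hcp.example.invalid": ["10.0.2.5", "203.0.113.10"],
    # Finding: private address, but not inside the customer's vNet.
    "api.wrong-vnet.hcp.example.invalid": ["192.168.50.4"],
    # Finding: the name does not resolve at all.
    "api.no-record.hcp.example.invalid": [],
}


def resolve(hostname: str, answers: Optional[Dict[str, List[str]]] = None) -> List[str]:
    """Return the addresses `hostname` resolves to for port 443.

    With `answers` supplied the lookup is offline (the constructed table above);
    without it the system resolver is used, which only gives a meaningful
    result when the script runs on a host inside the customer's vNet.
    """
    if answers is not None:
        return list(answers.get(hostname, []))
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(hostname, 443)})
    except socket.gaierror:
        return []


def classify_address(ip_text: str, vnet_cidr: str) -> str:
    """Label one resolved address relative to the customer's vNet."""
    ip = ipaddress.ip_address(ip_text)
    if ip in ipaddress.ip_network(vnet_cidr):
        return "in-vnet"
    if any(ip in net for net in RFC1918):
        return "private-outside-vnet"
    return "public"


def check_api_isolation(hostname: str, vnet_cidr: str,
                        answers: Optional[Dict[str, List[str]]] = None) -> dict:
    """Evaluate the Network Isolation requirement for one API server hostname.

    Passes only when the name resolves and every address lies inside the
    customer's vNet (i.e. the private endpoint). A public address, a private
    address from another network, or an empty answer is reported as a finding.
    """
    addresses = resolve(hostname, answers)
    labels = {addr: classify_address(addr, vnet_cidr) for addr in addresses}
    findings = [f"{addr} is {label}" for addr, label in labels.items() if label != "in-vnet"]
    if not addresses:
        findings.append("hostname does not resolve")
    return {"hostname": hostname, "addresses": addresses,
            "passed": not findings, "findings": findings}


def audit(hostnames: List[str], vnet_cidr: str,
          answers: Optional[Dict[str, List[str]]] = None) -> Dict[str, bool]:
    """Map each hostname to whether it satisfies the isolation requirement."""
    return {h: check_api_isolation(h, vnet_cidr, answers)["passed"] for h in hostnames}


if __name__ == "__main__":
    for name in CONSTRUCTED_ANSWERS:
        result = check_api_isolation(name, "10.0.0.0/16", CONSTRUCTED_ANSWERS)
        status = "PASS" if result["passed"] else "FAIL"
        print(f"{status} {name} {result['addresses']} {result['findings']}")
```

      Run without the constructed table (`check_api_isolation(name, cidr)`) from a VM in the customer's vNet to exercise the real resolver; running it from outside the vNet is a complementary check, where the expected outcome is that the name does not resolve to a reachable address at all.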

       

      Deployment considerations

      • Self-managed, managed, or both: Managed
      • Classic (standalone cluster): N/A
      • Hosted control planes: Applicable
      • Multi-node, Compact (three-node), or Single node (SNO), or all: N/A
      • Connected / Restricted Network: Primarily connected networks
      • Architectures: x86_64, ARM (aarch64)
      • Operator compatibility: Must be compatible with current ARO operators
      • Backport needed: To be determined based on further discussions
      • UI need: Integration within the existing ARO management UI, potentially requiring new UI components

       

      Use Cases (Optional)

      • Main Success Scenario: An enterprise customer provisions a new ARO HCP cluster and successfully configures and accesses the API server solely through a private link, fully contained within their vNet.

       

            People: Adel Zaalouk, Antoni Segura Puimedon, Jie Zhao, Shashank Karanth, Alberto Garcia Lamela, Dave Mulford
            Votes: 0
            Watchers: 4