ARO Diagnostic Data Collection Script

This script collects network, DNS, routing, and firewall configuration data relevant to troubleshooting Azure Red Hat OpenShift (ARO) provisioning failures.

Prerequisites

• Azure CLI installed and authenticated (az login)
• Appropriate permissions to read network resources in your subscription
• For DNS resolution tests (nslookup), run from a VM inside the same VNet as the ARO cluster for accurate results

Configuration

Before running the script, set the following environment variables:

Required Variables

export RESOURCE_GROUP=""      # Resource group containing the VNet
export VNET_NAME=""           # VNet name used by ARO
export MASTER_SUBNET_NAME=""  # ARO master subnet name
export WORKER_SUBNET_NAME=""  # ARO worker subnet name
export REGION=""              # Azure region

Optional Variables

export FIREWALL_RG=""       # Resource group of the firewall
export FIREWALL_NAME=""     # Azure Firewall name (leave empty if using 3rd-party NVA)
export ARO_SUBNET_PREFIX="" # ARO subnet prefix for log filtering (e.g., 10.0.1)

Note: If using a third-party network virtual appliance (NVA) like Palo Alto or Fortinet, omit the FIREWALL_NAME variable or set it to an empty string.

Usage

Option 1: Set variables and run

# Make the script executable
chmod +x aro-network-diagnostics.sh

# Set required environment variables
export RESOURCE_GROUP="your-rg"
export VNET_NAME="your-vnet"
export MASTER_SUBNET_NAME="your-master-subnet"
export WORKER_SUBNET_NAME="your-worker-subnet"
export REGION="eastus"

# Optional: Set firewall variables
export FIREWALL_RG="your-firewall-rg"
export FIREWALL_NAME="your-firewall"

# Run the script
./aro-network-diagnostics.sh

Output

The script will generate an output file named aro-diagnostics-YYYYMMDD-HHMMSS.txt

What It Collects

The script gathers the following information:

1. VNet and Subnet Configuration

   • VNet details (address space, DNS servers, location)
   • Master and worker subnet configuration
   • Route tables and NSG associations

2. DNS Configuration

   • VNet DNS server settings
   • DNS resolution tests for critical ARO endpoints:
     • arosvc.azurecr.io
     • arosvc.<region>.data.azurecr.io
     • management.azure.com
     • login.microsoftonline.com

3. Private DNS Zones

   • All private DNS zones in the subscription
   • VNet links for zones in the resource group
   • Common ARO-related privatelink zones

4. Route Tables (UDR)

   • Routes configured on master and worker subnets
   • User-defined routing configuration

5. Network Security Groups (NSG)

   • NSG rules applied to master and worker subnets

6. VNet Peering

   • Peering connections configured on the VNet

7. Azure Firewall Configuration (if applicable)

   • Firewall settings and threat intelligence mode
   • Network rule collections
   • Application rule collections

Output

The script creates a timestamped output file containing all collected diagnostic data. Share this file with Red Hat support when troubleshooting ARO deployment issues.

Compatibility

This script is compatible with both bash and zsh shells.

Troubleshooting

• If DNS resolution tests fail, ensure you're running the script from within the VNet or from a location with network connectivity to the VNet
• If firewall data collection fails, verify the FIREWALL_RG and FIREWALL_NAME variables are correct
• For third-party NVAs, you'll need to manually export firewall rules and traffic logs as noted in the script output