diff --git a/calico/getting-started/kubernetes/openshift/installation.mdx b/calico/getting-started/kubernetes/openshift/installation.mdx
index c1db796ad6..dbb756ac4f 100644
--- a/calico/getting-started/kubernetes/openshift/installation.mdx
+++ b/calico/getting-started/kubernetes/openshift/installation.mdx
@@ -68,6 +68,31 @@ Now generate the Kubernetes manifests using your configuration file:
openshift-install create manifests
```
+:::note
+
+For OpenShift **v4.16 or newer** on **AWS**, configure AWS security groups to allow BGP, typha and IP-in-IP encapsulation traffic by editing the OpenShift cluster-api manifests.
+
+Edit `spec.network.cni.cniIngressRules` in the `cluster-api/02_infra-cluster.yaml` file to add the following rules:
+
+```
+ cniIngressRules:
+ (...)
+ - description: BGP (calico)
+ fromPort: 179
+ protocol: tcp
+ toPort: 179
+ - description: IP-in-IP (calico)
+ fromPort: -1
+ protocol: "4"
+ toPort: -1
+ - description: Typha (calico)
+ fromPort: 5473
+ protocol: tcp
+ toPort: 5473
+```
+
+:::
+
### Optionally provide additional configuration
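Review bot: the fenced block opened after "add the following rules:" has no language tag; tagging it ```yaml would render the `cniIngressRules` list with YAML highlighting and make the indentation of the list items easier to read. The `(...)` line should also be explained in the surrounding sentence, for example "keep the rules the installer already generated and append the three entries below", so readers do not replace the existing list with only the Calico rules.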
diff --git a/calico_versioned_docs/version-3.28/getting-started/kubernetes/openshift/installation.mdx b/calico_versioned_docs/version-3.28/getting-started/kubernetes/openshift/installation.mdx
index 5742a2f6f7..a62fe91647 100644
--- a/calico_versioned_docs/version-3.28/getting-started/kubernetes/openshift/installation.mdx
+++ b/calico_versioned_docs/version-3.28/getting-started/kubernetes/openshift/installation.mdx
@@ -68,6 +68,31 @@ Now generate the Kubernetes manifests using your configuration file:
openshift-install create manifests
```
+:::note
+
+For OpenShift **v4.16 or newer** on **AWS**, configure AWS security groups to allow BGP, typha and IP-in-IP encapsulation traffic by editing the OpenShift cluster-api manifests.
+
+Edit `spec.network.cni.cniIngressRules` in the `cluster-api/02_infra-cluster.yaml` file to add the following rules:
+
+```
+ cniIngressRules:
+ (...)
+ - description: BGP (calico)
+ fromPort: 179
+ protocol: tcp
+ toPort: 179
+ - description: IP-in-IP (calico)
+ fromPort: -1
+ protocol: "4"
+ toPort: -1
+ - description: Typha (calico)
+ fromPort: 5473
+ protocol: tcp
+ toPort: 5473
+```
+
+:::
+
### Optionally provide additional configuration
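Review bot: `protocol: "4"` under the "IP-in-IP (calico)" rule reads like a typo next to the `tcp` entries; a short phrase in the prose (or a comment on that line) stating that 4 is the IP protocol number for IP-in-IP, which is why `fromPort`/`toPort` are `-1`, would prevent readers from "correcting" it to `tcp`. Minor: the sentence says "BGP, typha and IP-in-IP" while the rule description uses "Typha"; use one capitalization.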
diff --git a/calico_versioned_docs/version-3.29/getting-started/kubernetes/openshift/installation.mdx b/calico_versioned_docs/version-3.29/getting-started/kubernetes/openshift/installation.mdx
index c61d1f004f..93b35a8824 100644
--- a/calico_versioned_docs/version-3.29/getting-started/kubernetes/openshift/installation.mdx
+++ b/calico_versioned_docs/version-3.29/getting-started/kubernetes/openshift/installation.mdx
@@ -68,6 +68,31 @@ Now generate the Kubernetes manifests using your configuration file:
openshift-install create manifests
```
+:::note
+
+For OpenShift **v4.16 or newer** on **AWS**, configure AWS security groups to allow BGP, typha and IP-in-IP encapsulation traffic by editing the OpenShift cluster-api manifests.
+
+Edit `spec.network.cni.cniIngressRules` in the `cluster-api/02_infra-cluster.yaml` file to add the following rules:
+
+```
+ cniIngressRules:
+ (...)
+ - description: BGP (calico)
+ fromPort: 179
+ protocol: tcp
+ toPort: 179
+ - description: IP-in-IP (calico)
+ fromPort: -1
+ protocol: "4"
+ toPort: -1
+ - description: Typha (calico)
+ fromPort: 5473
+ protocol: tcp
+ toPort: 5473
+```
+
+:::
+
### Optionally provide additional configuration
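Review bot: the note only covers the IP-in-IP rule, but the sentence is phrased generally as "configure AWS security groups to allow ... encapsulation traffic"; it should state that these rules match the default IP-in-IP configuration and that a cluster using a different encapsulation needs an equivalent ingress rule for that protocol instead, otherwise readers on non-default setups will copy these rules and still see blocked pod traffic. It would also help to mention which object these `cniIngressRules` are applied to so users can verify the resulting security group in the AWS console after `openshift-install create cluster`.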