A proxy server is a server application or appliance that acts as an intermediary for requests from clients seeking resources from servers that provide those resources. A proxy server provides a gateway between servers and the internet.
How to enable Proxy support
While deploying the stack (Teradata Vantage ecosystem), the user must provide the proxy server details in the proxy server parameter field. If the user does not provide a value for the proxy server parameter, no proxy configuration is performed on the Teradata ecosystem. The user must provide the private IP address of the proxy server. The proxy server and the Teradata ecosystem must be deployed in the same VPC.
• Proxy support is not available to the Server Management component.
• In a node failure recovery scenario, the proxy server details must be updated manually on the newly deployed node.
• In scale in/out operations, the proxy configuration must be applied manually on new nodes.
• In a non-proxy to proxy migration, the proxy configuration on the new node must be applied manually.
• In a future migration of the Vantage ecosystem behind the proxy, all proxy configurations must be applied manually to newly deployed components in the private subnet.
How to configure proxy on Teradata ecosystem instances
The yast2 binary allows you to configure a system-wide proxy.
The following are the commands to enable/disable proxy:
```bash
## Sets HTTP, HTTPS & FTP proxies to Proxy Server's Private IP from VPC
echo "OK" | yast2 proxy set {http,https,ftp}=http://<proxy_server_private_ip>:<proxy_server_port>

## Sets NO Proxy for AWS EC2 Metadata, AWS NTP Server, AWS ECS Metadata sites and VPC CIDR viz., 176.20.0.0/16
echo "OK" | yast2 proxy noproxy=localhost,127.0.0.1,169.254.169.254,169.254.169.123,169.254.170.2,<VPC_CIDR>

## Optional: Sets Proxy Authentication
echo "OK" | yast2 proxy authentication username=<proxy_server_username> password=<proxy_server_password>

## Enables System-wide Proxy
echo "OK" | yast2 proxy enable

## Check Proxy Status
yast2 proxy summary

## Disables System-wide Proxy
echo "OK" | yast2 proxy disable
```

Expected configuration of proxy server:
• Should allow redirects from DNS names to the IP addresses of allow-listed domains.
• Should allow both HTTP and HTTPS communications.
• May use a self-signed certificate for HTTPS communications.
• Should allow all Amazon endpoints, viz., *.amazonaws.com, *.amazon.com.
• Should allow communication to Teradata sites such as Service Connect and Artifactory.
• Should block requests to the explicit IP of the AWS EC2 metadata service, because metadata access is restricted to the instance itself. If such a request is allowed or redirected, the instance metadata returned is invalid.
• Should treat all ports of the Vantage components as either Safe or SSL ports, as appropriate, without blocking component interaction.
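Because new nodes are configured by hand after recovery, scaling or migration, it is worth checking the result against the values prescribed above, in particular that the EC2 metadata address stays in the bypass list. The script below is an added example, not Teradata's own tooling; it assumes YaST stores the settings as KEY="value" lines in /etc/sysconfig/proxy, and the function names plus the proxy address and port in the sample are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit a node's proxy settings after manual configuration.
# Assumption: YaST persists them as KEY="value" lines in /etc/sysconfig/proxy.

# Bypass entries from the noproxy command on this page; the VPC CIDR is passed per call.
REQUIRED_NOPROXY="localhost 127.0.0.1 169.254.169.254 169.254.169.123 169.254.170.2"

# get_value FILE KEY: print the last value assigned to KEY, surrounding quotes stripped.
get_value() {
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# audit_proxy_config FILE PROXY_URL VPC_CIDR
# Prints one line per finding and returns 0 only when there are none.
audit_proxy_config() {
    local file=$1 proxy_url=$2 vpc_cidr=$3 findings=0 key val entry
    if [ "$(get_value "$file" PROXY_ENABLED)" != "yes" ]; then
        echo "FINDING: PROXY_ENABLED is not \"yes\""; findings=$((findings + 1))
    fi
    for key in HTTP_PROXY HTTPS_PROXY FTP_PROXY; do
        val=$(get_value "$file" "$key")
        if [ "$val" != "$proxy_url" ]; then
            echo "FINDING: $key is '$val', expected '$proxy_url'"; findings=$((findings + 1))
        fi
    done
    # Match NO_PROXY entries exactly: comma-separated, whitespace ignored.
    val=",$(get_value "$file" NO_PROXY | tr -d '[:space:]'),"
    for entry in $REQUIRED_NOPROXY "$vpc_cidr"; do
        case "$val" in
            *",$entry,"*) ;;
            *) echo "FINDING: NO_PROXY is missing $entry"; findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample (not from a real node): EC2 metadata address left out of NO_PROXY.
sample=$(mktemp)
cat > "$sample" <<'EOF'
PROXY_ENABLED="yes"
HTTP_PROXY="http://176.20.1.25:3128"
HTTPS_PROXY="http://176.20.1.25:3128"
FTP_PROXY="http://176.20.1.25:3128"
NO_PROXY="localhost, 127.0.0.1, 169.254.169.123, 169.254.170.2, 176.20.0.0/16"
EOF
audit_proxy_config "$sample" "http://176.20.1.25:3128" "176.20.0.0/16" || true
rm -f "$sample"
```

On a node, call `audit_proxy_config /etc/sysconfig/proxy http://<proxy_server_private_ip>:<proxy_server_port> <VPC_CIDR>`; a non-zero exit status means at least one setting differs from the expected values.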
Allowed Egress Domains
Your proxy server must allow egress traffic to the following minimal set of domains:
Web Services | URL Regex | End Points |
---|---|---|
AWS Endpoints (mandatory) | .amazonaws.com .amazon.com .amazontrust.com .awsstatic.com | logs.us-west-2.amazonaws.com ec2.us-west-2.amazonaws.com dynamodb.us-west-2.amazonaws.com autoscaling.us-west-2.amazonaws.com lambda.us-west-2.amazonaws.com tagging.us-west-2.amazonaws.com |
Teradata Endpoints (optional) | .teradatacloud.com .teradatacloud.io .teradata.com .labsteradata.net .artportal.teradata.ws | *.logs.security.intellicloud.teradata.com *.api.baas.teradatacloud.io *.icaws.intellicloud.teradata.com *.api.teradatacloud.io *.intellicloud.teradata.com *.migration.teradatacloud.io artportal.teradata.ws serviceconnect.teradata.com |
NTP (optional) | .ntp.org | 0.pool.ntp.org |
Python (optional) | .pypi.org .pythonhosted.org .python.org | |
Sophos Antivirus (optional) | .sophos.com | |
Tenable Vulnerability Scan (optional) | .cloud.tenable.com | |
Data Dog (optional) | .datadoghq.com | |