Proxy Server - Teradata® VantageCloud Enterprise on AWS

VantageCloud Enterprise on AWS (DIY) Installation and Administration Guide - 2.4

Deployment: VantageCloud
Edition: Enterprise
Product: Teradata® VantageCloud Enterprise on AWS
Release Number: 2.4
Published: April 2024
Language: English (United States)
Last Update: 2024-07-15
Product Category: Cloud

A proxy server is a server application or appliance that acts as an intermediary for requests from clients seeking resources from the servers that provide those resources. A proxy server provides a gateway between servers and the internet.

Proxy Server

How to enable Proxy support

While deploying the stack (the Teradata Vantage ecosystem), the user must provide the proxy server details in the proxy server parameter field. If no value is provided in the proxy server parameter, no proxy configuration is performed on the Teradata ecosystem. The user must provide the private IP address of the proxy server. The proxy server and the Teradata ecosystem must be deployed in the same VPC.

• Proxy support is not available for the Server Management component.

• In a node failure recovery scenario, the proxy server details must be updated manually on the newly deployed node.

• In scale-in/scale-out operations, the proxy configuration must be applied manually on the new nodes.

• In a non-proxy to proxy migration, the proxy configuration on the new node must be applied manually.

• If the Vantage ecosystem is later migrated behind the proxy, all proxy configuration must be applied manually to the newly deployed components in the private subnet.

How to configure the proxy on Teradata ecosystem instances

The yast2 binary allows you to configure a system-wide proxy.

The following are the commands to enable/disable proxy:

## Sets HTTP, HTTPS & FTP proxies to Proxy Server's Private IP from VPC
echo "OK" | yast2 proxy set {http,https,ftp}=http://<proxy_server_private_ip>:<proxy_server_port>
 
## Sets NO proxy for localhost, the AWS EC2 metadata endpoint, the AWS NTP server, the AWS ECS metadata endpoint and the VPC CIDR (for example 176.20.0.0/16)
echo "OK" | yast2 proxy noproxy=localhost,127.0.0.1,169.254.169.254,169.254.169.123,169.254.170.2,<VPC_CIDR>
 
## Optional: Sets Proxy Authentication
echo "OK" | yast2 proxy authentication username=<proxy_server_username> password=<proxy_server_password>
 
## Enables System-wide Proxy
echo "OK" | yast2 proxy enable
 
## Check Proxy Status
yast2 proxy summary
 
## Disables System-wide Proxy
echo "OK" | yast2 proxy disable

Expected configuration of proxy server:

• Should allow redirects from DNS names to the IPs of the allow-list domains

• Should allow both HTTP and HTTPS communication

• May use self-signed certificate for HTTPS communications.

• Should allow all Amazon endpoints, for example *.amazonaws.com and *.amazon.com

• Should allow communication to Teradata sites such as Service Connect and Artifactory.

• Should block the explicit IP of the AWS EC2 metadata service, because metadata requests are restricted to the instance itself and must not be redirected. If such requests are allowed or redirected through the proxy, the instance metadata returned is invalid.

• Should treat all ports used by Vantage components as either safe ports or the corresponding SSL ports, so that component interaction is not blocked
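The following script is an added example, not part of the Teradata guide: it checks a system-wide proxy configuration against the rules above (the proxy must be a private IP inside the VPC, and the loopback, EC2 metadata, Amazon NTP, ECS metadata addresses and the VPC CIDR must bypass the proxy). It assumes the KEY="value" layout that yast2 writes to /etc/sysconfig/proxy; the sample file contents, proxy address and VPC CIDR are constructed values.

```shell
#!/bin/sh
# Added example (not from the Teradata guide): sanity-check a system-wide
# proxy configuration against the rules on this page. Sample values are constructed.

# Entries that must bypass the proxy: loopback, EC2 metadata, Amazon NTP,
# ECS metadata. The VPC CIDR is supplied by the caller.
REQUIRED_NOPROXY="localhost 127.0.0.1 169.254.169.254 169.254.169.123 169.254.170.2"

# check_noproxy LIST VPC_CIDR -> 0 if the comma-separated LIST covers every
# required entry plus the VPC CIDR; otherwise report the first missing one and return 1.
check_noproxy() {
  list=",$1,"
  for entry in $REQUIRED_NOPROXY "$2"; do
    case "$list" in
      *",$entry,"*) ;;
      *) echo "missing no_proxy entry: $entry" >&2; return 1 ;;
    esac
  done
  return 0
}

# check_private_proxy URL -> 0 if the proxy host is an RFC 1918 IPv4 address
# (the guide requires the proxy server's private IP in the same VPC), else 1.
check_private_proxy() {
  host=$(printf '%s' "$1" | sed -e 's#^[a-z]*://##' -e 's#[:/].*$##')
  case "$host" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) echo "proxy host '$host' is not a private IPv4 address" >&2; return 1 ;;
  esac
}

# validate_sysconfig FILE VPC_CIDR -> 0 when a sysconfig-style file
# (KEY="value" lines, assumed /etc/sysconfig/proxy layout) passes all checks.
validate_sysconfig() {
  file=$1
  get() { sed -n "s/^$1=//p" "$file" | tr -d '"'; }
  [ "$(get PROXY_ENABLED)" = "yes" ] || { echo "proxy not enabled" >&2; return 1; }
  check_private_proxy "$(get HTTP_PROXY)" || return 1
  check_private_proxy "$(get HTTPS_PROXY)" || return 1
  check_noproxy "$(get NO_PROXY)" "$2"
}

# Constructed sample resembling the output of the yast2 commands above.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
PROXY_ENABLED="yes"
HTTP_PROXY="http://10.20.1.50:3128"
HTTPS_PROXY="http://10.20.1.50:3128"
FTP_PROXY="http://10.20.1.50:3128"
NO_PROXY="localhost,127.0.0.1,169.254.169.254,169.254.169.123,169.254.170.2,10.20.0.0/16"
EOF
validate_sysconfig "$SAMPLE" "10.20.0.0/16" && echo "proxy configuration OK"
```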

Allowed Egress Domains

Your proxy server must allow egress traffic to at least the following domains:

Web Services and their URL regex endpoints:

AWS Endpoints (mandatory)

• .amazonaws.com

• .amazon.com

• .amazontrust.com

• .awsstatic.com

• logs.us-west-2.amazonaws.com

• ec2.us-west-2.amazonaws.com

• dynamodb.us-west-2.amazonaws.com

• autoscaling.us-west-2.amazonaws.com

• lambda.us-west-2.amazonaws.com

• tagging.us-west-2.amazonaws.com

Teradata Endpoints (optional)

• .teradatacloud.com

• .teradatacloud.io

• .teradata.com

• .labsteradata.net

• .artportal.teradata.ws

• *.logs.security.intellicloud.teradata.com

• *.api.baas.teradatacloud.io

• *.icaws.intellicloud.teradata.com

• *.api.teradatacloud.io

• *.intellicloud.teradata.com

• *.migration.teradatacloud.io

• artportal.teradata.ws

• serviceconnect.teradata.com

NTP (optional)

• .ntp.org

• 0.pool.ntp.org

Python (optional)

• .pypi.org

• .pythonhosted.org

• .python.org

Sophos Antivirus (optional)

• .sophos.com

Tenable Vulnerability Scan (optional)

• .cloud.tenable.com

Data Dog (optional)

• .datadoghq.com

Most of the endpoints listed above are primarily required for the VaaS platform. They are kept optional on the DIY side so that they can be used in a hybrid environment (VaaS + DIY).