Proxy Server | Teradata Vantage on Azure (DIY)

Teradata Vantage™ on Azure (DIY) Installation and Administration Guide

Product
Teradata Vantage on Azure
Release Number
2.2
Published
September 2021
Language
English (United States)
Last Update
2021-09-24
dita:id
B035-2810
lifecycle
previous
Product Category
Cloud

A proxy server acts as an intermediary for requests from clients seeking resources from the servers that provide them, and provides a gateway between servers and the internet. You can configure proxy-server settings for a Vantage site while deploying the site with the solution template. After you configure a proxy server in the Vantage ecosystem, all nodes running in the system access the internet through your proxy server.

Components of Azure Proxy Server architecture

The architecture diagram shows one possible deployment of a Vantage site with proxy-server support: the proxy server runs in one subnet, the Vantage site runs in another, and the proxy settings are configured in the Vantage site.

How to enable Proxy Support

  1. You must already have your own proxy server deployed.
    The Vantage DIY solution template does not include deployment of a proxy server.
  2. The proxy server and the Teradata ecosystem must be deployed in the same Vnet.
  3. You must deploy the Vantage site with the existing Vnet option (selecting the Vnet where the proxy server is running) and specify the proxy-server details while deploying the Vantage site.
  4. The selected existing Vnet/subnet should have an internet connection (in Azure, all subnets have one by default) for the Vantage site deployment to succeed.

When deploying the site using the solution template (Teradata Vantage™ ecosystem), select the existing Vnet option and provide the proxy server details in the proxy server parameter fields. If you do not provide a value in the proxy server parameter, no proxy configuration is performed on the Teradata ecosystem. You must provide the private IP address of the proxy server.

After you open any Teradata Vantage™ offer in the Azure portal, perform the following steps on the 'General setting' tab:

  1. On the General setting tab, select the existing Vnet where the proxy server is already running. Also select the subnet where you need to deploy the Vantage site.
  2. Provide the proxy-related fields: proxy-server-private-ip with port, username and password (if any).
  3. Provide the proxy-server URL in the following format.

    http://<proxy_server_private_ip>:<port>

Proxy Settings for Azure
  • Proxy support is not auto-configured for the Server Management component; you can configure it using the SM portal (refer to Configuring a Proxy Server in Server Management Configuration).
  • Currently, Backup/Restore (BAR) operations on Azure Blob storage do not work through the proxy server, so if you are performing BAR operations, allow the SQLE cluster and DSC node to have a direct internet connection.
  • In a node failure recovery scenario, proxy server details must be updated manually on the newly deployed node.
  • In scale in/out operations, proxy configurations must be configured manually on new nodes.
  • In a non-proxy to proxy migration, the proxy configuration on the new node must be configured manually.
  • In a future migration of the Vantage ecosystem behind the proxy, all the proxy configurations should be applied manually to newly deployed components.

    ## Sets HTTP, HTTPS & FTP proxies to the proxy server's private IP; username and password are optional.
    ## Quoted so the shell does not treat the < > placeholders as redirections.
    PROXYSERVER="http://<user>:<passwd>@<proxy_server_ip>:<port>"

    ## Sets Proxy and Noproxy for Azure Metadata endpoint
    ## ({http,https,ftp}= relies on bash brace expansion to set all three proxies)
    echo "OK" | yast2 proxy set {http,https,ftp}="$PROXYSERVER" noproxy=localhost,127.0.0.1,169.254.169.254,169.254.169.123,169.254.170.2,168.63.129.16

    ## Enables System-wide Proxy
    echo "OK" | yast2 proxy enable

    ## Check Proxy Status
    yast2 proxy summary
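
A check to run after configuring a recovered or newly scaled node by hand, as an added example that is not part of the Teradata guide: it parses a SUSE-style proxy file and reports whether the proxy is enabled and whether every noproxy entry from the command above is present. The path /etc/sysconfig/proxy, the key names (PROXY_ENABLED, HTTP_PROXY, HTTPS_PROXY, FTP_PROXY, NO_PROXY) and the sample values are assumptions.

```shell
#!/bin/sh
# Added example (not Teradata code): audit a sysconfig-style proxy file.
# Required noproxy entries, taken from the yast2 command on this page.
REQUIRED_NOPROXY="localhost 127.0.0.1 169.254.169.254 169.254.169.123 169.254.170.2 168.63.129.16"

# Print the value of KEY from a KEY="value" file without sourcing (executing) it.
sysconfig_get() {
    sed -n "s/^$1=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*\$/\1/p" "$2" | tail -n 1
}

# audit_proxy FILE: prints one finding per line; returns 0 only when no FAIL is found.
audit_proxy() {
    file=$1; rc=0
    [ "$(sysconfig_get PROXY_ENABLED "$file")" = "yes" ] ||
        { echo "FAIL: proxy is not enabled"; rc=1; }
    for key in HTTP_PROXY HTTPS_PROXY FTP_PROXY; do
        val=$(sysconfig_get "$key" "$file")
        case $val in
            "")      echo "FAIL: $key is not set"; rc=1 ;;
            *://*@*) echo "WARN: $key stores proxy credentials in clear text" ;;
        esac
    done
    # Split the comma- or space-separated NO_PROXY value into one entry per line.
    noproxy=$(sysconfig_get NO_PROXY "$file" | tr ', ' '\n\n')
    for entry in $REQUIRED_NOPROXY; do
        # -F -x: literal, whole-entry match (dots are not treated as wildcards).
        printf '%s\n' "$noproxy" | grep -Fxq -- "$entry" ||
            { echo "FAIL: NO_PROXY is missing $entry"; rc=1; }
    done
    return $rc
}

# Constructed sample: a replacement node where only default exclusions were set.
sample=$(mktemp)
printf '%s\n' \
    'PROXY_ENABLED="yes"' \
    'HTTP_PROXY="http://svc:secret@10.0.1.4:3128"' \
    'HTTPS_PROXY="http://svc:secret@10.0.1.4:3128"' \
    'FTP_PROXY=""' \
    'NO_PROXY="localhost, 127.0.0.1"' > "$sample"
audit_proxy "$sample" || echo "proxy configuration needs attention"
rm -f "$sample"
```

On a node, the same function would be called as audit_proxy /etc/sysconfig/proxy, assuming that is where the node keeps its proxy settings.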

To disable the proxy on all nodes, run the following command on every node except the CIMIC/SM node, where you can disable it from the SM portal.

    ## Disables System-wide Proxy
    echo "OK" | yast2 proxy disable

Supported Networking Scenarios

The following networking scenarios are supported for Vantage site deployment with proxy-server support:

  • Within a single subnet, where the proxy server and the Vantage site are deployed on the same subnet of a Vnet.
  • Within a single Vnet, where the proxy server and the Vantage site are deployed on two different subnets.
  • In two different Vnets, where the proxy server and the Vantage site are deployed on two different Vnets connected through Vnet peering. You have to create both Vnets, connect them through Vnet peering, and deploy the Vantage site using the existing Vnet/subnet option.

Expected configuration of Proxy Server

  • Allow redirects from DNS to the IPs of allowed domains.
  • Allow both HTTP and HTTPS communications.
  • May use a self-signed certificate for HTTPS communications [Squid - SSL Bump, Peek & Splice].
  • Allow access to all Azure endpoints, such as *.azure.com, *.azure.net, etc.
  • Allow communication to Teradata sites such as Service Connect and Artifactory.
  • Block the explicit IP of Azure metadata, because redirection of metadata is restricted to the instance itself. If it is allowed or redirected, the result is invalid instance metadata.
  • Treat all the ports of Vantage components as either Safe or SSL, as applicable, so that component interaction is not blocked. You can get more information about ports at Network Security Groups on the same page.

Allowed Egress Domains

Your proxy server must allow egress traffic to at least the following domains:

Web Services | URL Regex | End points
Azure Endpoints | aka.ms, applicationinsights.io, azure.com, azure.net, azure-api.net, azuredatalakestore.net, azureedge.net, loganalytics.io, microsoft.com, microsoftonline.com, microsoftonline-p.com, msauth.net, msftauth.net, trafficmanager.net, visualstudio.com, windows.net, windows-int.net |
Teradata Endpoints | |
NTP | ntp.org | 0.pool.ntp.org
Python | |
Sophos Antivirus | sophos.com |
Tenable Vulnerability Scan | cloud.tenable.com |
Data Dog | datadoghq.com |
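
When the domains above are turned into proxy rules, each entry should match only the domain itself and its subdomains. The following added example (not Teradata code) shows that label-boundary check and the explicit block of the metadata IP; the function name and test hosts are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Teradata code): label-boundary matching for the egress allowlist.
# Domains copied from the "URL Regex" column of the table above.
ALLOWED_DOMAINS="aka.ms applicationinsights.io azure.com azure.net azure-api.net
azuredatalakestore.net azureedge.net loganalytics.io microsoft.com
microsoftonline.com microsoftonline-p.com msauth.net msftauth.net
trafficmanager.net visualstudio.com windows.net windows-int.net
ntp.org sophos.com cloud.tenable.com datadoghq.com"
METADATA_IP="169.254.169.254"   # Azure instance metadata address, blocked at the proxy

# egress_decision HOST: prints "allow" or "deny"; returns 0 only for allow.
egress_decision() {
    # Normalise: lower-case and drop a trailing root dot ("Azure.COM." -> "azure.com").
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=${host%.}
    if [ "$host" = "$METADATA_IP" ]; then echo deny; return 1; fi
    for domain in $ALLOWED_DOMAINS; do
        case $host in
            # Exact domain, or a subdomain joined by a dot; a bare suffix test
            # would also accept look-alikes such as notazure.com.
            "$domain"|*."$domain") echo allow; return 0 ;;
        esac
    done
    echo deny; return 1
}

# Constructed test hosts, not taken from the page.
for h in management.azure.com 0.pool.ntp.org Login.MicrosoftOnline.com. \
         notazure.com azure.com.example.net 169.254.169.254; do
    printf '%-28s %s\n' "$h" "$(egress_decision "$h")"
done
```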