For VMware Aria Automation installations on isolated networks with no direct Internet access, you can use an Internet proxy server to allow Internet by proxy functionality. The Internet proxy server supports HTTP and HTTPS.

To configure and use public cloud providers such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) and also external integration points such as IPAM, Ansible, and Puppet, with VMware Aria Automation, you must configure an Internet proxy server.

VMware Aria Automation contains an internal proxy server that forwards external traffic to your Internet proxy server once that server has been configured with the vracli proxy set ... command. If you have not configured an Internet proxy server for your organization, the VMware Aria Automation internal proxy server attempts to connect directly to the Internet.

You can set up VMware Aria Automation to use an Internet proxy server by using the supplied vracli command line utility. Information about how to use vracli is available through the --help argument, for example vracli proxy --help.

Note:

Access to Workspace ONE Access is not supported by the Internet proxy. You cannot use the vracli set vidm command to access Workspace ONE Access through the Internet proxy server.

The internal proxy server uses IPv4 as its default IP format. It does not require the Internet proxy server to enforce IP-based restrictions, require authentication, or perform man-in-the-middle interception of TLS (HTTPS) traffic.

All external network traffic traverses the Internet proxy server. Internal network traffic bypasses the proxy.

Prerequisites

  • Verify that you have an existing HTTP or HTTPS proxy server in the VMware Aria Automation network that can pass outgoing traffic to external sites, to use as the Internet proxy server. The connection must be configured for IPv4.
  • Verify that the target Internet proxy server is configured to support IPv4 as its default IP format.
  • If the Internet proxy server uses TLS and requires an HTTPS connection with its clients, you must import the server certificate by using one of the following commands prior to setting the proxy configuration.
    • vracli certificate proxy --set path_to_proxy_certificate.pem
    • vracli certificate proxy --set stdin

      Use the stdin parameter for interactive input.

Procedure

  1. Create a proxy configuration for the pods or containers that are used by Kubernetes. In this example, the proxy server is accessed by using the HTTP scheme.

    vracli proxy set --host http://proxy.vmware.com:3128

  2. Show the proxy configuration.

    vracli proxy show

    The result will be similar to the following:
    {
        "config_timestamp": "1709214693",
        "enabled": true,
        "generation": "1709214693",
        "host": "proxy-service.prelude.svc.cluster.local",
        "java-proxy-exclude": "*.local|*.localdomain|localhost|127.0.0.1|127.*|kubernetes|*.cluster.local|*.svc.cluster.local|*.prelude.svc.cluster.local|sc2-10-43-195-99.nimbus.eng.vmware.com|10.43.195.99|*.nimbus.eng.vmware.com|10.244.0.*|10.244.1.*|10.244.2.*|10.244.3.*|10.244.4.*|10.244.5.*|10.244.6.*|10.244.7.*",
        "java-user": null,
        "password": null,
        "port": 3128,
        "proxy_connection_read_timeout": 15,
        "proxy_dns_query_timeout": 60,
        "scheme": "http",
        "system-proxy-exclude": ".local,.localdomain,localhost,127.0.0.1,127.,kubernetes,.cluster.local,.svc.cluster.local,.prelude.svc.cluster.local,sc2-10-43-195-99.nimbus.eng.vmware.com,10.43.195.99,.nimbus.eng.vmware.com,10.244.0.,10.244.1.,10.244.2.,10.244.3.,10.244.4.,10.244.5.,10.244.6.,10.244.7.",
        "upstream_proxy_host": "proxy.vmware.com",
        "upstream_proxy_password_encoded": "",
        "upstream_proxy_port": 3128,
        "upstream_proxy_user_encoded": "",
        "user": null,
        "user-proxy-exclude": "",
        "internal.proxy.config": "# Begin autogen configuration\ndns_v4_first on \nhttp_port 0.0.0.0:3128\nlogformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt\ncache deny all \nappend_domain .prelude.svc.cluster.local\naccess_log stdio:/tmp/logger\ncoredump_dir /\ndns_timeout 60 seconds\nacl mylan src all\nacl proxy-exclude-domain dstdomain localhost\nacl proxy-exclude-domain dstdomain .nimbus.eng.vmware.com\nacl proxy-exclude-domain dstdomain .local\nacl proxy-exclude-domain dstdomain .localdomain\nacl proxy-exclude-domain dstdomain kubernetes\nacl proxy-exclude-ip dst 10.43.195.99/32\nacl proxy-exclude-ip dst 10.244.0.0/21\nacl proxy-exclude-ip dst 127.0.0.0/8\nalways_direct allow proxy-exclude-ip\nalways_direct allow proxy-exclude-domain\n# Anonymize the proxy server.\nvia off\nforwarded_for delete\nhttp_access allow mylan\nhttp_access deny all\nread_timeout 15 minutes\nmax_filedescriptors 16384\n# End autogen configuration\n# http configuration of remote peer follows\ncache_peer proxy.vmware.com parent 3128 0 no-query default \nnever_direct allow all\n",
        "internal.proxy.config.type": "non-default"
    }
    
    Note: If you have configured an Internet proxy server for your organization, "internal.proxy.config.type" shows "non-default", as in the example above, instead of "default". For security, the password is not shown.
  3. (Optional) Exclude DNS domains, FQDNs, and IP addresses from being accessed by the Internet proxy server.

    You can specify addresses that cannot be accessed through the Internet proxy server by specifying the --proxy-exclude parameter when running the vracli proxy set command. For example, if you want to add .acme.com as a domain that cannot be accessed by using the Internet proxy server, run the following command:

    vracli proxy set .... --proxy-exclude .acme.com
    Note: This command resets your previous proxy exclude settings and adds .acme.com to the list of domains that must be accessed directly rather than through the Internet proxy server. If you wish to preserve any previous settings, you must pass the previously existing proxy exclude list, extended with .acme.com, as a value for the --proxy-exclude parameter. You can check the currently set proxy exclude list by running the vracli proxy show command and inspecting the value of the user-proxy-exclude property. For example, if you have previously added exclude.vmware.com to the proxy exclude list, the vracli proxy show command will have output similar to the following:
    {
    ...
        "user-proxy-exclude": "exclude.vmware.com",
    ...
    }
    
    To add .acme.com to the list of exclusions without losing exclude.vmware.com as an exclusion, run the following command:
    vracli proxy set .... --proxy-exclude exclude.vmware.com,.acme.com
  4. After you set the Internet proxy server with the vracli proxy set ... command, run the vracli proxy apply command to update the Internet proxy server configuration and make the latest proxy settings active.
  5. (Optional) Configure the proxy server to allow outbound access on port 22.

    To support integrations such as Puppet and Ansible, the proxy server must allow port 22 to access the relevant hosts.
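Step 3 resets the exclusion list on every vracli proxy set call, so the safe workflow is to read user-proxy-exclude from vracli proxy show, merge in the new entries, and pass the complete list back. The following Python script is an added example, not part of this documentation or of the vracli tool: it runs that workflow against a constructed, trimmed copy of the show output and prints the command to run on the appliance. It assumes that --host takes the upstream proxy URL in the form step 1 shows, and it deliberately reads only user-proxy-exclude, because system-proxy-exclude and java-proxy-exclude are generated by the appliance and must not be passed back in.

```python
import json
import shlex

# Constructed sample of `vracli proxy show` output, trimmed to the fields this
# example needs (the real output carries many more keys).
SAMPLE_SHOW_OUTPUT = """{
    "enabled": true,
    "host": "proxy-service.prelude.svc.cluster.local",
    "port": 3128,
    "scheme": "http",
    "upstream_proxy_host": "proxy.vmware.com",
    "upstream_proxy_port": 3128,
    "user-proxy-exclude": "exclude.vmware.com"
}"""


def current_excludes(show_output: str) -> list[str]:
    """Return the user-set exclusions from `vracli proxy show` JSON.

    Only `user-proxy-exclude` is user data; `system-proxy-exclude` and
    `java-proxy-exclude` are generated by the appliance and are not passed
    back into `vracli proxy set`. A null or empty value yields an empty list.
    """
    data = json.loads(show_output)
    raw = data.get("user-proxy-exclude") or ""
    return [entry.strip() for entry in raw.split(",") if entry.strip()]


def merged_excludes(existing: list[str], additions: list[str]) -> list[str]:
    """Append new entries to the existing list, order-preserving and
    de-duplicated case-insensitively, so nothing already excluded is lost."""
    seen = set()
    merged = []
    for entry in list(existing) + list(additions):
        key = entry.strip().lower()
        if key and key not in seen:
            seen.add(key)
            merged.append(entry.strip())
    return merged


def build_set_command(upstream_url: str, excludes: list[str]) -> str:
    """Build the `vracli proxy set` invocation. `--host <url>` is the form
    step 1 shows (assumed here to be the only required option); the
    exclusion list is one comma-separated `--proxy-exclude` value."""
    argv = ["vracli", "proxy", "set", "--host", upstream_url]
    if excludes:
        argv += ["--proxy-exclude", ",".join(excludes)]
    # shlex.join quotes anything the shell would otherwise interpret.
    return shlex.join(argv)


def plan_exclusion_update(show_output: str, upstream_url: str,
                          additions: list[str]) -> str:
    """Full workflow: read the current list, merge, emit the command to run."""
    merged = merged_excludes(current_excludes(show_output), additions)
    return build_set_command(upstream_url, merged)


if __name__ == "__main__":
    # Prints the command to run on the appliance; it does not invoke vracli.
    print(plan_exclusion_update(SAMPLE_SHOW_OUTPUT,
                                "http://proxy.vmware.com:3128", [".acme.com"]))
```

Run vracli proxy show on the appliance, paste its output in place of the constructed sample, and execute the printed command followed by vracli proxy apply (step 4). The case-insensitive de-duplication means re-running the script with an entry that is already excluded is harmless.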

Example: Sample Squid configuration

For step 1, if you are setting up a Squid proxy, you can tune its configuration in /etc/squid/squid.conf by adapting it to the following sample:

# Clients permitted to use the proxy: the VMware Aria Automation network.
acl localnet src 192.168.11.0/24

# Ports that CONNECT (TLS tunnels) may target.
acl SSL_ports port 443

# Ports that plain requests may target.
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

# Access rules are evaluated top to bottom and the first match wins.
# Refuse requests to ports outside Safe_ports, and CONNECT tunnels to
# anything other than SSL_ports, before granting localnet access. Both
# protective rules are "deny", as in Squid's default squid.conf; written
# as "allow" they would serve non-safe ports to any client.
# To admit port 22 for Puppet and Ansible (step 5), add 22 to both
# Safe_ports and SSL_ports.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all

http_port 0.0.0.0:3128

# Cache sizing and refresh behaviour.
maximum_object_size 5 GB
cache_dir ufs /var/spool/squid 20000 16 256
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320

client_persistent_connections on
server_persistent_connections on
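Squid evaluates http_access rules top to bottom, the first match wins, several ACL names on one line are ANDed, a leading ! negates, and when nothing matches the default is the opposite of the last rule's action. The following Python evaluator is an added example, not part of this documentation or of Squid itself: it re-implements those semantics for the src, port and method ACL types used in the sample and checks three outcomes that matter when adapting the sample. With the deny-first chain, a CONNECT to 443 from localnet is allowed while a CONNECT to port 22 is refused; if the two protective rules are flipped to allow, any client reaches non-safe ports before the localnet check is consulted; and admitting port 22 in both Safe_ports and SSL_ports is what step 5 requires for Puppet and Ansible. The client addresses 192.168.11.10 and 10.0.0.5 are constructed.

```python
import ipaddress

# Constructed Squid fragment: the ACL definitions from the sample above with
# the standard deny-first http_access chain.
STANDARD_CONF = """
acl localnet src 192.168.11.0/24
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
"""

# Same ACLs with the two protective rules flipped to `allow`: any client then
# reaches non-safe ports before the localnet check is ever consulted.
PERMISSIVE_CONF = (STANDARD_CONF
                   .replace("deny !Safe_ports", "allow !Safe_ports")
                   .replace("deny CONNECT !SSL_ports", "allow CONNECT !SSL_ports"))

# Step 5: SSH-based integrations need port 22 admitted by both port ACLs,
# because a CONNECT tunnel is checked against Safe_ports and SSL_ports.
PORT22_CONF = STANDARD_CONF.replace(
    "acl SSL_ports port 443",
    "acl SSL_ports port 443\nacl SSL_ports port 22\nacl Safe_ports port 22")


def parse_conf(text):
    """Collect `acl` definitions (name -> (type, values)) and the ordered
    `http_access` rules. `all` is predefined, as Squid does since 3.2."""
    acls = {"all": ("all", [])}
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, acl_type, values = parts[1], parts[2], parts[3:]
            if name == "all":
                continue  # legacy `acl all src all` lines are redundant
            entry = acls.setdefault(name, (acl_type, []))
            if entry[0] != acl_type:
                raise ValueError(f"acl {name} redefined with type {acl_type}")
            entry[1].extend(values)
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def acl_matches(acl, request):
    """Match one ACL against a request given as src IP, method and dst port."""
    acl_type, values = acl
    if acl_type == "all":
        return True
    if acl_type == "src":
        ip = ipaddress.ip_address(request["src"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if acl_type == "port":  # single ports or low-high ranges
        for v in values:
            low, _, high = v.partition("-")
            if int(low) <= request["port"] <= int(high or low):
                return True
        return False
    if acl_type == "method":
        return request["method"].upper() in {v.upper() for v in values}
    raise ValueError(f"unsupported acl type {acl_type}")


def evaluate(conf_text, src, method, port):
    """Return 'allow' or 'deny' for a request under first-match semantics."""
    acls, rules = parse_conf(conf_text)
    request = {"src": src, "method": method, "port": port}
    for action, terms in rules:
        matched = True
        for term in terms:  # all terms on one line must match (AND)
            negate = term.startswith("!")
            name = term.lstrip("!")
            if name not in acls:
                raise KeyError(f"acl {name} referenced before definition")
            if acl_matches(acls[name], request) == negate:
                matched = False
                break
        if matched:
            return action
    if not rules:
        return "deny"
    # No rule matched: Squid applies the opposite of the last rule's action.
    return "deny" if rules[-1][0] == "allow" else "allow"


if __name__ == "__main__":
    for label, conf in (("standard", STANDARD_CONF), ("permissive", PERMISSIVE_CONF),
                        ("port22", PORT22_CONF)):
        for src, port in (("192.168.11.10", 443), ("192.168.11.10", 22), ("10.0.0.5", 22)):
            print(f"{label:10} {src:15} CONNECT :{port:<3} -> {evaluate(conf, src, 'CONNECT', port)}")
```

The evaluator covers only the ACL types the sample uses; dstdomain, dst and other types would need their own matchers. Checking a planned chain this way before deploying it is cheaper than discovering from the access log that the proxy tunnels arbitrary ports for arbitrary clients.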