You can install a new cloud proxy as part of the vCenter-based cloud account creation process, or you can select a previously installed cloud proxy as you create the cloud account in Automation Assembler.
The supplied cloud proxy OVA contains the credentials and protocols you need to connect a proxy appliance on a host vCenter to vCenter-based cloud accounts and integrations in Automation Assembler. You download the OVA and deploy it to a target vCenter. Once the cloud proxy is installed and running, you can associate it to one or more vCenter-based cloud accounts and integrations.
- The cloud proxy OVA must be deployed on a vCenter. Deployment to an ESX server is not supported.
- A VMware Cloud on AWS cloud account can only be associated to a cloud proxy that is deployed to a vCenter in a target VMware Cloud on AWS SDDC.
- While there is no specific limit on the number of cloud accounts that a single cloud proxy can support, the cloudassembly-sddc-agent has a limit of 2GB memory. As you associate additional cloud accounts to the cloud proxy, you may reach this limit. If you do, you'll see out-of-memory exceptions in the logs. While you can temporarily increase the agent memory, the 2GB limit is reset when you restart the cloud proxy or upgrade the agent. If the cloud proxy is running out of memory, remove some of its cloud account associations and associate those cloud accounts to a different cloud proxy.
- A network proxy that performs TLS termination is not supported.
The cloud proxy OVA deploys with a default appliance size. You can change the value, but you should not reduce it. The appliance size does not affect the resources consumed by the agents running inside the cloud proxy, because each agent has its own resource requirements. For example, the cloudassembly-sddc-agent uses 2GB memory and 1 CPU. These settings can be changed, but the changes are not persistent: when the agent is upgraded or restarted, it reverts to the 2GB and 1 CPU settings.
- Verify that you have cloud administrator credentials. See Credentials required for working with cloud accounts in VMware Aria Automation.
- Verify that you have the cloud administrator user role. See What are the VMware Aria Automation user roles.
- If you are creating a cloud proxy to use with a VMware Cloud on AWS cloud account, see Configure and use a cloud proxy for a VMware Cloud on AWS cloud account in VMware Aria Automation.
- To support the cloud proxy, access to the following domains is required. For more detailed information about cloud proxy requirements, see the Understanding the VMware Cloud services cloud proxy configuration document:
  - ci-data-collector.s3.amazonaws.com – enables Amazon Web Services S3 access for cloud proxy OVA download.
  - symphony-docker-external.jfrog.io – allows JFrog Artifactory to access Docker images.
  - console.cloud.vmware.com – enables the Web API and cloud proxy service connection to the VMware Cloud service.
  - data.mgmt.cloud.vmware.com – enables the data pipeline service connection to VMware Cloud services for secure data communication between cloud and on-premises elements. For non-US regions, substitute the region value. For example, for the UK, use uk.data.mgmt.cloud.vmware.com and for Japan, use ja.data.mgmt.cloud.vmware.com. Other non-US region values include sg (Singapore), br (Brazil), and ca (Canada).
  - api.mgmt.cloud.vmware.com – enables the Web API and cloud proxy service connection to VMware Cloud services. For non-US regions, substitute the region value. For example, for the UK, use uk.api.mgmt.cloud.vmware.com and for Japan, use ja.api.mgmt.cloud.vmware.com. Other non-US region values include sg (Singapore), br (Brazil), and ca (Canada).
- If you are using the cloud proxy for a VMware Cloud on AWS cloud account, configure management gateway firewall rules in the VMware Cloud on AWS console to support cloud proxy communication.
  - Allow network traffic to ESXi for HTTPS (TCP 443) services to the discovered IP address of the cloud proxy.
  - Allow network traffic to vCenter for ICMP (All ICMP), SSO (TCP 7444), and HTTPS (TCP 443) services to the discovered IP address of the cloud proxy.
  - Allow network traffic to the NSX-T Manager for HTTPS (TCP 443) services to the discovered IP address of the cloud proxy.
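The required-domain list and the TLS-termination restriction above can be checked from a host on the target network before you deploy the OVA. The script below is an added example, not part of the VMware documentation; the `us` label for the unprefixed hostnames, the function names, and the operator-supplied inspection CA name are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight egress check for the cloud proxy domain list.
# Region prefixes (uk, ja, sg, br, ca) are from the page; "us" is this
# script's own label for the unprefixed default hostnames.

# Print the five required hostnames for a region, one per line.
required_domains() {
    region="${1:-us}"
    case "$region" in
        us) prefix="" ;;
        uk|ja|sg|br|ca) prefix="${region}." ;;
        *) echo "unknown region: $region" >&2; return 1 ;;
    esac
    printf '%s\n' \
        "ci-data-collector.s3.amazonaws.com" \
        "symphony-docker-external.jfrog.io" \
        "console.cloud.vmware.com" \
        "${prefix}data.mgmt.cloud.vmware.com" \
        "${prefix}api.mgmt.cloud.vmware.com"
}

# Issuer of the certificate actually presented on TCP 443 from this host.
cert_issuer() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -issuer 2>/dev/null
}

# Classify an issuer string. $2 is the subject name of your own TLS-inspection
# CA (operator-supplied assumption); a match means the path terminates TLS.
classify_issuer() {
    if [ -z "$1" ]; then
        echo "unreachable"
    elif [ -n "$2" ] && printf '%s\n' "$1" | grep -qiF -- "$2"; then
        echo "intercepted"
    else
        echo "direct"
    fi
}

# Check every required hostname and report one line per host.
preflight() {
    hosts=$(required_domains "$1") || return 1
    for host in $hosts; do
        printf '%-45s %s\n' "$host" "$(classify_issuer "$(cert_issuer "$host")" "$2")"
    done
}

# Runs only when called with arguments: ./preflight.sh uk "Example Inspection CA"
if [ "$#" -ge 2 ]; then preflight "$1" "$2"; fi
```

An `intercepted` result means the path to that hostname terminates TLS, which the cloud proxy does not support; `unreachable` usually points to a missing egress rule or a DNS failure.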
- Select New Cloud Proxy.
- Download the cloud proxy OVA.
- Rename the downloaded OVA to something unique, for example vCenter1_vmc_va.ova.
You can download and name the cloud proxy OVA to make it obvious what it is used for, for example when using a particular cloud account for a particular purpose.
You can also change the name of the cloud proxy when you install it on the vCenter.
- Navigate to your vSphere web client data center, click the name of your vCenter cluster, and select Deploy OVF Template.
- Enter information as prompted to install the OVA on your vCenter.
- When prompted to enter the key or token, return to the Install Cloud Proxy page and click Copy.
- (Optional) To configure additional security and force connections to pass through a proxy server, use the Network Proxy Hostname/IP Address, Network Proxy Port, Network Proxy Username, and Network Proxy Password options to configure the network proxy:
For details about configuring these cloud proxy settings, see Understanding the VMware Cloud services cloud proxy.
- Return to the vSphere web client and paste the provided key value to install the cloud proxy's virtual appliance.
- In Automation Assembler, wait for a connection to be made with your vSphere web client and then click Done.
It might take several minutes to connect.
- (Optional) To configure a network proxy after the cloud proxy virtual appliance is deployed, modify the configure-network-proxy file in the cloud proxy VA by using the following procedure:
  - SSH into the cloud proxy VA.
  - Open the /root/configure-network-proxy file and provide the network proxy configuration settings.
  - Save the file.
What to do next
To verify that the cloud proxy is running, see Verify that a cloud proxy is running on a target virtual machine.
You can now add vCenter-based cloud accounts and integrations that require the cloud proxy.