This topic describes how to use proxies with VMware Enterprise PKS on AWS.
If your environment includes HTTP proxies, you can configure Enterprise PKS on AWS to use these proxies so that Enterprise PKS-deployed Kubernetes master and worker nodes access public Internet services and other internal services through a proxy.
In addition, Enterprise PKS proxy settings apply to the PKS API instance. When an Enterprise PKS operator creates a Kubernetes cluster, the PKS API instance VM behind a proxy is able to manage AWS components on the standard network.
You can also proxy outgoing HTTP/HTTPS traffic from Ops Manager and the BOSH Director so that all Enterprise PKS components use the same proxy service.
The following diagram illustrates the network architecture:
To configure a global HTTP proxy for all outgoing HTTP/HTTPS traffic from the Kubernetes cluster nodes and the PKS API server, perform the following steps:
Navigate to Ops Manager and log in.
Click the Enterprise PKS tile.
Note: This setting will not set the proxy for running Kubernetes workloads or pods.
Note: Using an HTTPS connection to the proxy server is not supported. HTTP and HTTPS proxy options can only be configured with an HTTP connection to the proxy server. You cannot populate either of the proxy URL fields with an HTTPS URL. The proxy host and port can be different for HTTP and HTTPS traffic, but the proxy protocol must be HTTP.
127.0.0.1,localhost, *.example1.com, .example2.com, example3.com, 198.51.100.0/24, 203.0.113.0/24, 192.0.2.0/24
Note: By default, the 10.200.0.0/8 IP address range, .svc.cluster, and your Enterprise PKS FQDN are not proxied. This allows internal Enterprise PKS communication.
Do not use the _ character in the No Proxy field. Entering an underscore character in this field can cause upgrades to fail.
Because some jobs in the VMs accept *. as a wildcard, while others only accept ., we recommend that you define each wildcard domain using both forms. For example, to denote example.com as a wildcard domain, add both *.example.com and .example.com to the No Proxy property.
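The following shell script is an added example, not part of the Enterprise PKS documentation or product. It lints the values you are about to enter in the Enterprise PKS tile's proxy fields against the rules above: the proxy URLs must use an http:// scheme, No Proxy entries must not contain an underscore, and every wildcard domain is emitted in both the *.example.com and .example.com forms. The proxy host proxy.internal and the entry bad_host.example.com are constructed values for the demo, and the script assumes No Proxy entries are separated by commas with optional spaces.

```shell
#!/bin/sh
# Added example, not part of the Enterprise PKS docs: lint the values for the
# Enterprise PKS tile proxy fields before you click Apply Changes.
# Assumption (not from the page): values are handled as plain strings, with
# No Proxy entries separated by commas and optional spaces.

# A proxy URL must use http://; an HTTPS connection to the proxy server itself
# is not supported, even for the HTTPS Proxy field.
check_proxy_url() {
  case "$1" in
    http://*)  return 0 ;;
    https://*) echo "rejected: HTTPS connection to the proxy is not supported: $1" >&2; return 1 ;;
    *)         echo "rejected: proxy URL must start with http://: $1" >&2; return 1 ;;
  esac
}

# Append $1 to $out unless it is already there (keeps order, drops duplicates).
append_entry() {
  case ",$out," in
    *",$1,"*) ;;
    *) out="${out:+$out,}$1" ;;
  esac
}

# Normalise a No Proxy value: reject underscores (they can break upgrades) and
# emit every wildcard domain in both the "*.example.com" and ".example.com"
# forms, since some jobs on the VMs accept only one of the two.
pks_no_proxy() {
  out=""
  while IFS= read -r entry; do
    entry=$(printf '%s' "$entry" | tr -d ' ')
    [ -n "$entry" ] || continue
    case "$entry" in
      *_*)  echo "rejected: underscore in No Proxy entry: $entry" >&2; return 1 ;;
      \*.*) base=${entry#\*.}; append_entry "*.$base"; append_entry ".$base" ;;
      .*)   base=${entry#.};   append_entry "*.$base"; append_entry ".$base" ;;
      *)    append_entry "$entry" ;;
    esac
  done <<EOF
$(printf '%s\n' "$1" | tr ',' '\n')
EOF
  printf '%s\n' "$out"
}

# Demo: the page's own example No Proxy list, plus constructed bad inputs
# (proxy.internal and bad_host.example.com are not from the page).
check_proxy_url "http://proxy.internal:8080" && echo "proxy URL ok"
check_proxy_url "https://proxy.internal:8443" || echo "use an http:// URL instead"
pks_no_proxy "127.0.0.1,localhost, *.example1.com, .example2.com, example3.com, 198.51.100.0/24"
pks_no_proxy "localhost, bad_host.example.com" || echo "fix the list before Apply Changes"
```

Paste the printed list into the No Proxy field; the CIDR and plain-host entries pass through unchanged, and each wildcard domain appears in both forms so that every job on the VMs bypasses the proxy for it.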
To enable an HTTP proxy for outgoing HTTP/HTTPS traffic from Ops Manager and the BOSH Director, perform the following steps:
Navigate to Ops Manager and log in.
Select User Name > Settings in the upper right.
Click Proxy Settings.
Under HTTP Proxy, enter the FQDN or IP address of the HTTP proxy endpoint. For example,
Under HTTPS Proxy, enter the FQDN or IP address of the HTTPS proxy endpoint. For example,
Note: Using an HTTPS connection to the proxy server is not supported. The Ops Manager and BOSH HTTP and HTTPS proxy options can only be configured with an HTTP connection to the proxy.
Under No Proxy, include the hosts that must bypass the proxy. This is required.
In addition to localhost, include the BOSH Director IP and the PKS VM IP. The BOSH Director IP is typically the first IP address in the deployment network CIDR, and the PKS VM IP is the second IP address in the deployment network CIDR. Also include the Ops Manager IP address in the No Proxy field.
Note: Ops Manager does not allow the use of a CIDR range in the No Proxy field. You must specify each individual IP address to bypass the proxy.
The No Proxy field does not accept wildcard domain notation, such as .docker.com. You must specify the exact IP or FQDN to bypass the proxy, such as
Return to the Ops Manager Installation Dashboard and click Review Pending Changes.
Click Apply Changes to deploy Ops Manager and the BOSH Director with the updated proxy settings.
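The following shell script is an added example, not part of the Enterprise PKS documentation or product. It assembles the minimum Ops Manager No Proxy value described in the steps above (localhost, the BOSH Director IP, the PKS VM IP, and the Ops Manager IP) and lints a candidate value against the two Ops Manager restrictions: no CIDR ranges and no wildcard domains. The script assumes that "first" and "second" IP address in the deployment network CIDR means the first two host addresses after the network address; if your deployment network reserves addresses, substitute the IPs Ops Manager actually assigned. The deployment network 10.0.16.0/20 and the Ops Manager IP 10.0.0.10 in the demo are constructed values.

```shell
#!/bin/sh
# Added example, not part of the Enterprise PKS docs: assemble and lint the
# Ops Manager No Proxy value. Assumption (not from the page): "first" and
# "second" IP address in the deployment network CIDR are read here as the
# first two host addresses after the network address; if your deployment
# network reserves addresses, use the IPs Ops Manager actually assigned.

# Dotted quad -> 32-bit integer. Subshell body keeps IFS and "$@" local.
ip_to_int() (
  IFS=.; set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# 32-bit integer -> dotted quad.
int_to_ip() {
  printf '%d.%d.%d.%d\n' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
                          $(( ($1 >> 8) & 255 )) $(( $1 & 255 ))
}

# Nth host address of a CIDR, e.g. cidr_host 10.0.16.0/20 1 -> 10.0.16.1
cidr_host() {
  addr=${1%/*}; prefix=${1#*/}; n=$2
  mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
  int_to_ip $(( ($(ip_to_int "$addr") & mask) + n ))
}

# The minimum No Proxy list the page requires: localhost, the BOSH Director IP
# (first host address), the PKS VM IP (second host address) and the Ops Manager IP.
opsman_required_no_proxy() {
  printf 'localhost,%s,%s,%s\n' "$(cidr_host "$1" 1)" "$(cidr_host "$1" 2)" "$2"
}

# Lint an Ops Manager No Proxy value ($1): Ops Manager accepts neither CIDR
# ranges nor wildcard domains such as .docker.com, only exact IPs or FQDNs,
# and every entry in $2 (comma separated) must be present.
# Returns 1 with the reason on stderr.
check_opsman_no_proxy() {
  list=$(printf '%s' "$1" | tr -d ' '); required=$(printf '%s' "$2" | tr -d ' ')
  while IFS= read -r entry; do
    [ -n "$entry" ] || continue
    case "$entry" in
      */*)    echo "rejected: CIDR not allowed, list each IP individually: $entry" >&2; return 1 ;;
      .*|\**) echo "rejected: wildcard domain not allowed, use the exact FQDN: $entry" >&2; return 1 ;;
    esac
  done <<EOF
$(printf '%s\n' "$list" | tr ',' '\n')
EOF
  while IFS= read -r need; do
    [ -n "$need" ] || continue
    case ",$list," in
      *",$need,"*) ;;
      *) echo "rejected: required entry missing: $need" >&2; return 1 ;;
    esac
  done <<EOF
$(printf '%s\n' "$required" | tr ',' '\n')
EOF
  return 0
}

# Demo with constructed values (not from the page): a /20 deployment network
# and an Ops Manager VM at 10.0.0.10.
must=$(opsman_required_no_proxy 10.0.16.0/20 10.0.0.10)
echo "No Proxy must include: $must"
check_opsman_no_proxy "$must" "$must" && echo "ok"
check_opsman_no_proxy "localhost,10.0.16.0/20,10.0.0.10" "$must" || echo "fix the list before Apply Changes"
check_opsman_no_proxy "$must,.docker.com" "$must" || echo "fix the list before Apply Changes"
```

Run the lint before Apply Changes: a CIDR or wildcard entry that Ops Manager silently ignores would send BOSH Director or PKS API traffic through the proxy, and a missing Ops Manager, BOSH Director or PKS VM IP breaks communication between those components.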