This topic describes how to configure proxy settings for the BOSH Cloud Provider Interface (CPI), the API that the BOSH Director uses to interact with your IaaS endpoint. If you use a proxy to mediate traffic between your BOSH installation and your IaaS endpoint, you must enter your proxy information when VMware Tanzu Operations Manager starts for the first time.

The following diagram illustrates how a proxy mediates HTTP and HTTPS requests between the CPI of the BOSH Director and the IaaS endpoint.

The IaaS API connects to the BOSH Director through a proxy that connects to the BOSH CPI.

For more information about BOSH components, see the BOSH documentation.

Tanzu Operations Manager only supports proxying requests between the BOSH CPI and the IaaS API. It does not support proxying blobstore and database traffic.

Configure the proxy

Complete the following steps to configure your proxy for the BOSH CPI when Tanzu Operations Manager starts for the first time:

  1. Ensure that you have installed your proxy and that it is functioning properly. You can install one proxy for HTTPS requests and another proxy for HTTP requests, or choose to use the same proxy for both kinds of traffic.

  2. Follow the Tanzu Operations Manager installation instructions for your IaaS.

For more information, see Installing Tanzu Operations Manager.

  3. When Tanzu Operations Manager starts for the first time, you must select Use an Identity Provider or Internal Authentication. For more information, see the following IaaS-specific topics:

  4. Both the Use an Identity Provider and the Internal Authentication login pages include fields for HTTP proxy, HTTPS proxy, and No proxy.

For the VMware Tanzu Application Service for VMs (TAS for VMs) runtime, editing proxy settings in the BOSH Director propagates those settings to the Garden Diego cells in TAS for VMs. Sharing these proxy settings between Tanzu Operations Manager and TAS for VMs enables you to reach Docker Hub through a proxy within an environment that lacks internet connectivity.

Complete the fields with the following information:

  • HTTP proxy: Enter the URL for the proxy that handles HTTPS requests between the BOSH CPI and the IaaS API.
  • HTTPS proxy: Enter the URL for the proxy that handles HTTP requests between the BOSH CPI and the IaaS API. If you are using the same proxy to handle both HTTPS and HTTP traffic, enter the same URL as HTTP proxy.
  • No proxy: Enter the following IP addresses:

    • - This is the metadata server for many IaaS such as Amazon’s AWS.
    • The IP address of your BOSH Director. This is the first IP address not in your reserved range. For example, if you enter in the Reserved IP Ranges field of the Create Networks page when configuring the BOSH Director, the BOSH Director IP is

      When the BOSH Director talks to other components on its VM, such as the database and the User Account and Authentication (UAA) module, it communicates with them as if they were external. You must enter the BOSH Director IP address in the no-proxy list to prevent traffic from the BOSH Director to other components on the same VM from passing through the proxy.

      The values in the No Proxy field must be comma-delimited, with no spaces or quotation marks between values.
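
A pre-flight check for the No proxy value described above, as an added example that is not part of Tanzu Operations Manager or its documentation. It flags spaces, quotation marks, and stray commas, and reports any required address that is missing from the list. The function name and the sample addresses (taken from the RFC 5737 documentation range) are assumptions made for illustration.

```python
import ipaddress


def check_no_proxy(value, required):
    """Return a list of problems found in a No proxy field value.

    value    -- the string exactly as it would be typed into the field
    required -- IP addresses that must be listed, such as the IaaS
                metadata server and the BOSH Director IP
    """
    problems = []
    if any(ch.isspace() for ch in value):
        problems.append("contains whitespace")
    if '"' in value or "'" in value:
        problems.append("contains quotation marks")

    listed = set()
    for raw in value.split(","):
        # Normalise each entry so one formatting slip does not also
        # produce a misleading "missing address" report.
        entry = raw.strip().strip("\"'")
        if not entry:
            problems.append("empty entry (stray comma)")
            continue
        try:
            listed.add(ipaddress.ip_address(entry))
        except ValueError:
            # Entries that are not IP addresses are left for the operator to review.
            pass

    for ip in required:
        if ipaddress.ip_address(ip) not in listed:
            problems.append(f"missing required address: {ip}")
    return problems


# Constructed sample values; substitute the addresses for your environment.
METADATA_IP = "192.0.2.254"   # placeholder for the IaaS metadata server
DIRECTOR_IP = "192.0.2.6"     # placeholder for the BOSH Director IP

if __name__ == "__main__":
    for candidate in ("192.0.2.254,192.0.2.6",
                      "192.0.2.254, 192.0.2.6",
                      '"192.0.2.254"'):
        print(repr(candidate), "->",
              check_no_proxy(candidate, [METADATA_IP, DIRECTOR_IP]) or "ok")
```

A missing Director IP is the finding to act on first: without it, traffic from the BOSH Director to the database and UAA on the same VM is sent through the proxy.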

