For vRealize Automation 8.0.1 forward installations on isolated networks with no direct Internet access, you can use an Internet proxy server to allow Internet by proxy functionality. The Internet proxy server supports HTTP and HTTPS.

To configure and use public cloud providers such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) as well as external integration points such as IPAM, Ansible, and Puppet, with vRealize Automation, you must configure an Internet proxy server to access the internal vRealize Automation Internet proxy server.

vRealize Automation contains an internal proxy server that communicates with your Internet proxy server. This server communicates with your proxy server if it has been configured with the vracli proxy set ... command. If you have not configured an Internet proxy server for your organization, then the vRealize Automation internal proxy server attempts to connect directly to the Internet.

You can set up vRealize Automation to use an Internet proxy server by using the supplied vracli command line utility. Information about how to use the vracli API is available by using the --help argument in the vracli command line, for examplevracli proxy –-help.

Access to the Internet proxy server requires use of the actions-based extensibility (ABX) On-Prem Embedded controls that are built into vRealize Automation.


Access to Workspace ONE Access (previously named VMware Identify Manager) is not supported by way of the Internet proxy. You cannot use the vracli set vidm command to access Workspace ONE Access through the Internet proxy server.

The internal proxy server requires IPv4 as its default IP format. It doesn't require Internet protocol restrictions, authentication or man-in-the-middle actions on TLS (HTTPS) certificate traffic.


  • Verify that you have an existing HTTP or HTTPS server, that you can use as the Internet proxy server, in the vRealize Automation network that is able to pass outgoing traffic to external sites. The connection must be configured for IPv4.
  • Verify that the target Internet proxy server is configured to support IPv4 as its default IP format and not IPv6.
  • If the Internet proxy server uses TLS and requires an HTTPS connection with its clients, you must import the server certificate by using one of the following commands, prior to setting the proxy configuration.
    • vracli certificate proxy --set path_to_proxy_certificate.pem
    • vracli certificate proxy --set stdin

      Use the stdin parameter for interactive input.


  1. Create a proxy configuration for the pods or containers that are used by Kubernetes. In this example, the proxy server is accessed by using the HTTP scheme.

    vracli proxy set --host

  2. Show the proxy configuration.

    vracli proxy show

    The result will be similar to:
        "enabled": true,
        "host": "",
        "java-proxy-exclude": "*.local|*.localdomain|localhost|10.244.*|192.168.*|172.16.*|kubernetes|||*|||||",
        "java-user": null,
        "password": null,
        "port": 3128,
        "proxy-exclude": ".local,.localdomain,localhost,10.244.,192.168.,172.16.,kubernetes,,,,,,,,",
        "scheme": "http",
        "upstream_proxy_host": null,
        "upstream_proxy_password_encoded": "",
        "upstream_proxy_port": null,
        "upstream_proxy_user_encoded": "",
        "user": null,
        "internal.proxy.config": "dns_v4_first on \nhttp_port\nlogformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt\naccess_log stdio:/tmp/logger squid\ncoredump_dir /\ncache deny all \nappend_domain .prelude.svc.cluster.local\nacl mylan src\nacl mylan src\nacl mylan src\nacl proxy-exclude dstdomain .local\nacl proxy-exclude dstdomain .localdomain\nacl proxy-exclude dstdomain localhost\nacl proxy-exclude dstdomain 10.244.\nacl proxy-exclude dstdomain 192.168.\nacl proxy-exclude dstdomain 172.16.\nacl proxy-exclude dstdomain kubernetes\nacl proxy-exclude dstdomain\nacl proxy-exclude dstdomain\nacl proxy-exclude dstdomain\nacl proxy-exclude dstdomain\nalways_direct allow proxy-exclude\nhttp_access allow mylan\nhttp_access deny all\n# End autogen configuration\n",
        "internal.proxy.config.type": "default"
    Note: If you have configured an Internet proxy server for your organization, then "internal.proxy.config.type": "non-default" appears in the above example instead of 'default'. For security, the password is not shown.
    Note: If you use the -proxy-exclude parameter, you must edit the default values. For example, if you want to add as a domain that cannot be accessed by using the Internet proxy server, use the following steps:
    1. Enter vracli proxy default-no-proxy to obtain the default proxy-exclude settings. This is a list of automatically generated domains and networks.
    2. Edit the value to add
    3. Enter vracli proxy set .... --proxy-exclude ... to update the configuration settings.
    4. Run the /opt/scripts/ command to redeploy the environment.
  3. (Optional) Exclude DNS domains, FQDNs, and IP addresses from being accessed by the Internet proxy server.

    Always modify the default values of the proxy-exclude variable using parameter --proxy-exclude. To add the domain, first use the vrali proxy show command, then copy the proxy-exclude variable, and add the domain value using the vracli proxy set ... command as below:

    vracli proxy set --host --proxy-exclude ",docker-registry.prelude.svc.cluster.local,localhost,.local,.cluster.local,10.244.,192.,172.16.,,,"
    Note: Add elements to proxy-exclude instead of replacing values. If you delete proxy-exclude default values, vRealize Automation does not function properly. If this happens, delete the proxy configuration and start over.
  4. After you set the Internet proxy server with vracli proxy set ... command, you can use the vracli proxy apply command to update the Internet proxy server configuration and make the latest proxy settings active.
  5. If you have not already done so, activate the script changes by running the following command:


  6. (Optional) If needed, configure the proxy server to support external access on port 22.

    To support integrations such as Puppet and Ansible, the proxy server must allow port 22 to access the relevant hosts.

Example: Sample Squid configuration

Relative to step 1, if you are setting up a Squid proxy, you can tune your configuration in /etc/squid/squid.conf by adapting it to the following sample:

acl localnet src

acl SSL_ports port 443

acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http

http_access allow !Safe_ports
http_access allow CONNECT !SSL_ports
http_access allow localnet


maximum_object_size 5 GB
cache_dir ufs /var/spool/squid 20000 16 256
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320

client_persistent_connections on
server_persistent_connections on