Enable TCP proxy V2 Azure Private Link

Julio Forniés 26 Reputation points
2022-02-27T11:31:04.343+00:00

Azure Private Link has recently added the option of enabling proxy protocol v2. In our company we intend to share our outgoing proxies through a private link. Until now the problem was that you didn't know the source IP when going through the plink. My scenario is:

- Virtual machines with the browser proxy configured to point at the plink

- On the other side of the plink is a Squid proxy

I don't know whether I have misunderstood the v2 protocol and it is only useful for consuming an app that reads the headers, or whether it would work in our scenario, since we are already connecting with a proxy protocol from the machines.

For now, the moment we enable TCP Proxy V2 on the private link our scenario stops working.

Azure Private Link

Accepted answer
  1. lfavtx 76 Reputation points
    2022-03-11T22:40:45.41+00:00

    Just tried: Squid version 4.10 with the following configuration works on an AWS setup:
    client --> private link service --> squid --> internet
    http_port 3128 require-proxy-header
    http_port 3128
    proxy_protocol_access allow localnet

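
A fuller squid.conf in the spirit of the accepted answer, added here as an example (it is not lfavtx's configuration, not from any Azure Marketplace image, and not part of the original thread). It puts the listener that receives the PROXY header on its own port, because one port can only be bound once, and it limits proxy_protocol_access to the TCP peer addresses the Private Link service NATs to, so that nothing else can inject a header and spoof a client address. The ranges 10.2.0.0/24 (Private Link NAT subnet) and 10.1.0.0/16 (consumer VNet) and the ports are assumptions for illustration; the browser side is unchanged and still sends ordinary proxy requests such as CONNECT, since the PROXY header is only the first bytes of the TCP connection and is stripped by Squid before the request is read.

```squid
# Port the Private Link service forwards to with TCP Proxy V2 enabled.
# Squid strips the PROXY v2 header and takes the client address from it.
http_port 8080 require-proxy-header

# Separate plain port for provider-side clients that do not pass through
# the private link. A PROXY header arriving here would be rejected, and a
# require-proxy-header port refuses connections that carry none, which is
# the "fails in both directions" behaviour described in the thread.
http_port 3128

# Only the Private Link NAT addresses (assumed range) may present a PROXY
# header; this is what stops an arbitrary peer from spoofing a client IP.
acl plink_nat src 10.2.0.0/24
proxy_protocol_access allow plink_nat
proxy_protocol_access deny all

# From here on ACLs and access.log see the real browser address carried in
# the header, so consumer-side rules can be written against it.
acl consumer_vnet src 10.1.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow consumer_vnet
http_access deny all
```

After reloading, a quick sanity check is to watch access.log: connections arriving via the private link should be logged with the consumer VM address (10.1.x.x in the assumed ranges) rather than a NAT address, and a plain telnet to port 8080 from the provider side should be dropped because it sends no header.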

4 additional answers

  1. ChaitanyaNaykodi-MSFT 23,501 Reputation points Microsoft Employee
    2022-02-28T23:23:12.703+00:00

    Hello @Julio Forniés , Welcome to the Microsoft Q&A forum.
    Based on my understanding of the question: when using a Private Link service, the source IP address of packets coming from the private endpoint is network address translated (NAT). As the source IP is not known, you enabled TCP Proxy V2, but then your scenario stopped working.

    According to the documentation for TCP Proxy V2, the source IP is included in the proxy protocol header, and the service provider is responsible for making sure that the service behind the standard load balancer is configured to parse the proxy protocol header as per the specification when proxy protocol is enabled on the Private Link service. The request will fail if the proxy protocol setting is enabled on the Private Link service but the service provider's service is not configured to parse the header. Similarly, the request will fail if the service provider's service is expecting a proxy protocol header while the setting is not enabled on the Private Link service. So, in your case the application will be required to parse the proxy protocol header for TCP Proxy V2 to work.

    In case your backend is configured to parse the proxy protocol header and the requests are still failing, you can do a packet capture on your target VM and determine whether TCP Proxy V2 is set up correctly by checking the proxy protocol header values for the LinkID and the source IP.
    Hope this helps! Please let me know if you have any additional questions, I will be glad to continue with our discussion. Thank you!
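
To make "parse the proxy protocol header" concrete, and to give something to run over the first bytes of the packet capture the answer above suggests, here is an added example (written for this page, not code from Azure, Squid or any poster) that decodes a PROXY protocol v2 header, returns the real client and destination addresses, the Azure private endpoint LinkID TLV, and the bytes that follow the header, which in this thread's scenario are the browser's CONNECT request. The PP2 framing is the HAProxy specification; the Azure TLV numbers (type 0xEE, sub-type 0x01, 4-byte little-endian LinkID) are assumptions taken from Azure's TCP Proxy v2 documentation as recalled and should be confirmed against a real capture. The sample stream, addresses and LinkID are constructed, not captured.

```python
import socket
import struct

# PROXY protocol v2 constants (HAProxy spec).
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_VERSION = 0x2
PP2_CMD_PROXY = 0x1
PP2_FAM_INET, PP2_FAM_INET6 = 0x1, 0x2
PP2_PROTO_STREAM = 0x1
# Azure vendor TLV carrying the private endpoint LinkID. ASSUMED values,
# taken from Azure's TCP Proxy v2 documentation as recalled; confirm them
# against a packet capture on the target VM before relying on them.
PP2_TYPE_AZURE = 0xEE
PP2_SUBTYPE_AZURE_LINKID = 0x01


class ProxyHeaderError(ValueError):
    """The connection did not start with a well-formed PP2 header."""


def has_proxy_v2_signature(data):
    """Cheap pre-check: do the first bytes look like a PP2 header at all?"""
    return len(data) >= 16 and data[:12] == PP2_SIGNATURE


def parse_proxy_v2(data):
    """Return (connection_info, remaining_bytes) for a PP2-prefixed stream.

    remaining_bytes is what the backend must treat as the real client data,
    e.g. the browser's CONNECT request in the scenario of this thread.
    """
    if not has_proxy_v2_signature(data):
        raise ProxyHeaderError("no PROXY protocol v2 signature")
    ver_cmd, fam_proto = data[12], data[13]
    if ver_cmd >> 4 != PP2_VERSION:
        raise ProxyHeaderError("unsupported PROXY protocol version")
    (body_len,) = struct.unpack("!H", data[14:16])
    end = 16 + body_len
    if len(data) < end:
        raise ProxyHeaderError("truncated PROXY protocol v2 header")
    body = data[16:end]

    info = {"command": "LOCAL", "src": None, "dst": None, "link_id": None}
    tlvs = b""
    if (ver_cmd & 0x0F) == PP2_CMD_PROXY:
        info["command"] = "PROXY"
        family = fam_proto >> 4
        if family == PP2_FAM_INET:
            alen, af = 4, socket.AF_INET
        elif family == PP2_FAM_INET6:
            alen, af = 16, socket.AF_INET6
        else:
            raise ProxyHeaderError("unsupported address family 0x%x" % family)
        addr_block = 2 * alen + 4
        if len(body) < addr_block:
            raise ProxyHeaderError("address block shorter than family requires")
        src_port, dst_port = struct.unpack("!HH", body[2 * alen:addr_block])
        info["src"] = (socket.inet_ntop(af, body[:alen]), src_port)
        info["dst"] = (socket.inet_ntop(af, body[alen:2 * alen]), dst_port)
        tlvs = body[addr_block:]
    # For the LOCAL command the spec says to ignore the address block, so the
    # length field alone is used to skip over the header.

    pos = 0
    while pos < len(tlvs):
        if pos + 3 > len(tlvs):
            raise ProxyHeaderError("truncated TLV header")
        ttype = tlvs[pos]
        (tlen,) = struct.unpack("!H", tlvs[pos + 1:pos + 3])
        value = tlvs[pos + 3:pos + 3 + tlen]
        if len(value) != tlen:
            raise ProxyHeaderError("truncated TLV value")
        if (ttype == PP2_TYPE_AZURE and tlen == 5
                and value[0] == PP2_SUBTYPE_AZURE_LINKID):
            (info["link_id"],) = struct.unpack("<I", value[1:])  # little endian
        pos += 3 + tlen
    return info, data[end:]


def build_proxy_v2(src, dst, link_id=None):
    """Sender side: encode a PP2 PROXY/TCP-over-IPv4 header. Used to build
    the constructed sample below and to round-trip the parser."""
    addr = (socket.inet_pton(socket.AF_INET, src[0])
            + socket.inet_pton(socket.AF_INET, dst[0])
            + struct.pack("!HH", src[1], dst[1]))
    tlv = b""
    if link_id is not None:
        value = bytes([PP2_SUBTYPE_AZURE_LINKID]) + struct.pack("<I", link_id)
        tlv = bytes([PP2_TYPE_AZURE]) + struct.pack("!H", len(value)) + value
    body = addr + tlv
    head = bytes([(PP2_VERSION << 4) | PP2_CMD_PROXY,
                  (PP2_FAM_INET << 4) | PP2_PROTO_STREAM])
    return PP2_SIGNATURE + head + struct.pack("!H", len(body)) + body


# Constructed sample (not a real capture): the first bytes Squid would read
# on its require-proxy-header port when a browser at 10.1.0.4 behind the
# private endpoint issues a CONNECT. Addresses and LinkID are made up.
SAMPLE_REQUEST = b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n"
SAMPLE_STREAM = build_proxy_v2(("10.1.0.4", 51234), ("10.2.0.5", 8080),
                               link_id=42) + SAMPLE_REQUEST

if __name__ == "__main__":
    conn, payload = parse_proxy_v2(SAMPLE_STREAM)
    print("client %s:%d -> %s:%d LinkID=%s" % (conn["src"] + conn["dst"]
                                               + (conn["link_id"],)))
    print(payload.split(b"\r\n")[0].decode())
```

The two failure modes the answer describes fall out of the same function: feed it a stream that has no header (the plink with TCP Proxy V2 off) and it raises, while a backend that does not strip the header would hand those 36 leading bytes to its HTTP parser as if they were a request, which is why a plain Squid listener breaks the moment the setting is switched on. To check a capture, save the first few hundred bytes of the client-to-Squid direction of one TCP stream and pass them to parse_proxy_v2.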


  2. Julio Forniés 26 Reputation points
    2022-02-28T23:36:03.717+00:00

    Thank you for the answer. Yes, I saw the documentation, but I haven't seen any proxy on the market that supports that configuration.
    One that exists in the Azure Marketplace would be enough for me.

    That's why I was asking whether this configuration is compatible with having a proxy on the other side of a private link, or whether a different application is needed.

    Right now we have a Squid, but we can change it if a marketplace proxy behind a private link can really be made to work with TCP Proxy V2 enabled on the private link.


  3. Julio Forniés 26 Reputation points
    2022-03-03T01:17:11.333+00:00

    What I mean is a scenario like this:
    User equipment with its browser proxy configured to 192.168.0.5:8080
    The idea is that this user can browse the internet

    The IP 192.168.0.5 would be the private link

    And on the other side of the private link, published as a private service, there would be a Squid with access to the internet listening on port 8080

    This scenario works, but it stops working if you enable protocol v2.

    The question is whether this scenario would really work with a web proxy as I have described, or whether it will never work because on the other side a web application is expected rather than an outgoing proxy to the internet.

    user browser --> plink (tcp protocol v2) --> squid --> internet


  4. Julio Forniés 26 Reputation points
    2022-03-11T23:00:58.337+00:00

    Thanks for the reply.

    I had already tried that configuration when I opened this thread, because I found something similar here:

    https://www.spinics.net/lists/squid/msg94673.html

    But it didn't work for me either with TCP Proxy V2 active on the private link.

    Could you paste the entire Squid configuration, please?

    Is it a Squid from the Azure Marketplace, or one you configured yourself on Ubuntu?