Configuring CycleCloud to Use an HTTP(s) Proxy

  • Article

Azure CycleCloud can be configured to use a proxy for all internet-bound HTTP and/or HTTPS traffic. This is generally useful when direct internet access is not allowed, or for traffic monitoring purposes.

Proxy Setup

To enable proxies, go into the CycleCloud GUI and navigate to the Settings tab from the left frame, then double click on the HTTP(s) Proxies row. In the configuration dialog that pops up, verify that Enabled is checked and enter the proxy details in the form.

Proxy Settings window

Changes to the proxy settings will not take effect until after a restart. To restart CycleCloud, run the following command:

/opt/cycle_server/cycle_server restart --wait

Add storage endpoint for Blob access

CycleCloud requires access to a Blob Storage container in your subscription in order to cache installation files for nodes. When operating behind a proxy or on a locked down network, you should configure a Virtual Network Service Endpoint or a Private Endpoint to the storage service. This will route requests to the storage container through the Azure backbone network instead of through the public management URLs.

Tip

When combining a Service Endpoint for Azure Storage access with an HTTPS Proxy for outbound Azure API traffic, CycleCloud itself can be configured to avoid the Proxy and send Storage requests directly via the Service Endpoint.

To disable the proxy for Storage Account access, add: -Dhttp.nonProxyHosts="*.core.windows.net" to the webServerJvmOptions= property in the: /opt/cycle_server/config/cycle_server.properties file and then restart CycleCloud.

Export HTTPS_PROXY before running the CycleCloud CLI installer

The CycleCloud CLI installer requires outbound access to install packages via pip. Prior to running the install script, be sure to set the HTTPS_PROXY environment variable to point to your proxy server and port:

export HTTPS_PROXY=myserver:8080

Exporting proxy settings on nodes

If the nodes started by CycleCloud also need to have traffic routed through a proxy server, we suggest the use of cloud-init to help configure your proxy settings as needed. For example:

[node scheduler]
CloudInit = '''#cloud-config
write_files:
- content: |
    export http_proxy=10.12.0.5:3128
    export https_proxy=10.12.0.5:3128
    export no_proxy=169.254.169.254  # special rule exempting Azure metadata URL from proxy
  owner: root:root
  permissions: '0644'
  path: /etc/profile.d/proxy.sh
'''