Use an HTTP proxy
This document shows you how to route outbound traffic from GKE on Azure through an HTTP/HTTPS proxy. You specify the proxy configuration when you create a cluster.
Overview
GKE on Azure can route outbound internet traffic through a proxy for the following reasons:
- To register clusters with Google Cloud through Connect
- To run the Connect Agent
- To download images from Container Registry
Limitations
- The `httpProxy` and `httpsProxy` fields do not support URLs beginning with `https://`. You must use `http://`. Requests to port 443 use HTTPS.
- You must set values for `httpProxy`, `httpsProxy`, and `noProxy`.
- A cluster's proxy configuration (the resource group ID and secret ID) is immutable. You must create a new cluster and node pool to update these values.
- You might need to add additional domains, IPs, or CIDRs to the `noProxy` field. We recommend adding your cluster's control plane subnet CIDRs (the Pod address CIDR and Service address CIDR are added by default).
Prerequisites
This section describes the prerequisites you must meet before using a proxy.
Azure Key Vault configuration
GKE on Azure stores proxy configuration information in Azure Key Vault. To configure a proxy with GKE on Azure, you need to have permissions to create a secret in a Key Vault. The Key Vault must be accessible from your cluster's VNet.
Proxy Allowlist
For GKE on Azure to connect to Google Cloud services, the proxy server must allow traffic to the following Google and Microsoft domains:
- `.azure.com`
- `.gcr.io`
- `cloudresourcemanager.googleapis.com`
- `container.googleapis.com`
- `gkeconnect.googleapis.com`
- `gkehub.googleapis.com`
- `oauth2.googleapis.com`
- `securetoken.googleapis.com`
- `storage.googleapis.com`
- `sts.googleapis.com`
- `www.googleapis.com`
- `servicecontrol.googleapis.com`
- `logging.googleapis.com`
- `monitoring.googleapis.com`
- `opsconfigmonitoring.googleapis.com`
- `GCP_LOCATION-gkemulticloud.googleapis.com`
Replace `GCP_LOCATION` with the Google Cloud region in which your GKE Enterprise cluster resides. Specify `us-west1` or another supported region.
Subnet Network Security Group requirement
If you're using Network Security Groups (NSGs) to manage traffic to your subnets, your NSG rules must allow outgoing TCP traffic to the following destinations:
- AzureCloud: TCP, port 80 and 443
See Azure service tags for more information about using service tags with NSGs.
Create a proxy configuration file
The proxy configuration is stored in an Azure Key Vault secret as a JSON string. You can pass this configuration to the `az` command-line tool as a file. This section describes how to create that file.
The following table describes the contents of this file.
Field | Description | Examples | Required
---|---|---|---
`httpProxy` | A proxy server URL. The value should include a hostname/IP address and optionally a port, username, and password. | `"http://user:password@10.184.37.42:80"`, `"10.184.37.42"` | Yes
`httpsProxy` | A proxy URL for encrypted HTTPS traffic. The `httpProxy` URL is used if `httpsProxy` has an empty value. | `"http://10.101.16.31:80"` | Yes
`noProxy` | A comma-separated list of URLs to exclude from proxying. Each value can be an IP address, a CIDR range, a domain name, or the asterisk character (`*`). Domains specified with a leading dot (for example, `.google.com`) indicate that a subdomain is required. A single asterisk `*` ignores all proxy configuration. | `"1.2.3.4,10.0.0.0/16,example.com,.site.com"` | Yes
To create the configuration file, create a JSON file that contains values for the `httpProxy`, `noProxy`, and optional `httpsProxy` keys:

```json
{
  "httpProxy": "AUTHENTICATION_URL",
  "httpsProxy": "AUTHENTICATION_URL",
  "noProxy": "NO_PROXY_ADDRESSES"
}
```

Replace the following:
- `AUTHENTICATION_URL`: encoded URL containing the proxy username and password
- `NO_PROXY_ADDRESSES`: comma-separated list of CIDR blocks and URLs, for example `10.0.0.0/16,http://example.com`
Save the file to use in the following section.
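As an added example (not from this page or from GKE on Azure's own tooling), the following Python check applies the rules above to a proxy configuration file before it is stored in Key Vault, and evaluates which destinations the `noProxy` list would bypass. The `control_plane_cidr` parameter (from the recommendation in Limitations) and the rule that a bare domain also matches its subdomains are assumptions; the sample configuration is constructed from the table's example values.

```python
import ipaddress
import json

REQUIRED_KEYS = ("httpProxy", "httpsProxy", "noProxy")
# Constructed sample input, built from the example values in the table above.
SAMPLE_CONFIG = ('{"httpProxy": "http://user:password@10.184.37.42:80", "httpsProxy": '
                 '"http://10.101.16.31:80", "noProxy": "1.2.3.4,10.0.0.0/16,example.com,.site.com"}')

def _as_network(value):
    """Parse an IP or CIDR string (a bare IP becomes /32 or /128); None for anything else."""
    try:
        return ipaddress.ip_network(value, strict=False)
    except ValueError:
        return None

def validate_proxy_config(text, control_plane_cidr=None):
    """Return violations of the page's rules: keys set, no https:// proxy URL, valid CIDRs, control plane CIDR in noProxy."""
    cfg = json.loads(text)
    problems = [f"{k} must be set" for k in REQUIRED_KEYS if not cfg.get(k)]
    for key in ("httpProxy", "httpsProxy"):
        if (cfg.get(key) or "").startswith("https://"):
            problems.append(f"{key} must use http://, not https://")
    entries = [e.strip() for e in (cfg.get("noProxy") or "").split(",") if e.strip()]
    nets = [n for n in map(_as_network, entries) if n is not None]
    for entry in entries:
        # A '/' outside a URL means a CIDR was intended; catch typos such as 10.0.0.0/33.
        if "/" in entry and "://" not in entry and _as_network(entry) is None:
            problems.append(f"noProxy entry {entry!r} is not a valid CIDR")
    if control_plane_cidr:
        cp = ipaddress.ip_network(control_plane_cidr, strict=False)
        if not any(cp.version == n.version and cp.subnet_of(n) for n in nets):
            problems.append(f"control plane subnet {control_plane_cidr} is not in noProxy")
    return problems

def bypasses_proxy(no_proxy, host):
    """True if noProxy excludes host ('*' and leading dot per the page; a bare domain also matching subdomains is assumed)."""
    host_net = _as_network(host)
    for entry in (e.strip() for e in no_proxy.split(",") if e.strip()):
        if entry == "*":
            return True
        net = _as_network(entry)
        if net is not None:  # IP or CIDR entry: only an address host can match it
            if host_net is not None and host_net.version == net.version and host_net.subnet_of(net):
                return True
        elif entry.startswith("."):
            if host.endswith(entry):  # leading dot: a subdomain is required
                return True
        elif host == entry or host.endswith("." + entry):
            return True
    return False
```

Run `validate_proxy_config` on your file with the control plane subnet CIDR to confirm it is covered, and `bypasses_proxy` against a Google API hostname to confirm that traffic still goes through the proxy.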
Create a secret with this JSON data in Azure Key Vault using the `az` command-line tool:

```shell
az keyvault secret set --name SECRET_NAME \
    --vault-name KEY_VAULT_NAME \
    --file PROXY_CONFIGURATION_FILE
```

Replace the following:
- `SECRET_NAME`: the name of the new secret
- `KEY_VAULT_NAME`: the name of your Key Vault
- `PROXY_CONFIGURATION_FILE`: the path to your proxy configuration file
The output includes the secret's name and contents. You can now reference this secret when you create a cluster.
Create a cluster that uses a proxy
To configure GKE on Azure to use an HTTP proxy for outbound connectivity, follow the steps in Create a cluster and node pool and pass the `--proxy-resource-group-id` and `--proxy-secret-id` flags:

```shell
gcloud container azure clusters create CLUSTER_NAME \
    --proxy-resource-group-id=PROXY_RESOURCE_GROUP_ID \
    --proxy-secret-id=PROXY_SECRET_ID
    ...
```

Replace the following:
- `CLUSTER_NAME`: your cluster's name
- `PROXY_RESOURCE_GROUP_ID`: the resource group that hosts your cluster
- `PROXY_SECRET_ID`: the ID of the secret that contains your proxy configuration, for example `https://VAULT_NAME.vault.azure.net/secrets/SECRET_NAME/SECRET_VERSION`
What's next
- Read additional information on how to Create a cluster.