Additional VPC scenarios

Learn more about the additional VPC scenarios that show how a VPC can be configured between your workload environment and the CDP Control Plane.

Scenario 1: VPC endpoint in your egress VPC with no HTTP proxy
This scenario has the VPC endpoints in your egress VPC, allowing the VPC endpoints to be shared by multiple VPCs in your network. In this setup, VPC endpoints receive IPs from the egress VPC.
  • DNS overrides where DNS is a per-VPC view:
    • Deploying a VPC endpoint with the private DNS option enabled will automatically install the DNS overrides in the egress VPC, but this does not provide the overrides for the workload environment VPC.
    • DNS override zones and records can be deployed in each workload environment VPC, or a single set of DNS override zones and records can be deployed and the zones associated with each workload environment VPC.
  • DNS overrides where DNS is a regional or global view:
    • The DNS override will have a regional or global impact on resolution of the CDP hostnames: clients in the region or globally will receive these VPC endpoints.
Scenario 2: VPC endpoint in your egress VPC, HTTP proxy
Similar to scenario 1, except that egress traffic flows through an HTTP proxy in the egress VPC. In this setup, VPC endpoints receive IPs from the egress VPC.
  • DNS overrides:
    • Deploying a VPC endpoint with the private DNS option enabled will automatically install the DNS overrides in the egress VPC. If the egress proxy is performing the DNS lookup for the destination service, this approach should be sufficient.
    • Transparent proxy or egress firewall policy configurations may require the original destination IP to match the DNS resolution. If this is the case, the override zones/records/VPC associations can be deployed as described in scenario 1.
Scenario 3: VPC endpoint in your workload environment VPC, HTTP proxy
VPC endpoints are deployed in your workload environment network. In this setup, VPC endpoints receive IPs from the egress VPC.
  • DNS overrides where DNS is a per-VPC view:
    • Deploying a VPC endpoint with the “private DNS” option enabled will automatically install the DNS overrides in the egress VPC. This is recommended.
  • DNS overrides where DNS is a regional or global view:
    • The overrides will impact resolution for clients elsewhere in the region and globally.
    • Traffic to these hostnames from outside this VPC will attempt to use these VPC endpoints, which may not be a desired configuration.
  • HTTP forward proxy or non-transparent proxy
    • Workload environment will be configured to use an HTTP proxy profile.
    • The no_proxy configuration of the profile must include the hostnames of the APIs reachable through the VPC endpoint. HTTP requests for destinations in the no_proxy list will not be forwarded to the proxy; local DNS, and therefore the VPC endpoints, will be used for that traffic.
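
A check for the no_proxy and DNS override requirements above, as an added example that is not part of the original page or Cloudera's tooling. The hostnames, addresses, CIDR and function names are constructed placeholders, and the suffix-matching rule is an assumption, since no_proxy semantics vary between HTTP clients.

```python
import ipaddress
import socket

def bypasses_proxy(host, no_proxy):
    """True if host matches a no_proxy entry (exact or domain-suffix match)."""
    host = host.lower().rstrip(".")
    for entry in no_proxy.split(","):
        entry = entry.strip().lower()
        if entry == "*":
            return True
        entry = entry.lstrip("*").lstrip(".")
        if entry and (host == entry or host.endswith("." + entry)):
            return True
    return False

def resolve(host):
    """Local DNS lookup, the path taken once the proxy is bypassed."""
    try:
        infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def audit(hosts, no_proxy, endpoint_cidrs, resolver=resolve):
    """Return {host: problem} for hosts that would not reach a VPC endpoint."""
    nets = [ipaddress.ip_network(c) for c in endpoint_cidrs]
    problems = {}
    for host in hosts:
        if not bypasses_proxy(host, no_proxy):
            problems[host] = "not in no_proxy: request is sent to the HTTP proxy"
            continue
        addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        if not addrs:
            problems[host] = "no DNS answer"
        elif not all(any(a in n for n in nets) for a in addrs):
            problems[host] = "resolves outside endpoint subnets: override not in effect"
    return problems

# Constructed sample data: placeholder hostnames, addresses and CIDR.
SAMPLE_DNS = {"api.cdp.example.com": ["10.20.1.15"],
              "ccm.cdp.example.com": ["203.0.113.7"],
              "logs.cdp.example.com": ["10.20.1.16"]}
SAMPLE_NO_PROXY = "localhost,127.0.0.1,api.cdp.example.com,.ccm.cdp.example.com"
SAMPLE_CIDRS = ["10.20.0.0/16"]

def sample_audit():
    return audit(SAMPLE_DNS, SAMPLE_NO_PROXY, SAMPLE_CIDRS, lambda h: SAMPLE_DNS.get(h, []))

if __name__ == "__main__":
    for host, why in sample_audit().items():
        print(f"{host}: {why}")
```

Run it from a host inside the workload environment VPC with the real hostname list and the default resolver, so the lookup uses the same DNS view as the workloads.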