Learn more about the additional VPC scenarios that show how the VPC can be configured
between your workload environment and the CDP Control Plane.
Scenario 1: VPC endpoint in your egress VPC with no HTTP proxy
This scenario has the VPC endpoints in your egress VPC, allowing the VPC endpoints to be
shared by multiple VPCs in your network. In this setup, VPC endpoints receive IPs from
the egress VPC.
DNS overrides where DNS is a per-VPC view:
Deploying a VPC endpoint with the private DNS option enabled will
automatically install the DNS overrides in the egress VPC, but this does not provide
the overrides for the workload environment VPC.
DNS override zones and records can be deployed in each workload
environment VPC, or a single set of DNS override zones and records can be deployed
and the zones associated with each workload environment VPC.
DNS overrides where DNS is a regional or global view:
The DNS override will have a regional or global impact on resolution
of the CDP hostnames: clients in the region, or globally, will receive these VPC
endpoints.
Scenario 2: VPC endpoint in your egress VPC, HTTP proxy
Similar to scenario 1, except you have egress traffic flowing through an HTTP proxy in
the egress VPC. In this setup, VPC endpoints receive IPs from the egress VPC.
DNS overrides:
Deploying a VPC endpoint with the private DNS option enabled will
automatically install the DNS overrides in the egress VPC. If the egress proxy is
performing the DNS lookup for the destination service, this approach should be
sufficient.
Transparent proxy or egress firewall policy configurations may require
the original destination IP to match the DNS resolution. If this is the case, the
override zones/records/VPC associations can be deployed as described in scenario
1.
Scenario 3: VPC endpoint in your workload environment VPC, HTTP proxy
VPC endpoints are deployed in your workload environment network. In this setup, VPC
endpoints receive IPs from the egress VPC.
DNS overrides where DNS is a per-VPC view:
Deploying a VPC endpoint with the “private DNS” option enabled will
automatically install the DNS overrides in the egress VPC. This is
recommended.
DNS overrides where DNS is a regional or global view:
The overrides will impact resolution for clients elsewhere in the
region and globally.
Traffic to these hostnames from outside this VPC will attempt to use
these VPC endpoints, which may not be a desired configuration.
HTTP forward proxy or non-transparent proxy
The workload environment will be configured to use an HTTP proxy profile.
The no_proxy configuration of the profile must include the hostnames
of the APIs reachable through the VPC endpoint. HTTP requests for destinations in the
no_proxy list will not be forwarded to the proxy; local DNS, and therefore the VPC
endpoints, will be used for that traffic.
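A pre-deployment check for the no_proxy requirement above, as an added example that is not part of the CDP documentation: it flags endpoint hostnames that the proxy profile would still send to the HTTP proxy, or that local DNS resolves outside the range the VPC endpoints take their IPs from. The hostnames, addresses and CIDR are constructed placeholders, and the suffix-match reading of no_proxy is an assumption, since clients differ in how they interpret that list.

```python
import ipaddress

def bypasses_proxy(host, no_proxy):
    """True if host matches a no_proxy entry (assumed suffix-match semantics)."""
    host = host.lower().rstrip(".")
    for entry in no_proxy.split(","):
        entry = entry.strip().lower()
        if entry == "*":
            return True
        # Treat "*.x", ".x" and "x" alike: match x itself and any subdomain.
        entry = entry.lstrip("*").lstrip(".")
        if entry and (host == entry or host.endswith("." + entry)):
            return True
    return False

def audit(endpoint_hosts, no_proxy, resolved, endpoint_cidr):
    """Return {host: [problems]} for hosts that would miss the VPC endpoints."""
    net = ipaddress.ip_network(endpoint_cidr)
    findings = {}
    for host in endpoint_hosts:
        problems = []
        if not bypasses_proxy(host, no_proxy):
            problems.append("not covered by no_proxy: sent to the HTTP proxy")
        ips = resolved.get(host, [])
        if not ips:
            problems.append("no local DNS answer")
        outside = [ip for ip in ips if ipaddress.ip_address(ip) not in net]
        if outside:
            problems.append("resolves outside endpoint range: " + ", ".join(outside))
        if problems:
            findings[host] = problems
    return findings

# Constructed sample data (placeholders, not real CDP hostnames or addresses).
HOSTS = ["api.cdp.example", "logs.cdp.example", "iam.other.example"]
NO_PROXY = "localhost,127.0.0.1,.cdp.example"
RESOLVED = {  # answers as seen from inside the workload environment VPC
    "api.cdp.example": ["10.20.0.15"],
    "logs.cdp.example": ["203.0.113.10"],   # DNS override missing: public answer
    "iam.other.example": ["10.20.0.16"],    # override present, no_proxy entry missing
}
ENDPOINT_CIDR = "10.20.0.0/24"

if __name__ == "__main__":
    for host, problems in audit(HOSTS, NO_PROXY, RESOLVED, ENDPOINT_CIDR).items():
        print(host, "->", "; ".join(problems))
```

Feed `RESOLVED` from lookups made inside the workload environment VPC, since that is the DNS view the bypassed traffic will use.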