
Cloudera Private Links Network for Azure

Cloudera Private Links Network enables you to connect privately and securely to the Cloudera Control Plane without traversing the internet. You can use Cloudera Private Links Network for end-to-end encryption of your workloads between Cloudera Control Plane and Azure private endpoints.

This documentation provides the following details and steps about Cloudera Private Links Network:
  • High-level options of Virtual Network (VNet) endpoint placement
  • Cloudera Private Links Network deployment process
  • Instructions on how to set up both Private Link options:
    • VNet: Setup of Cloudera Private Links Network for a workload VNet through CDP CLI
    • Authorization: Authorization with CDP CLI to enable the setup of Cloudera Private Links Network through your automation tools
  • References for proxy profile configuration and considerations, and Cloudera Private Links Network commands
Without Cloudera Private Links Network, your workload environment communicates with the Cloudera Control Plane through the internet. This traffic may optionally flow through a managed egress proxy. The following two diagrams illustrate this:
Figure 1. Connectivity from workload environment to Cloudera Control Plane through the internet
Figure 2. Connectivity from workload environment to Cloudera Control Plane through the internet and egress proxy

With Cloudera Private Links Network, the Cloudera Control Plane is accessed as if it were on your network. This means that IP addresses are assigned to the Cloudera Control Plane services from your network, and DNS lookups return your local IP addresses.

To ensure private connectivity through network ingress between the workload environment and Cloudera Control Plane, private endpoints can be added. The following illustration details the scenario where the private endpoints are in the same VNet as your workload environment. In this case, the private endpoints receive IPs from the workload environment VNet subnets:
Figure 3. Private endpoints in workload environment VNet

The following options are available for DNS overrides:

  • DNS is a regional or global view: Installing overrides at a regional or global scope will impact DNS resolution for other VNets. These other VNets will attempt to use the local private endpoints of the VNet where the overrides point.

This section does not include an exhaustive list of design options, but should cover most cases. For information about more advanced use cases, see the Additional VNet scenarios section.
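
The following check is an added example, not Cloudera's own tooling. It verifies the two DNS behaviors described above: lookups should return IP addresses from your workload VNet, and an override installed at a regional or global scope shows up in other VNets as private addresses that belong to a different VNet. The hostnames, addresses, and function names are constructed placeholders, and the check assumes the VNets use RFC 1918 address space.

```python
import ipaddress
import socket

# Assumption: the VNets use RFC 1918 address space.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def resolve(hostname):
    """Addresses the resolver configured on this host returns for hostname."""
    try:
        infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0].split("%")[0] for info in infos}

def classify(hostname, vnet_cidrs, resolver=resolve):
    """Say where DNS would send traffic for one Control Plane hostname."""
    local = [ipaddress.ip_network(c) for c in vnet_cidrs]
    addrs = [ipaddress.ip_address(a) for a in resolver(hostname)]
    if not addrs:
        return "unresolved"
    if any(not any(a in n for n in RFC1918) for a in addrs):
        return "public"            # some answer is not a private address
    if all(any(a in n for n in local) for a in addrs):
        return "local-endpoint"    # every answer is inside this VNet's subnets
    return "foreign-endpoint"      # private, but from another VNet's subnets

def audit(hostnames, vnet_cidrs, resolver=resolve):
    """Classify every hostname; anything but 'local-endpoint' needs review."""
    return {h: classify(h, vnet_cidrs, resolver) for h in hostnames}

# Constructed sample answers; hostnames and addresses are placeholders.
SAMPLE_ANSWERS = {
    "api.controlplane.example": {"10.10.1.4"},      # endpoint in this VNet
    "logs.controlplane.example": {"10.20.1.4"},     # override from another VNet
    "iam.controlplane.example": {"203.0.113.10"},   # no override, public answer
    "missing.controlplane.example": set(),          # name does not resolve
}

def sample_resolver(hostname):
    return SAMPLE_ANSWERS.get(hostname, set())

if __name__ == "__main__":
    # Workload VNet address space (constructed): 10.10.0.0/16
    results = audit(SAMPLE_ANSWERS, ["10.10.0.0/16"], sample_resolver)
    for host, verdict in results.items():
        print(f"{host}: {verdict}")
```

Run it from a host inside the workload VNet with the default resolver and your own hostname list. A "public" verdict means that name still takes the internet path, and "foreign-endpoint" means a DNS override scoped beyond its own VNet is in effect.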