Cloudera Docs

Installing a non-transparent proxy in a Cloudera AI environment

If Cloudera AI is used in an air-gapped environment, a proxy configuration is not mandatory. If a non-transparent proxy is used, then certain endpoints must be added to the list of allowed endpoints for the proxy.

Configure the No Proxy value with the Classless Inter-Domain Routing (CIDR) ranges for the Nodes, POD CIDR, and Service CIDR. Any IP range for internal services with seamless internal network connectivity must be added in the No Proxy configuration. Specify these CIDR ranges in the configuration to ensure that the traffic destined for these ranges bypasses the proxy. Add comma-separated no-proxy configurations without any spaces between them.

If your Cloudera Private Cloud deployment uses a non-transparent network proxy, configure proxy hosts that the workloads can use for connections with Cloudera AI Workbenches. You can configure the proxy configuration values from the Cloudera Management Console.

The procedure for updating these settings might be different and dependent on the proxy server software used.

  1. Sign in to the Cloudera console.
  2. Click Cloudera Management Console.
  3. On the Cloudera Management Console home page, select Administration > Networks to view the Networks page.
  4. Configure the following options for the proxy values:
    Table 1. Proxy values
    Field Description
    HTTPS proxy It is the HTTP or HTTPS proxy connection string used with the CML workspaces. You must specify this connection string in the form: http(s)://[***USERNAME***]:[***PASSWORD***]@[***HOST***]:[***PORT***].

    The [***USERNAME***] and [***PASSWORD***] parameters are optional. You can specify the connection proxy string without these parameters.
    HTTP proxy It is the HTTP or HTTPS proxy connection string used with the Cloudera AI Workbenches. You must specify this connection string in the form: http(s)://[***USERNAME***]:[***PASSWORD***]@[***HOST***]:[***PORT***].

    The [***USERNAME***] and [***PASSWORD***] parameters are optional. You can specify the connection proxy string without these parameters.
    No proxy

    This is a comma-separated list of hostnames, IP addresses, or hostnames and IP addresses that should not be accessed through the specified HTTPS or HTTP proxy URLs.

    In case of Cloudera Embedded Container Service deployments, you must include no-proxy URLs for the following:

    • All the Cloudera Embedded Container Service hosts in your deployment
    • Any Cloudera Private Cloud Base cluster that you want to access
    • CIDR IP addresses for internal operations in the Cloudera Embedded Container Service cluster: 10.42.0.0/16 and 10.43.0.0/16
  5. Click Save.
  6. Ensure that the following endpoint is allowed:
    Table 2. Endpoint details
    Description CDP Service Destination Protocol and authentication IP protocol/ Port Comments
    Accelerators for ML Projects (AMPs) Cloudera AI

    https://raw.githubusercontent.com

    https://github.com

    		 HTTPS TCP/443 Files for AMPs are hosted on GitHub.
    Additionally, ensure that the proxy server's allowlist includes the following specific URLs, which requires updates to the proxy server configuration:
    • Cloudera AI Workbench URL, for example: ml-samplexxxx.host-1.proxy.kcloud.cloudera.com
    • Cloudera console URL, for example consoles.ml-samplexxxx.apps.host-1.proxy.kcloud.cloudera.com
    • External registry if used in Cloudera AI
Consider the following example:
Figure 1. NTP Proxy configuration example