Proxy integration HCX

Note: This article won’t cover the steps to deploy it, please see the Azure VMware Solution documentation for that.

HCX connector, the component on-prem needs egress internet connectivity. It needs it in order to activate itself at initial deployment time and after that to provide the option to update itself. Updating still is a user decision however the recommendation is to keep an eye on this as HCX does release quite a few updates often in short succession.

In order to allow the on-prem proxy to egress out we need a SNAT facility. This often is arranged by a FW and the default gateway toward it is advertized. In that case nothing out of the ordinary needs to be done. Don’t need write an article about that.

WHenever there is an on-prem proxy in place however and it needs to be used to egress out that’s where usually the fun starts.

Setting it up is done through the HCX admin part of the initial HCX configuration. (Administration/proxy) Nothing special here as you specify the IP,port,user,password and exclusion list.

Warning: Do you have to use domain joined usernames to authenticate to the proxy? HCX doesnt support Kerberos/NTLM authenticated proxies! A proxy bypass will have to be setupas an alternative.

Mind the exclusion list, often overlooked but very important! Keep in mind the proxy is used for all HTTP(S) traffic so yes you need to exclude AVS vCenter, NSX-T, … appliances to avoid them from being pushed out across that happy highway. Best is to add to the exclusion list the private address space in use. Starting of with the /22 assinged to the SDDC

Once that is all done, lets verify a few things.

Here’s a very good command to check if the proxy works after you completed that setup. (to be run from the HCX connector)

*curl --proxy "proxy-ip:proxy-port:"  -kv https://connect.hcx.vmware.com"*

more cert attention points

Having to work with a proxy c