
Customizing agent networking and connectivity

This document contains additional information for configuring connectivity to a Hybrid SaaS agent. It covers configuration considerations for common use cases, such as using the agent with a proxy server.

Agents don't interact with proxy servers by default, but can be configured to do so if required. This is true of both AWS and Azure hosted agents.

There is no support for using proxy servers with Matillion hosted agents in a Full-SaaS solution.

Note

This article is not intended as a guide for how to set up a proxy server; we assume you are already using a proxy in your infrastructure, and need to know how to use your Data Productivity Cloud agent with it.


Environment variables for outbound connections

Outbound connections for the agent are configured with a number of optional environment variables. See below for how to set these variables in an AWS or Azure based agent. The variables are:

  • PROXY_HTTP: Holds the name and port of your HTTP proxy server. For example: myproxy.com:3000.
  • PROXY_HTTPS: Holds the name and port of your HTTPS proxy server. For example: myproxy.com:3000.
  • PROXY_EXCLUDES: Lists addresses for the proxy to ignore. Separate multiple addresses using a pipe character. For example: example.com|example.net.
  • CUSTOM_CERT_LOCATION: Points to the storage location for custom certificates that you want the agent to trust. For example: my_storage/my_certs.

Valid certificate file types

Only the .cer and .pem file types will be downloaded for use as certificates. When using external storage to supply the agent with certificates, any other file types in the storage location will not be downloaded by the agent.


AWS hosted agents

Loading externally hosted certificates

To load certificates into an AWS-hosted agent for proxy-routed communications, store the certificates in an S3 bucket that's in the same account space as the agent and accessible by the agent.

The IAM role for the account the agent is hosted in will need to have at least the following permissions to access S3 buckets:

  • s3:ListAllMyBuckets
  • s3:ListBucket
  • s3:GetObject
  • s3:GetBucketLocation

These will be applied automatically if you created the agent using the provided CloudFormation template.

The agent must have the CUSTOM_CERT_LOCATION environment variable added and set to the location of the bucket, for example s3://my-additional-libraries. You can omit s3:// from this, as the agent will assume the connection is to an S3 bucket and automatically use the correct protocol.
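
For a role that is set up by hand rather than through the CloudFormation template, the following added example (not Matillion's code) builds an IAM policy that grants the four listed actions on the certificate bucket only, and shows which object keys pass the .cer/.pem filter. It assumes the standard aws ARN partition, that the agent reads only under any prefix given in CUSTOM_CERT_LOCATION, and a case-insensitive suffix match; the function names and sample keys are constructed for illustration.

```python
import json

BUCKET_ACTIONS = ["s3:ListBucket", "s3:GetBucketLocation"]  # bucket-level actions
CERT_SUFFIXES = (".cer", ".pem")  # the only file types the page says are downloaded


def parse_cert_location(value):
    """Split CUSTOM_CERT_LOCATION into (bucket, prefix); 's3://' is optional."""
    value = value.strip()
    if "://" in value:
        scheme, _, value = value.partition("://")
        if scheme.lower() != "s3":
            raise ValueError(f"expected an S3 location, got scheme {scheme!r}")
    bucket, _, prefix = value.strip("/").partition("/")
    if not bucket:
        raise ValueError("CUSTOM_CERT_LOCATION has no bucket name")
    return bucket, prefix


def build_policy(location):
    """Return an IAM policy dict granting the four actions on one bucket only."""
    bucket, prefix = parse_cert_location(location)
    bucket_arn = f"arn:aws:s3:::{bucket}"  # assumes the standard 'aws' partition
    # Assumption: the agent only reads objects under the configured prefix.
    objects_arn = f"{bucket_arn}/{prefix + '/' if prefix else ''}*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            # ListAllMyBuckets is account-level and only accepts Resource "*".
            {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"},
            {"Effect": "Allow", "Action": BUCKET_ACTIONS, "Resource": bucket_arn},
            {"Effect": "Allow", "Action": "s3:GetObject", "Resource": objects_arn},
        ],
    }


def downloadable(keys):
    """Filter object keys to the certificate file types the agent will fetch."""
    # Assumption: suffix match is case-insensitive.
    return [k for k in keys if k.lower().endswith(CERT_SUFFIXES)]


if __name__ == "__main__":
    print(json.dumps(build_policy("my-additional-libraries"), indent=2))
    # Constructed sample listing, not real bucket contents.
    print(downloadable(["corp-root.pem", "proxy-ca.cer", "notes.txt", "key.p12"]))
```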

When you launch a new agent with the CloudFormation template, the configuration page in the AWS console will have a field for each environment variable you have created. Enter the proxy values you need for each variable.

If you are updating an existing agent, you will need to create a new revision of the task definition in use, and add CUSTOM_CERT_LOCATION plus any other optional environment variables you require, along with their required values. Then, restart the service using the new task definition.

Proxying service and container traffic

When both AWS service traffic and container traffic must pass through a proxy, the following additional steps will be needed:

  1. Deploy the service on an EC2 instance to gain more control over network configurations.
  2. Export the proxy configuration at node level. Configure the EC2 instance to route all outbound traffic through the proxy.
  3. Apply proxy variable settings for the agent, as described above.

Azure hosted agents

Loading externally hosted certificates

To load certificates into an Azure-hosted agent, store the certificates in an Azure Blob container in a storage account that is in the same resource group as the agent and accessible by the agent.

The managed identity associated with the agent's container will need to have at least the following permissions on the storage account:

  • Storage Account Contributor
  • Storage Blob Data Contributor
  • Storage Blob Data Reader

These will be applied automatically if you create the agent using the provided ARM template.

The agent must have the CUSTOM_CERT_LOCATION environment variable added and set to the location of the Azure Blob container, for example https://mystorageaccount.blob.core.windows.net/my-certificates. You can omit https:// from this, as the agent will assume the connection is to a Blob container and automatically use the correct protocol.

When you launch a new agent with the ARM template, the configuration page in the Azure Portal will have a field named Custom Certificate Location, along with fields for each other environment variable you have created. Enter the proxy values you need for each variable.

If you are updating an existing agent, you will need to edit and deploy the existing container and add CUSTOM_CERT_LOCATION plus any other optional environment variables you require, along with their required values.