Proxy Configuration
Polaris Proxy Configuration
Important: The client workload protected by Polaris Proxy must run on a confidential node and should not be publicly accessible from the internet; if the workload is reachable directly, bypassing the proxy, the full security guarantees no longer hold.
When deploying Polaris or Polaris Pro through our Microsoft Marketplace offers, you will be asked to configure the following Polaris Proxy parameters:
- Enable Input Encryption: Ensures all incoming requests to the application are encrypted.
- Enable Output Encryption: Ensures all application responses are encrypted.
- Enable CORS Policy: Allows cross-origin requests if enabled.
- Enable Logging: Enables logging for all requests and responses.
- Workload Base URL: Define the full internal URL of the workload in the Kubernetes cluster, including scheme and port (e.g., `http://<WORKLOAD_SERVICE>.<NAMESPACE>.svc.cluster.local:8080`).
- Workload Kubernetes App Name: Specify the `app` label of the Kubernetes deployment, so that Polaris Proxy is scheduled on the same node as the workload.
- Polaris Proxy Port: Set the port number for Polaris Proxy (default: 3000).
Optional: Enable Key Vault Integration for Polaris Pro
For Polaris, these parameters are not required, as it uses an ephemeral key held within the TEE. To deploy Polaris Pro, provide the following additional parameters:
- Key Vault Endpoint: Enter the Azure Key Vault endpoint, including the `https://` scheme.
- Key Vault Key ID: Provide the name of the cryptographic key stored in Azure Key Vault.
- IMDS Client ID: Provide the managed identity client ID used for key release requests (this should be the AKS agentpool managed identity).
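The following is an added pre-deployment check, not part of the Polaris Proxy product or of the Marketplace offer. It encodes the constraints stated above for both parameter groups (a cluster-local Workload Base URL with scheme and port, a proxy port, an `app` label, and for Polaris Pro a Key Vault endpoint that includes `https://`, a key name and an IMDS client ID), and it checks the "not publicly accessible" requirement against the workload Service as returned by `kubectl get svc <name> -o json`. The dictionary keys (`workload_base_url`, `proxy_port`, ...) are names chosen for this example, not the offer's parameter names, and the Service JSON is a constructed sample.

```python
"""Sanity checks for Polaris Proxy deployment parameters (added example)."""
import json
from urllib.parse import urlparse

CLUSTER_SUFFIX = ".svc.cluster.local"


def validate_params(p: dict) -> list[str]:
    """Return a list of problems with the Marketplace parameters (empty = OK).

    Keys are assumed names for this example, not the offer's field names.
    """
    errors = []
    url = urlparse(p.get("workload_base_url", ""))
    if url.scheme not in ("http", "https"):
        errors.append("Workload Base URL must include a scheme (http:// or https://)")
    if not url.hostname or not url.hostname.endswith(CLUSTER_SUFFIX):
        errors.append("Workload Base URL must be the internal cluster DNS name "
                      "(<WORKLOAD_SERVICE>.<NAMESPACE>" + CLUSTER_SUFFIX + ")")
    if url.port is None:
        errors.append("Workload Base URL must include the workload port")
    port = p.get("proxy_port", 3000)          # page default is 3000
    if not isinstance(port, int) or not 1 <= port <= 65535:
        errors.append("Polaris Proxy Port must be an integer between 1 and 65535")
    if not p.get("workload_app_name"):
        errors.append("Workload Kubernetes App Name (the deployment's app label) is required")
    if p.get("key_vault_integration"):        # Polaris Pro only
        if not str(p.get("key_vault_endpoint", "")).startswith("https://"):
            errors.append("Key Vault Endpoint must include https://")
        if not p.get("key_vault_key_id"):
            errors.append("Key Vault Key ID (key name in Azure Key Vault) is required")
        if not p.get("imds_client_id"):
            errors.append("IMDS Client ID (AKS agentpool managed identity) is required")
    return errors


def workload_exposure(service_json: str, app_name: str) -> list[str]:
    """Flag ways the workload Service could be reached without going through the proxy.

    Takes the output of `kubectl get svc <WORKLOAD_SERVICE> -o json`.
    """
    spec = json.loads(service_json).get("spec", {})
    findings = []
    if spec.get("type") in ("LoadBalancer", "NodePort"):
        findings.append(f"Service type {spec['type']} exposes the workload outside the cluster")
    if spec.get("externalIPs"):
        findings.append("externalIPs are set on the workload Service")
    if spec.get("selector", {}).get("app") != app_name:
        findings.append("Service selector app label does not match Workload Kubernetes App Name")
    return findings


# Constructed sample inputs for this example.
GOOD_PARAMS = {
    "workload_base_url": "http://my-workload.default.svc.cluster.local:8080",
    "workload_app_name": "my-workload",
    "proxy_port": 3000,
    "key_vault_integration": True,
    "key_vault_endpoint": "https://my-vault.vault.azure.net",
    "key_vault_key_id": "polaris-key",
    "imds_client_id": "00000000-0000-0000-0000-000000000000",
}
BAD_PARAMS = {
    "workload_base_url": "http://my-workload:8080",        # not cluster-local DNS
    "workload_app_name": "my-workload",
    "key_vault_integration": True,
    "key_vault_endpoint": "my-vault.vault.azure.net",        # missing https://
    "key_vault_key_id": "polaris-key",
    "imds_client_id": "00000000-0000-0000-0000-000000000000",
}
PRIVATE_SERVICE_JSON = json.dumps({"kind": "Service", "spec": {
    "type": "ClusterIP", "selector": {"app": "my-workload"}, "ports": [{"port": 8080}]}})
PUBLIC_SERVICE_JSON = json.dumps({"kind": "Service", "spec": {
    "type": "LoadBalancer", "selector": {"app": "my-workload"}, "ports": [{"port": 8080}]}})

if __name__ == "__main__":
    for name, params in (("good", GOOD_PARAMS), ("bad", BAD_PARAMS)):
        print(name, validate_params(params) or "OK")
    for name, svc in (("private", PRIVATE_SERVICE_JSON), ("public", PUBLIC_SERVICE_JSON)):
        print(name, workload_exposure(svc, "my-workload") or "OK")
```

Run the exposure check against the real Service before deploying; a ClusterIP Service with a matching `app` selector is the expected shape, while a LoadBalancer or NodePort Service means the workload can be reached without the proxy, which the note at the top of this page warns against.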