TCP proxy (HAProxy) operations

This page is the operational runbook for maintaining the TCP proxy that powers *.db.lef database endpoints.

The canonical endpoint → VIP → backend mapping lives in Reference.

  • You are on VPN/LAN (see VPN access (support)).
  • You have SSH access to proxy.core.lef and authorization to change routing.
  • You know:
    • the endpoint hostname (<name>.db.lef)
    • the destination port (commonly 1433 for SQL Server, 5432 for PostgreSQL)
    • the backend target (prefer hostnames where possible, otherwise IP:port)
  • Prefer consuming an existing VIP from the documented pool on proxy.core.lef to avoid expanding the pool.
  • Validate the VIP is not already assigned in TCP proxy (facts) and is not documented as used elsewhere in Core LAN.

2) Ensure the VIP is bound on proxy.core.lef

If the VIP is not already present on the host, add it to /etc/network/interfaces and bring it up.

The current pool on proxy.core.lef uses a 255.255.255.0 netmask for VIP aliases (see proxy.core.lef).

auto ens18:<n>
iface ens18:<n> inet static
    address <vip-ip>
    netmask 255.255.255.0

Bring it up:

sudo ifup ens18:<n>
ip -4 addr show dev ens18

At minimum, HAProxy must:

  • listen on <vip-ip>:<port>
  • route traffic to the intended backend
  • fail closed when the backend is unhealthy

After changes, validate and reload HAProxy (use your local standard once captured above).
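One way to check a configuration against the three requirements above before reloading, as an added example rather than this project's own tooling. The function names, the sample config and its 192.0.2.x addresses are constructed, and it assumes each endpoint is a `listen` section with a single `bind` and a single `server` line.

```python
# Constructed sample config (not from the runbook). 192.0.2.x are documentation
# addresses; section and server names are placeholders.
SAMPLE_CFG = """\
defaults
    mode tcp

listen orders_db
    bind 192.0.2.10:5432
    server pg1 pg1.example.internal:5432 check

listen reports_db
    bind 192.0.2.11:1433
    server sql1 192.0.2.50:1433

listen legacy_db
    bind *:15432
    server pg2 192.0.2.51:5432 check
"""

SECTION_KEYWORDS = {"global", "defaults", "frontend", "backend", "listen"}

def parse_listen_sections(cfg_text):
    """Map each `listen` section name to its directives (lists of words)."""
    sections, current = {}, None
    for raw in cfg_text.splitlines():
        words = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if not words:
            continue
        if words[0] in SECTION_KEYWORDS:
            is_listen = words[0] == "listen" and len(words) > 1
            current = sections.setdefault(words[1], []) if is_listen else None
        elif current is not None:
            current.append(words)
    return sections

def lint_endpoint(cfg_text, vip, port, backend):
    """Return problems for the section expected to serve vip:port -> backend."""
    want = f"{vip}:{port}"
    for name, directives in parse_listen_sections(cfg_text).items():
        binds = [d[1] for d in directives if d[0] == "bind" and len(d) > 1]
        if want not in binds:  # a wildcard bind such as *:15432 never matches a VIP
            continue
        servers = [d for d in directives if d[0] == "server" and len(d) > 2]
        problems = [f"{name}: extra bind {b}" for b in binds if b != want]
        if [s[2] for s in servers] != [backend]:
            problems.append(f"{name}: servers do not match {backend}")
        # Without `check`, HAProxy never marks the server down.
        problems += [f"{name}: server {s[1]} has no health check"
                     for s in servers if "check" not in s[3:]]
        return problems
    return [f"no listen section binds {want}"]
```

An empty list means the section binds only the VIP, points at the documented backend, and health-checks it.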

Update DNS for <name>.db.lef to point to the VIP.

Prefer using the DNS tooling/process documented for dns.core.lef and follow DNS split horizon when relevant.

  1. Add/update the row in TCP proxy (facts).
  2. If you introduced a new VIP or touched LAN allocations, regenerate the derived Core LAN map:

npm run generate:core-lan-address-map

From a machine that can reach the Core LAN:

nc -vz <name>.db.lef <port>
nc -vz <vip-ip> <port>

Then validate at the application layer (SQL client / app connection), if applicable.

For symptom-driven connectivity issues, see TCP proxy connectivity (support).