Network & Proxy Configuration
Enterprise environments often require that all outbound traffic from applications passes through a corporate proxy, firewall, or API gateway. Align provides two layers of network control for self-hosted deployments.
Layer 1: HTTP Proxy (Network-Level)
Route all outbound traffic through a corporate HTTP/HTTPS proxy. This applies to every pod in the Align deployment.
Configuration
```yaml
global:
  proxy:
    # Forward proxy for HTTPS traffic (most common)
    httpsProxy: "http://proxy.corp.example.com:3128"
    # Forward proxy for HTTP traffic (optional, usually same as above)
    httpProxy: "http://proxy.corp.example.com:3128"
    # Additional hosts to bypass the proxy (comma-separated)
    # Internal Align services are automatically excluded
    noProxy: "*.internal.corp.com,10.0.0.0/8"
```
When configured, every Align pod receives `HTTP_PROXY`, `HTTPS_PROXY`, and `NO_PROXY` environment variables (both uppercase and lowercase for compatibility). Internal service-to-service traffic is automatically added to `NO_PROXY`.
How It Works
- Connectors (Slack, Teams, Jira, GitHub, Linear) use `undici.fetch`, which respects `HTTPS_PROXY` automatically
- Teams Bot Framework SDK has explicit proxy agent support wired in - all token acquisition and proactive messaging traffic is routed through the proxy
- Brain service (Python/FastAPI) respects `HTTPS_PROXY` via `httpx` and `aiohttp`
- Gateway respects proxy vars for any outbound calls (credential exchange, etc.)
Backward Compatibility
When no proxy values are configured, no environment variables are injected. Existing deployments are unaffected.
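The environment-variable injection and the `NO_PROXY` bypass behaviour described in this layer, as an added Python model that is not Align's chart code. The service names in `INTERNAL_SERVICES` and the matching rules are assumptions; the caveat worth carrying into your own rollout is that HTTP clients disagree on `NO_PROXY` syntax, and CIDR entries such as `10.0.0.0/8` are ignored by several of them, so check each connector's runtime against the value you set rather than assuming the bypass works.

```python
# Added example (not Align's chart code): models how global.proxy values become
# the HTTP_PROXY/HTTPS_PROXY/NO_PROXY env vars a pod receives, and how a client
# would decide whether a host bypasses the proxy. INTERNAL_SERVICES is assumed.
import ipaddress
from typing import Dict

# Assumed in-cluster service hosts that are always excluded from proxying.
INTERNAL_SERVICES = ["align-gateway", "align-brain", "localhost", "127.0.0.1"]


def build_proxy_env(proxy: Dict[str, str]) -> Dict[str, str]:
    """Translate global.proxy values into pod environment variables.

    Returns an empty dict when no proxy is configured, so existing
    deployments see no injected variables (backward compatibility).
    """
    https_proxy = proxy.get("httpsProxy", "").strip()
    http_proxy = proxy.get("httpProxy", "").strip()
    if not https_proxy and not http_proxy:
        return {}
    user_no_proxy = [h.strip() for h in proxy.get("noProxy", "").split(",") if h.strip()]
    env: Dict[str, str] = {}
    if https_proxy:
        env["HTTPS_PROXY"] = https_proxy
    if http_proxy:
        env["HTTP_PROXY"] = http_proxy
    # Internal services go first so pod-to-pod traffic never reaches the proxy.
    env["NO_PROXY"] = ",".join(INTERNAL_SERVICES + user_no_proxy)
    # Lowercase copies for clients that only read the lowercase names.
    env.update({k.lower(): v for k, v in env.items()})
    return env


def bypasses_proxy(host: str, no_proxy: str) -> bool:
    """Return True if `host` should skip the proxy under `no_proxy`.

    Understands exact hosts, `*.suffix` (subdomains only), `.suffix`
    (the domain and its subdomains) and CIDR ranges for IP literals.
    Real clients differ: many ignore CIDR entries entirely.
    """
    host = host.lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a hostname, not an IP literal
    for entry in (e.strip().lower() for e in no_proxy.split(",") if e.strip()):
        if entry == "*":
            return True
        if "/" in entry:
            # CIDR entries only apply to IP-literal hosts.
            if ip is not None and ip in ipaddress.ip_network(entry, strict=False):
                return True
            continue
        if entry.startswith("*."):
            if host.endswith(entry[1:]):
                return True
        elif entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False
```

`build_proxy_env({})` returning an empty dict is the backward-compatibility rule above; `bypasses_proxy` is the decision a client makes per request, and is where client-specific `NO_PROXY` dialects bite.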
Layer 2: API Base URL Overrides (Application-Level)
For more granular control, you can redirect each connector's API traffic to a specific endpoint - for example, a corporate API gateway, reverse proxy, or custom MCP server that wraps the upstream API.
Per-Connector Configuration
```yaml
connectors:
  slack:
    # Route all Slack API calls through your corporate gateway
    apiBaseUrl: "https://api-gateway.corp.example.com/slack/api"
  teams:
    # Route all Microsoft Graph API calls through your corporate gateway
    graphApiBaseUrl: "https://api-gateway.corp.example.com/graph"
  jira:
    # Route all Jira/Atlassian API calls through your corporate gateway
    apiBaseUrl: "https://api-gateway.corp.example.com/atlassian/ex/jira"
  github:
    # GitHub Enterprise Server or corporate gateway
    apiBaseUrl: "https://github.corp.example.com/api/v3"
  linear:
    # Route Linear API calls through your corporate gateway
    apiBaseUrl: "https://api-gateway.corp.example.com/linear/graphql"
```
Environment Variables
Each override maps to an environment variable:
| Connector | Helm Value | Environment Variable | Default |
|---|---|---|---|
| Slack | connectors.slack.apiBaseUrl | SLACK_API_BASE_URL | https://slack.com/api |
| Teams | connectors.teams.graphApiBaseUrl | TEAMS_GRAPH_API_BASE_URL | https://graph.microsoft.com |
| Jira | connectors.jira.apiBaseUrl | JIRA_API_BASE_URL | https://api.atlassian.com/ex/jira |
| GitHub | connectors.github.apiBaseUrl | GITHUB_API_BASE_URL | https://api.github.com |
| Linear | connectors.linear.apiBaseUrl | LINEAR_API_BASE_URL | https://api.linear.app/graphql |
You can also set these via `extraEnv` on each connector if you prefer managing environment variables directly.
For Jira, the base URL must include the `/ex/jira` path prefix. The connector appends `/{cloudId}/rest/api/3/...` to this base. If routing through a gateway, ensure it proxies to `api.atlassian.com/ex/jira` with the correct path structure.
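Resolving a connector's base URL from the variables in the table and composing the Jira request path, as an added example that is not Align's connector code. The variable names and defaults are the ones documented above; the function names are assumptions. It also shows why the base should be joined by concatenation rather than `urllib.parse.urljoin`: `urljoin` treats the last path segment of a base without a trailing slash as a file name and drops it, which would silently turn `/ex/jira` into `/ex/`.

```python
# Added example (not Align's connector code): resolve Layer 2 base URLs from
# the environment and build a Jira request URL. Function names are assumed;
# variable names and defaults are those documented in the table.
import os
from typing import Mapping, Optional
from urllib.parse import urljoin, urlsplit

DEFAULT_BASE_URLS = {
    "SLACK_API_BASE_URL": "https://slack.com/api",
    "TEAMS_GRAPH_API_BASE_URL": "https://graph.microsoft.com",
    "JIRA_API_BASE_URL": "https://api.atlassian.com/ex/jira",
    "GITHUB_API_BASE_URL": "https://api.github.com",
    "LINEAR_API_BASE_URL": "https://api.linear.app/graphql",
}


def resolve_base_url(var: str, env: Optional[Mapping[str, str]] = None) -> str:
    """Return the override from `env` (default: the process environment) or the
    documented default, validated as an absolute http(s) URL, trailing slash removed."""
    env = os.environ if env is None else env
    value = (env.get(var) or "").strip() or DEFAULT_BASE_URLS[var]
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        # A bare hostname or a relative path would fail at request time in a
        # far less obvious way; reject it at startup instead.
        raise ValueError(f"{var} must be an absolute http(s) URL, got {value!r}")
    return value.rstrip("/")


def jira_request_url(cloud_id: str, api_path: str,
                     env: Optional[Mapping[str, str]] = None) -> str:
    """Compose {base}/{cloudId}/rest/api/3/{api_path}, enforcing the /ex/jira
    prefix the connector relies on."""
    base = resolve_base_url("JIRA_API_BASE_URL", env)
    if not urlsplit(base).path.endswith("/ex/jira"):
        raise ValueError("JIRA_API_BASE_URL must end with the /ex/jira path prefix")
    # Plain concatenation: urljoin(base, "abc/...") would discard the trailing
    # "jira" segment because the base has no trailing slash.
    return f"{base}/{cloud_id}/rest/api/3/{api_path.lstrip('/')}"


def jira_base_is_valid(env: Optional[Mapping[str, str]] = None) -> bool:
    """True when JIRA_API_BASE_URL (or its default) passes the checks above."""
    try:
        jira_request_url("cloud-id", "myself", env)
        return True
    except ValueError:
        return False


def naive_join_loses_prefix(env: Optional[Mapping[str, str]] = None) -> bool:
    """Show the urljoin pitfall: True when urljoin drops the /ex/jira prefix."""
    base = resolve_base_url("JIRA_API_BASE_URL", env)
    return "/ex/jira/" not in urljoin(base, "cloud-id/rest/api/3/myself")
```

Run `jira_base_is_valid()` as a startup check in whatever wraps the connector: a gateway prefix that stops at `/atlassian` or a URL pasted without its scheme is rejected before the first request rather than producing 404s against the gateway.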
Kubernetes NetworkPolicy
For defense-in-depth, you can enable Kubernetes NetworkPolicies to restrict egress traffic at the network level.
Configuration
```yaml
networkPolicies:
  enabled: true
  # Allow DNS (required for service discovery)
  allowDNS: true
  # Restrict egress to specific CIDRs
  # Empty = allow all external (permissive default)
  allowedExternalCIDRs:
    - 10.0.0.0/8      # Internal network
    - 172.16.0.0/12   # Corporate proxy network
```
When enabled:
- All pod-to-pod traffic within the Align namespace is allowed
- DNS egress (UDP/TCP 53) is allowed when `allowDNS: true`
- External egress is restricted to the specified CIDRs
- Cloud metadata endpoints (169.254.169.254) are blocked by default
- If `allowedExternalCIDRs` is empty, all external egress is allowed
NetworkPolicies require a CNI plugin that supports them (Calico, Cilium, etc.). Most managed Kubernetes services support this.
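The rules listed above, rendered as a Kubernetes `NetworkPolicy` and paired with a function that mirrors the policy's decision for a destination IP, as an added example that is not the Align chart's template. The resource name, the DNS namespace selector and the rule layout are assumptions. One detail the example makes explicit: Kubernetes only accepts an `except` that lies inside its `cidr`, so the metadata carve-out (`169.254.169.254/32`) can be attached to `0.0.0.0/0` in the permissive case but not to `10.0.0.0/8`, where the endpoint is simply outside the allowed range.

```python
# Added example (not the Align chart's template): render the egress NetworkPolicy
# the networkPolicies values describe and evaluate a destination IP against it.
# Resource name, DNS selector and rule layout are assumptions.
import ipaddress
from typing import Any, Dict, List

METADATA_ENDPOINT = ipaddress.ip_network("169.254.169.254/32")


def _external_rules(cidrs: List[str]) -> List[Dict[str, Any]]:
    """One ipBlock rule per allowed CIDR; 0.0.0.0/0 when the list is empty.

    The metadata endpoint is carved out with `except` only where the CIDR
    contains it, because Kubernetes rejects an `except` outside its `cidr`.
    """
    rules: List[Dict[str, Any]] = []
    for cidr in (cidrs or ["0.0.0.0/0"]):
        net = ipaddress.ip_network(cidr, strict=False)
        ip_block: Dict[str, Any] = {"cidr": cidr}
        if net.version == 4 and METADATA_ENDPOINT.subnet_of(net):
            ip_block["except"] = [str(METADATA_ENDPOINT)]
        rules.append({"to": [{"ipBlock": ip_block}]})
    return rules


def render_network_policy(values: Dict[str, Any], namespace: str = "align") -> Dict[str, Any]:
    """Build the NetworkPolicy object for a networkPolicies values block."""
    egress: List[Dict[str, Any]] = [
        # All pod-to-pod traffic inside the namespace.
        {"to": [{"podSelector": {}}]},
    ]
    if values.get("allowDNS", True):
        egress.append({
            # Scoped to the cluster DNS namespace rather than "any host on port 53".
            "to": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}}}],
            "ports": [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}],
        })
    egress.extend(_external_rules(values.get("allowedExternalCIDRs") or []))
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": "align-egress", "namespace": namespace},
        "spec": {"podSelector": {}, "policyTypes": ["Egress"], "egress": egress},
    }


def external_egress_allowed(values: Dict[str, Any], dst_ip: str) -> bool:
    """Mirror the rendered policy's decision for a non-cluster destination."""
    if not values.get("enabled", False):
        return True
    ip = ipaddress.ip_address(dst_ip)
    if ip in METADATA_ENDPOINT:
        return False
    cidrs = values.get("allowedExternalCIDRs") or []
    if not cidrs:
        return True
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


if __name__ == "__main__":
    import json
    sample = {"enabled": True, "allowDNS": True,
              "allowedExternalCIDRs": ["10.0.0.0/8", "172.16.0.0/12"]}
    print(json.dumps(render_network_policy(sample), indent=2))
```

With the restrictive CIDR list the proxy at `172.16.x.x` is reachable while `8.8.8.8` is not; with an empty list everything except the metadata endpoint is reachable, which is the permissive default the values comment warns about.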
Required Outbound Domains
If you need to configure a firewall allowlist, here are the external domains Align connects to:
| Domain | Used By | Purpose |
|---|---|---|
| slack.com | Slack connector | Slack API, OAuth |
| graph.microsoft.com | Teams connector | Microsoft Graph API |
| login.microsoftonline.com | Teams connector | Azure AD authentication |
| login.botframework.com | Teams connector | Bot Framework token service |
| smba.trafficmanager.net | Teams connector | Teams bot messaging |
| api.atlassian.com | Jira connector | Jira Cloud API |
| api.github.com | GitHub connector | GitHub API |
| api.linear.app | Linear connector | Linear GraphQL API |
| api.openai.com | Brain service | OpenAI LLM (if configured) |
| api.anthropic.com | Brain service | Anthropic LLM (if configured) |
Combining Both Layers
For maximum security, use both layers together:
```yaml
global:
  proxy:
    httpsProxy: "http://squid.corp.example.com:3128"
connectors:
  slack:
    apiBaseUrl: "https://api-gw.corp.example.com/slack/api"
  teams:
    graphApiBaseUrl: "https://api-gw.corp.example.com/graph"
  jira:
    apiBaseUrl: "https://api-gw.corp.example.com/atlassian/ex/jira"
  github:
    apiBaseUrl: "https://api-gw.corp.example.com/github"
networkPolicies:
  enabled: true
  allowDNS: true
  allowedExternalCIDRs:
    - 10.0.0.0/8
```
This ensures:
- All outbound HTTP traffic routes through your proxy (Layer 1)
- Each connector's API calls go through your API gateway (Layer 2)
- Kubernetes network policy blocks any unexpected egress (defense-in-depth)