Permalink
Fetching contributors…
Cannot retrieve contributors at this time
446 lines (332 sloc) 18.7 KB
---
title: Understanding Application Security Groups
owner: Security
---
<strong><%= modified_date %></strong>
This topic provides an overview of Application Security Groups (ASGs), and describes how to manage and administer them. Many of the steps below require the [Cloud Foundry Command Line Interface](../cf-cli/install-go-cli.html) (cf CLI) tool.
<%= vars.asg_first_time %>
## <a id='introduction'></a> About Application Security Groups
Application Security Groups (ASGs) are a collections of egress rules that
specify the protocols, ports, and IP address ranges where app or task instances
send traffic.
ASGs define **allow** rules, and their order of evaluation is unimportant
when multiple ASGs apply to the same space or deployment.
The platform sets up rules to filter and log outbound network traffic from app and task instances.
ASGs apply to both buildpack-based and Docker-based apps and tasks.
### <a id='staging-running'></a> Staging and Running ASGs
Administrators can define a `staging` ASG for app and task staging, and a `running` ASG for app and task runtime.
When apps or tasks begin staging, they require traffic rules permissive enough to allow them to pull resources from the network.
A running app or task no longer needs to pull resources, so traffic rules can be more restrictive and secure.
To distinguish between these two security requirements, administrators can define a `staging` ASG for app and task staging with more permissive rules, and a `running` ASG for app and task runtime with less permissive rules.
### <a id='types'></a> Platform-Wide and Space-Scoped ASGs
To provide granular control when securing a deployment, administrators can
assign platform-wide ASGs that apply to all app and task instances for the entire deployment, or space-scoped ASGs that apply only to apps and tasks in a particular space.
In environments with both platform-wide and space-specific ASGs, the ASGs for a particular space combine with the platform ASGs to determine the rules for that space.
### <a id='simplifying'></a> Simplifying ASGs with a Services Subnet
ASGs can be complicated to configure correctly, especially when the specific IP
addresses listed in a group change.
To simplify securing a deployment while still allowing apps reach external
services, operators can deploy the services into a subnet that is separate from
their Cloud Foundry deployment, then create ASGs for the apps that whitelist those service subnets, while denying access to any virtual machine (VM) hosting other apps.
For examples of typical ASGs, see the <a href="#typical-groups">Typical Application Security Groups</a> section of this topic.
<% if vars.product_name.include? "CF" %>
### <a id='default-asg'></a> Default ASGs
<% if vars.product_name == 'CF' %>
<%= partial 'default_asg_oss' %>
<% else %>
<%= partial '../opsguide/default_asg' %>
<% end %>
<% end %>
### <a id="asg-sets"></a> ASG Sets
ASGs are applied by configuring ASG sets differentiated by _scope_, platform-wide or space specific, and _lifecycle_, staging or running.
Currently, four ASG sets exist in Cloud Foundry:
+ Platform-wide staging ASG set, also called "default-staging"
+ Platform-wide running ASG set, also called "default-running"
+ Space-scoped staging ASG set
+ Space-scoped running ASG set
In environments with both platform-wide and space-specific ASG sets, combine the ASG sets for a particular space with the platform ASG sets to determine the rules for that space.
The following table indicates the differences between the four sets.
<table>
<tr>
<th>When an ASG is bound to the... </th>
<th>the ASG rules are applied to...</th>
</tr>
<tr>
<td>Platform-wide staging ASG set</td>
<td>the staging lifecycle for all apps and tasks.</td>
</tr>
<tr>
<td>Platform-wide running ASG set</td>
<td>the running lifecycle for all app and task instances.</td>
</tr>
<tr>
<td>Space-scoped staging ASG set</td>
<td>the staging lifecycle for apps and tasks in a particular space.</td>
</tr>
<tr>
<td>Space-scoped running ASG set</td>
<td>the running lifecycle for app and task instances in a particular space.</td>
</tr>
</table>
Typically, ASGs applied during the staging lifecycle are more permissive than
the ASGs applied during the running lifecycle.
This is because staging often requires access to different resources, such as
dependencies.
You use different commands to apply an ASG to each of the four sets. For more information, see the [Procedures](#procedures) section of this topic.
<p class="note"><strong>Note</strong>: To apply a staging ASG to apps within a space, you must use cf CLI 6.28.0 or later.
</p>
### <a id='creating-groups'></a> The Structure and Attributes of ASGs
ASG rules are specified as a JSON array of ASG objects. An ASG object has the following attributes:
|Attribute |Description |Notes
|--- |--- |---
|`protocol` |`tcp`, `udp`, `icmp`, or `all` |Required
|`destination` |A single IP address, an IP address range like `192.0.2.0-192.0.2.50`, or a CIDR block that can receive traffic
|`ports` |A single port, multiple comma-separated ports, or a single range of ports that can receive traffic. Examples: `443`, `80,8080,8081`, `8080-8081` |Required when `protocol` is `tcp` or `udp`
|`code` |ICMP code |Required when `protocol` is `icmp`. A value of `-1` allows all codes.
|`type` |ICMP type |Required when `protocol` is `icmp`. A value of `-1` allows all types.
|`log` |Set to `true` to enable logging. For more information about how to configure system logs to be sent to a syslog drain, see the <a href="../devguide/services/log-management.html">Using Log Management Services</a> topic. |Logging is only supported with protocol type `tcp`
| `description` |An optional text field for operators managing security group rules
<% if vars.product_name.include? "CF" %>
##<a id="process"></a> Process for Administering ASGs
The following table outlines the flow of tasks that the administrator carries out over the lifecycle of ASGs.
Procedures for each of these tasks are given in [Managing ASGs with the cf CLI](#procedures) below.
<%= vars.asg_first_time %>
<table>
<tr>
<th></th>
<th>Task</th>
<th>For more information, see</th>
</tr>
<tr>
<td>1.</td>
<td>Review the existing ASGs. If this is a new deployment, these consist of only the <a href="#default-asg">Default ASGs</a>.</td>
<td><a href="#viewing">View ASGs</a></td>
</tr>
<tr>
<td>2. </td>
<td>Create new ASGs.</td>
<td><a href="#asg-individual">Create ASGs</a></td>
</tr>
<tr>
<td>3.</td>
<td>Update the existing ASGs.</td>
<td><a href="#updating-groups">Update ASGs</a></td>
</tr>
<tr>
<td>4.</td>
<td>Bind ASGs to an ASG set.</td>
<td><a href="#binding-groups">Bind ASGs</a></td>
</tr>
<tr>
<td>5.</td>
<td>If you need to delete an ASG, first unbind it, then delete it.</td>
<td><a href="#unbinding-asgs">Unbind ASGs</a><br>
<a href="#deleting-groups">Delete ASGs</a></td>
</tr>
</table>
## <a id='procedures'></a> Managing ASGs with the cf CLI
This section provides the commands you need to create and manage ASGs.
### <a id='viewing'></a> View ASGs
Run the following cf CLI commands to view information about existing ASGs:
|Command |Output
|--- |---
|`cf security-groups` |All ASGs
|`cf staging-security-groups` |All ASGs applied to the platform-wide staging ASG set
|`cf running-security-groups` |All ASGs applied to the platform-wide running ASG set
|`cf security-group SECURITY-GROUP` |All rules in the ASG named `SECURITY-GROUP`, for example, <code>cf security-group dns</code>
<%= vars.asg_note %>
### <a id='asg-individual'></a> Create ASGs
To create an ASG, perform the following steps:
1. Create a rules file: a JSON-formatted single array containing objects that describe the rules.
See the following example, which allows ICMP traffic of code `1` and type `0` to all destinations, and TCP traffic to `10.0.11.0/24` on ports `80` and `443`. Also see [The Structure and Attributes of ASGs](#creating-groups).
<pre>
[
{
"protocol": "icmp",
"destination": "0.0.0.0/0",
"type": 0,
"code": 0
},
{
"protocol": "tcp",
"destination": "10.0.11.0/24",
"ports": "80,443",
"log": true,
"description": "Allow http and https traffic from ZoneA"
}
]
</pre>
1. Run `cf create-security-group SECURITY-GROUP PATH-TO-RULES-FILE`. Replace `SECURITY-GROUP` with the name of your security group, and `PATH-TO-RULES-FILE`
with the absolute or relative path to a rules file.
In the following example, `my-asg` is the name of a security group, and `~/workspace/my-asg.json` is the path to a rules file.
<pre class="terminal">
$ cf create-security-group my-asg ~/workspace/my-asg.json
</pre>
After the ASG is created, you must bind it to an ASG set before it takes effect.
See <a href="#binding-groups">Bind ASGs</a> below.
### <a id='binding-groups'></a> Bind ASGs
<p class='note'><strong>Note</strong>: Binding an ASG does not affect started apps until you restart them. To restart all of the apps in an org or a space, use the <a href="https://github.com/cloudfoundry-incubator/app-restarter">app-restarter</a> cf CLI plugin.
</p>
To apply an ASG, you must first bind it to an ASG set.
To bind an ASG to the platform-wide staging ASG set, run `cf bind-staging-security-group SECURITY-GROUP`. Replace `SECURITY-GROUP` with the name of your security group.
Example:
<pre class="terminal">
$ cf bind-staging-security-group my-asg
</pre>
To bind an ASG to the platform-wide running ASG set, run `cf bind-running-security-group SECURITY-GROUP` command. Replace `SECURITY-GROUP` with the name of your security group.
Example:
<pre class="terminal">
$ cf bind-running-security-group my-asg
</pre>
To bind an ASG to a space-scoped running ASG set, run `cf bind-security-group SECURITY-GROUP ORG SPACE`. Replace `SECURITY-GROUP` with the name of your security group. Replace `ORG` and `SPACE` with the org and space where you want to bind the ASG set.
Example:
<pre class="terminal">
$ cf bind-security-group my-asg my-org my-space
</pre>
To bind an ASG to a space-scoped staging ASG set, run `cf bind-security-group SECURITY-GROUP ORG SPACE --lifecycle staging`. Replace `SECURITY-GROUP` with the name of your security group. Replace `ORG` and `SPACE` with the org and space where you want to bind the ASG set.
### <a id='updating-groups'></a> Update ASGs
To update an existing ASG, perform the following steps.
1. Edit the ASG rules in the JSON file.
2. Run `cf update-security-group SECURITY-GROUP PATH-TO-RULES-FILE`. Replace `SECURITY-GROUP` with the name of the existing ASG you want to change, and `PATH-TO-RULES-FILE` with the absolute or relative path to a rules file.
In the following example, `my-asg` is the name of a security group, and `~/workspace/my-asg-v2.json` is the path to a rules file.
<pre class="terminal">
$ cf update-security-group my-asg ~/workspace/my-asg-v2.json
</pre>
<p class='note'><strong>Note</strong>: Updating an ASG does not affect started apps until you restart them. To restart all of the apps in an org or a space,
use the <a href="https://github.com/cloudfoundry-incubator/app-restarter">app-restarter</a> cf CLI plugin.
</p>
### <a id='unbinding-groups'></a> Unbind ASGs
<p class='note'><strong>Note</strong>: Unbinding an ASG does not affect started apps until you restart them. To restart all of the apps in an org or a space,
use the <a href="https://github.com/cloudfoundry-incubator/app-restarter">app-restarter</a> cf CLI plugin.
</p>
To unbind an ASG from the platform-wide staging ASG set, run `cf unbind-staging-security-group SECURITY-GROUP`. Replace `SECURITY-GROUP` with the name of your security group.
Example:
<pre class="terminal">
$ cf unbind-staging-security-group my-asg
</pre>
To unbind an ASG from the platform-wide running ASG set, run `cf unbind-running-security-group SECURITY-GROUP`. Replace `SECURITY-GROUP` with the name of your security group.
Example:
<pre class="terminal">
$ cf unbind-running-security-group my-asg
</pre>
To unbind an ASG from a specific space, run `cf unbind-security-group SECURITY-GROUP ORG SPACE --lifecycle running`. Replace `SECURITY-GROUP` with the name of your security group. Replace `ORG` and `SPACE` with the org and space where you want to unbind the ASG set, and replace `running` with `staging` if you want to unbind from the staging ASG set.
Example:
<pre class="terminal">
$ cf unbind-security-group my-asg my-org my-space --lifecycle staging
</pre>
### <a id='deleting-groups'></a> Delete ASGs
<p class='note'><strong>Note</strong>: You can only delete unbound ASGs. To unbind ASGs, see <a href="#unbinding-groups">Unbind ASGs</a> above.
</p>
To delete an ASG, run `cf delete-security-group SECURITY-GROUP`. Replace `SECURITY-GROUP` with the name of your security group.
Example:
<pre class="terminal">
$ cf delete-security-group my-asg
</pre>
## <a id='typical-groups'></a> Typical ASGs
Below are examples of typical ASGs. Configure your ASGs in accordance with your organization's network access policy for untrusted apps.
|ASG |For access to
|--- |---
|`dns` |DNS, either public or private
|`public-networks` |Public networks, excluding IaaS metadata endpoints
|`private-networks` |Private networks in accordance with [RFC-1918](https://tools.ietf.org/html/rfc1918#section-3)
|`load-balancers` |The internal <%= vars.product_full %> load balancer and others
|`internal-proxies` |Internal proxies
|`internal-databases` |Internal databases
### <a id='dns-example'></a> DNS
To resolve hostnames to IP addresses, apps require DNS server connectivity,
which typically use port 53.
Administrators should create or update a `dns` ASG with appropriate rules. Administrators may further restrict the DNS servers to specific IP addresses or
ranges of IP addresses.
Example `dns` ASG:
```
[
{
"protocol": "tcp",
"destination": "0.0.0.0/0",
"ports": "53"
},
{
"protocol": "udp",
"destination": "0.0.0.0/0",
"ports": "53"
}
]
```
### <a id='public-networks-example'></a> Public Networks
Apps often require public network connectivity to retrieve app dependencies, or
to integrate with services available on public networks.
Example app dependencies include public Maven repositories, NPM, RubyGems, and
Docker registries.
<p class='note'><strong>Note</strong>: You should exclude IaaS metadata endpoints, such as <code>169.254.169.254</code>, because the metadata endpoint can expose sensitive environment information to untrusted apps. The <code>public_networks</code> example below accounts for this recommendation.
</p>
Example `public_networks` ASG:
```
[
{
"destination": "0.0.0.0-9.255.255.255",
"protocol": "all"
},
{
"destination": "11.0.0.0-169.253.255.255",
"protocol": "all"
},
{
"destination": "169.255.0.0-172.15.255.255",
"protocol": "all"
},
{
"destination": "172.32.0.0-192.167.255.255",
"protocol": "all"
},
{
"destination": "192.169.0.0-255.255.255.255",
"protocol": "all"
}
]
```
### <a id='private-networks-example'></a> Private Networks
Network connections that are commonly allowable in private networks include
endpoints such as proxy servers, Docker registries, load balancers, databases,
messaging servers, directory servers, and file servers. Configure appropriate
private network ASGs as appropriate. You may find it helpful to use a naming
convention with `private_networks` as part of the ASG name, such as `private_networks_databases`.
<p class='note'><strong>Note</strong>: You should exclude any private networks and IP addresses that app and task instances should not have access to.
</p>
Example `private_networks` ASG:
```
[
{
"protocol": "tcp",
"destination": "10.0.0.0-10.255.255.255",
"ports": "443"
},
{
"protocol": "tcp",
"destination": "172.16.0.0-172.31.255.255",
"ports": "443"
},
{
"protocol": "tcp",
"destination": "192.168.0.0-192.168.255.255",
"ports": "443"
}
]
```
### <a id='marketplace-services'></a> Marketplace Services
Each installed Marketplace Service requires its own set of ASG rules to
function properly. See the installation instructions for each
installed Marketplace Service to determine which ASG rules it requires.
For more information about how to provision and integrate services, see the [Services Overview](../devguide/services/index.html) topics.
## <a id='asg-baseline'></a> About the ASG Creator Tool
The ASG Creator is a command line tool that you can use to create JSON rules
files.
The ASG Creator lets you specify IP addresses, CIDRs, and IP address ranges
that you want to disallow traffic to, as well as the addresses that you want to allow traffic to.
Based on these disallow/allow (exclude/include) lists that you provide as
input, the ASG Creator formulates a JSON file of allow rules.
In turn, the JSON file is the input for the `cf create-security-group` command
that creates an ASG.
You can download the latest release of the ASG Creator from the Cloud Foundry incubator repository on Github: [https://github.com/cloudfoundry-incubator/asg-creator/releases/latest](https://github.com/cloudfoundry-incubator/asg-creator/releases/latest)
## <a id='logging'></a> ASG Logging
The KB article [How to use Application Security Group (ASG) logging](https://discuss.pivotal.io/hc/en-us/articles/115005916027) describes how you can use ASGs to correlate emitted logs back to an app.
<% end %>