/
cf-networking.html.md.erb
232 lines (160 loc) · 8.67 KB
/
cf-networking.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
---
title: Configuring container-to-container networking
owner: CF for VMs Networking
---
The container-to-container networking feature, also known as CF Networking, allows direct network traffic between apps. For an overview of how container-to-container networking works, see [Container-to-container networking](../../concepts/understand-cf-networking.html).
<p class="note important">
<span class="note__title"><strong>Important</strong></span>
Container-to-container networking is not available for apps hosted on Microsoft Windows.</p>
<%= vars.app_traffic_logging %>
<% if vars.platform_code == "CF" %>
<%= partial 'c2c_oss_enable' %>
<% end %>
<% if vars.platform_code == "CF" %>
<%= partial 'c2c_oss_overlay' %>
<% else %>
<%= partial "/pcf/core/c2c_overlay" %>
<% end %>
<% if vars.platform_code == "CF" %>
<%= partial 'c2c_oss_logging' %>
<% end %>
## <a name="create-policies"></a> Create and manage networking policies
This section describes how to create and edit container-to-container networking policies using the Cloud Foundry Command Line Interface (cf CLI).
<%= vars.app_man_network %>
### <a name="prereq"></a> Prerequisites
Ensure that you are using cf CLI v6.42 or later:
<pre class="terminal">
$ cf version
</pre>
For more information about updating the cf CLI, see [Installing the cf CLI](../../cf-cli/install-go-cli.html).
<% if vars.platform_code == "CF" || vars.platform_code == "PCF" %>
### <a name="grant"></a> Grant permissions
Cloud Foundry admins use the following UAA scopes to grant specific users or groups permissions to configure network policies:
<table class="table">
<thead><tr>
<th>UAA Scope</th>
<th>Suitable for…</th>
<th>Allows users to create policies…</th>
</tr></thead>
<tr>
<td><code>network.admin</code></td>
<td>operators</td>
<td>for any apps in the Cloud Foundry deployment</td>
</tr>
<tr>
<td><code>network.write</code></td>
<td>space developers</td>
<td>for apps in spaces that they can access</td>
</tr>
</table>
If you are a Cloud Foundry admin, you already have the `network.admin` scope. An admin can also grant the `network.admin` scope to a space developer.
<%= vars.uaa_cli %>
To grant all Space Developers permissions to configure network policies, <%= vars.grant_devs_c2c %>.
By default, Space Developers can add a maximum of 150 network policies per
source app.
<% end %>
<% if vars.platform_code == "PCF" %>
Operators can increase this limit by changing the **Maximum number of network
policies per app source** property in the **App Developer Controls** tab.
<% end %>
<% if vars.platform_code == "CF" %>
Operators can change this limit by changing the `max_policies_per_app_source` property in the policy-server job in
the Cloud Foundry deployment manifest.
<% end %>
<% if vars.platform_code == "CF" || vars.platform_code == "PCF" %>
This limit does not apply to users with the network.admin scope.
<% end %>
### <a name="add-policy"></a> Add a network policy
To add a policy that allows direct network traffic from one app to another, run:
```
cf add-network-policy SOURCE-APP DESTINATION-APP -s DESTINATION-SPACE-NAME -o DESTINATION-ORG-NAME --protocol (tcp | udp) --port RANGE
```
Where:
* `SOURCE-APP` is the name of the app that sends traffic.
* `DESTINATION-APP` is the name of the app that receives traffic.
* `DESTINATION-SPACE-NAME` is the space of the destination app. The default is the targeted space.
* `DESTINATION-ORG-NAME` is the org of the destination app. The default is the targeted org.
* `PROTOCOL` is either: `tcp` or `udp`.
* `RANGE` contains the ports at which to connect to the destination app. The allowed range is from `1` to `65535`. You can specify a single port, such as `8080`, or a range of ports, such as `8080-8090`. Port 61443 is used for TLS communication.
Use the `add-network-policy` command to allows access from the `frontend` app to the `backend` app over TCP at port 8080. Here is an example:
<pre class="terminal">
$ cf add-network-policy frontend backend --protocol tcp --port 8080
Adding network policy to app frontend in org my-org / space dev as admin...
OK
</pre>
<%= vars.network_policy_quota %>
This limit does not apply to users with the `network.admin` scope.
<%= vars.network_policy_quota_config %>
### <a name="list-policies"></a> List policies
You can list all the policies in your space, or just the policies for which a single app is the source:
* To list the all the policies in your space, run `cf network-policies`.
<pre class="terminal">
$ cf network-policies
</pre>
* To list the policies for an app, run `cf network-policies --source MY-APP`. Replace `MY-APP` with the name of your app.
<pre class="terminal">
$ cf network-policies --source example-app
</pre>
The following example of the `network-policy` command lists policies for the app `frontend`:
<pre class="terminal">
$ cf network-policies --source frontend
Listing network policies in org my-org / space dev as admin...
source destination protocol ports destination space destination org
frontend backend tcp 8080 example-space example-org
</pre>
### <a name="rm-policy"></a> Remove a network policy
To remove a policy that allows direct network traffic from an app, run:
```
cf remove-network-policy SOURCE-APP DESTINATION-APP -s DESTINATION-SPACE-NAME -o DESTINATION-ORG-NAME --protocol PROTOCOL --port RANGE
```
Where:
* `SOURCE-APP` is the name of the app that sends traffic.
* `DESTINATION-APP` is the name of the app that receives traffic.
* `DESTINATION-SPACE-NAME` is the space of the destination app. The default is the targeted space.
* `DESTINATION-ORG-NAME` is the org of the destination app. The default is the targeted org.
* `PROTOCOL` is either `tcp` or `udp`.
* `PORTS` are the ports connecting the apps. The allowed range is from `1` to `65535`. You can specify a single port, such as `8080`, or a range of ports, such as `8080-8090`.
The `remove-network-policy` command deletes the policy that allows the `frontend` app to communicate with the `backend` app over TCP on port 8080. Here is an example:
<pre class="terminal">
$ cf remove-network-policy frontend backend --protocol tcp --port 8080
Removing network policy to app frontend in org my-org / space dev as admin...
OK
</pre>
### <a name="disable-policy"></a> Deactivate network policy enforcement
You can deactivate Silk network policy enforcement between apps. Deactivating network policy enforcement allows all apps to send network traffic to all other apps in the foundation despite no policy specifically allowing it.
To deactivate network policy enforcement between apps:
<% if vars.platform_code == "CF" %>
1. To target your BOSH deployment, run:
<pre>
bosh target -e MY-ENV -d MY-DEPLOYMENT
</pre>
Where:
- `MY-ENV` is the alias you set for your BOSH Director.
- `MY-DEPLOYMENT` is your deployment name. You can see your deployment name by running `bosh -e MY-ENV deployments`.
2. To download and save the BOSH manifest, run:
<pre>
bosh -e MY-ENV -d MY-DEPLOYMENT manifest > MY-MANIFEST.yml
</pre>
Where `MY-MANIFEST.yml` is the name you choose for the saved manifest.
3. In your BOSH manifest, change the `disable_container_network_policy` value to `false`.
4. To redeploy BOSH using the edited BOSH manifest, run:
<pre>
bosh -e MY-ENV -d MY-DEPLOYMENT deploy MY-MANIFEST.yml
</pre>
<% else %>
<%= partial "/pcf/core/disable_network_policy_enforcement" %>
<% end %>
## <a name="discovery"></a> App service discovery
With app service discovery, apps pushed to <%= vars.app_runtime_abbr %> can establish container-to-container communications through a known route served by internal BOSH DNS. This allows front end apps to easily connect with back end apps.
<%= vars.internal_domain_config %>
To establish container-to-container communications between a front end and back end app, a developer:
1. Runs a back end app that publishes a local endpoint.
1. Maps a named route to the endpoint.
1. Creates a network policy that allows direct traffic from the front end to the back end app.
1. Run the front end app.
See [Cats and Dogs with Service Discovery](https://github.com/cloudfoundry/cf-networking-examples/blob/master/docs/c2c-with-service-discovery.md) in GitHub for an example, written in Go, that demonstrates communication between front end and back end apps.
To use TLS developer adds a network policy for port 61443. After that the front end app can reach the back end app using HTTPS, `https://backend-app.apps.internal:61443`, for example.
<% if vars.platform_code == "CF" %>
### <a name="enable-discovery"></a> Activate app service discovery
To activate app service discovery, <%= vars.enable_c2c_discovery %>.
<% end %>