Egress Block List for Gorouter Route Services#537
Merged
geofffranks merged 1 commit intocloudfoundry:developfrom Mar 9, 2026
Merged
Conversation
Co-authored-by: <alexander.nicke@sap.com>
cf-foundation-community-automation
Bot
moved this to Inbox
in Application Runtime Platform Working Group
plowin
approved these changes
Mar 9, 2026
Contributor
plowin
left a comment
plowin
left a comment
There was a problem hiding this comment.
LGTM, @ameowlia / @geofffranks to cross-check/cut a release
github-project-automation
Bot
moved this from Inbox
to Pending Merge | Prioritized
in Application Runtime Platform Working Group
geofffranks
approved these changes
Mar 9, 2026
github-project-automation
Bot
moved this from Pending Merge | Prioritized
to Done
in Application Runtime Platform Working Group
Member
|
HI @Dariquest - I was belatedly looking over this PR. ❓ Can you please make a new PR and add template tests? |
Contributor
Author
Hi @ameowlia, sorry, I am on it. |
plowin
reviewed
Mar 18, 2026
| rsDialer := &net.Dialer{ | ||
| Timeout: cfg.EndpointDialTimeout, | ||
| KeepAlive: cfg.EndpointKeepAliveProbeInterval, | ||
| Control: RouteServiceDialControl(routeServiceConfig), |
Contributor
There was a problem hiding this comment.
FTR: this control hooks in before TCP connect
| Layer | Timing relative to Control |
|---|---|
| Socket creation | Before Control |
Control callback |
← here |
| TCP connect (SYN) | After Control |
| TLS handshake | After Control |
| HTTP request | After Control |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Egress Blocklist for Route Services
Operators will be enabled to provide a list of IP addresses, which can't be accessed via route services.
The list of blocked CIDRs for route services is configured in the Gorouter configuration property router.route_services.block_CIDRs. Route Service Requests to these CIDRs will be blocked with HTTP status code 502.
Custom Route Service Dialer enables callback to make decisions after DNS resolution and before the connection is established by providing a Control function. This function is used to abort the Dialer's connection to a particular target before it is opened based on the defined block list.
Backward Compatibility
Breaking Change? No