Bernd

Reputation: 424

Understanding container-to-container security for application instances in CloudFoundry

I refer to the articles about container-to-container security at https://ict.swisscom.ch/2018/05/container-networking-with-cloud-foundry/ and https://docs.cloudfoundry.org/concepts/understand-cf-networking.html

This helps to define direct inter-application connectivity. What I still try to find out is how the connectivity between application instances is working, i.e. when scaling up an application to 2 instances, how do those 2 instances see each other via the network? I tried to solve this question for a long time, as this would be very important for cluster based interactions, such as Hazelcast, using broadcast mechanisms to identify cluster members.

Is that (intra-application instance connectivity) documented somewhere?

Upvotes: 0

Views: 307

Answers (1)

Daniel Mikusa

Reputation: 15051

Is that (intra-application instance connectivity) documented somewhere?

It is the same as app to app communication. Everything is just an instance connected to the container to container network. AppA & AppB, or AppA instance #1 and AppA instance #2. They're all on the container to container network.

All Diego cells in your Cloud Foundry deployment share this overlay network. By default, each cell is allocated a /24 range that supports 254 containers per cell, one container for each of the usable IP addresses, .1 through .254.

From: https://docs.cloudfoundry.org/concepts/understand-cf-networking.html#overlay-network

Just remember that all traffic is blocked by default, so you need to add a network policy to allow traffic over the C2C network. For talking between two apps, the cf add-network-policy syntax makes sense. You have a source and destination app. For app containers within the same app, the command is a little confusing because there's only one app, not a source and destination. That said, it should work just fine if you make the source and destination the same.

Ex: cf add-network-policy my-cluster-app --destination-app my-cluster-app --protocol tcp --port 9990-10000

Hope that helps!

Upvotes: 2
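A small POSIX shell helper, added here as an example (not code from the answer or from the Cloud Foundry project), that adds the self-referencing C2C policy the answer describes only when it is missing and only for a narrow port range. It assumes a logged-in cf CLI and that the first four whitespace-separated columns of cf network-policies output are source, destination, protocol and ports; adjust the awk field numbers if your CLI version prints a different layout.

```shell
#!/bin/sh
# Added example: allow instances of one app (e.g. a Hazelcast cluster) to reach
# each other over the container-to-container network, keeping the hole minimal.
# Assumes `cf` is logged in and targeted at the correct org/space.

# Return 0 when START-END (or a single port) lies within 1..65535, is ordered,
# and spans at most MAX ports (default 256), so a typo cannot open everything.
validate_port_range() {
    range="$1"; max="${2:-256}"
    case "$range" in
        *[!0-9-]*|"") return 1 ;;
    esac
    start="${range%%-*}"; end="${range##*-}"
    [ -n "$start" ] && [ -n "$end" ] || return 1
    [ "$start" -ge 1 ] && [ "$end" -le 65535 ] && [ "$start" -le "$end" ] || return 1
    [ $((end - start + 1)) -le "$max" ]
}

# Read `cf network-policies` output on stdin and succeed if a policy already
# exists with APP as both source and destination for this protocol and range.
# Column order (source destination protocol ports ...) is an assumption.
has_self_policy() {
    app="$1"; proto="$2"; ports="$3"
    awk -v a="$app" -v p="$proto" -v r="$ports" \
        '$1 == a && $2 == a && $3 == p && $4 == r { found = 1 } END { exit !found }'
}

# Add the self-policy unless it is present; refuse invalid or overly broad ranges.
ensure_self_policy() {
    app="$1"; proto="$2"; ports="$3"
    validate_port_range "$ports" || {
        echo "refusing invalid or overly broad port range: $ports" >&2
        return 2
    }
    if cf network-policies --source "$app" | has_self_policy "$app" "$proto" "$ports"; then
        echo "policy already present for $app ($proto $ports)"
        return 0
    fi
    cf add-network-policy "$app" --destination-app "$app" --protocol "$proto" --port "$ports"
}

# Usage: ensure_self_policy my-cluster-app tcp 9990-10000
```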
