LATEST VERSION: 1.10 - CHANGELOG
Pivotal Cloud Foundry v1.10

Managing Isolation Segments

Page last updated:

This topic describes how operators can isolate deployment workloads into dedicated resource pools called isolation segments.

Requirements

You must have the most recent version of the Cloud Foundry Command Line Interface (cf CLI) installed to manage isolation segments.

Target the API endpoint of your deployment with cf api and log in with cf login before performing the procedures in this topic. For more information, see the Identifying the API Endpoint for your Elastic Runtime Instance topic.

Overview

To enable isolation segments, an operator must install the PCF Isolation Segment tile by performing the procedures in the Installing PCF Isolation Segment topic. Installing the tile creates a single isolation segment.

After an admin creates a new isolation segment, the admin can then create and manage relationships between the orgs and spaces of a Cloud Foundry deployment and the new isolation segment object.

To manage the isolation segment, an operator uses cf CLI commands.

Operators can perform the following operations on isolation segments:

Create an Isolation Segment

Before you create an isolation segment in PCF, you must install the PCF Isolation Segment tile by performing the procedures in the Installing PCF Isolation Segment topic.

To register an isolation segment with Cloud Controller, use the cf CLI.

Note: The isolation segment name used in the cf CLI command must match the value specified in the Segment Name field of the PCF Isolation Segment tile. If the names do not match, PCF fails to place apps in the isolation segment when apps are started or restarted in the space assigned to the isolation segment.

The following command creates an isolation segment named my_segment:

$ cf create-isolation-segment my_segment

If successful, the command returns an OK message:

Creating isolation segment my_segment as admin...
OK

The command returns an error message if another isolation segment with the same name exists.

Retrieve Isolation Segment Information

The cf isolation-segments, cf org, and cf space commands retrieve information about isolation segments. The isolation segments you can see depends on your role, as follows:

  • Admins see all isolation segments in the system.
  • Other users only see the isolation segments that their orgs are entitled to.

List Isolation Segments

The following request returns a list of the isolation segments that are available to you:

$ cf isolation-segments

For example, the command returns results similar to the following:

Getting isolation segments as admin...
OK

name           orgs
my_segment     org1, org2

Display Isolation Segments Enabled for an Org

An admin can entitle an org to multiple isolation segments.

To view the isolation segments that are available to an org, use the cf org ORG-NAME command. For example:

$ cf org my-org

The command returns results similar to the following:

Getting info for org my-org as user@example.com...

name:                 my-org
domains:              example.com, apps.example.com
quota:                paid
spaces:               development, production, sample-apps, staging
isolation segments:   my_segment, my_other_segment

Show the Isolation Segment Assigned to a Space

Only one isolation segment can be assigned to a space.

To view the isolation segment assigned to a space, use the cf space SPACE-NAME command. For example:

$ cf space staging

The command returns results similar to the following:

name:                staging
org:                 my-org
apps:
services:
isolation segment:   my_segment
space quota:
security groups:     dns, p-mysql, p.mysql, pcf-redis, public_networks, rabbitmq, ssh-logging

Delete an Isolation Segment

Note: An isolation segment with deployed apps cannot be deleted.

Only admins can delete isolation segments.

The following command deletes an isolation segment:

$ cf delete-isolation-segment

If successful, the command returns an OK message:

Deleting isolation segment my_segment as admin...
OK

Manage Isolation Segment Relationships

The commands listed in the sections below manage the relationships between isolation segments, orgs, and spaces.

Enable an Org to Use Isolation Segments

Only admins can enable orgs to use isolation segments. The following command enables the use of an isolation segment.

$ cf enable-org-isolation ORG_NAME SEGMENT_NAME

For example:

$ cf enable-org-isolation org2 my_segment

If an org is entitled to use only one isolation segment, that isolation segment does not automatically become the default isolation segment for the org. You must explicitly set the default isolation segment of an org.

Disable an Org from Using Isolation Segments

Note: You cannot disable an org from using an isolation segment if a space within that org is assigned to the isolation segment. Additionally, you cannot disable an org from using an isolation segment if the isolation segment is configured as the default for that org.

The following command disables an org from using an isolation segment:

$ cf disable-org-isolation ORG_NAME SEGMENT_NAME

For example:

$ cf disable-org-isolation org1 my_segment

If successful, the command returns an OK message:

Removing entitlement to isolation segment my_segment from org org1 as admin...
OK

Set the Default Isolation Segment for an Org

Only admins and org managers can set the default isolation segment for an org.

When an org has a default isolation segment, new spaces created within the org are assigned to the default isolation segment unless specified otherwise.

You set the default isolation segment for an org by performing the following steps:

  1. Obtain the GUID of the isolation segment you wish to set as the default for the org.

    $ cf curl /v3/isolation_segments?names=ISO_SEG_NAME
    
    For example:
    $ cf curl /v3/isolation_segments?names=my_segment
    

  2. Use cf curl to send a request to the endpoint for the organization, and set its default_isolation_segment relationship to the GUID of the new default isolation segment.

    $ cf curl /v3/organizations/ORG_GUID/relationships/default_isolation_segment \
    -X PATCH -d '{ "data": { "guid": "ISO_SEG_GUID" } }'
    
    For example:
    $ cf curl \
    /v3/organizations/11223344-aabb-1122/relationships/default_isolation-segment \
    -X PATCH -d '{ "data": { "guid": "11223344-aabb-1122" } }' 
    

Assign an Isolation Segment to a Space

Admins and org managers can assign an isolation segment to a space. Apps in that space start in the specified isolation segment.

To assign an isolation segment to a space, you must first enable the space’s org to use the isolation segment. See Enable an Org to Use Isolation Segments

The following command assigns an isolation segment to a space:

$ cf set-space-isolation-segment SPACE_NAME SEGMENT_NAME

For example:

$ cf set-space-isolation-segment space1 my_segment

Reset the Isolation Segment Assignment for a Space

Admins can reset the isolation segment assigned to a space to use the org’s default isolation segment.

The following command assigns the default isolation segment for an org to a space:

$ cf reset-space-isolation-segment SPACE_NAME

For example:

$ cf reset-space-isolation-segment space1

Create a pull request or raise an issue on the source for this page in GitHub