Pivotal Cloud Foundry v1.10

Preparing Your Firewall for Deploying Pivotal Cloud Foundry


This topic describes how to configure your firewall for Pivotal Cloud Foundry (PCF) and how to verify that PCF resolves DNS entries behind your firewall.

Configure Your Firewall for PCF

Ops Manager and Elastic Runtime require the following open TCP ports:

  • 25555: Routes from Ops Manager to the Ops Manager Director.
  • 443: Routes to HAProxy or, if configured, your own load balancer.
  • 80: Routes to HAProxy or, if configured, your own load balancer.
  • 22 (Optional): Only necessary if you want to connect using SSH.

UDP port 123 must be open if you want to use an external NTP server.

For more information about required ports for additional installed products, refer to the product documentation.

The following example procedure uses iptables commands to configure a firewall.

Note: GATEWAY_EXTERNAL_IP is a placeholder. Replace this value with your PUBLIC_IP.

  1. Open /etc/sysctl.conf, a file that contains configurations for Linux kernel settings, with the command below:

    $ sudo vi /etc/sysctl.conf
    

  2. Add the line net.ipv4.ip_forward=1 to /etc/sysctl.conf and save the file.

  3. If you want to remove all existing filtering or Network Address Translation (NAT) rules, run the following commands:

    $ iptables --flush
    $ iptables --flush -t nat
    

  4. Add environment variables to use when creating the IP rules:

    $ export INTERNAL_NETWORK_RANGE=10.0.0.0/8
    $ export GATEWAY_INTERNAL_IP=10.0.0.1
    $ export GATEWAY_EXTERNAL_IP=203.0.113.242
    $ export PIVOTALCF_IP=10.0.0.2
    $ export HA_PROXY_IP=10.0.0.254
    

  5. Run the following commands to configure IP rules for the specified chains:

    • FORWARD:
    $ iptables -A FORWARD -i eth1 -j ACCEPT
    $ iptables -A FORWARD -o eth1 -j ACCEPT
    
    • POSTROUTING:
    $ iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    $ iptables -t nat -A POSTROUTING -d $HA_PROXY_IP -s $INTERNAL_NETWORK_RANGE \
            -p tcp --dport 80 -j SNAT --to $GATEWAY_INTERNAL_IP
    $ iptables -t nat -A POSTROUTING -d $HA_PROXY_IP -s $INTERNAL_NETWORK_RANGE \
            -p tcp --dport 443 -j SNAT --to $GATEWAY_INTERNAL_IP
      
    • PREROUTING:
    $ iptables -t nat -A PREROUTING -d $GATEWAY_EXTERNAL_IP -p tcp --dport 25555 \
          -j DNAT --to $PIVOTALCF_IP
    $ iptables -t nat -A PREROUTING -d $GATEWAY_EXTERNAL_IP -p tcp --dport 443 \
          -j DNAT --to $HA_PROXY_IP
    $ iptables -t nat -A PREROUTING -d $GATEWAY_EXTERNAL_IP -p tcp --dport 80 \
          -j DNAT --to $HA_PROXY_IP
    $ iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8443 \
          -j DNAT --to $PIVOTALCF_IP:443
    $ iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 \
          -j DNAT --to $HA_PROXY_IP:80
    $ iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8022 \
          -j DNAT --to $PIVOTALCF_IP:22
    $ iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 \
          -j DNAT --to $PIVOTALCF_IP:80

  6. Run the following command to save the iptables:

    $ service iptables save
    

For more information about administering IP tables with iptables, refer to the iptables documentation.
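The following script is an added example and is not Pivotal's code or part of the procedure above. It assembles the rules from steps 4 and 5 into an iptables-restore ruleset instead of running iptables one command at a time, and then audits which external TCP ports the DNAT rules forward inward against the port list at the top of this topic. The function names, the iptables-restore layout, the long option spellings (--to-source, --to-destination, which the page's --to abbreviates) and the audit itself are this example's own choices; the addresses default to the page's placeholder values.

```shell
#!/bin/sh
# Added example (not Pivotal's code): build the PCF gateway ruleset from the steps
# above as an iptables-restore file and audit the external ports it exposes.
# Addresses default to the page's placeholders; override them in the environment.

INTERNAL_NETWORK_RANGE=${INTERNAL_NETWORK_RANGE:-10.0.0.0/8}
GATEWAY_INTERNAL_IP=${GATEWAY_INTERNAL_IP:-10.0.0.1}
GATEWAY_EXTERNAL_IP=${GATEWAY_EXTERNAL_IP:-203.0.113.242}   # placeholder: use your PUBLIC_IP
PIVOTALCF_IP=${PIVOTALCF_IP:-10.0.0.2}
HA_PROXY_IP=${HA_PROXY_IP:-10.0.0.254}

# filter table: the page's two FORWARD rules for eth1 (the internal side).
pcf_filter_table() {
  cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -o eth1 -j ACCEPT
COMMIT
EOF
}

# nat table: the POSTROUTING and PREROUTING rules from step 5.
pcf_nat_table() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -d $HA_PROXY_IP -s $INTERNAL_NETWORK_RANGE -p tcp --dport 80 -j SNAT --to-source $GATEWAY_INTERNAL_IP
-A POSTROUTING -d $HA_PROXY_IP -s $INTERNAL_NETWORK_RANGE -p tcp --dport 443 -j SNAT --to-source $GATEWAY_INTERNAL_IP
-A PREROUTING -d $GATEWAY_EXTERNAL_IP -p tcp --dport 25555 -j DNAT --to-destination $PIVOTALCF_IP
-A PREROUTING -d $GATEWAY_EXTERNAL_IP -p tcp --dport 443 -j DNAT --to-destination $HA_PROXY_IP
-A PREROUTING -d $GATEWAY_EXTERNAL_IP -p tcp --dport 80 -j DNAT --to-destination $HA_PROXY_IP
-A PREROUTING -i eth0 -p tcp --dport 8443 -j DNAT --to-destination $PIVOTALCF_IP:443
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination $HA_PROXY_IP:80
-A PREROUTING -i eth0 -p tcp --dport 8022 -j DNAT --to-destination $PIVOTALCF_IP:22
-A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT --to-destination $PIVOTALCF_IP:80
COMMIT
EOF
}

# The complete ruleset, in the order iptables-restore reads it.
pcf_ruleset() { pcf_filter_table; pcf_nat_table; }

# Every external TCP port that a DNAT rule forwards inward, one per line, sorted.
pcf_exposed_ports() {
  pcf_nat_table \
    | awk '/-j DNAT/ { for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1) }' \
    | sort -n | uniq
}

# Compare the exposed ports with the list documented at the top of the topic
# (25555, 443, 80 and the optional 22). Returns 0 when nothing else is exposed;
# otherwise prints the extra ports and returns 1.
pcf_audit_ports() {
  documented=" 25555 443 80 22 "
  extras=""
  for p in $(pcf_exposed_ports); do
    case "$documented" in
      *" $p "*) ;;
      *) extras="$extras $p" ;;
    esac
  done
  if [ -z "$extras" ]; then
    return 0
  fi
  echo "exposed but not in the documented port list:$extras"
  return 1
}

# Stand-alone use: print the ruleset, then the audit result.
if [ "${PCF_RULES_MAIN:-1}" = "1" ]; then
  pcf_ruleset
  pcf_audit_ports || true
fi
```

Running the script against the page's values reports that 8022, 8080 and 8443 are forwarded in addition to the four documented ports, which is exactly what step 5's last four PREROUTING rules do; the audit simply makes that visible so you can decide whether you want those mappings. To check the generated file without applying it, pipe it to `iptables-restore --test`; to apply it, drop `--test`. Remember that the `net.ipv4.ip_forward=1` line from step 2 takes effect only after `sysctl -p` or a reboot.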

Verify PCF Resolves DNS Entries Behind a Firewall

When you install PCF in an environment that uses a strong firewall, the firewall might block DNS resolution. For example, if you use xip.io to test your DNS configuration, the tests will fail without warning if the firewall prevents Elastic Runtime from accessing *.xip.io.

To verify that Elastic Runtime can correctly resolve DNS entries:

  1. SSH into the Pivotal Ops Manager VM.

    For more information, refer to the SSH into Ops Manager section of the Advanced Troubleshooting with the BOSH CLI topic.

  2. Run any of the following network administration commands with the IP address of the VM:

    • nslookup
    • dig
    • host
    • The appropriate traceroute command for your OS

  3. Review the output of the command and fix any blocked routes.

    If the output displays an error message, review the firewall logs to determine which blocked route or routes you need to clear.

  4. Repeat steps 1-3 with the Ops Manager Director VM and the HAProxy VM.
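The script below is an added example, not Pivotal's code, that wraps the check in steps 2 and 3 so its outcome can be read from a script rather than by eye. `pcf_classify_dig` reads dig's output and names the result; `pcf_dns_check` runs dig with a short timeout against an optional resolver. The function names, the timeout values and the sample outputs are this example's own (the samples are constructed, not captured from a real environment).

```shell
#!/bin/sh
# Added example (not Pivotal's code): classify dig output so a DNS check from the
# Ops Manager, Director or HAProxy VM yields a machine-readable result.

# Read dig output on stdin and print one word:
#   resolved  - NOERROR with an answer section
#   empty     - NOERROR but no records of the requested type
#   nxdomain  - the name does not exist
#   blocked   - no resolver answered, the symptom of a firewall dropping port 53
#   unknown   - anything else (for example, dig not installed)
pcf_classify_dig() {
  out=$(cat)
  case "$out" in
    *"no servers could be reached"*) echo blocked ;;
    *"status: NXDOMAIN"*) echo nxdomain ;;
    *"status: NOERROR"*)
      case "$out" in
        *"ANSWER SECTION"*) echo resolved ;;
        *) echo empty ;;
      esac ;;
    *) echo unknown ;;
  esac
}

# Query NAME (optionally via RESOLVER, e.g. 10.0.0.53) and classify the outcome.
# +time/+tries stop a blocked query from hanging for dig's default retry budget.
pcf_dns_check() {
  name=$1
  resolver=${2:+@$2}
  dig +time=2 +tries=1 $resolver "$name" A 2>&1 | pcf_classify_dig
}

# Constructed dig outputs, trimmed to the lines the classifier inspects.
SAMPLE_RESOLVED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; ANSWER SECTION:
10.0.0.2.xip.io. 300 IN A 10.0.0.2'
SAMPLE_NXDOMAIN=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2'
SAMPLE_BLOCKED=';; connection timed out; no servers could be reached'

# Stand-alone use: classify the three constructed samples.
if [ "${PCF_DNS_MAIN:-1}" = "1" ]; then
  for s in "$SAMPLE_RESOLVED" "$SAMPLE_NXDOMAIN" "$SAMPLE_BLOCKED"; do
    printf '%s\n' "$s" | pcf_classify_dig
  done
fi
```

On a VM, `pcf_dns_check 10.0.0.2.xip.io` returning `blocked` is the case the paragraph above warns about: the firewall is dropping the query, and the firewall logs, not the DNS configuration, are where to look. `nxdomain` means the query got through and the name really is missing.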
