Pivotal Cloud Foundry v1.10

Administering Container-to-Container Networking

This topic describes how to enable and use the Container-to-Container Networking feature. For an overview of how Container-to-Container Networking works, see the Understanding Container-to-Container Networking topic.

Enable Container-to-Container Networking

This section explains how to enable container-to-container networking in PCF. You enable it as an Advanced Feature in the Ops Manager Elastic Runtime tile. Container-to-Container Networking is currently in beta: it is not supported, and it is not guaranteed to work as expected in combination with every PCF service.

  1. In Ops Manager, navigate to the Installation Dashboard > Elastic Runtime tile.

  2. Click Advanced Features.

  3. In the Advanced Features pane, select Enable Container-to-Container Networking.


  4. Click Save.

  5. Return to the Installation Dashboard.

Create Policies for Container-to-Container Networking

This section describes how to create and modify Container-to-Container Networking policies using a plugin for the CF CLI.

To use the plugin, you must have the network.admin UAA scope. This scope gives you the right to create a policy between any two apps in your CF deployment; it is not limited to an org or space, so a user who holds it can allow traffic to apps they cannot otherwise see or manage. Depending on the security structure of your organization, you can either assign this scope to developers so that they can create their own policies, or have your developers send policy requests to an administrator who holds it. For more information, see Creating and Managing Users with the UAA CLI (UAAC).

Install the Plugin

Follow these steps to download and install the Network Policy plugin for the CF CLI:

  1. Download the network-policy-plugin for your operating system from the Container-to-Container Networking Release repository.

  2. To change the permissions of the plugin file and complete the installation, enter the following commands:

    $ chmod +x ~/Downloads/network-policy-plugin
    $ cf install-plugin ~/Downloads/network-policy-plugin

Create a Policy

To create a policy that allows direct network traffic from one app to another, enter the following command:

$ cf allow-access SOURCE-APP DESTINATION-APP --protocol PROTOCOL --port PORT

Replace the placeholders in the above command as follows:

  • SOURCE-APP is the name of the app that will be sending traffic.
  • DESTINATION-APP is the name of the app that will be receiving traffic.
  • PROTOCOL is one of the following: tcp or udp.
  • PORT is the port at which to connect to the destination app. The allowed range is 1 to 65535.

The following example command allows access from the frontend app to the backend app over TCP at port 8080:

$ cf allow-access frontend backend --protocol tcp --port 8080
Allowing traffic from frontend to backend as admin...

List Policies

You can list all the policies in your deployment, or only the policies in which a single app is either the source or the destination:

  • To list all the policies in your deployment, enter the following command:

    $ cf list-access
  • To list the policies for an app, enter the following command:

    $ cf list-access --app MY-APP

    The following example command lists policies for the app frontend:

    $ cf list-access --app frontend
    Listing policies as admin...
    Source    Destination    Protocol    Port
    frontend  backend        tcp         8080

Delete a Policy

To delete a policy that allows direct network traffic from one app to another, enter the following command:

$ cf remove-access SOURCE-APP DESTINATION-APP --protocol PROTOCOL --port PORT

For example,

$ cf remove-access frontend backend --protocol tcp --port 8080
Denying traffic from frontend to backend as admin...
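The allow-access, list-access and remove-access commands above are one-off operations, so drift between the policies you intend and the policies that exist goes unnoticed. The following shell script is an added example; it is not part of the PCF documentation or the network-policy plugin. It parses the table that `cf list-access` prints, compares it with a desired policy inventory, validates each desired entry against the constraints the plugin documents (protocol tcp or udp, port 1 to 65535), and emits the `cf allow-access` and `cf remove-access` commands needed to converge. The list-access output and the desired inventory are constructed samples; the app names and the `CF_EXEC` variable are assumptions for illustration. With `CF_EXEC` unset it runs entirely offline and only prints the plan.

```shell
#!/bin/sh
# Added example (not from the PCF docs or the network-policy plugin): reconcile a
# desired set of container-to-container policies against what `cf list-access`
# reports, and emit the allow-access / remove-access commands needed to converge.
# By default it runs offline against a constructed sample of the plugin's output;
# set CF_EXEC=1 to read the live table from `cf list-access` and apply the plan.

# Constructed sample of `cf list-access` output; not captured from a real deployment.
SAMPLE_LIST_ACCESS='Listing policies as admin...
Source    Destination    Protocol    Port
frontend  backend        tcp         8080
frontend  legacy-db      tcp         3306
batch     backend        udp         9000'

# The policies we want to exist, one per line: SOURCE DESTINATION PROTOCOL PORT.
# (Assumed inventory; the icmp entry is deliberately invalid to show the check.)
DESIRED_POLICIES='frontend backend tcp 8080
batch backend udp 9000
worker backend tcp 8080
worker backend icmp 8080'

# validate_policy SRC DST PROTO PORT: enforce the constraints the plugin documents
# (protocol tcp or udp, port 1-65535). Returns non-zero for anything else.
validate_policy() {
  [ -n "$1" ] && [ -n "$2" ] || return 1
  case "$3" in tcp|udp) ;; *) return 1 ;; esac
  case "$4" in ''|*[!0-9]*) return 1 ;; esac
  [ "$4" -ge 1 ] && [ "$4" -le 65535 ]
}

# normalize_policies: turn `cf list-access` output on stdin into sorted
# "src dst proto port" lines. The status line and the header are dropped because
# their fourth field is not a number.
normalize_policies() {
  awk '$1 != "Source" && NF == 4 && $4 ~ /^[0-9]+$/ { print $1, $2, $3, $4 }' | sort -u
}

# policy_exists SRC DST PROTO PORT: succeed if that exact policy appears in the
# list-access output read from stdin.
policy_exists() {
  normalize_policies | grep -qxF "$1 $2 $3 $4"
}

# plan_changes: read current list-access output from stdin and print one action
# per line ("allow-access src dst proto port" / "remove-access src dst proto port").
# Invalid desired entries are reported on stderr and skipped rather than applied.
plan_changes() {
  current=$(normalize_policies)
  desired=$(printf '%s\n' "$DESIRED_POLICIES" | sort -u)
  printf '%s\n' "$desired" | while read -r src dst proto port; do
    [ -n "$src" ] || continue
    if ! validate_policy "$src" "$dst" "$proto" "$port"; then
      printf 'skipping invalid desired policy: %s %s %s %s\n' "$src" "$dst" "$proto" "$port" >&2
      continue
    fi
    printf '%s\n' "$current" | grep -qxF "$src $dst $proto $port" \
      || printf 'allow-access %s %s %s %s\n' "$src" "$dst" "$proto" "$port"
  done
  printf '%s\n' "$current" | while read -r src dst proto port; do
    [ -n "$src" ] || continue
    printf '%s\n' "$desired" | grep -qxF "$src $dst $proto $port" \
      || printf 'remove-access %s %s %s %s\n' "$src" "$dst" "$proto" "$port"
  done
}

# apply_plan: read plan lines from stdin and run the matching cf command, passing
# app names as separate arguments rather than through `sh -c` so an odd app name
# cannot be interpreted by the shell. With CF_EXEC unset, only print the commands.
apply_plan() {
  while read -r action src dst proto port; do
    [ -n "$action" ] || continue
    if [ "${CF_EXEC:-0}" = "1" ]; then
      cf "$action" "$src" "$dst" --protocol "$proto" --port "$port"
    else
      printf 'cf %s %s %s --protocol %s --port %s\n' "$action" "$src" "$dst" "$proto" "$port"
    fi
  done
}

if [ "${CF_EXEC:-0}" = "1" ]; then
  cf list-access | plan_changes | apply_plan
else
  printf '%s\n' "$SAMPLE_LIST_ACCESS" | plan_changes | apply_plan
fi
```

Run it with no arguments to see the plan for the sample data: it adds the missing worker policy, removes the frontend-to-legacy-db policy that is no longer wanted, and refuses the icmp entry. Review the printed commands before rerunning with `CF_EXEC=1`, since the remove-access step revokes live connectivity.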
