Administering Container-to-Container Networking
WARNING: Container-to-Container Networking for PCF is currently in beta and is intended for evaluation and test purposes only. Do not use this product in a PCF production environment.
This topic describes how to enable and use the Container-to-Container Networking feature. For an overview of how Container-to-Container Networking works, see the Understanding Container-to-Container Networking topic.
This section explains how to enable Container-to-Container Networking in Pivotal Cloud Foundry (PCF). You enable Container-to-Container Networking as an Advanced Feature in the Ops Manager Elastic Runtime tile. Container-to-Container Networking is currently in beta, is not supported, and is not guaranteed to work as expected when running with all possible combinations of PCF services.
In Ops Manager, navigate to the Installation Dashboard > Elastic Runtime tile.
Click Advanced Features.
In the Advanced Features pane, select Enable Container-to-Container Networking.
(Optional) Enter an IP range for the overlay network in the Network CIDR box. If you do not set a custom range, Ops Manager uses
(Optional) Enter a value in the Network Maximum Transmission Unit (MTU) box to override the default MTU setting.
Return to the Installation Dashboard.
This section describes how to create and modify Container-to-Container Networking policies using a plugin for the Cloud Foundry Command Line Interface (cf CLI).
To use the plugin, you must have either the network.admin UAA scope.
| UAA Scope | Suitable for...  | Allows users to create policies...      |
|           | operators        | for any apps in the CF deployment       |
|           | space developers | for apps in spaces that they can access |
If you are a CF admin, you already have the network.admin scope. An admin can also grant the network.admin scope to a space developer.
For more information, see Creating and Managing Users with the UAA CLI (UAAC) and Orgs, Spaces, Roles, and Permissions.
Install the Plugin
Follow these steps to download and install the Network Policy plugin for the cf CLI:
Download the network-policy-plugin for your operating system from the Container-to-Container Networking Release repository.
To change the permissions of the plugin file and complete the installation, enter the following commands:
$ chmod +x ~/Downloads/network-policy-plugin
$ cf install-plugin ~/Downloads/network-policy-plugin
Create a Policy
To create a policy that allows direct network traffic from one app to another, enter the following command:
$ cf allow-access SOURCE-APP DESTINATION-APP --protocol PROTOCOL --port PORT
Replace the placeholders in the above command as follows:
SOURCE-APP is the name of the app that will send traffic.
DESTINATION-APP is the name of the app that will receive traffic.
PROTOCOL is one of the following:
PORT is the port at which to connect to the destination app. The allowed range is from
The following example command allows access from the frontend app to the backend app over TCP at port 8080:
$ cf allow-access frontend backend --protocol tcp --port 8080
Allowing traffic from frontend to backend as admin...
OK
You can list all the policies in your deployment or just the policies for which a single app is either the source or the destination:
To list all the policies in your deployment, enter the following command:
$ cf list-access
To list the policies for an app, enter the following command:
$ cf list-access --app MY-APP
The following example command lists policies for the app
$ cf list-access --app frontend
Listing policies as admin...
OK
Source     Destination   Protocol   Port
frontend   backend       tcp        8080
Delete a Policy
To delete a policy that allows direct network traffic from one app to another, enter the following command:
$ cf remove-access SOURCE-APP DESTINATION-APP --protocol PROTOCOL --port PORT
The following command deletes the policy that allowed the frontend app to communicate with the backend app over TCP on port 8080:
$ cf remove-access frontend backend --protocol tcp --port 8080
Denying traffic from frontend to backend as admin...
OK
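The create, list and delete commands above are easiest to keep under control when the policies actually present are periodically compared with an approved allow-list. The following script is an added example and is not part of the PCF documentation or the plugin: it parses the output format shown by cf list-access (embedded here as a constructed sample rather than calling the cf CLI) and prints the cf remove-access and cf allow-access commands that would reconcile the deployment with the expected list, without running them.

```shell
#!/bin/sh
# Added example, not part of the PCF docs. CAPTURED stands in for the
# output of `cf list-access`; in practice capture it with
#   CAPTURED=$(cf list-access)
# The app names and the extra udp/5432 policies are constructed sample data.
CAPTURED='Listing policies as admin...
OK
Source Destination Protocol Port
frontend backend tcp 8080
frontend backend udp 9000
scratch-app backend tcp 5432'

# Approved policies, one per line: SOURCE DESTINATION PROTOCOL PORT
EXPECTED='frontend backend tcp 8080
frontend reports tcp 8081'

# parse_policies OUTPUT: drop the CLI preamble and the column header,
# leaving one "src dst proto port" tuple per line.
parse_policies() {
  printf '%s\n' "$1" | awk '
    found && NF == 4 { print $1, $2, $3, $4 }
    $1 == "Source" && $2 == "Destination" { found = 1 }'
}

# policy_exists SRC DST PROTO PORT: succeeds if the tuple is in CAPTURED.
policy_exists() {
  parse_policies "$CAPTURED" | grep -qxF "$1 $2 $3 $4"
}

# commands_to_reconcile: one cf command per difference. Policies present
# but not approved are removed (least privilege); approved policies that
# are missing are added. Commands are printed, not executed.
commands_to_reconcile() {
  actual=$(parse_policies "$CAPTURED")
  printf '%s\n' "$actual" | while read -r s d p n; do
    printf '%s\n' "$EXPECTED" | grep -qxF "$s $d $p $n" ||
      echo "cf remove-access $s $d --protocol $p --port $n"
  done
  printf '%s\n' "$EXPECTED" | while read -r s d p n; do
    printf '%s\n' "$actual" | grep -qxF "$s $d $p $n" ||
      echo "cf allow-access $s $d --protocol $p --port $n"
  done
}

commands_to_reconcile
```

Review the printed commands before running them; a policy that exists in the deployment but not in the allow-list is exactly the kind of drift the list-access command is meant to surface.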