Installing PCF Isolation Segment
Page last updated:
This topic describes how to install the PCF Isolation Segment tile, which allows operators to isolate deployment workloads into dedicated resource pools called isolation segments. Installing the tile installs a single isolation segment.
After installing the tile, you must perform the steps in the Create an Isolation Segment section of the Managing Isolation Segments topic to create the isolation segment in the Cloud Controller Database (CCDB). The topic also includes information about managing an isolation segment.
For more information about how isolation segments work, see the Isolation Segments section of the Understanding Cloud Foundry Security topic.
By default, the Elastic Runtime Router handles traffic for your isolation segment. However, you can deploy a dedicated router for your isolation segment instead.
To deploy a dedicated router, perform the following steps:
- Add a load balancer in front of the Elastic Runtime Router. The steps to do this depend on your IaaS, but the setup of the load balancer should mirror the setup of the load balancer for the Elastic Runtime Router that you configured in the Elastic Runtime tile.
- Create a wildcard DNS entry for traffic routed to any app in the isolation segment. For example,
- Attach the wildcard DNS entry to the load balancer you created.
Perform the following steps to install the PCF Isolation Segment tile:
Download the product file from Pivotal Network.
Click Import a Product and select the downloaded product file.
Under PCF Isolation Segment in the left column, click the plus sign.
Perform the following steps to configure the PCF Isolation Segment tile:
Click the orange PCF Isolation Segment tile to start the configuration process.
Click Assign AZs and Networks.
Select an availability zone for your singleton jobs, and one or more availability zones to balance other jobs in.
Select a network. This network does not need to be the same network where you deployed Elastic Runtime. For most deployments, operators should create unique networks in which to deploy the Isolation Segment tile. These networks should maintain network reachability with the Diego components so that the cells can reach the Diego Brain and Diego Database VMs.
Click Application Containers.
(Optional): Under Private Docker Insecure Registry Whitelist, enter one or more private Docker image registries that are secured with self-signed certificates. Use a comma-delimited list in the format
Under Segment Name, enter the name of your isolation segment. This name must be unique across your PCF deployment. You use this name when performing the steps in the Create an Isolation Segment section of the Managing Isolation Segments topic to create the isolation segment in the Cloud Controller Database (CCDB).
(Optional): Under Router IPs, enter one or more static IP addresses for the routers that handles this isolation segment. These IP addresses must be within the subnet CIDR block that you defined in the Ops Manager network configuration. If you have a load balancer, configure it to point to these IP addresses.
(Optional): Under Applications Subnet, enter a CIDR subnet mask specifying the range of available IP addresses to assign to your app containers. This must be different from the network used by the system VMs. Only modify the default value if you need to avoid address collision with a third-party service on the same subnet.
(Optional): Under Applications Network Maximum Transmission Unit, change the Maximum Transmission Unit (MTU). The default is
Under TLS Termination Certificates, select one of the following options:
- Forward SSL to Isolation Segment Router with provided certificates: Select this option if your deployment uses an external load balancer that can forward encrypted traffic to the Elastic Runtime Router for the isolation segment, or if you are running a development environment that does not require load balancing. Complete the fields for the Router SSL Termination Certificate and Private Key and Router SSL Ciphers.
- Forward SSL to Isolation Segment Router with ERT Router certificates: Select this option to inherit the certificates provided to the Elastic Runtime Router when you configured the Elastic Runtime tile. This option assumes an external load balancer is configured to forward encrypted traffic.
- Forward unencrypted traffic to Elastic Runtime Router: Select this option if your deployment uses an external load balancer that cannot forward encrypted traffic to the Elastic Runtime Router, or for a development environment that does not require load balancing.
(Optional): Edit the configurations in Advanced Features as desired.
If you are using a dedicated router for your isolation segment, click Resource Config and enter the wildcard DNS entry attached to your load balancer into the Router row under Load Balancers.
(Optional): Edit the Stemcell configuration as desired.
Perform the steps in the Create an Isolation Segment section of the Managing Isolation Segments topic to create the isolation segment in the Cloud Controller Database (CCDB).
Return to the Ops Manager Installation Dashboard and click Apply Changes to deploy the tile.
After the tile finishes deploying, see the Managing Isolation Segments topic for more information about managing an isolation segment.