IPsec Add-on for PCF
Note: IPsec Add-on for PCF v1.7 is no longer supported. The support period for v1.7 has expired. To stay up-to-date with the latest software and security updates, upgrade to a supported version.
This guide describes the IPsec Add-on for PCF, which secures data transmissions inside Pivotal Cloud Foundry (PCF). Topics covered in this guide include IPsec Add-on for PCF installation and configuration, troubleshooting, and certificate rotation.
Your organization may require IPsec if you transmit sensitive data.
The IPsec Add-on for PCF provides security to the network layer of the OSI model with a strongSwan implementation of IPsec. The IPsec Add-on provides a strongSwan job to each BOSH-deployed virtual machine (VM).
IPsec encrypts IP data flow between hosts, between security gateways, and between security gateways and hosts. The IPsec Add-on for PCF secures network traffic within a Cloud Foundry deployment and provides internal system protection if a malicious actor breaches your firewall.
The following table provides version and version-support information about the IPsec Add-on for PCF.
| Element | Details |
|---|---|
| Release date | August 24, 2017 |
| Compatible Ops Manager version(s) | v1.10.x, v1.11.x, v1.12.x, v2.0.x, and v2.1.x |
| Compatible Elastic Runtime version(s) | v1.10.x, v1.11.x, and v1.12.x |
| Compatible Pivotal Application Service (PAS)* version(s) | v2.0.x and v2.1.x |
| IaaS support | vSphere, GCP, AWS, Azure, and OpenStack |
IPsec Add-on for PCF has the following limitations:
- Due to a known issue in Windows Server OS, apps hosted on PAS for Windows cannot route traffic when deployed with the IPsec Add-on for PCF.
- Pivotal recommends configuring IPsec to use a self-signed certificate to sign instance certs. Using a certificate signed by a public or third-party CA is not recommended.