Page last updated:
This topic provides an overview of how container-to-container networking works in Pivotal Application Service (PAS).
The container-to-container networking feature enables app instances to communicate with each other directly. Container-to-container networking is always enabled in PAS. For more information about how to configure container-to-container networking, see Administering Container-to-Container Networking.
Note: Container-to-container networking is not available for apps hosted on Windows.
Container-to-container networking integrates with [Garden-runC] in a Diego deployment. The CF Networking Release includes several core components, as well as swappable components. For more information about Garden-runC, see Garden-runC in Garden. For more information about Diego, see Diego Components and Architecture. For more information about the CF Networking release, see CF Networking Release on GitHub.
To understand the components and how they work, see the diagram and tables below. The diagram highlights PAS components in blue and green. The diagram also highlights swappable components in red.
The container-to-container networking BOSH release includes the following core components:
|Policy Server||A central management node that:
|Garden External Networker||
A Garden-runC add-on deployed to every Diego Cell that:
|Silk CNI plugin
||A plugin that provides IP address management and network connectivity to app instances as follows:
|VXLAN Policy Agent
||Enforces network policy for traffic between apps as follows:
The diagram below illustrates how app instances communicate in a deployment with container-to-container networking enabled. In this example, the operator creates two policies to regulate the flow of traffic between App A, App B, and App C.
- Allow traffic from App A to App B
- Allow traffic from App A to App C
If traffic and its direction is not explicitly allowed, it is denied. For example, App B cannot send traffic to App C.
Container-to-container networking uses an overlay network to manage communication between app instances.
Overlay networks are not externally routable, and traffic sent between containers does not exit the overlay. You can use the same overlay network range for different PAS deployments in your environment.
The overlay network range defaults to
10.255.0.0/16. You can modify the default to any RFC 1918 range that meets the following requirements:
- The range is not used by services that app containers access.
- The range is not used by the underlying PAS infrastructure.
All Diego Cells in your PAS deployment share this overlay network. By default, each Diego Cell is allocated a /24 range that supports 254 containers per Diego Cell, one container for each of the usable IP addresses,
.254. To modify the number of Diego Cells your overlay network supports, see Overlay Network in Configuring Container-to-Container Networking.
PAS container networking is currently supported only on Linux.
Warning: The overlay network IP address range must not conflict with any other IP addresses in the network. If a conflict exists, Diego Cells cannot reach any endpoint that has a conflicting IP address.
Note: Traffic to app containers from the Gorouter or from app containers to external services uses Diego Cell IP addresses and NAT, not the overlay network.
Enabling container-to-container networking for your deployment allows you to create policies for communication between app instances. The container-to-container networking feature also provides a unique IP address to each app container and provides direct IP reachability between app instances.
The policies you create specify a source app, destination app, protocol, and port so that app instances can communicate directly without going through the Gorouter, a load balancer, or a firewall. Container-to-container networking supports UDP and TCP, and you can configure policies for multiple ports. These policies apply immediately without having to restart the app.
Additionally, policies use and and track the GUIDs of the apps. The policies continue to work when apps redeploy, or if they crash and Diego places them in a new container. Pushing a brand new app requires a new policy, but not updates to an existing app because an app always retains its GUID.
The PAS platform supports DNS-based service discovery that lets apps find each other’s internal addresses. For example, a front end app instance can use the service discovery mechanism to establish communications with a back end app instance. To set up and use app service discovery, see App Service Discovery in Configuring Container-to-Container Networking.
Container-to-container app service discovery does not provide client-side load balancing or circuit-breaking, and it does not apply to
cf marketplace services or require app binding. It just lets apps publish service endpoints to each other, unbrokered and unmediated.
The BOSH release that contains the container-to-container networking feature is composed of a pluggable network stack. Advanced users or third-party vendors can integrate a different network stack. For more information about third-party plugins, see 3rd Party Plugin Development for Container Networking in the CF Networking Release repository on GitHub.
Both app security groups (ASGs) and container-to-container networking policies affect traffic from app instances. The following table highlights differences between ASGs and container-to-container networking policies.
|ASGs||Container-to-Container Networking Policies|
|Policy granularity||From a space to an IP address range||From a source app to a destination app|
|Scope||For a space, org, or deployment||For app to app only|
|Traffic direction||Outbound control||Policies apply for incoming packets from other app instances|
|Source app||Is not known||Is identified because of direct addressability|
|Policies take affect||After app restart||Immediately|
TLS encapsulation for container-to-container traffic is disabled by default.
To secure communication between the source and destination containers on the overlay network, you can enable TLS encapsulation using either of the following options:
- Automatic: Use the automatic option when you only care that traffic between the containers cannot be sniffed on the overlay network.
- Manual: Use the manual option when your app also needs to use TLS capabilities for its operation. For example, the destination app can examine the client certificate and reject service for those that are not permitted.
Note: The source app can make use of its own platform-provisioned certificate when it opens a TLS connection to the destination container.
For more information about the TLS encapsulation options, see the following table:
|Automatic||Connect to port 61443 on the destination container.||
|Manual||Implement your own TLS termination in the app for the port provided.||Configure the destination app to implement its own TLS termination.|
Specific Cloud Foundry vendors might provide additional methods for securing container-to-container traffic.
For information about how the platform can encrypt public traffic to apps, see TLS to Apps and Other Back End Services in HTTP Routing.