Installing Pivotal Isolation Segment

Page last updated:

This topic describes how to install the Pivotal Isolation Segment tile, which allows operators to isolate deployment workloads into dedicated resource pools called isolation segments.

Installing the tile installs a single isolation segment. However, you can install multiple isolation segments using the Replicator tool documented in Step 4.

After installing the tile, you must follow the procedure in Register an Isolation Segment in Managing Isolation Segments to create the isolation segment in the Cloud Controller database (CCDB). The topic also includes information about managing an isolation segment.

For more information about how isolation segments work, see Isolation Segments in PAS Security.

Step 1: (Optional) Configure Routing

By default, the Pivotal Application Service (PAS) Gorouter handles traffic for your isolation segment. However, you can deploy a dedicated Gorouter for your isolation segment instead. For information about configuring and managing routing for isolation segments, see Routing for Isolation Segments.

To deploy a dedicated Gorouter:

  1. Add a load balancer in front of the PAS Gorouter. The steps to do this depend on your IaaS, but the setup of the load balancer should mirror the setup of the load balancer for the PAS Gorouter that you configured in the PAS tile.

  2. Create a wildcard DNS entry for traffic routed to any app in the isolation segment. For example, *.iso.example.com.

  3. Attach the wildcard DNS entry to the load balancer you created.

Step 2: Install the Tile

To install the Pivotal Isolation Segment tile:

  1. Download the product file from the Pivotal Isolation Segment page of Pivotal Network.

  2. Navigate to your Ops Manager URL in a browser to log in to the Ops Manager Installation Dashboard.

  3. Click Import a Product and select the downloaded product file.

  4. Under Pivotal Isolation Segment in the left column, click the + icon.

Step 3: Configure the Tile

Click the orange Pivotal Isolation Segment tile to start the configuration process.

Assign AZs and Networks

In the Assign AZ and Networks pane, you assign jobs to your Availability Zones (AZs) and networks.

To configure the Assign AZ and Networks pane:

  1. Select Assign AZs and Networks.

  2. Select an AZ for your singleton jobs, and one or more AZs to balance other jobs in.

  3. Select a network. This network does not need to be the same network where you deployed PAS. For most deployments, operators should create unique networks in which to deploy the Pivotal Isolation Segment tile. These networks should maintain network reach-ability with the Diego components so that the Diego Cells can reach the Diego Brain and Diego Database VMs.

  4. Click Save.

Configure Networking

In the Networking pane, you configure security and routing services for your IaaS.

To configure the Networking pane:

  1. Select Networking.

  2. (Optional) Under Gorouter IPs, enter one or more static IP addresses for the Gorouters that handle this isolation segment. These IP addresses must be within the subnet CIDR block that you defined in the Ops Manager network configuration for your isolation segment. If you have a load balancer, configure it to point to these IP addresses.

    Note: Entering the static IP addresses is not necessary for deployments running on a public IaaS such as AWS, GCP, or Azure because users specify the IaaS load balancer in the Resource Config pane of the Pivotal Isolation Segment tile.

  3. If you want to use HAProxy for this isolation segment, enter at least one address in the HAProxy IPs field. You should specify more than one IP address for high availability. Then configure your load balancer to forward requests for the domains you have set up for your deployment to these IP addresses. For more information, see Configuring SSL/TLS Termination at HAProxy.

    Note: If you rely on HAProxy for a feature in PAS and you want isolated networking for this isolation segment, you may want to deploy the HAProxy provided by the Pivotal Isolation Segment tile.

  4. Under Certificates and private keys for the Gorouter and HAProxy, you must provide at least one certificate and private key name and certificate key pair for the Gorouter and HAProxy. The Gorouter and HAProxy are enabled to receive TLS communication by default. You can configure multiple certificates for the Gorouter and HAProxy.

    Note: When providing custom certificates, enter them in this order: wildcard, Intermediate, CA. For more information, see Creating a .pem File for SSL Certificate Installations in the DigiCert documentation.

    1. Click Add to add a name for the certificate chain and its private key pair. This certificate is the default used by the Gorouter and HAProxy. You can either provide a certificate signed by a Certificate Authority (CA) or click on the Generate RSA Certificate link to generate a certificate generated by the Ops Manager CA. For the values to use, see Providing a Certificate for Your TLS Termination Point.

      Note: If you configured Ops Manager Front End without a certificate, you can use this new certificate to complete Ops Manager configuration. To configure your Ops Manager Front End certificate, see Configure Front End in Preparing to Deploy Ops Manager on GCP Manually.

    2. If you want to configure multiple certificates for the Gorouter and HAProxy, click Add and fill in the appropriate fields for each additional certificate key pair. For details about generating certificates in Ops Manager for your wildcard system domains, see Providing a Certificate for Your TLS Termination Point.

      Note: Ensure that you add any certificates that you generate in this pane to your infrastructure load balancer.

  5. (Optional) When validating client requests using mutual TLS, the Gorouter trusts multiple certificate authorities (CAs) by default. To configure HAProxy to trust the same CAs as the Gorouter, enter your CA certificates under Certificate Authorities trusted by the Gorouter and HAProxy. All CA certificates should be appended together into a single collection of PEM-encoded entries.

  6. In the Minimum version of TLS supported by the Gorouter and HAProxy field, select the minimum version of TLS to use in Gorouter and HAProxy communications. The Gorouter and HAProxy use TLS v1.2 by default. If you need to accommodate clients that use an older version of TLS, select a lower minimum version. For a list of TLS ciphers supported by the Gorouter, see TLS Cipher Suite Support in Securing Traffic into PAS.

  7. (Optional) Under Balancing algorithm used by the Gorouter, select your load balancing algorithm for the Gorouter. Pivotal recommends the default option of Round robin for most use cases. Some use cases, such as those where apps have long-lived connections, may benefit from the least connection algorithm. For more information, see HTTP Routing.

  8. Configure Logging of client IPs in the Gorouter. The Log client IPs option is set by default. To comply with the General Data Protection Regulation (GDPR), select one of these options to disable logging of client IP addresses:

    • If your load balancer exposes its own source IP address, select Disable logging of X-Forwarded-For header only.
    • If your load balancer exposes the source IP of the originating client, select Disable logging of both source IP and X-Forwarded-For header.

  9. Under TLS termination point, configure how PAS handles x-forwarded-client-cert (XFCC) HTTP headers based on where TLS is terminated for the first time in your deployment. The table below indicates which option to choose based on your deployment configuration:

    Deployment Configuration TLS Option Additional Notes
    • The load balancer is terminating TLS, and
    • The load balancer is configured to put the client certificate from a mutual authentication TLS handshake into the X-Forwarded-Client-Cert HTTP header
    Infrastructure load balancer Both HAProxy and the Gorouter forward the XFCC header when included in the request.
    • The load balancer is configured to pass through the TLS handshake through TCP to the instances of HAProxy, and
    • HAProxy instance count is more than 0
    HAProxy HAProxy sets the XFCC header with the client certificate received in the TLS handshake. The Gorouter forwards the header.

    Breaking Change: If you select the The Gorouter does not request client certificates option in the Gorouter behavior for client certificate validation field, the XFCC header cannot be delivered to apps.

    • The load balancer is configured to pass through the TLS handshake through TCP to instances of the Gorouter
    Gorouter The Gorouter strips the XFCC header if it is included in the request and forwards the client certificate received in the TLS handshake in a new XFCC header.

    If you have deployed instances of HAProxy, app traffic bypasses those instances in this configuration. If you have also configured your load balancer to route requests for SSH directly to the Diego Brain, consider reducing HAProxy instances to 0.

    Breaking Change: If you select the The Gorouter does not request client certificates option in the Gorouter behavior for client certificate validation field, the XFCC header cannot be delivered to apps.


    For a description of the behavior of each configuration option, see Forward Client Certificate to Apps in HTTP Routing.

  10. To configure HAProxy to handle client certificates, select one of the following options in the HAProxy behavior for client certificate validation field:

    • HAProxy does not request client certificates: This option requires mutual authentication, which makes it incompatible with TLS termination point option HAProxy. HAProxy does not request client certificates, so the client does not provide them and no validation occurs. This is the default configuration.
    • HAProxy requests but does not require client certificates: The HAProxy requests client certificates in TLS handshakes and validates them when presented, but does not require them. This option is required if you want to enable mutual TLS app identity verification and TLS is terminated for the first time at HAProxy.

      Warning: Upon upgrade, PAS fails to receive requests if your load balancer is configured to present a client certificate in the TLS handshake with HAProxy but HAProxy has not been configured with the certificate authority used to sign it. To mitigate this issue, select HAProxy does not request client certificates or configure the HAProxy with the appropriate CA.

  11. To configure Gorouter behavior for handling client certificates, select one of the following options in the Gorouter behavior for client certificate validation field:

    • The Gorouter does not request client certificates: Client certificates are not requested, so the client does not provide them and validation of client certificates does not occur. This option is incompatible with the TLS termination point options HAProxy and Gorouter because these options require mutual authentication.
    • The Gorouter requests but does not require client certificates: The Gorouter requests client certificates in TLS handshakes and validates them when presented, but does not require them. This is the default configuration.
    • The Gorouter requires client certificates: The Gorouter validates that the client certificate is signed by a Certificate Authority that the Gorouter trusts. If the Gorouter cannot validate the client certificate, the TLS handshake fails.

      Warning: Requests to the platform fail upon upgrade if your load balancer is configured with client certificates and the Gorouter does not have the CA. To mitigate this issue, select The Gorouter does not request client certificates.

  12. In the TLS cipher suites for the Gorouter field, review the TLS cipher suites for TLS handshakes between the Gorouter and front end clients such as load balancers or HAProxy. The default value for this field is ECDHE-RSA-AES128-GCM-SHA256:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384.

    To modify the default configuration, use an ordered, colon-separated list of Golang-supported TLS cipher suites in the OpenSSL format. This field does not apply to TLS v1.3. For TLS v1.3, the Gorouter only uses a set of default ciphers, and this is not configurable.

    Operators should verify that the ciphers are supported by any clients or front end components that initiate TLS handshakes with the Gorouter. For a list of TLS ciphers supported by the Gorouter, see TLS Cipher Suite Support in Securing Traffic into PAS.

    Verify that every client participating in TLS handshakes with the Gorouter has at least one cipher suite in common with the Gorouter.

    Note: Specify cipher suites that are supported by the versions configured in the Minimum version of TLS supported by the Gorouter and HAProxy field.

  13. In the TLS cipher suites for HAProxy field, review the TLS cipher suites for TLS handshakes between HAProxy and front end clients such as load balancers and the Gorouter. The default value for this field is:
    DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384

    To modify the default configuration, use an ordered, colon-separated list of TLS cipher suites in the OpenSSL format. Operators should verify that the ciphers are supported by any clients or front end components that initiate TLS handshakes with HAProxy.
    Verify that every client participating in TLS handshakes with HAProxy has at least one cipher suite in common with HAProxy.

    Note: Specify cipher suites that are supported by the versions configured in the Minimum version of TLS supported by the Gorouter and HAProxy field.

  14. Under HAProxy forwards all requests to the Gorouter over TLS, select Enable or Disable based on your deployment layout.

    • To enable communication between HAProxy and the Gorouter:
      1. Leave Enable selected.
      2. In the Certificate Authority for HAProxy back end field, provide the CA that signed the certificate you configured in the Certificates and private keys for the Gorouter and HAProxy field.

        Note: If you used the Generate RSA Certificate link to generate a certificate, then the CA to specify is the Ops Manager CA, which you can locate at the /api/v0/certificate_authorities endpoint in the Ops Manager API.

      3. Make sure that the Gorouter and HAProxy have TLS cipher suites in common in the TLS cipher suites for the Gorouter and TLS cipher suites for HAProxy fields.
        For more information, see Terminating TLS at the Load Balancer and Gorouter in Securing Traffic into PAS, Providing a Certificate for Your TLS Termination Point, and Using the Ops Manager API.
    • To use non-encrypted communication between HAProxy and the Gorouter:
      1. Select Disable.
      2. If you are not using HAProxy, set the number of HAProxy job instances to 0 in the Resource Config pane. For more information, see Scale Down and Disable Resources.
        For more information, see Terminating TLS at the Gorouter Only and Terminating TLS at the Load Balancer Only in Securing Traffic into PAS.

  15. (Optional) To force browsers to use HTTPS when making requests to HAProxy, select Enable under HAProxy support for HSTS and complete these optional configuration steps: This image depicts the HSTS configuration fields for HAProxy. Under the text 'HAProxy support for HSTS', there is a selected radio button labeled 'Enable' Under this option is a field labeled 'Maximum age', with a red asterisk to denote that it is a required field, containing the text '31536000'. Under this field are two disabled checkboxes labeled 'Include subdomains' and 'Enable preload'. Under these checkboxes is another radio button labeled 'Disable'.

    • Enter a Maximum age in seconds for the HSTS request. HAProxy forces HTTPS requests from browsers for the duration of this setting. The maximum age is one year, or 31536000 seconds.
    • Enable the Include subdomains checkbox to force browsers to use HTTPS requests for all component subdomains.
    • Select the Enable preload checkbox to force instances of Google Chrome, Firefox, and Safari that access your HAProxy to refer to their built-in lists of known hosts that require HTTPS, of which HAProxy is one. This ensures that the first contact a browser has with your HAProxy is an HTTPS request, even if the browser has not yet received an HSTS header from HAProxy.

  16. If you are not using SSL encryption or if you are using self-signed certificates, select the Disable SSL certificate verification for this environment checkbox. Selecting this checkbox also disables SSL verification for route services and disables mutual TLS app identity verification.

    Note: For production deployments, Pivotal does not recommend disabling SSL certificate verification.

  17. (Optional) If you want the Gorouter or HAProxy to reject any HTTP (non-encrypted) traffic, select the Disable HTTP on the Gorouter and HAProxy checkbox. When selected, the Gorouter and HAProxy do not listen on port 80.

  18. (Optional) Select the Disable insecure cookies on the Gorouter checkbox to turn on the secure flag for cookies generated by the Gorouter.

  19. (Optional) To disable the addition of Zipkin tracing headers on the Gorouter, deselect the Enable Zipkin tracing headers on the Gorouter checkbox. Zipkin tracing headers are enabled by default. For more information about using Zipkin trace logging headers, see HTTP Headers for Zipkin Tracing in HTTP Routing.

  20. (Optional) The Enable the Gorouter to write access logs locally checkbox is selected by default. Pivotal recommends disabling this checkbox for high-traffic deployments, since logs may not be rotated fast enough and can fill up the disk.

  21. (Optional) By default, Gorouter support for the PROXY protocol is disabled. To enable the PROXY protocol, select the Enable support for PROXY protocol in the Gorouter checkbox. When enabled, client-side load balancers that terminate TLS but do not support HTTP can pass along information from the originating client. Enabling this option may impact Gorouter performance. For more information about enabling the PROXY protocol in the Gorouter, see the About HTTP Header Forwarding sections in Securing Traffic into PAS.

  22. Bypass security checks for route service lookup has potential security concerns, but may be needed for backwards compatibility. For more information, see Route Services.

  23. (Optional) If you want to limit the number of app connections to the back end, enter a value in the Maximum connections per back end field. You can use this field to prevent a poorly behaving app from all the connections and impacting other apps. No value or a value of 0 sets no limit.

    To choose a value for this field, review the peak concurrent connections received by instances of the most popular apps in your deployment. You can determine the number of concurrent connections for an app from the httpStartStop event metrics emitted for each app request.

    If your deployment uses Pivotal Platform Metrics, you can also obtain this peak concurrent connection information from the Network Metrics in Monitoring and Troubleshooting Apps with Pivotal Platform Metrics. The default value is 500.

  24. Under Keep-alive connections for the Gorouter, select Enable or Disable. Keep-alive connections are enabled by default. For more information, see Keep-Alive Connections in HTTP Routing.

  25. (Optional) To accommodate larger uploads over connections with high latency, increase the number of seconds in the Gorouter timeout to back ends field.

  26. (Optional) Increase the value of Load balancer unhealthy threshold to specify the amount of time, in seconds, that the Gorouter continues to accept connections before shutting down. During this period, health checks may report the Gorouter as unhealthy, which causes load balancers to failover to other Gorouters. Set this value to an amount greater than or equal to the maximum time it takes your load balancer to consider a Gorouter instance unhealthy, given repeated failed health checks.

  27. (Optional) Modify the value of Load balancer healthy threshold. This field specifies the amount of time, in seconds, to wait until declaring the Gorouter instance started. This allows an external load balancer time to register the Gorouter instance as healthy.

  28. (Optional) If app developers in your organization want certain HTTP headers on HTTP Requests to appear in their app logs with information from the Gorouter, specify them in the HTTP headers to log field with a comma-separated list. For example, to support app developers that deploy Spring apps to PAS, you can enter Spring-specific HTTP headers.

  29. If you expect requests larger than the default maximum of 16.384 KB, enter a new value in bytes for HAProxy request maximum buffer size. You may need to do this, for example, to support apps that embed a large cookie or query string values in headers. Requests larger than the maximum value result in a gateway error.

  30. If your PAS deployment uses HAProxy and you want it to receive traffic only from specific sources, configure these fields:

    • HAProxy protected domains: Enter a comma-separated list of domains to protect from unknown source requests.
    • (Optional) HAProxy trusted CIDRs: Enter a space-separated list of CIDRs to limit which IP addresses from the HAProxy protected domains can send traffic to PAS.

  31. For DNS search domains, enter DNS search domains as a comma-separated list. Your containers append these search domains to hostnames to resolve them into full domain names.

  32. The Enable Silk policy enforcement checkbox is selected by default. To disable Silk network policy enforcement between apps, deselect the checkbox. Disabling network policy enforcement allows all apps to send network traffic to all other apps in the foundation despite no policy specifically allowing it.

  33. (Optional) For additional security, enter headers that you want the Gorouter to remove from app responses in Remove specified HTTP response headers.

  34. Click Save.

Configure App Containers

In the App Containers pane, you enable microservice frameworks, private Docker registries, and other services that support your apps at the container level.

To configure the App Containers pane:

  1. Select App Containers.

  2. Choose how the Gorouter verifies app identity to enable encryption and prevent misrouting under Gorouter app identity verification:

    • The Gorouter uses TLS to verify app identity: enables the Gorouter to verify app identity using TLS. This is the default option.
    • The Gorouter and apps use mutual TLS to verify each other’s identity: enables your apps and the Gorouter to verify each other’s identity using mutual TLS (mTLS). This option disables TCP routing because app containers accept incoming communication only from the Gorouter.

    For more information, see Preventing Misrouting in HTTP Routing.

    Note: This feature does not work if the Disable SSL certificate verification for this environment checkbox is enabled in the Networking pane.

    Note: If you are using PASW, you can enable app identification using TLS or mTLS in the Advanced Features pane of PASW. For more information, see TLS Connections from the Gorouter to Apps (Beta)

  3. (Optional) You can configure PAS to run app instances in Docker containers by provided a comma-separated list of their IP address ranges in the Private Docker insecure registry allow list field. For more information, see Using Docker Registries.

  4. Select your preference for Docker images disk cleanup scheduling on Diego Cell VMs. If you choose Clean up disk space once usage fills disk, enter a value in MB for Reserved disk space for other jobs. This is the amount of space the garbage collection algorithm should keep free for other jobs. For more information about the configuration options and how to configure a reserved amount, see Configuring Diego Cell Disk Cleanup Scheduling.

  5. The Enable containerd delegation checkbox governs whether or not Garden delegates container create and destroy operations to the containerd tool. By default, this option is enabled and Garden uses containerd. Disable this option by disabling the checkbox. For more information about the containerd tool, see containerd.

  6. Under NFSv3 volume services, select Enable or Disable. NFS volume services allow app developers to bind existing NFS volumes to their apps for shared file access. For more information, see Enabling Volume Services.

    Note: In a fresh install, NFSv3 volume services is enabled by default. In an upgrade, NFSv3 volume services is set to the same setting as it was in the previous deployment.

  7. (Optional) To configure LDAP for NFSv3 volume services:

    • For LDAP service account user, enter the username of the service account in LDAP that manages volume services.
    • For LDAP service account password, enter the password for the service account.
    • For LDAP server host, enter the hostname or IP address of the LDAP server.
    • For LDAP server port, enter the LDAP server port number. If you do not specify a port number, Ops Manager uses 389.
    • For LDAP user search base, enter the location in the LDAP directory tree from which any LDAP user search begins. The typical LDAP search base matches your domain name.
      For example, a domain named cloud.example.com typically uses the following LDAP user search base: ou=Users,dc=example,dc=com.
    • (Optional) For LDAP server CA certificate, you can enter a certificate if your LDAP server supports TLS and you want to enable TLS connections from the NFS driver to your LDAP server. Paste in the root certificate from your CA certificate or your self-signed certificate.

      Note: UAA can only parse one certificate entered into this field. If you enter multiple certificates, UAA only uses the first one you entered and ignores the rest. You only need to include one root certificate or self-signed certificate.

  8. Click Save.

Configure System Logging

In the System Logging pane, you can configure system logging in PAS to forward log messages from PAS component VMs to an external service. Pivotal recommends forwarding logs to an external service for use in troubleshooting. If you do not fill these fields, platform logs are not forwarded but remain available on the component VMs and for download through Ops Manager.

To configure the System Logging pane:

  1. Select System Logging.

  2. Select an option under Configure syslog for system components?. No is selected by default. This setting only affects Diego Cell, Gorouter, and HAProxy components within the isolation segment. This setting does not affect shared PAS system components.

  3. To use syslog, select Yes.

  4. Enter the address of your external syslog aggregation service in the Address field. The address can be a hostname or IP address.

  5. Enter a port number in the Port field.

  6. Select a protocol from the Transport protocol menu. This is the protocol the system uses to transmit logs to syslog.

  7. (Optional) To transmit logs over TLS, select the Enable TLS checkbox.

  8. Enter a Permitted peer.

  9. Paste the certificate for your TLS certificate authority (CA) in the TLS CA certificate field.

  10. (Optional) Enable the Use TCP for file forwarding local transport checkbox to transmit logs over TCP. This prevents log truncation, but may cause performance issues.

  11. (Optional) The Do not forward debug logs checkbox is enabled by default. To forward DEBUG syslog messages to an external service, disable the checkbox.

    Note: Some Pivotal Isolation Segment components generate a high volume of DEBUG syslog messages. Enabling the Do not forward debug logs checkbox prevents PAS components from forwarding the DEBUG syslog messages to external services. However, Pivotal Isolation Segment still writes the messages to the local disk.

  12. (Optional) To specify a custom syslog rule, enter it in the Custom rsyslog configuration field in RainerScript syntax. For more information about customizing syslog rules, see Customizing Syslog Rules. For more information about RainerScript, see the RainerScript documentation.

  13. Select the Enable system metrics checkbox to emit system-level metrics about all VMs in the deployment. For a list of the VM metrics that the System Metric Agent emits, see VM Metrics in GitHub. When you enable this checkbox, ensure that you open port 9100 for the isolation segment. For more information, see Configure Firewall Rules in Routing for Isolation Segments.

  14. Click Save.

Configure Advanced Features

The Advanced Features pane includes new functionality that may have certain constraints. Although these features are fully supported, Pivotal recommends caution when using them in production environments.

Diego Cell Memory and Disk Overcommit

If your apps do not use the full allocation of disk space and memory set in the Resource Config tab, you might want use this feature. These fields control the amount to overcommit disk and memory resources to each Diego Cell VM.

For example, you might want to use the overcommit if your apps use a small amount of disk and memory capacity compared to the amounts set in the Resource Config settings for Diego Cell.

Note: Due to the risk of app failure and the deployment-specific nature of disk and memory use, Pivotal has no recommendation for how much, if any, memory or disk space to overcommit.

To enable overcommit:

  1. Select Advanced Features.

  2. Enter in MB the total desired amount of Diego Cell memory in the Diego Cell memory capacity field. See the Diego Cell row in the Resource Config tab for the current Diego Cell memory capacity settings that this field overrides.

  3. Enter in MB the total desired amount of Diego Cell disk capacity in the Diego Cell disk capacity field. See the Diego Cell row in the Resource Config tab for the current Diego Cell disk capacity settings that this field overrides.

  4. Click Save.

Note: Entries made to each of these two fields set the total amount of resources allocated, not the overage.

SMB Volume Services

Enabling SMB volume services allows developers to bind existing SMB shares to their apps for shared file access.

To enable SMB volume services:

  1. Select Advanced Features.

  2. Select the Enable SMB volume services checkbox.

  3. Click Save.

  4. In the Errands pane of the PAS tile, set the SMB Broker Errand to On.

  5. Click Save.

For more information about SMB volume services, see Enabling Volume Services.

Configure Compute and Networking Isolation

In the Compute and Networking Isolation pane, you can enable or disable compute isolation and configure Gorouter sharding for isolation segments.

Compute isolation is when an app runs on compute resources, such as clusters, resource pools, and servers, that are isolated from other resources by a network partition or firewall.

Networking isolation, or Gorouter sharding, is when traffic to an app instance uses a dedicated route that is isolated from routes used by other app instances by a network partition or firewall rule.

In the Pivotal Isolation Segment tile, you cannot disable compute isolation and enable networking isolation at the same time. This is because networking isolation configures the route by which traffic goes to the Pivotal Isolation Segment tile. Both compute and networking isolation are enabled by default.

Options for Configuring Compute and Networking Isolation

The following table describes the three ways Pivotal recommends configuring the Compute and Networking Isolation pane and the Gorouters reject requests for isolation segments checkbox in the Networking pane of the PAS tile:

Use case Compute isolation Gorouter sharding mode Gorouters reject requests for isolation segments (PAS tile) Other requirements Scaling recommendations
Using compute isolation and network isolation Enabled Isolation segment only Enabled Pivotal Isolation Segment has its own load balancer and uses a different domain from PAS Apps in the isolation segment should have their own Diego Cells and Gorouters.
Using compute isolation and extra Pivotal Isolation Segment Gorouters Enabled Isolation segment only Disabled Pivotal Isolation Segment has its own load balancer and uses the same domain as PAS Apps in the isolation segment should have their own Diego Cells and Gorouters.
Using compute isolation only Enabled No isolation segment Disabled Pivotal Isolation Segment uses PAS load balancer and domain Scale Pivotal Isolation Segment Gorouters to 0.

The use cases in the table above are described below:

  • Use compute isolation and network isolation: The most common use case is to enable compute isolation, networking isolation, and the Gorouters reject requests for isolation segments checkbox in the Networking pane of the PAS tile. This configuration routes traffic between an isolation segment and a block of compute resources that is dedicated solely to that isolation segment. It also ensures that no traffic is routed through the PAS Gorouters.

  • Use compute isolation and extra Pivotal Isolation Segment Gorouters: To configure traffic for your isolated apps to pass through the Gorouters for both Pivotal Isolation Segment and PAS, enable compute isolation and networking isolation, and disable the Gorouters reject requests for isolation segments checkbox in PAS. You can also use either the same apps domain you configured in the Domains pane of the PAS tile, or a different domain that you configure with the DNS for the load balancer for the Pivotal Isolation Segment Gorouters. This configuration is useful if you want to configure isolated compute resources for your apps but do not have additional networking restrictions.

  • Use compute isolation only: To configure the PAS load balancer and apps domain route requests from your isolated apps, you can enable compute isolation, disable networking isolation, and disable the Gorouters reject requests for isolation segments checkbox in PAS. This configuration enables you to move Diego Cells out of PAS and into isolation segments, so you can upgrade PAS first and your Pivotal Isolation Segment tiles as time permits. This allows you to upgrade a large foundation in pieces, making it easier to upgrade within scheduled maintenance windows. This configuration is useful if your foundation has additional compute resource blocks, but no additional Gorouters for Pivotal Isolation Segment configured in the Resource Config pane.

Configure Pane

To configure the Compute and Networking Isolation pane:

  1. Select Compute and Networking Isolation.

  2. Under Compute isolation, enable or disable compute isolation:

    • To disable compute isolation, select Disable. Select this option if you do not require compute isolation and you are deploying the Pivotal Isolation Segment tile for the purpose of making upgrades more manageable. For example, if you have a PAS tile with a large volume of Diego Cells. This approach helps separate the upgrade of the PAS control plane from the upgrade of the Diego Cells. Further, it splits the upgrade of the Diego Cells into smaller groups.
    • To enable compute isolation, select Enable and enter a placement tag for your Diego Cells in the Segment name field. This placement tag identifies the Diego Cells that run in your isolation segment and must be unique across your Pivotal Platform deployment. You use this placement tag when following the steps in Register an Isolation Segment in Managing Isolation Segments to create the isolation segment in the CCDB.

      Note: If you disable compute isolation, you must set Gorouter sharding mode to No isolation segment. Otherwise, the Pivotal Isolation Segment tile fails to schedule the apps in your isolation segment.

  3. Under Gorouter sharding mode, enable or disable networking isolation by selecting a sharding mode. For more information, see Sharding Gorouters for Isolation Segments in Routing for Isolation Segments.

    • Isolation segment only: The Gorouters for the PAS tile acknowledge requests only for apps deployed within the Diego Cells of the tile. All other requests fail.
    • No isolation segment: The Gorouters for the PAS tile reject requests for any isolation segment. Choose this option to add a group of Gorouters for the PAS tile, such as when you want a private point of entry for the system domain or to configure a group of Gorouters to receive requests from your corporate intranet.

Configure Resources

In the Resource Config pane, you must associate load balancers with the VMs in your deployment to enable traffic.

To configure the Resource Config pane:

  1. Select Resource Config.

  2. If you are using a dedicated Gorouter for your isolation segment:

    Note: The configuration settings available in Resource Config vary depending on your IaaS.

    • If you have the Load Balancers column in your Resource Config:
      1. Enter the wildcard DNS entry attached to your load balancer into the Router row under Load Balancers.
    • If you do not have the Load Balancers column in your Resource Config:
      1. Navigate to the Networking pane.
      2. Specify Gorouter IPs.
      3. Attach the IP addresses to your load balancer manually.
  3. If you are not using HAProxy for this isolation segment, set the number of Instances to 0.

After Tile Configuration

After you configure the Pivotal Isolation Segment tile:

  1. Register the isolation segment in the CCDB by following the procedure in Register an Isolation Segment in Managing Isolation Segments.

  2. Return to the Ops Manager Installation Dashboard.

  3. Click Review Pending Changes, then Apply Changes to deploy the tile.

After the tile finishes deploying, see Managing Isolation Segments for more information about managing an isolation segment.

(Optional) Step 4: Copy the Tile

To create multiple isolation segments, you can copy the Pivotal Isolation Segment tile with the Replicator tool.

To create multiple isolation segments:

  1. Download the Replicator tool from the Pivotal Isolation Segment page of Pivotal Network.

  2. Navigate to the directory where you downloaded the Replicator tool.

  3. Replicate the tile by running:

    ./replicator \
        --name "TILE-NAME" \
        --path /PATH/TO/ORIGINAL.pivotal \
        --output /PATH/TO/COPY.pivotal
    

    Where:

    • TILE-NAME is a unique name you provide for the new Pivotal Isolation Segment tile. The name must be ten characters or less and only contain alphanumeric characters, dashes, underscores, and spaces.
    • /PATH/TO/ORIGINAL is the absolute path to the original Pivotal Isolation Segment tile you downloaded from Pivotal Network.
    • /PATH/TO/COPY is the absolute path for the copy that the Replicator tool produces.
  4. Follow the procedures in this topic using the new .pivotal file, starting with Step 1.

Upgrading Replicated Tiles

For information about upgrading replicated Pivotal Isolation Segment tiles, see Upgrading Replicated Tiles in Upgrading PAS and Other Pivotal Platform Products.