Pivotal recommends that you do the following:

  • Run PCC in its own network
  • Use a load balancer to block direct, outside access to the Gorouter

To allow PCC network access from apps, you must create application security groups that allow access on the following ports:

  • 1099
  • 8080
  • 40404
  • 55221

For more information, see the PCF Application Security Groups topic.

PCC works with the IPsec Add-on for PCF. For information about the IPsec Add-on for PCF, see Securing Data in Transit with the IPsec Add-on.


PCC service instances are created with three default GemFire user roles for interacting with clusters:

  • A cluster operator manages the GemFire cluster and can access region data.
  • A developer can access region data.
  • A gateway sender propagates region data to another PCC service instance.

All client apps, gfsh, and JMX clients must authenticate as one of these user roles to access the cluster.

The identifiers assigned for these roles are detailed in Create Service Keys.


Each user role is given predefined permissions for cluster operations. To accomplish a cluster operation, the user authenticates using one of the roles. Prior to initiating the requested operation, there is a verification that the authenticated user role has the permission authorized to do the operation. Here are the permissions that each user role has:

  • The cluster operator role has CLUSTER:MANAGE, CLUSTER:WRITE, CLUSTER:READ, DATA:MANAGE, DATA:WRITE, and DATA:READ permissions.
  • The developer role has CLUSTER:READ, DATA:WRITE, and DATA:READ permissions.
  • The gateway sender role has DATA:WRITE permission.

More details about these permissions are in the Pivotal GemFire manual under Implementing Authorization.