On-Demand Service Architecture

Warning: MySQL for Pivotal Cloud Foundry v2.3 is no longer supported because it has reached the End of General Support (EOGS) phase. To stay up to date with the latest software and security updates, upgrade to a supported version.

This topic describes the architecture for on-demand MySQL for Pivotal Cloud Foundry (PCF).

For information about architecture of the older, pre-provisioned service, see the Architecture topic for MySQL for PCF v1.10.

Service Network Requirement

When you deploy Pivotal Cloud Foundry, you must create a statically defined network to host the component virtual machines that constitute the MySQL for Pivotal Cloud Foundry infrastructure.

Pivotal Cloud Foundry components, like the Cloud Controller and UAA, run on this infrastructure network. On-demand Pivotal Cloud Foundry services may require that you host them on a network that runs separately from this network. You can also deploy tiles on separate service networks to meet your own security requirements.

Pivotal Cloud Foundry v2.0 and Earlier

In Pivotal Cloud Foundry v2.0 and earlier, cloud operators pre-provision service instances from Pivotal Operations Manager. For each service, Ops Manager allocates and recovers static IP addresses from a pre-defined block of addresses.

To enable on-demand services in Pivotal Cloud Foundry v2.0 and earlier, operators must create a service network in BOSH Director and select the Service Network checkbox. Operators can then select the service network to host on-demand service instances when they configure the tile for that service.

Pivotal Cloud Foundry v2.1 and Later

Pivotal Cloud Foundry v2.1 and later include dynamic networking. In Pivotal Cloud Foundry v2.1 and later, operators can use dynamic networking with asynchronous service provisioning to define dynamically-provisioned service networks. For more information, see Default Network and Service Network.

In Pivotal Cloud Foundry v2.1 and later, on-demand services are enabled by default on all networks. Operators can create separate networks to host services in BOSH Director, but doing so is optional. Operators select which network hosts on-demand service instances when they configure the tile for that service.

Default Network and Service Network

On-demand MySQL for PCF services use BOSH to dynamically deploy VMs and create single-tenant service instances in a dedicated network. On-demand services use the dynamically-provisioned service network to host single-tenant worker VMs. These worker VMs run as service instances within development spaces.

This on-demand architecture has the following advantages:

  • Developers can provision IaaS resources for their service instances when the instances are created. This removes the need for operators to pre-provision a fixed amount of IaaS resources when they deploy the service broker.
  • Service instances run on a dedicated VM and do not share VMs with unrelated processes. This removes the “noisy neighbor” problem, where an app monopolizes resources on a shared cluster.
  • Single-tenant services can support regulatory compliance requirements where sensitive data must be separated across different machines.

An on-demand service separates operations between the default network and the service network. Shared service components, such as executive controllers and databases, Cloud Controller, UAA, and other on-demand components, run on the default network. Worker pools deployed to specific spaces run on the service network.

The diagram below shows worker VMs in an on-demand service instance running on a separate services network, while other components run on the default network.


Required Networking Rules for On-Demand Services

Before deploying a service tile that uses the on-demand service broker (ODB), you must create networking rules to enable Pivotal Cloud Foundry components to communicate with ODB. For instructions for creating networking rules, see the documentation for your IaaS.

The following table lists key components and their responsibilities in the on-demand architecture.

Key Components

Component | Responsibilities
BOSH Director | Creates and updates service instances as instructed by ODB.
BOSH Agent | Runs on every VM that the BOSH Director deploys. The agent listens for instructions from the BOSH Director and executes those instructions. The agent receives job specifications from the BOSH Director and uses them to assign a role or job to the VM.
BOSH UAA | Issues OAuth2 tokens for clients to use when they act on behalf of BOSH users.
Pivotal Application Service | Contains the apps that consume services.
ODB | Instructs BOSH to create and update services. Connects to services to create bindings.
Deployed service instance | Runs the given service. For example, a deployed MySQL service instance runs the MySQL service.

Regardless of the specific network layout, the operator must ensure network rules are set up so that connections are open as described in the table below.

This component… | Must communicate with… | Default TCP Port | Communication direction(s) | Notes
BOSH Agent | BOSH Director | 4222 | Two-way | The BOSH Agent runs on every VM in the system, including the BOSH Director VM. The BOSH Agent initiates the connection with the BOSH Director. The default port is not configurable.
Broker and Service Instances | Doppler on PAS | 8082 | One-way | This port is for metrics.
Deployed Apps on PAS | MySQL Service Instances | 3306 | One-way | This port is for general use, app-specific tasks. In addition to configuring your IaaS, create a security group for the MySQL service instance.
Leader VM | Follower VM | 8443 | Two-way | This port is needed if leader-follower is enabled. For information, see Configure a Leader-Follower Service Plan.
ODB | BOSH Director | 25555, 8443 | One-way | The default ports are not configurable.
ODB | MySQL service instances | 3306 | One-way | This connection is for administrative tasks. Avoid opening general use, app-specific ports for this connection.
ODB | PAS | 8443 | One-way | The default port is not configurable.
PAS | ODB | 8080 | One-way | This port allows PAS to communicate with the ODB component.
Deployed apps on PAS | Runtime CredHub | 8844 | One-way | This port is needed if secure service instance credentials are enabled. For information, see Configure Security.
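The table above is the specification an operator has to translate into IaaS firewall rules and a Cloud Foundry application security group. The following is an added example, not code from the MySQL for PCF documentation or the on-demand service broker: it encodes the table as data, audits a proposed rule set for flows that are missing and for flows the table does not call for (the least-privilege check behind the note on the ODB-to-MySQL row), and emits the security group that the "Deployed Apps on PAS" row asks for. The component names are the table's own; the (src, dst, port) input format, the sample rule set, and the 10.0.1.0/24 service-network CIDR are assumptions made for illustration.

```python
"""
Added example (not from the MySQL for PCF docs): model the required
connectivity of an on-demand service as data, audit a proposed rule set
against it, and generate the CF application security group for apps.
"""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One permitted direction of traffic to a single TCP port."""
    src: str
    dst: str
    port: int


def required_flows(leader_follower=False, credhub=False):
    """Required flows transcribed from the networking-rules table.
    Two-way rows are expanded into both directions; the optional
    leader-follower and CredHub rows are added only when enabled."""
    rows = [
        ("BOSH Agent", "BOSH Director", 4222, True),
        ("Broker and Service Instances", "Doppler on PAS", 8082, False),
        ("Deployed Apps on PAS", "MySQL Service Instances", 3306, False),
        ("ODB", "BOSH Director", 25555, False),
        ("ODB", "BOSH Director", 8443, False),
        ("ODB", "MySQL Service Instances", 3306, False),
        ("ODB", "PAS", 8443, False),
        ("PAS", "ODB", 8080, False),
    ]
    if leader_follower:
        rows.append(("Leader VM", "Follower VM", 8443, True))
    if credhub:
        rows.append(("Deployed Apps on PAS", "Runtime CredHub", 8844, False))
    flows = set()
    for src, dst, port, two_way in rows:
        flows.add(Flow(src, dst, port))
        if two_way:
            flows.add(Flow(dst, src, port))
    return flows


def audit_rules(allowed, leader_follower=False, credhub=False):
    """allowed: iterable of (src, dst, port) tuples that the IaaS
    firewall / security groups currently permit (assumed format).
    Returns (missing, unexpected): required flows not yet allowed, and
    allowed flows the table never asks for, such as an ODB rule that
    opens app-specific ports instead of only the admin port 3306."""
    allowed_flows = {Flow(*rule) for rule in allowed}
    needed = required_flows(leader_follower, credhub)
    return needed - allowed_flows, allowed_flows - needed


def mysql_asg(service_network_cidr, credhub_cidr=None):
    """JSON body for a CF application security group (cf create-security-group)
    that lets apps reach MySQL service instances on 3306 and, when secure
    service instance credentials are enabled, Runtime CredHub on 8844."""
    rules = [{
        "protocol": "tcp",
        "destination": service_network_cidr,
        "ports": "3306",
        "description": "apps -> on-demand MySQL service instances",
    }]
    if credhub_cidr:
        rules.append({
            "protocol": "tcp",
            "destination": credhub_cidr,
            "ports": "8844",
            "description": "apps -> Runtime CredHub",
        })
    return json.dumps(rules, indent=2)


if __name__ == "__main__":
    # Constructed rule set: it forgets PAS -> ODB on 8080 and opens an
    # extra port from ODB to the service instances that the table does not need.
    proposed = [
        ("BOSH Agent", "BOSH Director", 4222),
        ("BOSH Director", "BOSH Agent", 4222),
        ("Broker and Service Instances", "Doppler on PAS", 8082),
        ("Deployed Apps on PAS", "MySQL Service Instances", 3306),
        ("ODB", "BOSH Director", 25555),
        ("ODB", "BOSH Director", 8443),
        ("ODB", "MySQL Service Instances", 3306),
        ("ODB", "MySQL Service Instances", 33060),  # not in the table
        ("ODB", "PAS", 8443),
    ]
    missing, unexpected = audit_rules(proposed)
    print("missing:", sorted((f.src, f.dst, f.port) for f in missing))
    print("unexpected:", sorted((f.src, f.dst, f.port) for f in unexpected))
    print(mysql_asg("10.0.1.0/24"))  # assumed service-network CIDR
```

The generated JSON is what you would save to a file and load with `cf create-security-group`, then attach with `cf bind-security-group` to the orgs and spaces whose apps bind to MySQL service instances; keeping the destination restricted to the service network's CIDR and to port 3306 is the point of the "create a security group" note in the table.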