Managing Isolation Segments

This topic describes how operators can isolate deployment workloads into dedicated resource pools called isolation segments.

Requirements

You must have v6.26.0 or later of the Cloud Foundry Command Line Interface (cf CLI) installed to manage isolation segments.

Target the API endpoint of your deployment with cf api and log in with cf login before performing the procedures in this topic. For more information, see the Identifying the API Endpoint for your Elastic Runtime Instance topic.

Overview

To enable isolation segments, an operator must install the PCF Isolation Segment tile by performing the procedures in the Installing PCF Isolation Segment topic. Installing the tile creates a single isolation segment.

After an admin creates a new isolation segment, the admin can then create and manage relationships between the orgs and spaces of a Cloud Foundry deployment and the new isolation segment.

To manage the isolation segment, an operator uses cf CLI commands.

Operators can perform the operations on isolation segments described in the sections below.

Create an Isolation Segment

Before you create an isolation segment in PCF, you must install the PCF Isolation Segment tile by performing the procedures in the Installing PCF Isolation Segment topic.

To register an isolation segment with Cloud Controller, use the cf CLI.

Note: The isolation segment name used in the cf CLI command must match the value specified in the Segment Name field of the PCF Isolation Segment tile. If the names do not match, PCF fails to place apps in the isolation segment when apps are started or restarted in the space assigned to the isolation segment.

The following command creates an isolation segment named my_segment:

$ cf create-isolation-segment my_segment

If successful, the command returns an OK message:

Creating isolation segment my_segment as admin...
OK

Retrieve Isolation Segment Information

The cf isolation-segments, cf org, and cf space commands retrieve information about isolation segments. The isolation segments you can see depend on your role, as follows:

  • Admins see all isolation segments in the system.
  • Other users only see the isolation segments that their orgs are entitled to.

List Isolation Segments

The following request returns a list of the isolation segments that are available to you:

$ cf isolation-segments

For example, the command returns results similar to the following:

Getting isolation segments as admin...
OK

name           orgs
my_segment     org1, org2

Display Isolation Segments Enabled for an Org

An admin can entitle an org to multiple isolation segments.

Run the cf org ORG-NAME command to view the isolation segments that are available to an org. Replace ORG-NAME with the name of your org.

For example:

$ cf org my-org

The command returns results similar to the following:

Getting info for org my-org as user@example.com...

name:                 my-org
domains:              example.com, apps.example.com
quota:                paid
spaces:               development, production, sample-apps, staging
isolation segments:   my_segment, my_other_segment

Show the Isolation Segment Assigned to a Space

Only one isolation segment can be assigned to a space.

Run cf space SPACE-NAME to view the isolation segment assigned to a space. Replace SPACE-NAME with the name of the space.

For example:

$ cf space staging

The command returns results similar to the following:

name:                staging
org:                 my-org
apps:
services:
isolation segment:   my_segment
space quota:
security groups:     dns, p-mysql, p.mysql, pcf-redis, public_networks, rabbitmq, ssh-logging

Delete an Isolation Segment

Note: An isolation segment with deployed apps cannot be deleted.

Only admins can delete isolation segments.

Run cf delete-isolation-segment SEGMENT-NAME to delete an isolation segment. Replace SEGMENT-NAME with the name of the isolation segment. If successful, the command returns an OK message.

For example:

$ cf delete-isolation-segment my_segment
Deleting isolation segment my_segment as admin...
OK

Manage Isolation Segment Relationships

The commands listed in the sections below manage the relationships between isolation segments, orgs, and spaces.

Enable an Org to Use Isolation Segments

Only admins can enable orgs to use isolation segments. Run cf enable-org-isolation ORG-NAME SEGMENT-NAME to enable the use of an isolation segment. Replace ORG-NAME with the name of your org, and SEGMENT-NAME with the name of the isolation segment.

For example:

$ cf enable-org-isolation org2 my_segment

If an org is entitled to use only one isolation segment, that isolation segment does not automatically become the default isolation segment for the org. You must explicitly set the default isolation segment of an org.

Disable an Org from Using Isolation Segments

Note: You cannot disable an org from using an isolation segment if a space within that org is assigned to the isolation segment. Additionally, you cannot disable an org from using an isolation segment if the isolation segment is configured as the default for that org.

Run cf disable-org-isolation ORG-NAME SEGMENT-NAME to disable an org from using an isolation segment. Replace ORG-NAME with the name of your org, and SEGMENT-NAME with the name of the isolation segment.

For example:

$ cf disable-org-isolation org1 my_segment

If successful, the command returns an OK message:

Removing entitlement to isolation segment my_segment from org org1 as admin...
OK

Set the Default Isolation Segment for an Org

This section requires cf CLI v6.29.0 or later.

Only admins and org managers can set the default isolation segment for an org.

When an org has a default isolation segment, apps in its spaces belong to the default isolation segment unless you assign them to another isolation segment. You must restart running applications to move them into the default isolation segment.

Run cf set-org-default-isolation-segment ORG-NAME SEGMENT-NAME to set the default isolation segment for an org. Replace ORG-NAME with the name of your org, and SEGMENT-NAME with the name of the isolation segment.

For example:

$ cf set-org-default-isolation-segment org1 my_segment
Setting isolation segment my_segment to default on org org1 as admin...
OK

To display the default isolation segment for an org, use the cf org command.

Assign an Isolation Segment to a Space

Admins and org managers can assign an isolation segment to a space. Apps in that space start in the specified isolation segment.

To assign an isolation segment to a space, you must first enable the space’s org to use the isolation segment. See Enable an Org to Use Isolation Segments.

Run cf set-space-isolation-segment SPACE-NAME SEGMENT-NAME to assign an isolation segment to a space. Replace SPACE-NAME with the name of the space, and SEGMENT-NAME with the name of the isolation segment.

For example:

$ cf set-space-isolation-segment space1 my_segment
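
To confirm that both steps took effect (the org entitlement and the space assignment), the following added example, which is not part of the original documentation, checks a space against the segment it is expected to run in and reports which step is missing. It assumes the cf org and cf space text output format shown earlier in this topic; cf_field, segment_in_list and check_space are hypothetical helper names.

```shell
#!/bin/sh
# Added example: audit helper over `cf org` / `cf space` text output.
# cf_field, segment_in_list and check_space are hypothetical helper names.

# Print the value of the "key:   value" line named $1 from stdin.
cf_field() {
  awk -v key="$1" -F: '$1 == key {
    sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit }'
}

# Succeed if segment $1 is in the comma-separated list $2.
segment_in_list() {
  printf '%s\n' "$2" | awk -v want="$1" -F'[ \t]*,[ \t]*' '
    { for (i = 1; i <= NF; i++) if ($i == want) found = 1 }
    END { exit !found }'
}

# check_space ORG_OUTPUT SPACE_OUTPUT EXPECTED_SEGMENT
# 0 = space is assigned to the expected segment
# 1 = org is not entitled to it (needs cf enable-org-isolation)
# 2 = org is entitled, space is not assigned to it
#     (needs cf set-space-isolation-segment)
check_space() {
  entitled=$(printf '%s\n' "$1" | cf_field "isolation segments")
  assigned=$(printf '%s\n' "$2" | cf_field "isolation segment")
  space=$(printf '%s\n' "$2" | cf_field "name")
  if ! segment_in_list "$3" "$entitled"; then
    echo "FAIL $space: org is not entitled to $3"; return 1
  fi
  if [ "$assigned" != "$3" ]; then
    echo "FAIL $space: assigned '${assigned:-none}', expected $3"; return 2
  fi
  echo "OK $space: $3"
}

# Sample input: trimmed from the example output shown in this topic.
# In live use: ORG_OUT=$(cf org my-org); SPACE_OUT=$(cf space staging)
ORG_OUT='name:                 my-org
isolation segments:   my_segment, my_other_segment'
SPACE_OUT='name:                staging
org:                 my-org
isolation segment:   my_segment
space quota:'

check_space "$ORG_OUT" "$SPACE_OUT" my_segment
```

A space that reports no isolation segment returns 2 here; its apps follow the org's default isolation segment rather than an explicit assignment.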

Reset the Isolation Segment Assignment for a Space

Admins can reset the isolation segment assigned to a space to use the org’s default isolation segment.

Run cf reset-space-isolation-segment SPACE-NAME to assign the default isolation segment for an org to a space. Replace SPACE-NAME with the name of the space.

For example:

$ cf reset-space-isolation-segment space1
