Installing PCF Isolation Segment

Page last updated:

This topic describes how to install the PCF Isolation Segment tile, which allows operators to isolate deployment workloads into dedicated resource pools called isolation segments.

Installing the tile installs a single isolation segment. However, you can install multiple isolation segments using the Replicator tool documented in Step 4.

After installing the tile, you must perform the steps in the Create an Isolation Segment section of the Managing Isolation Segments topic to create the isolation segment in the Cloud Controller Database (CCDB). The topic also includes information about managing an isolation segment.

For more information about how isolation segments work, see the Isolation Segments section of the Understanding Cloud Foundry Security topic.

Step 1: (Optional) Configure Routing

By default, the Elastic Runtime Router handles traffic for your isolation segment. However, you can deploy a dedicated router for your isolation segment instead. For information on how you can configure and manage routing for isolation segments, see the Routing for Isolation Segments topic.

To deploy a dedicated router, perform the following steps:

  1. Add a load balancer in front of the Elastic Runtime Router. The steps to do this depend on your IaaS, but the setup of the load balancer should mirror the setup of the load balancer for the Elastic Runtime Router that you configured in the Elastic Runtime tile.
  2. Create a wildcard DNS entry for traffic routed to any app in the isolation segment. For example, *.iso.example.com.
  3. Attach the wildcard DNS entry to the load balancer you created.

Step 2: Install the Tile

Perform the following steps to install the PCF Isolation Segment tile:

  1. Download the product file from Pivotal Network.

  2. Navigate to YOUR-OPSMAN-FQDN in a browser to log in to the Ops Manager Installation Dashboard.

  3. Click Import a Product and select the downloaded product file.

  4. Under PCF Isolation Segment in the left column, click the plus sign.

Step 3: Configure the Tile

Perform the following steps to configure the PCF Isolation Segment tile:

  1. Click the orange PCF Isolation Segment tile to start the configuration process.
    Pcf isolation segment

  2. Click Assign AZs and Networks.

    Az network

  3. Select an availability zone for your singleton jobs, and one or more availability zones to balance other jobs in.

  4. Select a network. This network does not need to be the same network where you deployed Elastic Runtime. For most deployments, operators should create unique networks in which to deploy the Isolation Segment tile. These networks should maintain network reachability with the Diego components so that the cells can reach the Diego Brain and Diego Database VMs.

  5. Click Save.

  6. Click Application Containers.

    App containers

  7. (Optional): Under Private Docker Insecure Registry Whitelist, enter one or more private Docker image registries that are secured with self-signed certificates. Use a comma-delimited list in the format IP:Port or Hostname:Port.

  8. Under Segment Name, enter the name of your isolation segment. This name must be unique across your PCF deployment. You use this name when performing the steps in the Create an Isolation Segment section of the Managing Isolation Segments topic to create the isolation segment in the Cloud Controller Database (CCDB).

  9. By default, containers use the same DNS servers as the host. If you want to override the DNS servers to be used in the containers in the isolation segment, enter a comma-separated list of servers in DNS Servers.

  10. Under Enabling NFSv3 volume services, select Enable or Disable. NFS volume services allow application developers to bind existing NFS volumes to their applications for shared file access. For more information, see the Enabling NFS Volume Services topic.

    Note: In a clean install of the PCF Isolation Segment tile, NFSv3 volume services will be enabled by default. In an upgrade, NFSv3 volume services will be set to the same setting as it was in the previous tile.

  11. Click Save.

  12. Click Networking.

    Isolation segment networking

  13. (Optional): Under Router IPs, enter one or more static IP addresses for the routers that handle this isolation segment. These IP addresses must be within the subnet CIDR block that you defined in the Ops Manager network configuration. If you have a load balancer, configure it to point to these IP addresses.

    Note: Entering the static IPs is not necessary for deployments running on a public IaaS because PCF users specify the IaaS load balancer in the Resource Config section of the PCF Isolation Segment tile.

  14. (Optional): Under Applications Network Maximum Transmission Unit, change the Maximum Transmission Unit (MTU). The default is 1454 bytes.

  15. Under TLS Termination Certificates, select one of the following options:

    • Forward SSL to Isolation Segment Router with provided certificates: Select this option if your deployment uses an external load balancer that can forward encrypted traffic to the Elastic Runtime Router for the isolation segment, or if you are running a development environment that does not require load balancing. Complete the fields for the Router SSL Termination Certificate and Private Key and Router SSL Ciphers.
    • Forward SSL to Isolation Segment Router with ERT Router certificates: Select this option to inherit the certificates provided to the Elastic Runtime Router when you configured the Elastic Runtime tile. This option assumes an external load balancer is configured to forward encrypted traffic.
    • Forward unencrypted traffic to Elastic Runtime Router: Select this option if your deployment uses an external load balancer that cannot forward encrypted traffic to the Elastic Runtime Router, or for a development environment that does not require load balancing. Networking2
  16. In the Minimum version of TLS supported by Router field, select the minimum version of TLS to use in Router communications. The Router uses TLS v1.2 by default. If you need to accommodate clients that use an older version of TLS, select a lower minimum version. For a list of TLS ciphers supported by the Gorouter, see Securing Traffic into Cloud Foundry.

  17. Under Configure the CF Router support for the X-Forwarded-Client-Cert header, configure how the Gorouter handles x-forwarded-client-cert (XFCC) HTTP headers. Networking xforwarded client cert xfcc The following table indicates which option to choose based on your deployment layout.

    If your deployment is configured as follows: Then select the following option:
    • Load balancer is terminating TLS, and
    • Load balancer is configured to put the client certificate from a mutual authentication TLS handshake into the X-Forwarded-Client-Cert HTTP header, and
    • Requests to Gorouter are unencrypted (whether or not HAProxy is present.)
    Always forward the XFCC header in the request, regardless of whether the client connection is mTLS (default).
    • Load balancer is terminating TLS, and
    • Load balancer is configured to put the client certificate from a mutual authentication TLS handshake into the X-Forwarded-Client-Cert HTTP header, and
    • Requests to Gorouter are encrypted (whether or not HAProxy is present.)
    Forward the XFCC header received from the client only when the client connection is mTLS.
    • Load balancer is not terminating TLS (configured as pass through), and
    • Gorouter is terminating TLS
    Strip the XFCC header when present and set it to the client certificate from the mTLS handshake.

    For a description of the behavior of each configuration option, see Forward Client Certificate to Applications.

  18. (Optional) Use the Frontend Idle Timeout for Gorouter and HAProxy field to help prevent connections from your load balancer to Gorouter or HAProxy from being closed prematurely. The value you enter sets the duration, in seconds, that Gorouter or HAProxy maintains an idle open connection from a load balancer that supports keep-alive.

    In general, set the value higher than your load balancer’s backend idle timeout to avoid the race condition where the load balancer sends a request before it discovers that Gorouter or HAProxy has closed the connection.

    See the following table for specific guidance and exceptions to this rule:

    IaaS Guidance
    AWS AWS ELB has a default timeout of 60 seconds, so Pivotal recommends a value greater than 60.
    Azure By default, Azure load balancer times out at 240 seconds without sending a TCP RST to clients, so as an exception, Pivotal recommends a value lower than 240 to force the load balancer to send the TCP RST.
    GCP GCP has a default timeout of 600 seconds, so Pivotal recommends a value greater than 600.
    Other Set the timeout value to be greater than that of the load balancer’s backend idle timeout.

  19. To enable container-to-container networking, perform the following steps:

    1. Select the Enable button. Ert c2c enable
    2. (Optional): Enter an IP range for the overlay network in the Network CIDR box. If you do not set a custom range, PCF Isolation Segment uses 10.255.0.0/16.
    3. (Optional): Enter a UDP port number in the VXLAN Tunnel Endpoint Port box. If you do not set a custom port, PCF Isolation Segment uses 4789. Ert c2c vxlan port For more information about configuring container-to-container networking rules, see the Create Policies for Container-to-Container Networking section of the Administering Container-to-Container Networking topic.
  20. To disable container-to-container networking, perform the following steps:

    1. Select the Disable button. Disablec2c
    2. (Optional): Under Applications Subnet, enter a CIDR subnet mask specifying the range of available IP addresses to assign to your app containers. This must be different from the network used by the system VMs. Modify the default value only if you need to avoid address collision with a third-party service on the same subnet. If you do not set a custom range, PCF Isolation Segment uses 10.254.0.0/22.
  21. Click Save.

  22. (Optional): Edit the configurations in Advanced Features as desired.

  23. In the System Logging menu, select an option from the Do you want to configure syslog for system components? menu. No is selected by default. Iso logging no

  24. If you want to use syslog, select Yes. Iso logging yes

  25. Enter the address of your external syslog aggregation service in the Address field. The address can be a hostname or IP address.

  26. Enter a port number in the Port field.

  27. Select a protocol from the Transport Protocol menu. This is the protocol the sytem uses to transmit logs to syslog.

    1. (Optional) Select the Enable TLS option if you want to transmit logs over TLS.
    2. Enter a Permitted Peer.
    3. Paste the certificate for your TLS certificate authority (CA) in the TLS CA Certificate field.
    4. Click Save.
  28. (Optional): If you are using a dedicated router for your isolation segment, click Resource Config and enter the wildcard DNS entry attached to your load balancer into the Router row under Load Balancers. Resource config

    Note: Configuration settings available in Resource Config vary depending on your IaaS.

    If you do not have the Load Balancers column in your Resource Config, perform the following steps:

    1. Navigate to the Networking section of the PCF Isolation Segment tile.
    2. Specify Router IPs.
    3. Attach the IPs to your load balancer manually.
  29. (Optional): Edit the Stemcell configuration as desired.

  30. Perform the steps in the Create an Isolation Segment section of the Managing Isolation Segments topic to create the isolation segment in the Cloud Controller Database (CCDB).

  31. Return to the Ops Manager Installation Dashboard and click Apply Changes to deploy the tile.

After the tile finishes deploying, see the Managing Isolation Segments topic for more information about managing an isolation segment.

Step 4: (Optional) Copy the Tile

If you want to create multiple isolation segments, perform the following steps to copy the PCF Isolation Segment tile with the Replicator tool:

  1. Download the Replicator tool from the Pivotal Cloud Foundry Isolation Segment section of Pivotal Network.

  2. Navigate to the directory where you downloaded the Replicator tool.

  3. Replicate the tile:

    ./replicator \
        -name "YOUR-NAME" \
        -path /PATH/TO/ORIGINAL.pivotal \
        -output /PATH/TO/COPY.pivotal
    

    Replace the values above with the following:

    • YOUR-NAME: Provide a unique name for the new PCF Isolation Segment tile. The name must be ten characters or less and only contain alphanumeric characters, dashes, underscores, and spaces.
    • /PATH/TO/ORIGINAL: Provide the absolute path to the original PCF Isolation Segment tile you downloaded from Pivotal Network.
    • /PATH/TO/COPY: Provide the absolute path for the copy that the Replicator tool produces.
  4. Follow the procedures in this topic using the new .pivotal file, starting with Step 1.

Create a pull request or raise an issue on the source for this page in GitHub