Administering Container-to-Container Networking

This topic describes how to configure the Container-to-Container Networking feature. For an overview of how Container-to-Container Networking works, see the Understanding Container-to-Container Networking topic.

Create Policies for Container-to-Container Networking

This section describes how to create and modify Container-to-Container Networking policies using the Cloud Foundry Command Line Interface (cf CLI).

Ensure that you are using cf CLI v6.30 or higher:

$ cf version
For more information about updating the cf CLI, see the Installing the cf CLI topic.

To use the commands, you must have either the network.write or network.admin UAA scope.

UAA Scope        Suitable for…        Allows users to create policies…
network.admin    operators            for any apps in the CF deployment
network.write    space developers     for apps in spaces that they can access

If you are a CF admin, you already have the network.admin scope. An admin can also grant the network.admin scope to a space developer.

For more information, see Creating and Managing Users with the UAA CLI (UAAC) and Orgs, Spaces, Roles, and Permissions.

Add a Network Policy

To add a policy that allows direct network traffic from one app to another, run the following command:

cf add-network-policy SOURCE_APP --destination-app DESTINATION_APP --protocol PROTOCOL --port RANGE

Replace the placeholders in the above command as follows:

  • SOURCE_APP is the name of the app that sends traffic.
  • DESTINATION_APP is the name of the app that will receive traffic.
  • PROTOCOL is one of the following: tcp or udp.
  • RANGE is the port or range of ports on which the destination app accepts connections. The allowed range is from 1 to 65535. You can specify a single port, such as 8080, or a range of ports, such as 8080-8090.

The following example command allows access from the frontend app to the backend app over TCP at port 8080:

$ cf add-network-policy frontend --destination-app backend --protocol tcp --port 8080
Adding network policy to app frontend in org my-org / space dev as admin...
OK

List Policies

You can list all the policies in your space, or just the policies for which a single app is the source:

  • To list all the policies in your space, run cf network-policies.

    $ cf network-policies

  • To list the policies for an app, run cf network-policies --source MY-APP. Replace MY-APP with the name of your app.

    $ cf network-policies --source example-app

    The following example command lists policies for the app frontend:

    $ cf network-policies --source frontend
    Listing network policies in org my-org / space dev as admin...

    source      destination   protocol   ports
    frontend    backend       tcp        8080

Remove a Network Policy

To remove a policy that allows direct network traffic from an app, run the following command:

cf remove-network-policy SOURCE_APP --destination-app DESTINATION_APP --protocol PROTOCOL --port RANGE

Replace the placeholders in the above command to match an existing policy, as follows:

  • SOURCE_APP is the name of the app that sends traffic.
  • DESTINATION_APP is the name of the app that receives traffic.
  • PROTOCOL is either tcp or udp.
  • RANGE is the port or range of ports in the existing policy. The allowed range is from 1 to 65535. You can specify a single port, such as 8080, or a range of ports, such as 8080-8090.

The following command deletes the policy that allowed the frontend app to communicate with the backend app over TCP on port 8080:

$ cf remove-network-policy frontend --destination-app backend --protocol tcp --port 8080
Removing network policy to app frontend in org my-org / space dev as admin...
OK
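Because add-network-policy and remove-network-policy are the only way policies change, the list output above is a complete record of which app-to-app paths are open in a space, and a space developer with network.write can open new ones at any time. The following POSIX shell script is an added example, not part of this topic or of the cf CLI: it validates a port range the way the CLI's 1 to 65535 rule requires before you pass it to add-network-policy, compares the table printed by cf network-policies against an allowlist you maintain, and prints the add-network-policy / remove-network-policy commands that would bring the space back to the allowlist. The sample output and the allowlist are constructed for the example, and the function names (valid_port_range, policy_diff, remediation_commands) are the example's own; nothing here runs cf, so you can review the proposed commands before executing them.

```shell
#!/bin/sh
# Added example: audit container-to-container network policies against an allowlist.
# Nothing here calls cf; feed it the output of `cf network-policies` yourself.
export LC_ALL=C   # deterministic sort order for the comparison

# Constructed sample of `cf network-policies` output (not captured from a real deployment).
SAMPLE_POLICIES='Listing network policies in org my-org / space dev as admin...

source      destination   protocol   ports
frontend    backend       tcp        8080
frontend    cache         tcp        6379-6380
debug-tool  backend       udp        53'

# Constructed allowlist, one policy per line: source destination protocol ports
EXPECTED='frontend backend tcp 8080
frontend cache tcp 6379-6380'

# valid_port_range PORT_OR_RANGE
# Returns 0 for a single port or LOW-HIGH range within 1..65535, 1 otherwise.
valid_port_range() {
  case "$1" in
    ''|*[!0-9-]*|-*|*-|*-*-*) return 1 ;;   # empty, non-digits, stray or double dashes
  esac
  low=${1%%-*}
  high=${1##*-}
  [ "$low" -ge 1 ] && [ "$low" -le 65535 ] &&
    [ "$high" -ge 1 ] && [ "$high" -le 65535 ] && [ "$low" -le "$high" ]
}

# normalize_policies CF_OUTPUT
# Drops the "Listing ..." banner, blank lines and the header row; prints
# "source destination protocol ports" with single spaces, sorted.
normalize_policies() {
  printf '%s\n' "$1" |
    awk 'NF == 4 && $1 != "source" { print $1, $2, $3, $4 }' |
    sort
}

# policy_diff CF_OUTPUT ALLOWLIST
# Prints "UNEXPECTED <policy>" for policies present but not allowlisted and
# "MISSING <policy>" for allowlisted policies that are not present.
policy_diff() {
  actual=$(normalize_policies "$1")
  allowed=$(printf '%s\n' "$2" | awk 'NF == 4 { print $1, $2, $3, $4 }' | sort)
  printf '%s\n' "$actual" | awk -v allow="$allowed" '
    BEGIN { n = split(allow, lines, "\n"); for (i = 1; i <= n; i++) seen[lines[i]] = 1 }
    NF     { if ($0 in seen) delete seen[$0]; else print "UNEXPECTED " $0 }
    END    { for (p in seen) print "MISSING " p }' |
    sort
}

# remediation_commands CF_OUTPUT ALLOWLIST
# Turns the diff into the cf commands from this topic; review before running.
remediation_commands() {
  policy_diff "$1" "$2" | awk '
    $1 == "UNEXPECTED" { printf "cf remove-network-policy %s --destination-app %s --protocol %s --port %s\n", $2, $3, $4, $5 }
    $1 == "MISSING"    { printf "cf add-network-policy %s --destination-app %s --protocol %s --port %s\n", $2, $3, $4, $5 }'
}

# Stand-alone demo on the constructed sample.
echo "Policy drift:"
policy_diff "$SAMPLE_POLICIES" "$EXPECTED"
echo "Proposed remediation:"
remediation_commands "$SAMPLE_POLICIES" "$EXPECTED"
```

Against the constructed sample the audit reports the debug-tool to backend UDP policy as UNEXPECTED and proposes the matching cf remove-network-policy command; in practice you would replace SAMPLE_POLICIES with `cf network-policies` output captured per space and keep the allowlist under version control so policy changes show up in review.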
