PCF v2.1 Feature Highlights

This topic highlights important new features included in Pivotal Cloud Foundry (PCF) v2.1.

Ops Manager Highlights

Ops Manager v2.1 includes the following major features:

Stemcell Library

Use the new Stemcell Library to import stemcells, stage stemcells, and view the stemcell versions associated with each product. The Stemcell Library is centrally located for all products.

For more information, see Importing and Managing Stemcells.

AWS KMS Encryption Available for BOSH and Ops Manager VMs

Operators can specify a custom AWS Key Management Service (KMS) encryption key to encrypt all the Elastic Block Store (EBS) volumes in AWS for BOSH VMs and the Ops Manager VM. You can use this feature to meet data-at-rest encryption requirements or as a security best practice.

There is no performance penalty for using encrypted EBS volumes. Pivotal advises all users of PCF on AWS to enable encryption.

For more information about how to encrypt BOSH and Ops Manager VMs, see Configuring Amazon EBS Encryption.

Multiple Read-Only Users Can Be Logged in Simultaneously

Ops Manager users with Full View and Restricted View permissions can be logged in simultaneously. Before this change, only one user at a time could view Ops Manager.

Create a Custom Banner

From the Ops Manager settings, you can now create a custom banner to communicate important messages to operators. Your custom banner appears on each page of the Ops Manager UI or when an operator shells into Ops Manager. For more information about navigating Ops Manager settings, see Settings Page.

Configure an External BOSH CredHub Encryption Provider

You now have the option to select an external CredHub Encryption Provider to store your encryption keys in a hardware security module. For Ops Manager v2.1, the only external provider you can select is the Luna Hardware Security Module (HSM).

For more information about configuring your BOSH CredHub encryption provider, see Director Config Page.

GCS Blobstore Available for External File Storage

You now have the option to select a Google Cloud Storage (GCS) blobstore as your external file storage.

Integrate Azure Application Gateway Load Balancers

You can associate an Azure Application Gateway as your load balancer within an Azure configuration. The Azure Application Gateway offers layer 7 load balancing capabilities, which include a web application firewall and end-to-end SSL encryption.

To learn more about Azure Application Gateway, see Overview of Application Gateway in the Azure documentation.

To learn more about configuring your load balancer for Azure, see the Resource Config Page section of Configuring BOSH Director on Azure Manually.

Add Multiple Clusters to Availability Zones

You can now add multiple clusters to a vSphere Availability Zone (AZ). For more information about configuring AZs for your vSphere installation, see Create Availability Zone Page in the Configuring BOSH Director on vSphere topic.

Expand Your Network with Additional Subnets

Add additional subnets to your network. Each AZ can now have multiple subnets. Click Add Subnet in the Create Networks pane to add a new group of subnet fields. You can also click the trash bin icon to delete your additional subnets. The first subnet of a network remains required.

This feature is only available if you have already deployed Ops Manager. For more information, see Expanding Your Network with Additional Subnets.

Associate AWS ALBs with Jobs

You can now associate an AWS Application Load Balancer (ALB) with a job in an AWS installation. ALBs support features such as WebSockets and HTTP-to-HTTPS redirects.

For more information about ALBs, see What Is an Application Load Balancer? in the AWS documentation.

For more information about how to configure an ALB in your Ops Manager AWS installation, see Resource Config Page.


Pivotal Application Service (PAS) Highlights

Support for S3 Server-Side Encryption with AWS KMS

Operators can now configure PAS to use server-side encryption with AWS Key Management Service (KMS) for S3 blobstores. This configuration is optional. For more information, see Deploying PAS on AWS.

Increased Resiliency, Consistency, and Security for HTTP Routing

You can now configure Gorouter to use TLS for verifying app identity and communicating with app containers. This improves resiliency and consistency for app routes and increases security by encrypting data in transit from Gorouter to back ends.

For more information about the new feature, see TLS to Apps and Other Back-End Services, Preventing Misrouting, and PAS v2.1 Release Notes.

HSTS Support for HAProxy

You can now enable HTTP Strict Transport Security (HSTS) for HAProxy. The HSTS header instructs browsers to use HTTPS exclusively when contacting HAProxy for a period of time you specify. This feature, which includes HSTS preloading, guarantees secure connections every time a browser contacts HAProxy by preventing protocol downgrade attacks and cookie hijacking.

For more information, see Secure Apps Domain with HAProxy.

Container Metrics Included in Syslog Drains

Container metrics can now be delivered through syslog drain bindings created with create-user-provided-service (CUPS).


Apps Manager Highlights

Apps Manager Introduces the Enter JSON Toggle

You can now use JSON for key-value entries in the Apps Manager UI. For information about managing apps and service instances in Apps Manager, see Managing Apps and Service Instances Using Apps Manager.

View and Scale Processes in Apps Manager

You can now view and scale processes in the Apps Manager UI.


PCF Isolation Segment Highlights

Increased Resiliency, Consistency, and Security for HTTP Routing

You can now configure Gorouter to use TLS for verifying app identity and communicating with app containers. This improves resiliency and consistency for app routes and increases security by encrypting data in transit from Gorouter to back ends.

For more information about the new feature, see TLS to Apps and Other Back-End Services, Preventing Misrouting, and PCF Isolation Segment v2.1 Release Notes.

HSTS Support for HAProxy

You can now enable HTTP Strict Transport Security (HSTS) for HAProxy. The HSTS header instructs browsers to use HTTPS exclusively when contacting HAProxy for a period of time you specify. This feature, which includes HSTS preloading, guarantees secure connections every time a browser contacts HAProxy by preventing protocol downgrade attacks and cookie hijacking.

For more information, see Secure Apps Domain with HAProxy.
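One way to verify the Strict-Transport-Security header HAProxy emits once HSTS is enabled, for the HSTS sections under both PAS and PCF Isolation Segment above. This is an added example, not code from the PCF documentation or from HAProxy; it parses the header value the way a browser does (RFC 6797) and then applies the preload-list requirements assumed here (max-age of at least one year, includeSubDomains, and the preload token), without referencing any PCF setting.

```python
# Added example, not from the PCF docs: parse a Strict-Transport-Security header
# as a browser would (RFC 6797) and check it against the requirements assumed
# here for browser preload lists: max-age >= one year, includeSubDomains, preload.
import re
from dataclasses import dataclass

ONE_YEAR = 31536000  # seconds; assumed preload-list minimum for max-age
_DIRECTIVE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*("?)([^";]*?)\2)?\s*$')

@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool

def parse_hsts(header: str) -> HstsPolicy:
    """Parse an HSTS header value; raise ValueError where a UA would reject it."""
    seen, max_age, include_subdomains, preload = set(), None, False, False
    for part in filter(str.strip, header.split(";")):  # empty directives are tolerated
        m = _DIRECTIVE.match(part)
        if not m:
            raise ValueError(f"malformed directive: {part!r}")
        name, value = m.group(1).lower(), m.group(3)
        if name in seen:  # RFC 6797 forbids repeating a directive
            raise ValueError(f"duplicate directive: {name}")
        seen.add(name)
        if name == "max-age":
            if value is None or not (value.isascii() and value.isdigit()):
                raise ValueError("max-age must be a non-negative integer")
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # any other directive is ignored, as the RFC requires
    if max_age is None:
        raise ValueError("max-age is required")
    return HstsPolicy(max_age, include_subdomains, preload)

def preload_problems(header: str) -> list[str]:
    """Reasons the header would not qualify for preload; an empty list means it does."""
    try:
        p = parse_hsts(header)
    except ValueError as exc:
        return [str(exc)]
    checks = [(p.max_age >= ONE_YEAR, f"max-age {p.max_age} is below one year"),
              (p.include_subdomains, "includeSubDomains is missing"),
              (p.preload, "preload token is missing")]
    return [msg for ok, msg in checks if not ok]
```

Feed it the value of the Strict-Transport-Security header from a response served through HAProxy; a non-empty list explains why browsers would not treat the domain as preload-eligible.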
