Managing Isolation Segments

Warning: Pivotal Cloud Foundry (PCF) v2.5 is no longer supported because it has reached the End of General Support (EOGS) phase as defined by the Support Lifecycle Policy. To stay up to date with the latest software and security updates, upgrade to a supported version.

This topic describes how operators can isolate deployment workloads into dedicated resource pools called isolation segments.

Requirements

You must have v6.26.0 or later of the Cloud Foundry Command Line Interface (cf CLI) installed to manage isolation segments.

Target the API endpoint of your deployment with cf api and log in with cf login before performing the procedures in this topic. For more information, see the Identifying the API Endpoint for your PAS Instance topic.

Overview

To enable isolation segments, an operator must install the PCF Isolation Segment tile by performing the procedures in the Installing PCF Isolation Segment topic. Installing the tile creates a single isolation segment.

After an admin creates a new isolation segment, the admin can then create and manage relationships between the orgs and spaces of a Pivotal Application Service (PAS) deployment and the new isolation segment.

Create an Isolation Segment

Before you create an isolation segment in PCF, you must install the PCF Isolation Segment tile by performing the procedures in the Installing PCF Isolation Segment topic.

To register an isolation segment with Cloud Controller, use the cf CLI.

Note: The isolation segment name used in the cf CLI command must match the value specified in the Segment Name field of the PCF Isolation Segment tile. If the names do not match, PCF fails to place apps in the isolation segment when apps are started or restarted in the space assigned to the isolation segment.

To create an isolation segment, run:

cf create-isolation-segment SEGMENT-NAME

Where SEGMENT-NAME is the name of the isolation segment.

If successful, the command returns an OK message:

Creating isolation segment SEGMENT-NAME as admin...
OK

Retrieve Isolation Segment Information

The cf isolation-segments, cf org, and cf space commands retrieve information about isolation segments. The isolation segments you can see depend on your role, as follows:

  • Admins see all isolation segments in the system.
  • Other users only see the isolation segments that their orgs are entitled to.

List Isolation Segments

To return a list of the isolation segments that are available to you, run:

cf isolation-segments

For example, the command returns results similar to:

Getting isolation segments as admin...
OK

name           orgs
SEGMENT-NAME   org1, org2

Display Isolation Segments Enabled for an Org

An admin can entitle an org to multiple isolation segments.

To view the isolation segments that are available to an org, run:

cf org ORG-NAME

Where ORG-NAME is the name of your org.

The command returns results similar to:

Getting info for org my-org as user@example.com...

name:                 ORG-NAME
domains:              example.com, apps.example.com
quota:                paid
spaces:               development, production, sample-apps, staging
isolation segments:   SEGMENT-NAME, SEGMENT-NAME-2

Show the Isolation Segment Assigned to a Space

Only one isolation segment can be assigned to a space.

To view the isolation segment that is assigned to a space, run:

cf space SPACE-NAME

Where SPACE-NAME is the name of your space.

The command returns results similar to:

name:                SPACE-NAME
org:                 ORG-NAME
apps:
services:
isolation segment:   SEGMENT-NAME
space quota:
security groups:     dns, p-mysql, p.mysql, public_networks, rabbitmq, ssh-logging

Delete an Isolation Segment

Note: An isolation segment with deployed apps cannot be deleted.

Only admins can delete isolation segments.

To delete an isolation segment, run:

cf delete-isolation-segment SEGMENT-NAME

Where SEGMENT-NAME is the name of the isolation segment.

If successful, the command returns an OK message.

For example:

$ cf delete-isolation-segment SEGMENT-NAME
Deleting isolation segment SEGMENT-NAME as admin...
OK

Manage Isolation Segment Relationships

The commands listed in the sections below manage the relationships between isolation segments, orgs, and spaces.

Enable an Org to Use Isolation Segments

Only admins can enable orgs to use isolation segments.

To enable the use of an isolation segment, run:

cf enable-org-isolation ORG-NAME SEGMENT-NAME

Where:

  • ORG-NAME is the name of your org.
  • SEGMENT-NAME is the name of the isolation segment.

If an org is entitled to use only one isolation segment, that isolation segment does not automatically become the default isolation segment for the org. You must explicitly set the default isolation segment of an org. For more information, see Set the Default Isolation Segment for an Org.

Disable an Org from Using Isolation Segments

Note: You cannot disable an org from using an isolation segment if a space within that org is assigned to the isolation segment. Additionally, you cannot disable an org from using an isolation segment if the isolation segment is configured as the default for that org.

To disable an org from using an isolation segment, run:

cf disable-org-isolation ORG-NAME SEGMENT-NAME

Where:

  • ORG-NAME is the name of your org.
  • SEGMENT-NAME is the name of the isolation segment.

If successful, the command returns an OK message:

Removing entitlement to isolation segment SEGMENT-NAME from ORG-NAME as admin...
OK

Set the Default Isolation Segment for an Org

This section requires cf CLI v6.29.0 or later.

Only admins and org managers can set the default isolation segment for an org.

When an org has a default isolation segment, apps in its spaces belong to the default isolation segment unless you assign them to another isolation segment. You must restart running apps to move them into the default isolation segment.

To set the default isolation segment for an org, run:

cf set-org-default-isolation-segment ORG-NAME SEGMENT-NAME

Where:

  • ORG-NAME is the name of your org.
  • SEGMENT-NAME is the name of the isolation segment.

For example:

$ cf set-org-default-isolation-segment ORG-NAME SEGMENT-NAME
Setting isolation segment SEGMENT-NAME to default on ORG-NAME as admin...
OK

To display the default isolation segment for an org, use the cf org command.

Assign an Isolation Segment to a Space

Admins and org managers can assign an isolation segment to a space. Apps in that space start in the specified isolation segment.

To assign an isolation segment to a space, you must first enable the space’s org to use the isolation segment. For more information, see Enable an Org to Use Isolation Segments.

To assign an isolation segment to a space, run:

cf set-space-isolation-segment SPACE-NAME SEGMENT-NAME

Where:

  • SPACE-NAME is the name of the space.
  • SEGMENT-NAME is the name of the isolation segment.
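The following check is an added example, not part of the original documentation: it parses the cf org and cf space output formats shown in this topic to confirm that a space is assigned to the expected isolation segment and that its org is entitled to that segment. The sample output, the names my-org and segment-a, and the function names are constructed for illustration.

```shell
# Added example: audit a space's isolation segment from saved cf CLI output.
# SAMPLE_ORG and SAMPLE_SPACE are constructed samples in the format this topic shows.
SAMPLE_ORG='name:                 my-org
domains:              example.com
quota:                paid
spaces:               development, production
isolation segments:   segment-a, segment-b'

SAMPLE_SPACE='name:                production
org:                 my-org
apps:
services:
isolation segment:   segment-a
space quota:'

# Print the value of the first "FIELD:   value" line read from stdin.
cf_field() {
  sed -n "s/^$1:[[:space:]]*//p" | sed 's/[[:space:]]*$//' | head -n 1
}

# Print the segments an org is entitled to, one per line.
org_segments() {
  cf_field 'isolation segments' | tr ',' '\n' |
    sed 's/^[[:space:]]*//; s/[[:space:]]*$//; /^$/d'
}

# Print the segment assigned to a space (empty when none is assigned).
space_segment() {
  cf_field 'isolation segment'
}

# audit_space ORG_OUTPUT SPACE_OUTPUT EXPECTED_SEGMENT
# Returns 0 only when the space is assigned to EXPECTED_SEGMENT and the org
# is entitled to it; 1 = nothing assigned, 2 = wrong segment, 3 = no entitlement.
audit_space() {
  assigned=$(printf '%s\n' "$2" | space_segment)
  if [ -z "$assigned" ]; then
    echo "FAIL: no isolation segment assigned to space"; return 1
  fi
  if [ "$assigned" != "$3" ]; then
    echo "FAIL: space is in '$assigned', expected '$3'"; return 2
  fi
  if ! printf '%s\n' "$1" | org_segments | grep -Fqx -- "$3"; then
    echo "FAIL: org is not entitled to '$3'"; return 3
  fi
  echo "OK: space assigned to '$3' and org is entitled to it"
}

audit_space "$SAMPLE_ORG" "$SAMPLE_SPACE" segment-a
```

To audit a live deployment, pass the captured output of cf org ORG-NAME and cf space SPACE-NAME in place of the constructed samples.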

Reset the Isolation Segment Assignment for a Space

Admins can reset the isolation segment assigned to a space to use the org’s default isolation segment.

To assign the default isolation segment for an org to a space, run:

cf reset-space-isolation-segment SPACE-NAME

Where SPACE-NAME is the name of the space.