Application Security Groups (ASGs) are collections of egress rules that specify the protocols, ports, and IP address ranges to which app or task instances may send traffic. The platform uses these rules to filter and log outbound network traffic from app and task instances. ASGs apply to both buildpack-based and Docker-based apps and tasks.
Types of ASGs:
- Default: public_networks, dns
- Staging vs. Running
- Platform-wide vs. space-scoped
Typical ASGs:

| ASG | For access to |
|---|---|
| dns | DNS, either public or private |
| public-networks | Public networks, excluding IaaS metadata endpoints |
| private-networks | Private networks in accordance with RFC 1918 |
| load-balancers | The internal Cloud Foundry load balancer and others |
| internal-proxies | Internal proxies |
| internal-databases | Internal databases |
How do you define one?

Create the group from a JSON rules file:

```shell
cf create-security-group SECURITY-GROUP PATH-TO-RULES-FILE
```

Rules file, e.g.:

```json
[
  {
    "protocol": "icmp",
    "destination": "0.0.0.0/0",
    "type": 0,
    "code": 0
  },
  {
    "protocol": "tcp",
    "destination": "10.0.11.0/24",
    "ports": "80,443",
    "log": true,
    "description": "Allow http and https traffic from ZoneA"
  }
]
```

Then bind it, for example to the platform-wide staging set:

```shell
cf bind-staging-security-group SECURITY-GROUP
```
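As an added example (not from the original post or from the Cloud Foundry project), a small linter for a rules file in the format above: it checks the fields each protocol needs, expands the ports string, and flags any destination that would include the IaaS metadata endpoint that the public-networks ASG is meant to exclude. It also accepts the "a-b" address-range form the cf CLI allows for destination; the sample rules are constructed and add one deliberately over-broad rule to the two from the page.

```python
import ipaddress
import json
# Constructed sample rules (not from a real deployment): the page's two rules plus an over-broad third.
SAMPLE_RULES = """
[
  {"protocol": "icmp", "destination": "0.0.0.0/0", "type": 0, "code": 0},
  {"protocol": "tcp", "destination": "10.0.11.0/24", "ports": "80,443",
   "log": true, "description": "Allow http and https traffic from ZoneA"},
  {"protocol": "tcp", "destination": "0.0.0.0/0", "ports": "1-65535"}
]
"""
METADATA_ENDPOINT = "169.254.169.254"  # IaaS metadata endpoint the public-networks ASG excludes

def parse_ports(spec):
    """Expand a ports string such as '80,443' or '8000-8080' into a set of ints."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo_n, hi_n = int(lo), int(hi or lo)
        if not 1 <= lo_n <= hi_n <= 65535:
            raise ValueError(f"bad port spec: {spec!r}")
        ports.update(range(lo_n, hi_n + 1))
    return ports

def covers(destination, ip):
    """True if a destination (single IP, CIDR block or 'a-b' range) contains ip."""
    addr = ipaddress.ip_address(ip)
    if "-" in destination:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in destination.split("-", 1))
        return lo <= addr <= hi
    return addr in ipaddress.ip_network(destination, strict=False)

def lint_rules(text):
    """Return (rule_index, finding) pairs for a rules file in ASG JSON format."""
    findings = []
    for i, rule in enumerate(json.loads(text)):
        proto = rule.get("protocol")
        if proto not in ("tcp", "udp", "icmp", "all"):
            findings.append((i, f"unknown protocol {proto!r}"))
            continue
        ports = parse_ports(rule["ports"]) if "ports" in rule else set()
        if proto in ("tcp", "udp") and not ports:
            findings.append((i, "tcp/udp rule without ports"))
        if proto == "icmp" and not ("type" in rule and "code" in rule):
            findings.append((i, "icmp rule without type/code"))
        if covers(rule["destination"], METADATA_ENDPOINT):
            findings.append((i, "destination includes the IaaS metadata endpoint"))
        if len(ports) == 65535 and rule["destination"] == "0.0.0.0/0":
            findings.append((i, "allows every port to every address"))
    return findings
```

Run `lint_rules(SAMPLE_RULES)` against a rules file before `cf create-security-group` to catch rules that reach the metadata endpoint or open every port to every address.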
What can an ASG apply to?

An ASG can be applied to:
1. the platform-wide running or staging ASG set
2. a space-scoped running or staging set
What is the difference between whitelisting and blacklisting? Which do you use when defining an ASG?

ASGs use a whitelist (allow list): the rules define the permitted set of destination addresses, ports and protocols, and outbound traffic that matches no rule is not allowed.