[cf-dev] Understanding the external network access in Diego


[cf-dev] Understanding the external network access in Diego

Lev Berman
Hello, everyone!

I have a Diego application. From the app's Garden container I can access the Internet and establish connections with tcp services running on other VMs but I can't connect to a tcp service running on the same VM until I allow the container to access external networks via the Garden API - https://github.com/cloudfoundry-incubator/garden/blob/master/doc/garden-api.md#allow-a-container-to-access-external-networks-and-ports. Also, I've created CF security groups to allow tcp traffic for all VMs I am trying to connect to.

My questions are: is this expected functionality, and what is the idea of the "allow the container to access external networks" API call, since it only affects access to the same VM?

Thanks!

--
Lev Berman

Altoros - Cloud Foundry deployment, training and integration


_______________________________________________
cf-dev mailing list
[hidden email]
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

Re: [cf-dev] Understanding the external network access in Diego

James Bayer
This setting is because we assume multi-tenant installations. It is strongly recommended that operators should have their CF configurations and application security group configurations set up to only allow outbound connectivity from within containers to other containers by going through the CF load balancer, and not directly connecting to other cell host/port mappings of application instances.

On Thu, May 14, 2015 at 1:52 AM, Lev Berman <[hidden email]> wrote:
Hello, everyone!

I have a Diego application. From the app's Garden container I can access the Internet and establish connections with tcp services running on other VMs but I can't connect to a tcp service running on the same VM until I allow the container to access external networks via the Garden API - https://github.com/cloudfoundry-incubator/garden/blob/master/doc/garden-api.md#allow-a-container-to-access-external-networks-and-ports. Also, I've created CF security groups to allow tcp traffic for all VMs I am trying to connect to.

My questions are: is this expected functionality, and what is the idea of the "allow the container to access external networks" API call, since it only affects access to the same VM?

Thanks!

--
Thank you,

James Bayer

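The recommendation in the reply above (let containers reach the load balancer and the Internet, but not other cells' host/port mappings) can be checked against a concrete application security group definition. The following is an added example, not code from this thread, from Cloud Foundry or from Diego. It models the CF ASG rule JSON shape (`protocol`, `destination`, `ports`; ASGs are pure allow-lists, so anything unmatched is denied), evaluates which outbound connections a rule set permits, and flags rules whose destination reaches a given cell subnet. The two rule sets and every IP address, subnet and port below are constructed sample values (the "public" ranges simply exclude RFC 1918 space); the `type`/`code`/`log` fields of real ASG rules and non-TCP/UDP protocols are left out of the model.

```python
"""Audit Cloud Foundry ASG egress rules against a Diego cell subnet (added example)."""
import ipaddress
import json
from typing import List, Optional

# Constructed sample: an overly broad group that lets app containers reach every
# host in the private range, including cell host/port mappings of other apps.
BROAD_ASG = json.loads("""
[
  {"protocol": "tcp", "destination": "10.0.0.0/8", "ports": "1-65535"}
]
""")

# Constructed sample following the thread's advice: DNS, the CF load balancer
# on 80/443, and public address space only. No rule names the cell subnet.
RECOMMENDED_ASG = json.loads("""
[
  {"protocol": "udp", "destination": "10.0.0.2",   "ports": "53"},
  {"protocol": "tcp", "destination": "10.0.16.4",  "ports": "80,443"},
  {"protocol": "tcp", "destination": "0.0.0.0-9.255.255.255"},
  {"protocol": "tcp", "destination": "11.0.0.0-172.15.255.255"},
  {"protocol": "tcp", "destination": "172.32.0.0-192.167.255.255"},
  {"protocol": "tcp", "destination": "192.169.0.0-255.255.255.255"}
]
""")

# Constructed sample: the subnet the Diego cells live on.
CELL_SUBNET = "10.0.32.0/24"


def _range_bounds(destination: str):
    """Split an ASG 'a.b.c.d-w.x.y.z' destination into its two endpoint addresses."""
    lo, hi = (ipaddress.ip_address(p.strip()) for p in destination.split("-", 1))
    return lo, hi


def _dest_contains(destination: str, ip: str) -> bool:
    """ASG destinations may be a single IP, a CIDR block, or an 'a-b' range."""
    addr = ipaddress.ip_address(ip)
    if "-" in destination:
        lo, hi = _range_bounds(destination)
        return lo <= addr <= hi
    # A bare IP is treated as a /32; strict=False tolerates host bits in a CIDR.
    return addr in ipaddress.ip_network(destination, strict=False)


def _ports_contain(ports: Optional[str], port: int) -> bool:
    """'ports' is a comma-separated list of ports or 'a-b' ranges; absent means all ports."""
    if not ports:
        return True
    for piece in ports.split(","):
        piece = piece.strip()
        if "-" in piece:
            lo, hi = (int(p) for p in piece.split("-", 1))
            if lo <= port <= hi:
                return True
        elif int(piece) == port:
            return True
    return False


def egress_allowed(rules: List[dict], protocol: str, ip: str, port: int) -> bool:
    """True if any rule permits the connection; ASGs have no deny rules, so no match means denied."""
    return any(
        r["protocol"] == protocol
        and _dest_contains(r["destination"], ip)
        and _ports_contain(r.get("ports"), port)
        for r in rules
    )


def rules_reaching(rules: List[dict], cidr: str) -> List[dict]:
    """Return the rules whose destination overlaps `cidr` (e.g. the cell subnet)."""
    net = ipaddress.ip_network(cidr, strict=False)
    hits = []
    for r in rules:
        dest = r["destination"]
        if "-" in dest:
            lo, hi = _range_bounds(dest)
            overlap = lo <= net.broadcast_address and hi >= net.network_address
        else:
            overlap = net.overlaps(ipaddress.ip_network(dest, strict=False))
        if overlap:
            hits.append(r)
    return hits


if __name__ == "__main__":
    for name, asg in (("broad", BROAD_ASG), ("recommended", RECOMMENDED_ASG)):
        print(f"{name}: load balancer 443 allowed =",
              egress_allowed(asg, "tcp", "10.0.16.4", 443))
        print(f"{name}: cell host port 61001 allowed =",
              egress_allowed(asg, "tcp", "10.0.32.7", 61001))
        print(f"{name}: rules reaching {CELL_SUBNET} =", rules_reaching(asg, CELL_SUBNET))
```

The point of `rules_reaching` is that a rule such as `10.0.0.0/8` never mentions the cells, yet still grants direct container-to-cell access; checking each group's destinations against the cell subnet before running `cf create-security-group` catches that, whereas looking only at the rule that names the load balancer does not.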