Restricting users to trusted IP ranges
You can configure cloud.gov to restrict users in a particular domain (e.g.,
agency.gov) from using cloud.gov services unless their requests originate from a trusted network location. You can use this feature to help your agency comply with the Trusted Internet Connections (TIC) Initiative while using cloud.gov. For more context, see Meeting TIC requirements.
This feature only limits requests to cloud.gov services, such as the cloud.gov API accessed via the command line and the cloud.gov dashboard. This feature does not restrict requests directly to applications that you run on cloud.gov, though you can do that on your own.
Contact support to configure restrictions for your domain
Note: As of October 2017, this feature is not yet available, pending FedRAMP approval. If you want to configure this feature, create a ticket and our team will let you know our estimated timeline for approval.
Create a support ticket specifying the IP address ranges that are valid for your domain. Because address restriction applies to all cloud.gov users from your email domain, we will request confirmation from your agency CIO before changing the configuration.
Grant roles only to users from your restricted domain
To fully limit access to your apps and services, you must ensure that all users with roles in your orgs and spaces are using email addresses within your email domain. For example, if your email domain is
agency.gov but you grant access to a contractor whose email address is
firstname.lastname@example.org, the contractor will not be limited to your configured IP address ranges. We recommend you give contractors an e-mail address within your domain like
email@example.com, and grant roles to them using only that address.
Restricting access to your own applications
Limiting or restricting access for both ingress and egress traffic from your applications is fairly straightforward through a feature called Application Security Groups, or ASGs. ASGs support white- and black-listing network traffic from given IPv4 ranges. For IPv6 and other more complex restriction cases, you can leverage a proxy application in a sidecar deployment pattern. We’ve published an example proxy application using the Nginx buildpack.
Application Security Groups (ASGs) support two types of scoping:
These scopes allow both operators and developers to have fine-grained access control. Platform-scoped ASGs are applied at the platform level, and would apply to all tenants of cloud.gov. The cloud.gov team does not apply platform-scoped ASGs as they can interrupt tenant operations unless they are needed to meet platform compliance requirements.
Space-scoped ASGs are specific to a given tenant’s space within their own organization. Tenants can create space-specific security groups that apply to all applications within a given space. To apply a space-scoped ASG to a single application, create a new space, assign the ASG, and then deploy the application in that space.
cloud.gov is preconfigured with two ASGs:
dns. These ASGs are applied by default to all containers in your deployment.
public_networks: This group allows access to public networks, and blocks access to private networks and link-local addresses. cloud.gov blocks outgoing traffic to private IP ranges through allowing all other address ranges.
dns: This group allows access to DNS on port 53 for any IP address.
If you need more information about Application Security Groups, the Cloud Foundry documentation goes into depth about ASGs and the various features they provide.