Skip to main content Skip to section navigation
U.S. flag

An official website of the United States government

Private egress

NOTICE: We do not currently offer isolation segments or private egress to customers. This document was part of previous exploratory work for this feature, but it was never completed and is no longer on our roadmap.

To provide customers access to services running on their private network, we provision dedicated isolation segments in separate networks that connect to customer networks over VPN.

To set up private egress for an organization:

  • Create a new instance of the isolation-segment stack in https://github.com/18F/cg-provision
  • Update cloud config for the new isolation segment in https://github.com/18F/cg-deploy-bosh
    • See https://github.com/18F/cg-deploy-bosh/pull/290 for an example
  • Create a new instance group of diego cells with the appropriate placement tag in https://github.com/18F/cg-deploy-cf
    • See https://github.com/18F/cg-deploy-cf/pull/366 for an example
  • Create an isolation segment in Cloud Foundry and associate with customer organization

      cf create-isolation-segment $segment_name
      cf enable-org-isolation $org_name $segment_name
      cf set-org-default-isolation-segment $org_name $segment_name
    
  • Create an application security group to allow egress to customer network and associate with customer organization

      [
        {
          "protocol": "all",
          "destination": "$private_egress_cidr"
        }
      ]
    
      cf create-security-group $asg_name /path/to/asg.json
      cf bind-security-group $asg_name $org_name
    

Remaining technical work:

  • Update and merge https://github.com/18F/cg-provision/pull/468
    • Decide whether isolation segments should be scoped to VPCs or subnets
    • Allow ingress to isolation segment from Cloud Foundry control plane
    • Add terraform configuration for Virtual Private Gateway, VPN Connection, Customer Gateway
  • Automate (or document) setup of isolation segments and association with orgs and spaces
    • https://github.com/mevansam/terraform-provider-cf/pull/125
  • Automate (or document) setup of application security groups

cloud.gov

An official website of the U.S. General Services Administration

Looking for U.S. government information and services?
Visit USA.gov