Private egress
NOTICE: We do not currently offer isolation segments or private egress to customers. This document was part of previous exploratory work for this feature, but it was never completed and is no longer on our roadmap.
To provide customers access to services running on their private network, we provision dedicated isolation segments in separate networks that connect to customer networks over VPN.
To set up private egress for an organization:
- Create a new instance of the
isolation-segment
stack in https://github.com/18F/cg-provision - Update cloud config for the new isolation segment in https://github.com/18F/cg-deploy-bosh
- See https://github.com/18F/cg-deploy-bosh/pull/290 for an example
- Create a new instance group of diego cells with the appropriate placement tag in https://github.com/18F/cg-deploy-cf
- See https://github.com/18F/cg-deploy-cf/pull/366 for an example
-
Create an isolation segment in Cloud Foundry and associate with customer organization
cf create-isolation-segment $segment_name cf enable-org-isolation $org_name $segment_name cf set-org-default-isolation-segment $org_name $segment_name
-
Create an application security group to allow egress to customer network and associate with customer organization
[ { "protocol": "all", "destination": "$private_egress_cidr" } ]
cf create-security-group $asg_name /path/to/asg.json cf bind-security-group $asg_name $org_name
Remaining technical work:
- Update and merge https://github.com/18F/cg-provision/pull/468
- Decide whether isolation segments should be scoped to VPCs or subnets
- Allow ingress to isolation segment from Cloud Foundry control plane
- Add terraform configuration for Virtual Private Gateway, VPN Connection, Customer Gateway
- Automate (or document) setup of isolation segments and association with orgs and spaces
- https://github.com/mevansam/terraform-provider-cf/pull/125
- Automate (or document) setup of application security groups