US flag signifying that this is a United States Federal Government website An official website of the United States government

Private egress

Private egress

This page is primarily for the cloud.gov team. It's public so that you can learn from it. For help using cloud.gov, see the user docs.

To provide customers access to services running on their private network, we provision dedicated isolation segments in separate networks that connect to customer networks over VPN.

To set up private egress for an organization: * Create a new instance of the isolation-segment stack in https://github.com/18F/cg-provision * Update cloud config for the new isolation segment in https://github.com/18F/cg-deploy-bosh * See https://github.com/18F/cg-deploy-bosh/pull/290 for an example * Create a new instance group of diego cells with the appropriate placement tag in https://github.com/18F/cg-deploy-cf * See https://github.com/18F/cg-deploy-cf/pull/366 for an example * Create an isolation segment in Cloud Foundry and associate with customer organization

    cf create-isolation-segment $segment_name
    cf enable-org-isolation $org_name $segment_name
    cf set-org-default-isolation-segment $org_name $segment_name
  • Create an application security group to allow egress to customer network and associate with customer organization

    [
      {
        "protocol": "all",
        "destination": "$private_egress_cidr"
      }
    ]
    
    cf create-security-group $asg_name /path/to/asg.json
    cf bind-security-group $asg_name $org_name
    

Remaining technical work: * Update and merge https://github.com/18F/cg-provision/pull/468 * Decide whether isolation segments should be scoped to VPCs or subnets * Allow ingress to isolation segment from Cloud Foundry control plane * Add terraform configuration for Virtual Private Gateway, VPN Connection, Customer Gateway * Automate (or document) setup of isolation segments and association with orgs and spaces * https://github.com/mevansam/terraform-provider-cf/pull/125 * Automate (or document) setup of application security groups