forked from pivotal-cf/docs-pcf-install
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy path_networking-master.html.md.erb
120 lines (104 loc) · 8.37 KB
/
_networking-master.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
1. For **Router IPs** **HAProxy IPs**, see the following guidance:
* For **AWS**, **Azure**, and **GCP**, leave these fields blank. You do not need to complete these fields when deploying PCF on these infrastructures.
* For **OpenStack** and **vSphere** the values you enter in the **Router IPs** and **HAProxy IPs** fields depend on whether you are using HAProxy in your deployment. Use the table below to determine how to complete these fields.
<p class="note"><strong>Note:</strong> If you choose to assign specific IP addresses in either the <strong>Router IPs</strong> or <strong>HAProxy IPs</strong> field, ensure that these IP addresses are in the subnet that you configured for PAS in Ops Manager.</p>
<table border="1" class="nice" >
<tr>
<th><strong>Using HAProxy?</strong></th>
<th><strong>Router IPs Field</strong></th>
<th><strong>HAProxy IPs Field</strong></th>
</tr>
<tr>
<td>No</td>
<td><ol>
<li>Choose IP addresses from the subnet you configured in Ops Manager.</li>
<li>Enter these IP addresses in the <strong>Router IPs</strong> field. You should specify more than one IP address for high availability.</li>
<li>Configure your load balancer to forward requests for the domains that you have configured for your deployment to these IP addresses.</li>
</ol></td>
<td>Leave this field blank.</td>
</tr>
<tr>
<td>Yes</td>
<td>Leave this field blank.</td>
<td><ol>
<li>Choose IP addresses from the subnet you configured in Ops Manager.</li>
<li>Enter these IP addresses in the <strong>HAProxy IPs</strong> field. You should specify more than one IP address for high availability. </li>
<li>Configure your load balancer to forward requests for the domains you have configured for your deployment to these IP addresses.</li>
</ol>
</tr>
</table>
1. For **SSH Proxy IPs** and **TCP Router IPs**, see the following guidance:
* For **AWS**, **Azure**, and **GCP**, leave these fields blank. You do not need to complete these fields when deploying PCF on these infrastructures.
* For **OpenStack** and **vSphere**:
* (Optional) In **SSH Proxy IPs**, add the IP address for your Diego Brain, which will accept requests to SSH into application containers on port `2222`.
* (Optional) In **TCP Router IPs**, add the IP address(es) you would like assigned to the TCP Routers. You enable this feature at the bottom of this screen.
<p class='note'><strong>Note:</strong> If you have mutual TLS app identity verification enabled, app containers accept incoming communication only from the Gorouter. This disables TCP routing.</p>
1. <%= partial 'haproxy_router_cert_config' %>
1. <%= partial 'router_haproxy_ca' %>
1. <%= partial 'min_tls_version' %>
1. <%= partial 'ip_logging' %>
1. <%= partial 'xforwarded_client_cert_xfcc' %>
1. <%= partial 'haproxy_client_cert_validation' %>
1. <%= partial 'gorouter_client_cert_validation' %>
1. <%= partial 'tls_cipher_suites_router' %>
<p class='note'><strong>Note:</strong> AWS Classic Load Balancers do not support PCF's default cipher suites. See <a href="../adminguide/securing-traffic.html#default">TLS Cipher Suite Support by AWS Load Balancers</a>
for information about configuring your AWS load balancers and Gorouter.</p>
1. <%= partial 'tls_cipher_suites_haproxy' %>
1. <%= partial 'haproxy_router_tls_forward' %>
1. <%= partial 'haproxy_hsts_config_cloudform' %>
1. <%= partial 'ssl_verification' %>
1. <%= partial 'http_disable' %>
1. <%= partial 'insecure_cookies' %>
1. <%= partial 'zipkin_enable' %>
1. <%= partial 'enable_router_local_logs' %>
1. By default, the PAS routers handle traffic for applications deployed to an isolation segment created by the PCF Isolation Segment tile. To configure the PAS routers to reject requests for applications within isolation segments, select the **Routers reject requests for Isolation Segments** checkbox.
<%= image_tag 'isolate-network.png' %>
Do not enable this option without deploying routers for each isolation segment. See the following topics for more information:
* [Installing PCF Isolation Segment](../customizing/installing-pcf-is.html)
* [Sharding Routers for Isolation Segments](../adminguide/routing-is.html#sharding-routers-isolation-segment).
1. <%= partial 'enable-proxy-support' %>
1. <%= partial 'route_services' %>
1. <%= partial 'max_connections_backend' %>
1. <%= partial 'keepalive_connections' %>
1. <%= partial 'router_timeout_backend' %>
1. <%= partial 'frontend_idle_timeout' %>
1. <%= partial 'lb_unhealthy_threshold' %>
1. <%= partial 'lb_healthy_threshold' %>
<img alt="LB Healthy Threshold Field" src="images/router_lb_thresholds.png">
1. <%= partial 'http_headers_to_log' %>
<img alt="Http Headers to Log" src="images/headers_to_log.png">
1. <%= partial 'haproxy_request_max_buffer' %>
1. <%= partial 'protected_domains' %>
1. The **Loggregator Port** defaults to `443` if left blank. For AWS environments that are not using an Application Load Balancer, enter `4443`.
1. For **Container Network Interface Plugin**, select one of the following:
* **Silk**: This option is the default Container Network Interface (CNI) for PAS.
* **External**: Select this if you are deploying the [VMware NSX-T Container Plug-in for PCF](https://network.pivotal.io/products/vmware-nsx-t).
- If you select **External**, follow the instructions in [Deploying PAS with NSX-T Networking](https://network.pivotal.io/products/vmware-nsx-t) in addition to the PAS configuration instructions in this topic.
<p class='note warning'><strong>WARNING:</strong> The NSX-T integration only works for fresh installs of PCF. If your PAS is already deployed and running with Silk as its CNI, you cannot change the CNI plugin to NSX-T.</p>
<%= image_tag 'images/cni-silk.png' %>
1. If you selected **Silk** in the previous step, review the following fields:
<ol>
<li><%= partial 'app_mtu' %> </li>
<li><%= partial 'c2c-overlay' %></li>
<li><%= partial 'c2c-vxlan' %></li>
<%= partial 'log-app-traffic-enable' %>
<li> The <strong>Enable Silk Policy Enforcement</strong> checkbox is enabled by default. To disable Silk network policy enforcement between apps, disable the checkbox. Disabling network policy enforcement allows all apps to send network traffic to all other apps in the foundation despite no policy specifically allowing it.</li>
</ol>
</li>
1. For **DNS Search Domains**, enter DNS search domains for your containers as a comma-separated list. DNS on your containers appends these names to its host names, to resolve them into full domain names.
<%= image_tag 'images/dns-search-domains.png' %>
1. <%= partial 'networking_database_timeout' %>
1. <%= partial 'tcp_routing_enable' %><a id='tcp-routing-enable'></a>
* For GCP, you also need to specify the name of a GCP TCP load balancer in the **LOAD BALANCER** column of TCP Router job of the **Resource Config** screen. You configure this later on in PAS. See the [Configure Resources](#resources) section of this topic.</p>
* For AWS, you also need to specify the name of a TCP ELB in the **LOAD BALANCER** column of TCP Router job of the `Resource Config` screen. You configure this later on in PAS. For more information, see the [Configure Resources](#resources) section of this topic.
* For Azure, you also need to specify the name of Azure load balancer in the LOAD BALANCER column of TCP Router job of the **Resource Config** screen. You configure this later on in PAS. See the [Configure Resources](#resources) section of this topic.
* For OpenStack and vSphere: Return to the top of the **Networking** screen. In **TCP Router IPs** field, make sure you have entered IP addresses within your subnet CIDR block. These will be the same IP addresses you configured your load balancer with in [Pre-Deployment Steps](../adminguide/enabling-tcp-routing.html), unless you configured DNS to resolve the TCP domain name directly to an IP you've chosen for the TCP router.
1. <%= partial 'tcp_routing_disable' %>
1. <%= partial 'dynamic-egress' %>
1. Click **Save**.
## <a id='application-containers-config'></a> Application Containers
<%= partial 'application_container_config' %>
## <a id='appdevctrl-config'></a> Application Developer Controls
<%= partial 'application_developer_controls' %>
## <a id='app-security'></a> Application Security Groups
<%= partial 'application_security_group' %>