Re: Security group rules to allow HTTP communication between 2 apps deployed on CF


Daniel Mikusa
 

On Sat, Aug 8, 2015 at 2:33 AM, Ahmad Ferdous Bin Alam <ahmadferdous(a)gmail.com> wrote:

Hi,

I have deployed two node.js (express) applications - App1 and App2 - on a
CF local instance. App2 consumes a service exposed (REST API) by App1. When
App2 receives a request, it needs to communicate with App1. It worked all
good when I tested. Once they were deployed on CF, it didn't work.

It turned out that App2 got error 'connect ECONNREFUSED'.

How are you trying to connect to App1 from App2? If you access App2's URL,
it should work? i.e. app-2.your-cf-domain.com


I thought it might be a security group rule issue that prevented outbound
traffic to App1. So I added a security group allowing all outgoing traffic.
But it didn't help. Now I think it may have to do with inbound traffic rule.

For inbound traffic, the restriction is HTTP, HTTPS & WebSockets. I don't
believe there are any further restrictions.


I searched for documentation as to how inbound traffic rules can be added
but couldn't find.

My questions are:
1) Is it possible at all to have 2 apps deployed on CF communicate with
each other over HTTP?
Yes. If you deploy App2 and have it send a request to App1, that should
work as long as you use the URL for App1.


2) Is the security group given below correct? Its purpose is to allow all
outgoing traffic.
This is the group I've used to allow everything. What you've entered looks
OK too.

[
  {
    "destination": "0.0.0.0-255.255.255.255",
    "protocol": "all"
  }
]

Don't forget to bind the security group to your space or to the running /
staging groups. Also, I think you need to restart or restage your app so
its container gets recreated with the new rules.

3) Is there any way we can add inbound traffic 'allow' rules?
Shouldn't be necessary.

Dan
Please help.

Additional info:
- I have CF locally installed as a Vagrant devbox (host Ubuntu 14.04). I
used NISE installer: https://github.com/yudai/cf_nise_installer
- I added the following security group to allow all outgoing traffic. I
bound it to both staging and running security groups and finally restarted
the apps so that the rules get applied.
[
  {
    "protocol": "tcp",
    "destination": "0.0.0.0/0",
    "ports": "1-65535"
  },
  {
    "protocol": "udp",
    "destination": "0.0.0.0/0",
    "ports": "1-65535"
  }
]
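The workflow Dan describes (write the rules file, create the group, bind it to the space or to the running/staging sets, then restage so the container is rebuilt with the new rules) as a small POSIX shell script. This is an added example, not code from the thread or from the Cloud Foundry project. The group name allow-all-egress, the org/space/app names and the file path are placeholders; the `cf` subcommands are the CLI v6 forms current when this thread was written (newer CLIs take `--space` on bind-security-group). `check_rule` is a local sanity check on a rule's fields before they reach `cf`; it is not the platform's own validation. The `apply` step only runs when invoked with `apply` and a `cf` binary is on the PATH, so the rest of the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread). Builds, sanity-checks and applies an
# application security group that allows all outbound TCP/UDP traffic.

SG_NAME="allow-all-egress"                      # assumed group name
SG_FILE="${SG_FILE:-/tmp/${SG_NAME}.json}"      # assumed rules file path

# Write the same rules Ahmad posted: tcp + udp, all destinations, all ports.
write_rules() {
  cat > "$1" <<'EOF'
[
  { "protocol": "tcp", "destination": "0.0.0.0/0", "ports": "1-65535" },
  { "protocol": "udp", "destination": "0.0.0.0/0", "ports": "1-65535" }
]
EOF
}

# check_rule PROTOCOL DESTINATION PORTS
# Local sanity check of one rule (cf validates too; this catches typos early).
# Destination may be a.b.c.d, a.b.c.d/n or a.b.c.d-e.f.g.h; ports are only
# required for tcp/udp and look like "80", "80,443" or "1-65535".
# Returns 0 when the fields look valid, 1 otherwise.
check_rule() {
  proto="$1"; dest="$2"; ports="$3"
  case "$proto" in
    tcp|udp|icmp|all) ;;
    *) echo "bad protocol: $proto" >&2; return 1 ;;
  esac
  echo "$dest" | grep -Eq \
    '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2}|-([0-9]{1,3}\.){3}[0-9]{1,3})?$' \
    || { echo "bad destination: $dest" >&2; return 1; }
  if [ "$proto" = tcp ] || [ "$proto" = udp ]; then
    echo "$ports" | grep -Eq '^[0-9]+(-[0-9]+)?(,[0-9]+(-[0-9]+)?)*$' \
      || { echo "bad ports: $ports" >&2; return 1; }
  fi
  return 0
}

# apply_group ORG SPACE APP
# Create the group, bind it, and restage so the app container is recreated
# with the new rules (a running container does not pick them up).
apply_group() {
  org="$1"; space="$2"; app="$3"
  cf create-security-group "$SG_NAME" "$SG_FILE"
  cf bind-security-group "$SG_NAME" "$org" "$space"
  # Platform-wide alternative, as mentioned in the thread:
  #   cf bind-running-security-group "$SG_NAME"
  #   cf bind-staging-security-group "$SG_NAME"
  cf restage "$app"
}

if [ "${1:-}" = "apply" ] && command -v cf >/dev/null 2>&1; then
  write_rules "$SG_FILE"
  check_rule tcp 0.0.0.0/0 1-65535 || exit 1
  check_rule udp 0.0.0.0/0 1-65535 || exit 1
  apply_group "${ORG:-my-org}" "${SPACE:-my-space}" "${APP:-app2}"
fi
```

Run it as `ORG=my-org SPACE=my-space APP=app2 sh sg.sh apply` against a targeted CF. Note that the egress group is only half of the picture the thread settles on: App2 must still call App1 by its route (the hostname the router serves), not by localhost or a container IP, since the router is what accepts inbound HTTP for an app.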
