答复: Re: one question about CF security


姜恩龙jiangenlong <jiangenlong at hxdi.com...>
 

Thanks for your instant reply.

For example, application need a database service, and the database service locates in the internet.

The application communicate with database service by NAT server, the NAT server will change the application’s internal ip into an external ip address.

In situation of pivotal public cloud, the using case of user-provided-service can exactly explain this case dialog.

This is my understanding, is it right?


发件人: Gwenn Etourneau [mailto:getourneau(a)pivotal.io]
发送时间: 2015年12月10日 12:58
收件人: Discussions about Cloud Foundry projects and the system overall.
主题: [cf-dev] Re: one question about CF security

Inbound is connexion initiate from external, in this case dialog between app and client is throught the LB / Gorouter

Outbound is connexion initiate from Internal that's mean your app want to connect to something ....

Not sure I am clear ...

On Thu, Dec 10, 2015 at 1:35 PM, 姜恩龙jiangenlong <jiangenlong(a)hxdi.com<mailto:jiangenlong(a)hxdi.com>> wrote:
[cid:image001.png(a)01D13351.59BC1140]
Hi,


• Inbound: From the load balancer through the router to the DEA, then from the DEA to the App Container.

• Outbound: From the App Container to the DEA, then to the gateway on the DEA virtual network interface.

• This gateway might be a NAT to external networks depending on your IaaS.

• -------- this is come from CloudFoundry official docs.





Do Load Balancer and NAT have the same ip? In other words, do the two appliance locate on one host( or VM)?



If not, client send a request , destination ip is LoadBalancer’s address, then client receive a response, source ip is NAT address.

I think, in this situation, client can not communicate with cloudfoundry.





Regards,

jiangenlong



来自华信咨询设计研究院有限公司友情提醒:
为确保邮件沟通畅通,如你不能投递到jiangenlong(a)hxdi.com<mailto:jiangenlong(a)hxdi.com>,
请临时将邮件地址中com变更为cn尝试投递,谢谢!

来自华信咨询设计研究院有限公司友情提醒:
为确保邮件沟通畅通,如你不能投递到jiangenlong(a)hxdi.com,
请临时将邮件地址中com变更为cn尝试投递,谢谢!

Join cf-dev@lists.cloudfoundry.org to automatically receive all group messages.