Re: Question about Application Security Group behavior

Nicholas Calugar

Hi noburou,

Interesting that you bring this up as I was involved in a similar
conversation today.

A1: Yes, ASGs bound to a space are only applied to the app running
containers, not staging.
A2: Not sure on the history, but we think we want to fix this. An app
always belongs to a space, so we could apply a different staging security
group to a space, affecting staging of all apps in that space.
A3: Yes, but not certain the priority.



On July 27, 2016 at 3:18:01 AM, Noburou TANIGUCHI (dev(a) wrote:


Recently I've come across a counter-intuitive behavior of Application
Security Group.

I've been thinking that an ASG bound to a space is effective for both
staging and running time. However, it seemed effective only for running

So I researched the source code of cloud_controller_ng and found those 2
sets of codes:

(for DEA)
(for Diego)

Both of them seem using just the Default Staging Security Groups as staging
time security groups and ASGs bound to the space where the target
application is finally deployed to seem ignored.

So my questions are:

Q1: Is my understanding (ASGs bound to a space is effective only for
time) correct?
Q2: Why is this design adopted? (My guess is because an application does
belong to any space when staging. Right?)
Q3: Is there any plan to make ASGs bound to a space effecitve for staging?
Because loosening the Default Staging Security Groups increases opportunity
for malicious attackers, we want an option to narrow users who get benefit
from loosened Staging Security Groups.

Thanks in advance.

I'm not a ...
noburou taniguchi
View this message in context:
Sent from the CF Dev mailing list archive at

Join { to automatically receive all group messages.