Re: CloudFoundry PCI-DSS compliance issue?


Sze Siong Teo <szesiong@...>
 

Hi Alexander,

Thanks for the info. I discovered that post earlier through a Google search as well. In fact, I'm looking for something more specific at the implementation level, as the post about isolating CDE and non-CDE is at a somewhat higher level.

I understand that we can isolate the networks into different subnets to keep internal servers from being exposed to the DMZ, but does the network at the host level (VMs, not the garden containers, as I know we can apply ASGs for containers) within the internal network have to be fully open between hosts?

When we deploy an app, the containers holding our app will be spread across different VMs randomly, so I suppose the firewall or iptables between VMs in the same subnet has to open everything to each other to work properly?

A scenario like this could happen. Let's say we have App A (1 instance) and App B (2 instances):

VM 1: App1-1, AppB-1
VM 2: AppB-2

If AppA and AppB communicate with each other while AppB gets load balanced, there is a possibility that the AppB instance in VM2 tries to communicate with App1 in VM1. If there is a network-level firewall or iptables applied at the VM level, then it will fail, or is there any way CF can manage iptables updates on the VMs automatically?
