Re: CloudFoundry PCI-DSS compliance issue?
Daniel Jones
Hi Sze,
Application Security Groups are implemented via iptables on the host Cell VMs, and not in the containers. Network traffic coming from processes in each container is filtered before leaving the VM.

Apps on the same VM will not be able to communicate directly (unless you're using the Container Networking <https://docs.cloudfoundry.org/concepts/understand-cf-networking.html> feature which is quite new, and a totally different topic) and all traffic between them should be routed via the GoRouter. Because all traffic goes via the GoRouter, it is not possible to restrict access from one app to another at the network level without using the Container Networking feature.

You may also like to look at the forthcoming Isolation Segments <https://lists.cloudfoundry.org/archives/list/cf-dev(a)lists.cloudfoundry.org/thread/GHN7SB2UWX7PPHVW2XEIMHIB6KRENGL7/> feature which may help you combine CDE apps with non-CDE apps.

Regards,
Daniel Jones - CTO
+44 (0)79 8000 9153
@DanielJonesEB <https://twitter.com/DanielJonesEB>
*EngineerBetter* Ltd <http://www.engineerbetter.com> - UK Cloud Foundry Specialists
On 3 April 2017 at 22:33, Sze Siong Teo <szesiong(a)gmail.com> wrote:
It seems this mailing list system doesn't show new posts instantly.
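The filtering described in the reply above, as an added example that is not part of the original message or Cloud Foundry's own code: a minimal evaluator for ASG-style allow-only egress rules (tcp/udp/all rules only), showing that two apps reached through the same router address get the same verdict. All addresses, hostnames and the rule set are constructed for illustration.

```python
import ipaddress
import json

# Constructed rule set in the JSON shape of an ASG rules file.
ASG_RULES = json.loads("""[
  {"protocol": "tcp", "destination": "10.0.0.10", "ports": "80,443",
   "description": "GoRouter / load balancer (constructed address)"},
  {"protocol": "tcp", "destination": "10.0.20.0/24", "ports": "5432",
   "description": "backing database subnet (constructed)"}
]""")

# Constructed name resolution: every routed app resolves to the router.
DNS = {"cde-app.apps.example.test": "10.0.0.10",
       "other-app.apps.example.test": "10.0.0.10"}

def dest_matches(spec, ip):
    """destination is a single IP, a CIDR block, or an 'a-b' range."""
    addr = ipaddress.ip_address(ip)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-"))
        return lo <= addr <= hi
    return addr in ipaddress.ip_network(spec, strict=False)

def port_matches(spec, port):
    """ports is a single port, a comma-separated list, or an 'x-y' range."""
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def egress_allowed(rules, protocol, dest_ip, port):
    """Rules are allow-only: traffic matching no rule is dropped on the Cell."""
    for rule in rules:
        if rule["protocol"] not in ("all", protocol):
            continue
        if not dest_matches(rule["destination"], dest_ip):
            continue
        if rule["protocol"] == "all" or port_matches(rule["ports"], port):
            return True
    return False

def can_call(rules, hostname, port=443):
    """Decision the host filter makes for an HTTPS call to a routed app."""
    return egress_allowed(rules, "tcp", DNS[hostname], port)

if __name__ == "__main__":
    for host in DNS:  # same verdict for both: the filter only sees the router IP
        print(host, can_call(ASG_RULES, host))
    print("direct to another Cell:", egress_allowed(ASG_RULES, "tcp", "10.0.16.7", 61001))
```

Because the rule match is on destination address and port only, allowing the router for one routed app allows it for every routed app, which is why separating CDE from non-CDE apps needs a different control than the ASG.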