Re: CloudFoundry PCI-DSS compliance issue?

Daniel Jones

Hi Sze,

Application Security Groups are implemented via iptables on the host Cell
VMs, and not in the containers. Network traffic coming from processes in
each container is filtered before leaving the VM. Apps on the same VM will
not be able to communicate directly (unless you're using the Container
Networking
<https://docs.cloudfoundry.org/concepts/understand-cf-networking.html>
feature which is quite new, and a totally different topic) and all traffic
between them should be routed via the GoRouter. Because all traffic goes
via the GoRouter, it is not possible to restrict access from one app to
another at the network level without using the Container Networking feature.

You may also like to look at the forthcoming Isolation Segments
<https://lists.cloudfoundry.org/archives/list/cf-dev(a)lists.cloudfoundry.org/thread/GHN7SB2UWX7PPHVW2XEIMHIB6KRENGL7/>
feature which may help you combine CDE apps with non-CDE apps.

Regards,
Daniel Jones - CTO
+44 (0)79 8000 9153
@DanielJonesEB <https://twitter.com/DanielJonesEB>
*EngineerBetter* Ltd <http://www.engineerbetter.com> - UK Cloud Foundry
Specialists

On 3 April 2017 at 22:33, Sze Siong Teo <szesiong(a)gmail.com> wrote:

It seems this mailing list system doesn't show new posts instantly.
Eventual consistency DB?
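Since ASGs are egress filters applied on the Cell VM, a PCI reviewer's first question is which ASG rules can reach the CDE at all. Below is an added example (not code from this thread or from Cloud Foundry itself) that parses rules in the ASG JSON format and reports those whose destination overlaps an assumed CDE range; the sample ASG and the 10.0.20.0/24 CDE CIDR are constructed.

```python
"""Find Cloud Foundry ASG rules whose destination reaches a CDE range.
Added example; the ASG rules and CDE CIDR below are constructed."""
import ipaddress
import json

# Constructed sample in CF's ASG JSON format: each rule carries a protocol,
# a destination (single IP, CIDR, or "start-end" range) and optional ports.
SAMPLE_ASG = json.dumps([
    {"protocol": "tcp", "destination": "10.0.11.0/24", "ports": "443",
     "description": "app to internal API"},
    {"protocol": "all", "destination": "10.0.0.0/8",
     "description": "broad allow-all, typical of a default running ASG"},
    {"protocol": "tcp", "destination": "10.0.20.5-10.0.20.9", "ports": "5432",
     "description": "app to payment database"},
])

# Constructed assumption: the cardholder data environment lives here.
CDE = ipaddress.ip_network("10.0.20.0/24")


def destination_networks(dest):
    """Expand an ASG destination string into ip_network objects."""
    if "-" in dest:  # "start-end" range form
        start, end = (ipaddress.ip_address(p.strip()) for p in dest.split("-", 1))
        return list(ipaddress.summarize_address_range(start, end))
    # single IP (becomes a /32) or CIDR block
    return [ipaddress.ip_network(dest, strict=False)]


def rules_reaching(asg_json, target):
    """Return (index, protocol, ports) for every rule overlapping `target`.

    These are the egress rules the Cell's iptables would permit into the CDE,
    so each one needs a documented business justification for PCI scoping."""
    hits = []
    for i, rule in enumerate(json.loads(asg_json)):
        nets = destination_networks(rule["destination"])
        if any(net.overlaps(target) for net in nets):
            hits.append((i, rule.get("protocol"), rule.get("ports", "all")))
    return hits


if __name__ == "__main__":
    for idx, proto, ports in rules_reaching(SAMPLE_ASG, CDE):
        print(f"rule {idx}: {proto} ports {ports} reaches {CDE}")
```

Run it against the output of `cf security-group <name>` (exported as JSON) to list which bound rules open a path into the CDE; rule 1 above shows why a blanket 10.0.0.0/8 rule undermines segmentation even when the CDE database rule itself is tight.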
