Re: Proposal: Improving Security for HTTP Ingress to CFAR Application Containers
Oh man, after re-reading your email it now makes sense. To be honest, I didn't actually read the document you provided since it wasn't open for reading to everyone, so I just assumed what was in there instead. Sorry.
Typically in our environments we use network firewalls to force that ingress into the network zones holding CF instances only happens through Enterprise load balancers and only then to specific components, e.g. gorouter, ssh-proxy, tcp router, etc., and use security groups to stop apps talking directly to other containers. Though I imagine in the future we may deploy to environments with less strict network firewall setups. In such an environment this configuration option would be very useful, and we probably would use it without TCP routing support if we had such a situation. But we don't currently.
Thanks for helping me through this email. :)