Route integrity on Windows


Aaron Huber
 

We have been waiting for some time for a solution for route integrity support on Windows, and I wanted to check on the status and compare notes on what others are doing.

 

We are still using the Windows 2012 R2 stack because we require IPSec encryption of the HTTP traffic between the router and the instance.  Overall, CF has made great progress on removing all non-encrypted traffic across the platform, and the last two places where encryption is missing are NATS, which is finally underway, and route integrity on Windows.  Once we close those two gaps we’ll finally be able to stop using IPSec on the platform, but until then, since Windows 2019 still doesn’t support IPSec along with NAT in containers, we are stuck with the older stack.

 

There are a few options that we know of:

 

  • Use the experimental route integrity ops file using Nginx instead of Envoy – is anyone using this successfully in production?
  • Wait for Envoy support on Windows – this has been in progress for a while and Microsoft still seems to be actively working on it, but once it becomes available, will support for it be added to Cloud Foundry?
  • Wait for Kubernetes support to be fully production ready – hopefully the new platform will be fully encrypted from the beginning

 

What are other platform operators that offer Windows support doing for now?

 

 

Aaron Huber

Intel Corporation
