public proxy and access control
James Bayer
i have not used the terraform installer, so take that with a grain of salt.
because apps.54.2.3.4.xip.io will always resolve to 54.2.3.4, all calls using that domain will go out through the aws "front-door". you can have separate system domains and app domains. i see that the system domain seems to be used here: https://github.com/cloudfoundry-community/terraform-aws-cf-install/blob/master/provision/prepare-provision#L53 perhaps open an issue on the repo to see if you can get some help customizing the domains with terraform values? one thing you could do is lock CF down by default is to use a private IP only accessible from within your AWS vpc (e.g. 10.10.x.y.xip.io). now all system components will make calls that do not leave the VPC (other than to resolve the 10.10.x.y address with a DNS lookup). then later you could add an ELB that points to the CF routers that resolves to a public domain you want to allow for apps. you could use a security group to restrict the IPs you allow in. the CF API endpoint would only be accessible from within your VPC with this approach. On Wed, Jul 8, 2015 at 1:56 PM, Matthias Ender <Matthias.Ender(a)sas.com> wrote: I recently used this terraform project to create a AWS cf install: -- Thank you, James Bayer |
|
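The point James makes above is that xip.io names are deterministic: the address is embedded in the hostname, so you can work out offline whether a system endpoint such as api.<system domain> will stay inside the VPC or go out through the public front door, and whether a narrowed security group would still admit a given caller. The script below is an added example written for this thread, not code from the terraform-aws-cf-install project or from either poster. The VPC range 10.10.0.0/16, the component names api/uaa/login, and all sample addresses are constructed assumptions for illustration.

```python
import ipaddress
import re

# xip.io answers any name of the form <anything>.<a.b.c.d>.xip.io with the
# address a.b.c.d, so the resolution can be predicted without a DNS lookup.
_XIP_RE = re.compile(r"(?:^|\.)(\d{1,3}(?:\.\d{1,3}){3})\.xip\.io$")


def xip_target(hostname):
    """Return the IPv4 address embedded in a xip.io hostname, or None."""
    match = _XIP_RE.search(hostname.strip().lower().rstrip("."))
    if not match:
        return None
    try:
        return ipaddress.IPv4Address(match.group(1))
    except ValueError:  # e.g. an octet above 255
        return None


def classify(hostname, vpc_cidr):
    """Classify where traffic to hostname goes relative to the VPC.

    'in-vpc'     - the embedded address lies inside vpc_cidr, so system
                   components reach it without leaving the VPC
    'leaves-vpc' - the embedded address is outside vpc_cidr, so the call
                   goes out through the AWS front door (EIP / ELB)
    'unknown'    - not a xip.io name; a real DNS lookup would be needed
    """
    target = xip_target(hostname)
    if target is None:
        return "unknown"
    return "in-vpc" if target in ipaddress.ip_network(vpc_cidr) else "leaves-vpc"


def audit_system_domain(system_domain, vpc_cidr, components=("api", "uaa", "login")):
    """Map each system endpoint (api.<domain>, ...) to its classification.

    The component list is an assumption for illustration; adjust it to the
    hostnames your deployment actually publishes on the system domain.
    """
    result = {}
    for component in components:
        host = "%s.%s" % (component, system_domain)
        result[host] = classify(host, vpc_cidr)
    return result


def security_group_allows(source_ip, ingress_cidrs):
    """True if source_ip matches any ingress CIDR (0.0.0.0/0 admits everyone)."""
    address = ipaddress.ip_address(source_ip)
    return any(address in ipaddress.ip_network(cidr) for cidr in ingress_cidrs)


if __name__ == "__main__":
    VPC = "10.10.0.0/16"  # constructed VPC range for the example
    # Public-EIP system domain (as the installer produces) versus a private one
    # built from a VPC address, as suggested above.
    for domain in ("54.2.3.4.xip.io", "10.10.1.5.xip.io"):
        for host, verdict in sorted(audit_system_domain(domain, VPC).items()):
            print("%-24s %s" % (host, verdict))
    # Narrowing the ingress rule from 0.0.0.0/0 to one operator range admits
    # only that range; anything else hitting the public address is dropped.
    operator_only = ["203.0.113.0/24"]
    print(security_group_allows("203.0.113.7", operator_only))
    print(security_group_allows("198.51.100.9", operator_only))
    print(security_group_allows("198.51.100.9", ["0.0.0.0/0"]))
```

Run it against the system domain in your deployment's manifest: every endpoint reporting "leaves-vpc" is one that a narrowed security group on the public address can break, which is why the suggested layout keeps the system domain on a VPC address and exposes only the app domain through an ELB with its own ingress rules.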
Matthias Ender <Matthias.Ender@...>
I recently used this terraform project to create an AWS cf install:
https://github.com/cloudfoundry-community/terraform-aws-cf-install

It uses the floating IP address of the public proxy as its default domain (i.e. apps.54.2.3.4.xip.io). I would like to limit access to my project to a certain range of IP addresses. When I restrict the main cf security group (change the 0.0.0.0/0 incoming sources to my IP address), cf stops working, because all internal calls between the services use the public proxy (e.g. api.apps.1.2.3.4.xip.io). That doesn't seem right. Why would the cf services use the external IP address to talk to each other? Can I modify the security in my deployment to make it restrict access only to certain IP addresses? If so, how? Or do I need to redeploy cf with a different default domain? And how would I do that?

thanks,
Matthias Ender