Security group rules to allow HTTP communication between 2 apps deployed on CF


Ahmad Ferdous Bin Alam
 

Hi,

I have deployed two node.js (express) applications - App1 and App2 - on a CF local instance. App2 consumes a service exposed (REST API) by App1. When App2 receives a request, it needs to communicate with App1. It worked all good when I tested. Once they are deployed on CF, it didn't work.

It turned out that App2 got error 'connect ECONNREFUSED'. I thought it might be a security group rule issue that prevented outbound traffic to App1. So I added a security group allowing all outgoing traffic. But it didn't help. Now I think it may have to do with inbound traffic rule. I searched for documentation as to how inbound traffic rules can be added but couldn't find.

My questions are:
1) Is it possible at all to have 2 apps deployed on CF communicate with each other over HTTP?
2) Is the security group given below correct? Its purpose is to allow all outgoing traffic.
3) Is there any way we can add inbound traffic 'allow' rules?

Please help.

Additional info:
- I have CF locally installed as a Vagrant devbox (host Ubuntu 14.04). I used NISE installer: https://github.com/yudai/cf_nise_installer
- I added the following security group to allow all outgoing traffic. I bound it to both staging and running security groups and finally restarted the apps so that the rules get applied.
[
  {
    "protocol": "tcp",
    "destination": "0.0.0.0/0",
    "ports": "1-65535"
  },
  {
    "protocol": "udp",
    "destination": "0.0.0.0/0",
    "ports": "1-65535"
  }
]


Daniel Mikusa
 

On Sat, Aug 8, 2015 at 2:33 AM, Ahmad Ferdous Bin Alam <ahmadferdous(a)gmail.com> wrote:

> Hi,
>
> I have deployed two node.js (express) applications - App1 and App2 - on a
> CF local instance. App2 consumes a service exposed (REST API) by App1. When
> App2 receives a request, it needs to communicate with App1. It worked all
> good when I tested. Once they are deployed on CF, it didn't work.
>
> It turned out that App2 got error 'connect ECONNREFUSED'.

How are you trying to connect to App1 from App2? If you access App2's URL,
it should work? i.e. app-2.your-cf-domain.com

> I thought it might be a security group rule issue that prevented outbound
> traffic to App1. So I added a security group allowing all outgoing traffic.
> But it didn't help. Now I think it may have to do with inbound traffic rule.

For inbound traffic, the restriction is HTTP, HTTPS & WebSockets. I don't
believe there are any further restrictions.

> I searched for documentation as to how inbound traffic rules can be added
> but couldn't find.
>
> My questions are:
> 1) Is it possible at all to have 2 apps deployed on CF communicate with
> each other over HTTP?

Yes. If you deploy App2 and have it send a request to App1, that should
work as long as you use the URL for App1.

> 2) Is the security group given below correct? Its purpose is to allow all
> outgoing traffic.

This is the group I've used to allow everything. What you've entered looks
OK too.

[
  {
    "destination": "0.0.0.0-255.255.255.255",
    "protocol": "all"
  }
]

Don't forget to bind the security group to your space or to the running /
staging groups. Also, I think you need to restart or restage your app so
its container gets recreated with the new rules.

> 3) Is there any way we can add inbound traffic 'allow' rules?

Shouldn't be necessary.

Dan

> Please help.
>
> Additional info:
> - I have CF locally installed as a Vagrant devbox (host Ubuntu 14.04). I
> used NISE installer: https://github.com/yudai/cf_nise_installer
> - I added the following security group to allow all outgoing traffic. I
> bound it to both staging and running security groups and finally restarted
> the apps so that the rules get applied.
> [
>   {
>     "protocol": "tcp",
>     "destination": "0.0.0.0/0",
>     "ports": "1-65535"
>   },
>   {
>     "protocol": "udp",
>     "destination": "0.0.0.0/0",
>     "ports": "1-65535"
>   }
> ]


Naveen Asapu
 

How to get the destination address for bluemix.net? Can you suggest any command for getting the destination address?

Actually I'm creating a security group for abacus, and for that it needs a destination address. How can I get it?


command:
cf create-security-group abacus abacus_group.json

error:
Creating security group abacus as xxxx(a)xxxx.in
FAILED
Server error, status code: 403, error code: 10003, message: You are not authorized to perform the requested action


Matthew Sykes <matthew.sykes@...>
 

I'm afraid I don't really understand your questions or what you're trying
to accomplish.

Security groups are intended to be managed by platform administrators so unless
you have admin access to your target environment, you will not be able to
create security groups.

If you're trying to access the cloud controller api or other applications,
you should be going through the front door (the external host names). The
security group rules should not be preventing you from doing that.

If you're trying to access something internal to the cloud foundry
deployment, you will need explicit support from the administrators.

On Tue, Sep 8, 2015 at 5:20 AM, Naveen Asapu <asapu.naveen(a)gmail.com> wrote:

> How to get the destination address for bluemix.net? Can you suggest any
> command for getting the destination address?
>
> Actually I'm creating a security group for abacus, and for that it needs
> a destination address. How can I get it?
>
> command:
> cf create-security-group abacus abacus_group.json
>
> error:
> Creating security group abacus as xxxx(a)xxxx.in
> FAILED
> Server error, status code: 403, error code: 10003, message: You are not
> authorized to perform the requested action

--
Matthew Sykes
matthew.sykes(a)gmail.com


Naveen Asapu
 

Hi Matthew Sykes,

Actually I'm trying to monitor usage of an app in Bluemix. For that I'm using cf-abacus; in the example steps this command is also there.

Can you suggest how to monitor app usage using curl and Cloud Foundry?

--
Thanks
Naveen Asapu


Denilson Nastacio <dnastacio@...>
 

The message indicates this problem is unrelated to security groups. You
would get something like "host not found" instead of "connection refused".

Which version of CF are you using?
Can you curl a url from app2 at all?

On Wed, Sep 23, 2015, 3:27 AM Naveen Asapu <asapu.naveen(a)gmail.com> wrote:

> Hi Matthew Sykes,
>
> Actually I'm trying to monitor usage of an app in Bluemix. For that I'm using
> cf-abacus; in the example steps this command is also there.
>
> Can you suggest how to monitor app usage using curl and Cloud Foundry?
>
> --
> Thanks
> Naveen Asapu


Naveen Asapu
 

I'm using cf version 6.12.1


CF Runtime
 

Containers have a default iptables rule for REJECT all traffic. If there is
not a security group configured to allow the traffic to the destination,
you'll get a connection refused.

Security groups can only be created and configured by admin users.

Your only option is probably to have one app connect to the other using the
public route bound to that app.

Joseph
CF Release Integration Team

On Wed, Sep 23, 2015 at 3:54 AM, Denilson Nastacio <dnastacio(a)gmail.com> wrote:

> The message indicates this problem is unrelated to security groups. You
> would get something like "host not found" instead of "connection refused".
>
> Which version of CF are you using?
> Can you curl a url from app2 at all?
>
> On Wed, Sep 23, 2015, 3:27 AM Naveen Asapu <asapu.naveen(a)gmail.com> wrote:
>
>> Hi Matthew Sykes,
>>
>> Actually I'm trying to monitor usage of an app in Bluemix. For that I'm
>> using cf-abacus; in the example steps this command is also there.
>>
>> Can you suggest how to monitor app usage using curl and Cloud Foundry?
>>
>> --
>> Thanks
>> Naveen Asapu
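
An added example, not written by any participant in this thread: a small Node.js evaluator for the security group rule format shown above, applying the default-reject behaviour described in the last reply and flagging rules that open the whole IPv4 space. The `narrowRules` subnet and port are constructed for illustration, and the function names are assumptions of this example.

```javascript
// Egress from a container is rejected unless some rule allows it.
const ipToInt = (ip) =>
  ip.split('.').reduce((acc, octet) => acc * 256 + Number(octet), 0);

// Destination may be a single IP, a CIDR block, or a "start-end" range.
function destinationRange(dest) {
  if (dest.includes('-')) return dest.split('-').map((s) => ipToInt(s.trim()));
  const [ip, bits = '32'] = dest.split('/');
  const size = 2 ** (32 - Number(bits));
  const low = Math.floor(ipToInt(ip) / size) * size;
  return [low, low + size - 1];
}

// Ports may be one port, a comma-separated list, or a "low-high" range.
function portAllowed(ports, port) {
  return String(ports).split(',').some((part) => {
    const [low, high = low] = part.trim().split('-').map(Number);
    return port >= low && port <= high;
  });
}

// tcp/udp rules need a matching port; "all" rules carry no ports field.
// ICMP type/code matching is not modelled here.
function ruleAllows(rule, protocol, ip, port) {
  if (rule.protocol !== 'all' && rule.protocol !== protocol) return false;
  const [low, high] = destinationRange(rule.destination);
  const addr = ipToInt(ip);
  if (addr < low || addr > high) return false;
  return rule.protocol === 'all' || portAllowed(rule.ports, port);
}

const egressAllowed = (rules, protocol, ip, port) =>
  rules.some((rule) => ruleAllows(rule, protocol, ip, port));

// Rules whose destination spans all of IPv4, as both groups in the thread do.
const overBroadRules = (rules) => rules.filter((rule) => {
  const [low, high] = destinationRange(rule.destination);
  return low === 0 && high === 2 ** 32 - 1;
});

// Rule sets copied from the thread.
const askerRules = [
  { protocol: 'tcp', destination: '0.0.0.0/0', ports: '1-65535' },
  { protocol: 'udp', destination: '0.0.0.0/0', ports: '1-65535' },
];
const replyRules = [{ destination: '0.0.0.0-255.255.255.255', protocol: 'all' }];
// Constructed narrower rule: HTTPS to one assumed internal subnet only.
const narrowRules = [{ protocol: 'tcp', destination: '10.0.16.0/24', ports: '443' }];
console.log(overBroadRules(askerRules).length, overBroadRules(narrowRules).length);
```

With an empty rule list every destination is rejected, which matches the connection-refused behaviour described above; the narrow rule set shows what a scoped alternative to the allow-all groups looks like.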