CloudFoundry PCI-DSS compliance issue?


Sze Siong Teo <szesiong@...>
 

Thanks a lot. This answers my question now.


David McClure
 

Because if iptables rules are applied at the VM's intranet IP, then the
filtering rules would affect other apps on the same VM? Or does it work in
some other way?

In the "batteries included" implementation of cf-networking, policy
enforcement is still done with iptables on the host VM, but policies are
defined based on whitelist rules that allow AppA to reach AppB.

The way it works is that traffic leaving AppA is tagged with an ID using
an iptables mark rule.

On the destination VM, a corresponding allow rule is written to iptables
that allows traffic tagged with that ID.

Our main repo is here if you want to poke around more:

https://github.com/cloudfoundry-incubator/cf-networking-release

And as Daniel mentioned, we can discuss the details more with you if you
have specific questions in our Slack channel (most of the team is in the
US/Pacific time zone).

Cheers,
Dave


On Apr 4, 2017 3:03 AM, "Daniel Jones" <daniel.jones(a)engineerbetter.com>
wrote:

Hi,

iptables is used when Container Networking is *not* available. If you're
using Container Networking, you might want to ask the folks that are
writing it on cloudfoundry.slack.com in the #container-networking channel.

Regards,
Daniel Jones - CTO
+44 (0)79 8000 9153
@DanielJonesEB <https://twitter.com/DanielJonesEB>
*EngineerBetter* Ltd <http://www.engineerbetter.com> - UK Cloud Foundry
Specialists

On 4 April 2017 at 09:07, Sze Siong Teo <szesiong(a)gmail.com> wrote:

Hi Daniel,

Application Security Groups are implemented via iptables on the host Cell
VMs, and not in the containers.

How does the scenario I've mentioned for AppA and AppB work even if I
enable AppA and AppB to communicate via
http://docs.cloudfoundry.org/devguide/deploy-apps/cf-networking.html? If
iptables is used, I suppose the filtering is between the VM's NIC and the
VLAN NIC created by CF inside the VM?

Because if iptables rules are applied at the VM's intranet IP, then the
filtering rules would affect other apps on the same VM? Or does it work in
some other way?
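The mechanism Dave describes above (traffic leaving AppA is marked with a per-app ID, and the destination host accepts only marked traffic that a whitelist policy allows) as an added simulation; this is not cf-networking's own code. The chain names EXAMPLE-MARK and EXAMPLE-ALLOW, the container IPs, the app placement and the 1, 2, 3 tag sequence are constructed assumptions. The placement mirrors the scenario Sze Siong asked about (AppB instances on two VMs, AppA on one) and adds an AppC with no policy, to show that per-app marks leave unrelated apps on the same VM untouched:

```python
"""Added simulation of mark-based container-to-container policy enforcement.
Not cf-networking code: chain names (EXAMPLE-MARK / EXAMPLE-ALLOW), the
container IPs and the tag sequence are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    source: str       # app allowed to open connections
    destination: str  # app that accepts them
    protocol: str     # "tcp" or "udp"
    port: int


# Constructed placement: app -> [(cell VM, container IP)], mirroring the
# scenario in the thread plus an AppC that has no policy at all.
INSTANCES: Dict[str, List[Tuple[str, str]]] = {
    "AppA": [("vm1", "10.255.1.2")],
    "AppB": [("vm1", "10.255.1.3"), ("vm2", "10.255.2.2")],
    "AppC": [("vm1", "10.255.1.4")],
}

# Whitelist policies: nothing else is reachable container-to-container.
POLICIES = [
    Policy("AppA", "AppB", "tcp", 8080),
    Policy("AppB", "AppA", "tcp", 8080),
]


def assign_tags(policies: List[Policy]) -> Dict[str, int]:
    """One mark value per source app, in first-seen order. (The real system
    allocates tags from a shared store; the 1, 2, 3 ... sequence is ours.)"""
    tags: Dict[str, int] = {}
    for p in policies:
        if p.source not in tags:
            tags[p.source] = len(tags) + 1
    return tags


def render_rules(policies: List[Policy],
                 instances: Dict[str, List[Tuple[str, str]]]) -> Dict[str, List[str]]:
    """Render the iptables-style rules each cell VM would carry: a MARK rule
    for every local instance of a source app, and an ACCEPT rule for every
    local instance of a destination app, keyed on the source app's mark."""
    tags = assign_tags(policies)
    rules: Dict[str, List[str]] = {
        vm: [] for app in instances for vm, _ in instances[app]
    }
    for app, tag in tags.items():
        for vm, ip in instances.get(app, []):
            rules[vm].append(
                f"-A EXAMPLE-MARK -s {ip} -j MARK --set-xmark 0x{tag:x}")
    for p in policies:
        tag = tags[p.source]
        for vm, ip in instances.get(p.destination, []):
            rules[vm].append(
                f"-A EXAMPLE-ALLOW -d {ip} -p {p.protocol} --dport {p.port} "
                f"-m mark --mark 0x{tag:x} -j ACCEPT")
    return rules


def is_allowed(policies: List[Policy], src_app: str, dst_app: str,
               protocol: str, port: int) -> bool:
    """Default deny: a packet gets through only if it carries the source
    app's mark and the destination host has an ACCEPT rule for that mark,
    protocol and port. Which VM either instance runs on is irrelevant."""
    tags = assign_tags(policies)
    mark: Optional[int] = tags.get(src_app)
    if mark is None:          # unmarked traffic never matches an ACCEPT rule
        return False
    return any(
        tags[p.source] == mark and p.destination == dst_app
        and p.protocol == protocol and p.port == port
        for p in policies
    )


if __name__ == "__main__":
    for vm, lines in sorted(render_rules(POLICIES, INSTANCES).items()):
        print(f"# {vm}")
        print("\n".join(lines))
    print(is_allowed(POLICIES, "AppB", "AppA", "tcp", 8080))  # True
    print(is_allowed(POLICIES, "AppC", "AppB", "tcp", 8080))  # False
```

Because the ACCEPT rule is keyed on the mark rather than on a source address, the same rule set works whether AppB's instance lands on vm1 or vm2, and AppC on vm1 gets no rule at all, so its traffic is dropped by the default policy.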


Daniel Jones
 

Hi,

iptables is used when Container Networking is *not* available. If you're
using Container Networking, you might want to ask the folks that are
writing it on cloudfoundry.slack.com in the #container-networking channel.

Regards,
Daniel Jones - CTO
+44 (0)79 8000 9153
@DanielJonesEB <https://twitter.com/DanielJonesEB>
*EngineerBetter* Ltd <http://www.engineerbetter.com> - UK Cloud Foundry
Specialists

On 4 April 2017 at 09:07, Sze Siong Teo <szesiong(a)gmail.com> wrote:

Hi Daniel,

Application Security Groups are implemented via iptables on the host Cell
VMs, and not in the containers.

How does the scenario I've mentioned for AppA and AppB work even if I
enable AppA and AppB to communicate via
http://docs.cloudfoundry.org/devguide/deploy-apps/cf-networking.html? If
iptables is used, I suppose the filtering is between the VM's NIC and the
VLAN NIC created by CF inside the VM?

Because if iptables rules are applied at the VM's intranet IP, then the
filtering rules would affect other apps on the same VM? Or does it work in
some other way?


Sze Siong Teo <szesiong@...>
 

Hi Daniel,

Application Security Groups are implemented via iptables on the host Cell VMs, and not in the containers.
How does the scenario I've mentioned for AppA and AppB work even if I enable AppA and AppB to communicate via http://docs.cloudfoundry.org/devguide/deploy-apps/cf-networking.html? If iptables is used, I suppose the filtering is between the VM's NIC and the VLAN NIC created by CF inside the VM?

Because if iptables rules are applied at the VM's intranet IP, then the filtering rules would affect other apps on the same VM? Or does it work in some other way?


Daniel Jones
 

Hi Sze,

Application Security Groups are implemented via iptables on the host Cell
VMs, and not in the containers. Network traffic coming from processes in
each container is filtered before leaving the VM. Apps on the same VM will
not be able to communicate directly (unless you're using the Container
Networking
<https://docs.cloudfoundry.org/concepts/understand-cf-networking.html>
feature which is quite new, and a totally different topic) and all traffic
between them should be routed via the GoRouter. Because all traffic goes
via the GoRouter, it is not possible to restrict access from one app to
another at the network level without using the Container Networking feature.

You may also like to look at the forthcoming Isolation Segments
<https://lists.cloudfoundry.org/archives/list/cf-dev(a)lists.cloudfoundry.org/thread/GHN7SB2UWX7PPHVW2XEIMHIB6KRENGL7/>
feature which may help you combine CDE apps with non-CDE apps.

Regards,
Daniel Jones - CTO
+44 (0)79 8000 9153
@DanielJonesEB <https://twitter.com/DanielJonesEB>
*EngineerBetter* Ltd <http://www.engineerbetter.com> - UK Cloud Foundry
Specialists

On 3 April 2017 at 22:33, Sze Siong Teo <szesiong(a)gmail.com> wrote:

It seems this mailing list system doesn't show new posts instantly.
Eventual consistency DB?
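Daniel's point above (ASGs are iptables egress filters on the host Cell VM, applied to each container's traffic before it leaves the host) as an added evaluator; this is not Cloud Foundry's own code. It parses the JSON shape used for ASG rules (protocol, destination, ports, description) and decides whether a given egress flow would be allowed, defaulting to deny. The rule set and every address in it are constructed. The final check, a destination that is another container's address, is denied because no rule lists it, which matches Daniel's statement that ASGs alone cannot express app-to-app restrictions:

```python
"""Added example, not Cloud Foundry code: evaluate an Application Security
Group (ASG) rule set the way the host-side egress filter would, default deny.
The JSON shape (protocol/destination/ports/description) is the one ASG
definitions use; the rules and addresses below are constructed."""
import ipaddress
import json
from typing import List, Optional, Tuple

# Constructed ASG: the app may reach the CDE database subnet on 5432, one
# resolver on UDP 53 and a small range of hosts on a few TCP ports.
ASG_JSON = """
[
  {"protocol": "tcp", "destination": "10.10.20.0/24", "ports": "5432",
   "description": "CDE database"},
  {"protocol": "udp", "destination": "10.10.0.2", "ports": "53",
   "description": "resolver"},
  {"protocol": "tcp", "destination": "10.10.30.10-10.10.30.20",
   "ports": "8443,9000-9010"}
]
"""


def parse_destination(spec: str) -> Tuple[int, int]:
    """ASG destinations are a single IP, a CIDR block or an 'a-b' range;
    return the inclusive [low, high] bounds as integers."""
    if "-" in spec:
        lo, hi = (s.strip() for s in spec.split("-", 1))
        return int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi))
    net = ipaddress.ip_network(spec.strip(), strict=False)
    return int(net.network_address), int(net.broadcast_address)


def parse_ports(spec: str) -> List[Tuple[int, int]]:
    """Ports are a comma-separated list of single ports or 'lo-hi' ranges."""
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return ranges


def load_asg(text: str) -> List[dict]:
    """Parse the ASG JSON into rules with pre-computed address bounds."""
    rules = []
    for r in json.loads(text):
        rules.append({
            "protocol": r["protocol"].lower(),
            "dest": parse_destination(r["destination"]),
            "ports": parse_ports(r["ports"]) if r.get("ports") else None,
            "description": r.get("description", ""),
        })
    return rules


def egress_allowed(rules: List[dict], protocol: str, dst_ip: str,
                   port: Optional[int] = None) -> Optional[str]:
    """Return the description of the first rule permitting this flow, or
    None. Anything no rule covers is dropped before it leaves the VM."""
    addr = int(ipaddress.ip_address(dst_ip))
    for r in rules:
        if r["protocol"] not in ("all", protocol):
            continue
        lo, hi = r["dest"]
        if not lo <= addr <= hi:
            continue
        if r["ports"] is not None and (
                port is None or not any(a <= port <= b for a, b in r["ports"])):
            continue
        return r["description"] or "<no description>"
    return None


if __name__ == "__main__":
    asg = load_asg(ASG_JSON)
    print(egress_allowed(asg, "tcp", "10.10.20.7", 5432))   # CDE database
    print(egress_allowed(asg, "tcp", "10.10.20.7", 22))     # None
    print(egress_allowed(asg, "tcp", "10.255.1.3", 8080))   # None
```

Because the filter runs on the host before the packet leaves the VM, the same rule set applies no matter which Cell the container is scheduled on, which is why the evaluator needs no notion of VM placement at all.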


Sze Siong Teo <szesiong@...>
 

It seems this mailing list system doesn't show new posts instantly. Eventual consistency DB?


Sze Siong Teo <szesiong@...>
 

Thanks, I've read that earlier actually.

Does anyone have more experience with the firewall implementation for CloudFoundry, instead of allowing everything between hosts in the private subnet?


Sze Siong Teo <szesiong@...>
 

Hi Alexander,

Thanks for the info. I've discovered that post earlier from a Google search as well. In fact I'm looking for something more specific at the implementation level, as the post about isolating CDE and non-CDE is at a somewhat higher level.

I understand that we can isolate the networks into different subnets to avoid exposing internal servers to the DMZ, but does the network at host level (VMs, not the Garden containers, as I know we can apply ASGs to containers) within the internal network have to be open between all hosts?

When we deploy an app, the containers running our app will be spread across different VMs randomly, so I suppose the firewall or iptables between VMs has to open everything to each other in the same subnet to work properly?

A scenario like this could happen. Let's say we have App A (1 instance) and App B (2 instances):

VM 1: AppA-1, AppB-1
VM 2: AppB-2

If AppA and AppB communicate with each other while AppB gets load balanced, there is a possibility that the AppB instance in VM2 tries to communicate with AppA in VM1. If there is a network-level firewall or iptables applied at the VM level, then it will fail, or is there any way CF can manage iptables updates on the VM automatically?


Alexander Lomov <alexander.lomov@...>
 

Hey!

One of my colleagues was involved in a project with such requirements. You can find his experience in this article:

https://blog.altoros.com/cloud-foundry-security-achieving-pci-dss-compliance.html

Best wishes,
Alex L.

On Apr 3, 2017, at 2:48 PM, Sze Siong Teo <szesiong(a)gmail.com> wrote:

Hi,

Does anyone have experience deploying CloudFoundry in an environment that requires PCI-DSS compliance?

It would be great to hear from anyone regarding that, e.g. how to overcome the concern of firewall-whitelisting the entire CF network subnet while complying with PCI DSS requirements.

Thanks in advance.


Sze Siong Teo <szesiong@...>
 

Hi,

Does anyone have experience deploying CloudFoundry in an environment that requires PCI-DSS compliance?

It would be great to hear from anyone regarding that, e.g. how to overcome the concern of firewall-whitelisting the entire CF network subnet while complying with PCI DSS requirements.

Thanks in advance.