Route integrity on Windows


Aaron Huber

We have been waiting for some time for a solution for route integrity support on Windows and I wanted to check on the status and compare notes on what others are doing.

We are still using the Windows 2012 R2 stack because we require IPSec encryption of the HTTP traffic between the router and the instance. Overall CF has made great progress on removing all non-encrypted traffic across the platform, and the last two places where encryption is missing are NATS, which is finally underway, and route integrity on Windows. Once we close those two gaps we'll finally be able to stop using IPSec on the platform, but until then, since Windows 2019 still doesn't support IPSec along with NAT in containers, we are stuck with the older stack.

There are a few options that we know of:

  • Use the experimental route integrity ops file using Nginx instead of Envoy – is anyone using this successfully in production?
  • Wait for Envoy support on Windows – this has been in progress for a while and Microsoft still seems to be actively working on it, but once it becomes available, will support for it be added to Cloud Foundry?
  • Wait for Kubernetes support to be fully production ready – hopefully the new platform will be fully encrypted from the beginning

What are other platform operators that offer Windows support doing for now?

Aaron Huber
Intel Corporation


Matthew Horan <hmatthew@...>

Hi Aaron,

As you've discovered, the experimental route integrity ops file exists and is a stopgap until Envoy Windows porting work is complete. This experimental ops file uses nginx in place of Envoy, and should be suitable for most usage. It is still considered experimental because we have not received much feedback on it, however we have been using it internally at VMware with no issues for some time now.

VMware and Microsoft are actively working on porting Envoy to Windows, as you noted. This work is ongoing, and no delivery date is available at this time. We are currently working to address performance issues due to the eventing model on Windows specifically, with Microsoft leading those efforts.

I would recommend trying out the experimental ops file to see if it suits your needs. Please feel free to engage with us if you discover issues, as we would love the feedback and look to improve the experience.

Best,
Matt


From: cf-dev@... <cf-dev@...> on behalf of Aaron Huber <aaron.m.huber@...>
Sent: Friday, June 12, 2020 5:32 PM
To: cf-dev@... <cf-dev@...>
Subject: [cf-dev] Route integrity on Windows