
Pivotal Cloud Foundry Developer Certification - Application Security Groups


What is an application security group (ASG)? What does it do?
Application Security Groups (ASGs) are collections of egress rules that specify the protocols, ports, and IP address ranges to which app or task instances may send traffic. The platform uses these rules to filter and log outbound network traffic from app and task instances. ASGs apply to both buildpack-based and Docker-based apps and tasks.

Types of ASGs:
  Default : public_networks, dns
  Staging vs Running
  Platform-wide vs Space-scoped

Typical ASGs:
  ASG                : For access to
  dns                : DNS, either public or private
  public-networks    : Public networks, excluding IaaS metadata endpoints
  private-networks   : Private networks in accordance with RFC 1918
  load-balancers     : The internal Cloud Foundry load balancer and others
  internal-proxies   : Internal proxies
  internal-databases : Internal databases

How do you define one?
Create it from a JSON rules file:
cf create-security-group SECURITY-GROUP PATH-TO-RULES-FILE

Rules file, e.g.:
[
  {
    "protocol": "icmp",
    "destination": "0.0.0.0/0",
    "type": 0,
    "code": 0
  },
  {
    "protocol": "tcp",
    "destination": "10.0.11.0/24",
    "ports": "80,443",
    "log": true,
    "description": "Allow http and https traffic from ZoneA"
  }
]

To bind an ASG to the platform-wide staging ASG set:
cf bind-staging-security-group SECURITY-GROUP

What can an ASG apply to?

An ASG can be applied to:
1. the platform-wide running or staging ASG set
2. a space-scoped running or staging set

What is the difference between whitelisting and blacklisting? Which do you use when defining an ASG?
ASGs use whitelisting. A whitelist defines the permitted set of destinations: only traffic that matches a rule is allowed, and everything else is denied. A blacklist would instead list what to deny and allow everything else.
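An added example, not from the post and not Cloud Foundry's own code, that ties the rules-file format above to the whitelist answer. It loads a constructed rules file in the same shape as the one shown, lints each rule (protocol, destination, ports, ICMP type/code), flags any tcp/udp rule whose destination reaches the IaaS metadata endpoint 169.254.169.254 (the reason the public_networks ASG excludes it), and then evaluates a destination against the rules with whitelist semantics, so an unmatched destination is denied. The IP-range destination form "a.b.c.d-e.f.g.h", the port-range form "8080-8090", and the -1 wildcard for ICMP type and code are taken from the Cloud Foundry documentation and are assumptions here, not statements of the post; the third, deliberately over-broad rule in the sample is constructed.

```python
import ipaddress
import json

# Constructed sample: the two rules from the post plus a deliberately over-broad
# third rule that would let every app reach the IaaS metadata endpoint.
SAMPLE_RULES_JSON = """
[
  {"protocol": "icmp", "destination": "0.0.0.0/0", "type": 0, "code": 0},
  {"protocol": "tcp", "destination": "10.0.11.0/24", "ports": "80,443",
   "log": true, "description": "Allow http and https traffic from ZoneA"},
  {"protocol": "tcp", "destination": "169.254.0.0/16", "ports": "80"}
]
"""

# Well-known link-local metadata address used by AWS, OpenStack and others.
METADATA_ENDPOINT = ipaddress.ip_address("169.254.169.254")
VALID_PROTOCOLS = {"tcp", "udp", "icmp", "all"}


def load_rules(text):
    """Parse a rules file (a JSON array of rule objects) into a list of dicts."""
    return json.loads(text)


def parse_destination(dest):
    """Return ip_network objects covering a destination string.
    Accepts a single IP, a CIDR, or an inclusive range 'a.b.c.d-e.f.g.h'
    (the range form follows the CF docs; assumption, not from the post)."""
    if "-" in dest:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in dest.split("-", 1))
        if lo > hi:
            raise ValueError(f"inverted range: {dest}")
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.ip_network(dest, strict=False)]


def parse_ports(ports):
    """Expand a port spec such as '80,443,8080-8090' into a set of ints."""
    result = set()
    for part in str(ports).split(","):
        part = part.strip()
        lo, hi = (int(p) for p in part.split("-", 1)) if "-" in part else (int(part),) * 2
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"bad port spec: {part}")
        result.update(range(lo, hi + 1))
    return result


def validate_rules(rules):
    """Lint a rules list; returns [(rule_index, message), ...], empty when clean."""
    problems = []
    for i, rule in enumerate(rules):
        proto = rule.get("protocol")
        if proto not in VALID_PROTOCOLS:
            problems.append((i, f"unknown protocol {proto!r}"))
            continue
        try:
            nets = parse_destination(rule["destination"])
        except (KeyError, ValueError) as exc:
            problems.append((i, f"bad destination: {exc}"))
            continue
        if proto in ("tcp", "udp"):
            if "ports" not in rule:
                problems.append((i, f"{proto} rule needs 'ports'"))
            else:
                try:
                    parse_ports(rule["ports"])
                except ValueError as exc:
                    problems.append((i, str(exc)))
            # Defender check: an app-reachable rule must not cover the metadata endpoint.
            if any(METADATA_ENDPOINT in n for n in nets):
                problems.append((i, "destination covers the IaaS metadata endpoint"))
        if proto == "icmp":
            for key in ("type", "code"):  # -1 is the CF wildcard (assumption)
                val = rule.get(key)
                if not isinstance(val, int) or not -1 <= val <= 255:
                    problems.append((i, f"icmp {key} missing or out of range: {val!r}"))
    return problems


def is_permitted(rules, protocol, ip, port=None):
    """Whitelist semantics: allowed only if some rule matches; otherwise denied."""
    addr = ipaddress.ip_address(ip)
    for rule in rules:
        proto = rule["protocol"]
        if proto not in ("all", protocol):
            continue
        if not any(addr in n for n in parse_destination(rule["destination"])):
            continue
        if proto in ("tcp", "udp") and port not in parse_ports(rule["ports"]):
            continue
        return True
    return False


if __name__ == "__main__":
    rules = load_rules(SAMPLE_RULES_JSON)
    for idx, msg in validate_rules(rules):
        print(f"rule {idx}: {msg}")
    print("10.0.11.7:443 permitted:", is_permitted(rules[:2], "tcp", "10.0.11.7", 443))
    print("10.0.11.7:22 permitted:", is_permitted(rules[:2], "tcp", "10.0.11.7", 22))
```

Run against the sample, the linter reports only the third rule (the metadata endpoint lies inside 169.254.0.0/16), and the evaluator permits 10.0.11.7:443 but denies 10.0.11.7:22 because no rule lists port 22; that denial-by-default is what "ASGs use whitelisting" means in practice.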
