-
Notifications
You must be signed in to change notification settings - Fork 121
/
asg.html.md.erb
474 lines (335 loc) · 18.7 KB
/
asg.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
---
title: App security groups in Cloud Foundry
owner: Security
---
App Security Groups (ASGs) are a collection of egress rules that enable you to specify the protocols,
ports, and IP address ranges where app or task instances send traffic.
ASGs define **allow** rules, and their order of evaluation is unimportant when multiple ASGs apply to the same space or deployment. The platform sets up rules to filter and log outbound network traffic
from app and task instances. ASGs apply to both buildpack-based and Docker-based apps and tasks.
## <a id='staging-running'></a> Staging and running ASGs
Admins can define a `staging` ASG for app and task staging, and a `running` ASG for app and task runtime.
When apps or tasks begin staging, they require traffic rules permissive enough to allow
them to pull resources from the network. A running app or task no longer needs to pull resources,
so traffic rules can be more restrictive and secure.
To distinguish between these two security requirements, you can define a `staging` ASG for app and task
staging with more permissive rules, and a `running` ASG for app and task runtime with less permissive rules.
### <a id='types'></a> Platform wide and space scoped ASGs
To provide granular control when securing a deployment, you can assign platform-wide ASGs that apply
to all app and task instances for the entire deployment, or space-scoped ASGs that apply only to apps and tasks in a particular space.
In environments with both platform-wide and space-specific ASGs, the ASGs for a particular space are combined with the platform ASGs to determine the effective rules for that space. Any of the
permitted traffic in the set of applicable ASGs is then effectively permitted for that app.
### <a id='dynamic-asgs'></a> Dynamic ASGs
Dynamic ASGs allow ASGs to be applied to apps without the need for an application restart. Containers using the [Silk CNI](https://github.com/cloudfoundry/silk-release) or NSX-T update their ASGs dynamically; Windows apps and apps using other CNIs do not support Dynamic ASGs at this time.
Dynamic ASGs are enabled with cf deployment v20.0.0 and higher through <a href="https://github.com/cloudfoundry/cf-networking-release/releases/tag/3.0.0">cf-networking-release 3.0.0</a>. It is recommended to use Dynamic ASGs with capi-release v1.126.0 or later for improved
performance on the /v3/security_groups APIs.
To deactivate Dynamic ASGs: use the ops file `operations/disable-dynamic-asgs.yml` from <a href="https://github.com/cloudfoundry/cf-deployment/releases/tag/v20.0.0">cf-deployment v20.0.0</a> or higher.
### <a id='simplifying'></a> Simplifying ASGs with a services subnet
ASGs can be complicated to configure correctly, especially when the specific IP addresses listed in a group change.
To simplify securing a deployment while still allowing apps reach external services, operators can deploy the services into a subnet that is separate from their <%= vars.app_runtime_abbr %> deployment, then create ASGs
for the apps that allow those service subnets, while denying access to any VM hosting other apps.
For examples of typical ASGs, see [Typical ASGs](#typical-groups).
<% if vars.platform_code == 'CF' %>
### <a id='default-asg'></a> Default ASGs
<%= partial "default_asg_oss" %>
<% end %>
<% if vars.platform_code == "PCF" %>
### <a id='default-asg'></a> Default ASGs
<%= partial "/core/default_asg" %>
<% end %>
### <a id="asg-sets"></a> ASG sets
ASGs are applied by configuring ASG sets differentiated by _scope_, platform-wide or space specific, and _lifecycle_, staging or running.
Currently, the following ASG sets exist in <%= vars.app_runtime_abbr %>:
* Platform-wide staging ASG set, also called "default-staging"
* Platform-wide running ASG set, also called "default-running"
* Space-scoped staging ASG set
* Space-scoped running ASG set
In environments with both platform-wide and space-specific ASG sets, combine the ASG sets for a
particular space with the platform ASG sets to determine the rules for that space.
The following table indicates the differences between the four sets:
| When an ASG is bound to the... | the ASG rules are applied to... |
| ------------------------------ | ------------------------------- |
| Platform-wide staging ASG set | the staging lifecycle for all apps and tasks. |
| Platform-wide running ASG set | the running lifecycle for all app and task instances. |
| Space-scoped staging ASG set | the staging lifecycle for apps and tasks in a particular space. |
| Space-scoped running ASG set | the running lifecycle for app and task instances in a particular space. |
Typically, ASGs applied during the staging lifecycle are more permissive than the ASGs applied during the running lifecycle. This is because staging often requires access to different resources, such as dependencies.
You use different commands to apply an ASG to each of the four sets.
To apply a staging ASG to apps within a space, you must use
cf CLI v6.28.0 or later.
For more information, see [Managing ASGs with the cf CLI](#procedures).
### <a id='creating-groups'></a> Structure and attributes of ASGs
ASG rules are specified as a JSON array of ASG objects. An ASG object has the following attributes:
| Attribute | Description | Notes |
| --------- | ----------- | ----- |
| `protocol` | `tcp`, `udp`, `icmp`, or `all` | Required |
<% if vars.platform_code == 'CF' %>
| `destination` | A comma deliminated list of single IP addresses, IP address ranges like `192.0.2.0-192.0.2.50`, or CIDR blocks that can receive traffic | Destination lists became available in capi-release 1.180.0 and can be enabled by setting the `cc.security_groups.enable_comma_delimited_destinations` bosh property to true. |
<% end %>
<% if vars.platform_code == 'PCF' %>
| `destination` | A single IP address, an IP address range like `192.0.2.0-192.0.2.50`, or a CIDR block that can receive traffic | |
<% end %>
| `ports` | A single port, multiple comma-separated ports, or a single range of ports that can receive traffic. Examples: `443`, `80,8080,8081`, `8080-8081` | Only possible if `protocol` is `tcp` or `udp`. |
| `code` | ICMP code | Required when `protocol` is `icmp`. A value of `-1` allows all codes. |
| `type` | ICMP | Required when `protocol` is `icmp`. A value of `-1` allows all types.
| `log` | Set to `true` to enable logging. For more information about how to configure system logs to be sent to a syslog drain, see [Using Log Management Services](../devguide/services/log-management.html). | Logging is only supported with protocol type `tcp`. |
| `description` | An optional field for operators managing ASG rules | |
<% if vars.platform_code == "CF" || vars.platform_code == "PCF" %>
## <a id="process"></a> Managing ASGs
The following table outlines the flow of tasks that you implement over the lifecycle of ASGs.
For information about procedures for each of these tasks, see [Managing ASGs with cf CLI](#procedures).
| | Task | For more information, see: |
| ------ | ---- | -------------------------- |
| 1. | Review the existing ASGs. If this is a new deployment, these consist of only the default ASGs. | [View ASGs](#viewing) |
| 2. | Create new ASGs. | [Create ASGs](#asg-individual) |
| 3. | Update the existing ASGs. | [Update ASGs](#updating-groups) |
| 4. | Bind ASGs to an ASG set. | [Bind ASGs](#binding-groups) |
| 5. | If you need to delete an ASG, first unbind it, then delete it. | [Unbind ASGs](#unbinding-asgs) and [Delete ASGs](#deleting-groups) |
## <a id='procedures'></a> Managing ASGs with cf CLI
Learn about the commands you need to create and manage ASGs.
Many of the following procedures require the Cloud Foundry Command Line Interface (cf CLI).
To download the cf CLI, see [Installing the cf CLI](../cf-cli/install-go-cli.html).
### <a id='viewing'></a> Viewing ASGs
To view information about existing ASGs, run the following commands:
| Command | Output |
| ------- | ------ |
| `cf security-groups` | All ASGs |
| `cf staging-security-groups` | All ASGs applied to the platform-wide staging ASG set |
| `cf running-security-groups` | All ASGs applied to the platform-wide running ASG set |
| `cf security-group ASG` | All rules in the specified ASG, where `ASG` is the name of the ASG |
<%= vars.asg_note %>
### <a id='asg-individual'></a> Creating ASGs
To create an ASG:
1. Create a rules file: a JSON-formatted single array containing objects that describe the rules. See the
following example, which allows ICMP traffic of code `1` and type `0` to all destinations, and TCP traffic to `10.0.11.0/24` on ports `80` and `443`. For more information, see [The Structure and Attributes of ASGs](#creating-groups).
```
[
{
"protocol": "icmp",
"destination": "0.0.0.0/0",
"type": 0,
"code": 0
},
{
"protocol": "tcp",
<% if vars.platform_code == 'CF' %>
"destination": "10.0.11.0/24,8.8.8.8",
<% end %>
<% if vars.platform_code == 'PCF' %>
"destination": "10.0.11.0/24",
<% end %>
"ports": "80,443",
"log": true,
"description": "Allow http and https traffic to ZoneA"
}
]
```
1. Run:
```
cf create-security-group ASG PATH-TO-RULES-FILE.json
```
Where:
<ul>
<li><code>ASG</code> is the name of your ASG.</li>
<li><code>PATH-TO-RULES-FILE.json</code> is the absolute or relative path to a rules file.</li>
</ul>
In the following example, `EXAMPLE-ASG` is the name of an ASG, and `~/workspace/example-asg.json` is the path to a rules file:
<pre class="terminal">
cf create-security-group EXAMPLE-ASG ~/workspace/example-asg.json
</pre>
After the ASG is created, you must bind it to an ASG set before it takes effect. For more information, see [Bind ASGs](#binding-groups).
### <a id='binding-groups'></a> Binding ASGs
Binding an ASG does not affect started apps unless you have [Dynamic ASGs](#dynamic-asgs)
enabled. If deactivated, you need to run `cf restart` for each app. To restart all of the apps in an org or a space, use
the [app-restarter](https://github.com/cloudfoundry-incubator/app-restarter) cf CLI plug-in.
To apply an ASG, you must bind it to an ASG set.
#### Platform-wide staging ASG set
To bind an ASG to the platform wide staging ASG set:
1. Run:
```
cf bind-staging-security-group ASG
```
Where `ASG` is the name of your ASG.
#### Platform-wide running ASG set
To bind an ASG to the platform-wide running ASG set:
1. Run:
```
cf bind-running-security-group ASG
```
Where `ASG` is the name of your ASG.
#### Space-scoped running ASG set
To bind an ASG to a space-scoped running ASG set:
1. Run:
```
cf bind-security-group ASG ORG --space SPACE
```
Where:
<ul>
<li><code>ASG</code> is the name of your ASG.</li>
<li><code>ORG</code> is the name of the org where you want to bind the ASG set.</li>
<li><code>SPACE</code> is the name of the space where you want to bind the ASG set.</li>
</ul>
#### Space-scoped staging ASG set
To bind an ASG to a space scoped staging ASG set:
1. Run:
```
cf bind-security-group ASG ORG --space SPACE --lifecycle staging
```
Where:
<ul>
<li><code>ASG</code> is the name of your ASG.</li>
<li><code>ORG</code> is the name of the org where you want to bind the ASG set.</li>
<li><code>SPACE</code> is the name of the space where you want to bind the ASG set.</li>
</ul>
### <a id='updating-groups'></a> Update ASGs
<p> Updating an ASG does not affect started apps unless you have <a href="#dynamic-asgs">Dynamic ASGs</a>
activated. If deactivated, you need to restart the apps. To restart all of the apps in an org or a space,
use the <a href="https://github.com/cloudfoundry-incubator/app-restarter">app-restarter</a> cf CLI plug-in.</p>
To update an existing ASG:
1. Edit the ASG rules in the JSON file you created in [Create ASGs](#asg-individual).
1. Run:
```
cf update-security-group ASG PATH-TO-RULES-FILE.json
```
Where:
<ul>
<li><code>ASG</code> is name of the existing ASG you want to change.</li>
<li><code>PATH-TO-RULES-FILE.json</code> is the absolute or relative path to a rules file.</li>
</ul>
In the following example, `example-asg` is the name of an ASG, and `~/workspace/example-asg-v2.json` is the path to a rules file:
```
cf update-security-group example-asg ~/workspace/example-asg-v2.json
```
### <a id='unbinding-groups'></a> Unbind ASGs
<p> Unbinding an ASG does not affect started apps unless you have <a href="#dynamic-asgs">Dynamic ASGs</a>
enabled. If deactivated, you need to restart the apps. To restart all of the apps in an org or a space,
use the <a href="https://github.com/cloudfoundry-incubator/app-restarter">app-restarter</a> cf CLI plug-in.</p>
#### Platform-wide staging ASG set
To unbind an ASG from the platform-wide staging ASG set:
1. Run:
```
cf unbind-staging-security-group ASG
```
Where `ASG` is the name of your ASG.
#### Platform-wide running ASG set
To unbind an ASG from the platform-wide running ASG set:
1. Run:
```
cf unbind-running-security-group ASG
```
Where `ASG` is the name of your ASG.
#### Space-scoped ASG set
To unbind an ASG from a specific space:
1. Run:
```
cf unbind-security-group ASG ORG --space SPACE --lifecycle running
```
Where:
<ul>
<li><code>ASG</code> is the name of your ASG.</li>
<li><code>ORG</code> is the org where you want to unbind the ASG set.</li>
<li><code>SPACE</code> is the space where you want to unbind the ASG set.</li>
<li>To unbind from the staging ASG set, replace <code>running</code> with <code>staging</code>.</li>
</ul>
### <a id='deleting-groups'></a> Delete ASGs
<p> You can only delete unbound ASGs. To unbind ASGs, see <a href="#unbinding-groups">Unbind ASGs</a>.</p>
To delete an ASG:
1. Run:
```
cf delete-security-group ASG
```
Where `ASG` is the name of your ASG.
## <a id='typical-groups'></a> Typical ASGs
The following table describes examples of typical ASGs. Configure your ASGs in accordance with your organization's network access policy for untrusted apps.
| ASG | For access to: |
| --- | ---
| `dns` | DNS, either public or private |
| `public-networks` | Public networks, excluding IaaS metadata endpoints |
| `private-networks` | Private networks in accordance with [RFC-1918](https://tools.ietf.org/html/rfc1918#section-3) |
| `load-balancers` | The internal <%= vars.app_runtime_abbr %> load balancer and others |
| `internal-proxies` | Internal proxies |
| `internal-databases` | Internal databases |
### <a id='dns-example'></a> DNS
To resolve hostnames to IP addresses, apps require DNS server connectivity, which typically use port 53. Admins must create or update a `dns` ASG with appropriate rules. Admins can further restrict the DNS servers to specific IP addresses or ranges of IP addresses.
The following is an example `dns` ASG:
```
[
{
"protocol": "tcp",
"destination": "0.0.0.0/0",
"ports": "53"
},
{
"protocol": "udp",
"destination": "0.0.0.0/0",
"ports": "53"
}
]
```
### <a id='public-networks-example'></a> Public networks
Apps often require public network connectivity to retrieve app dependencies, or to integrate with services available on public networks. Example app dependencies include public Maven repositories, NPM, RubyGems, and Docker registries.
<p> You must exclude IaaS metadata endpoints. For example, <code>169.254.169.254</code>, because the
metadata endpoint can expose sensitive environment information to untrusted apps. The following <code>public_networks</code> example accounts for this recommendation.</p>
The following is an example `public_networks` ASG:
```
[
{
"destination": "0.0.0.0-9.255.255.255",
"protocol": "all"
},
{
"destination": "11.0.0.0-169.253.255.255",
"protocol": "all"
},
{
"destination": "169.255.0.0-172.15.255.255",
"protocol": "all"
},
{
"destination": "172.32.0.0-192.167.255.255",
"protocol": "all"
},
{
"destination": "192.169.0.0-255.255.255.255",
"protocol": "all"
}
]
```
### <a id='private-networks-example'></a> Private networks
Network connections that are commonly allowable in private networks include endpoints such as proxy servers, Docker registries, load balancers, databases, messaging servers, directory servers, and file servers. Configure appropriate private network ASGs as appropriate. You might find it helpful to use a naming convention with `private_networks` as part of the ASG name, such as `private_networks_databases`.
<p> You must exclude any private networks and IP addresses that app and task instances must not have access to.</p>
The following is an example `private_networks` ASG:
```
[
{
"protocol": "tcp",
"destination": "10.0.0.0-10.255.255.255",
"ports": "443"
},
{
"protocol": "tcp",
"destination": "172.16.0.0-172.31.255.255",
"ports": "443"
},
{
"protocol": "tcp",
"destination": "192.168.0.0-192.168.255.255",
"ports": "443"
}
]
```
### <a id='marketplace-services'></a> ASGs and Performance on Windows
Each ASG bound to an app results in one or more network policy created on the
Host, depending on the number of destinations (ranges and CIDRs count as one
destination each). Windows apps with ASGs to many destinations will experience
increased latency when the app is starting. Windows apps with ASGs to more than
1000 destinations may fail to start.
### <a id='marketplace-services'></a> Marketplace Services
Each installed Marketplace Service requires its own set of ASG rules to function properly. To determine which
ASG rules it requires, see the installation instructions for each installed Marketplace Service. For more information about how to provision and integrate services, see [Services Overview](../devguide/services/index.html).
## <a id='asg-baseline'></a> About the ASG Creator tool
The ASG Creator is a command line tool that you can use to create JSON rules files. The ASG Creator lets you specify IP addresses, CIDRs, and IP address ranges that you want to disallow traffic to, as well as the addresses that you want to allow traffic to. Based on these disallow/allow (exclude/include) lists that you provide as input, the ASG Creator formulates a JSON file of allow rules.
In turn, the JSON file is the input for the `cf create-security-group` command that creates an ASG.
To download the latest release of the ASG Creator, see the [Cloud Foundry Incubator](https://github.com/cloudfoundry-incubator/asg-creator/releases/latest) repository on GitHub.
## <a id='logging'></a> ASG logging
For information about how you can use ASGs to correlate emitted logs back to an app, see [How to use Application Security Group (ASG) logging](https://community.pivotal.io/s/article/How-to-use-Application-Security-Group-ASG-Logging) in the Tanzu Support Hub.
<% end %>