forked from pivotal-cf/docs-pcf-install
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy path_networking-cloudform.html.md.erb
89 lines (88 loc) · 6.74 KB
/
_networking-cloudform.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
<ol>
<li>Select <strong>Networking</strong>.</li>
<li>Leave the <strong>Router IPs</strong>, <strong>SSH Proxy IPs</strong>, <strong>HAProxy IPs</strong>, and
<strong>TCP Router IPs</strong> fields blank. You do not need to complete these fields
when deploying PCF to AWS with Elastic Load Balancers (ELBs).<p class="note"><strong>Note</strong>: You specify load balancers in the <strong>Resource Config</strong> section of Pivotal Application Service (PAS) later in the installation process. See the <a href="#config-elb">Configure Router to Elastic Load Balancer</a>
section of this topic for more information.</p></li>
<li><%= partial 'haproxy_router_cert_config' %></li>
<li><%= partial 'router_haproxy_ca' %></li>
<li><%= partial 'min_tls_version' %></li>
<li><%= partial 'ip_logging' %></li>
<li><%= partial 'xforwarded_client_cert_xfcc' %></li>
<li><%= partial 'haproxy_client_cert_validation' %></li>
<li><%= partial 'gorouter_client_cert_validation' %></li>
<li>In the <strong>TLS Cipher Suites for Router</strong> field, review the TLS cipher suites for TLS handshakes between Gorouter and front-end clients such as load balancers or HAProxy. The default value for this field is <code>ECDHE-RSA-AES128-GCM-SHA256:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</code>.
<p class='note'><strong>Note:</strong> AWS Classic Load Balancers do not support PCF's default cipher suites.
See <a href="../adminguide/securing-traffic.html#default">TLS Cipher Suite Support by AWS Load Balancers</a>
for information about configuring your AWS load balancers and Gorouter.</p>
If you want to modify the default configuration,
use an ordered, colon-delimited list of Golang-supported TLS cipher suites in the OpenSSL format.
<br> Operators should verify that the ciphers are supported by any clients or front-end components that will initiate TLS handshakes with Gorouter. For a list of TLS ciphers supported by Gorouter, see <a href="../adminguide/securing-traffic.html#ciphers">Securing Traffic into Cloud Foundry</a>.
<%= image_tag 'networking_tls_router.png' %>
Verify that every client participating in TLS handshakes with Gorouter has at least one cipher suite in common with Gorouter.
<p class="note"><strong>Note</strong>: Specify cipher suites that are supported by the versions configured in the <strong>Minimum version of TLS supported by HAProxy and Router</strong> field.</p></li>
<li><%= partial 'tls_cipher_suites_haproxy' %> </li>
<li><%= partial 'haproxy_router_tls_forward' %></li>
<li><%= partial 'haproxy_hsts_config_cloudform' %></li>
<li><%= partial 'ssl_verification' %></li>
<li><%= partial 'http_disable' %></li>
<li><%= partial 'insecure_cookies' %> </li>
<li><%= partial 'zipkin_enable' %></li>
<li><%= partial 'enable_router_local_logs' %></li>
<li>By default, the PAS routers handle traffic for applications deployed to an isolation segment created by the PCF Isolation Segment tile. To configure the PAS routers to reject requests for applications within isolation segments, select the <b>Routers reject requests for Isolation Segments</b> checkbox.
<%= image_tag 'isolate-network.png' %>
Do not enable this option without deploying routers for each isolation segment. See the following topics for more information:
<ul>
<li><a href="../customizing/installing-pcf-is.html">Installing PCF Isolation Segment</a></li>
<li><a href="../adminguide/routing-is.html#sharding-routers-isolation-segment">Sharding Routers for Isolation Segments</a></li>
</ul></li>
<li><%= partial 'enable-proxy-support' %></li>
<li><%= partial 'route_services' %></li>
<li><%= partial 'max_connections_backend' %></li>
<li><%= partial 'keepalive_connections' %></li>
<li><%= partial 'router_timeout_backend' %></li>
<li><%= partial 'frontend_idle_timeout' %></li>
<li><%= partial 'lb_unhealthy_threshold' %> </li>
<li><%= partial 'lb_healthy_threshold' %></li>
<img alt="LB Healthy Threshold Field" src="images/router_lb_thresholds.png">
<li><%= partial 'http_headers_to_log' %></li>
<img alt="Http Headers to Log" src="images/headers_to_log.png">
<li><%= partial 'haproxy_request_max_buffer' %></li>
<li><%= partial 'protected_domains' %></li>
<li>For Loggregator Port, you must enter <code>4443</code> In AWS deployments, port 4443 forwards SSL traffic that supports WebSockets from the ELB. Do not use the default port of <code>443</code></li>
<li>
For <b>Container Network Interface Plugin</b>, ensure <b>Silk</b> is selected and review the following fields:
<%= image_tag 'images/cni-silk.png' %>
<p class="note"><strong>Note</strong>: The <b>External</b> option exists to support NSX-T integration for vSphere deployments.</p>
<ol>
<li><%= partial 'app_mtu' %> </li>
<li><%= partial 'c2c-overlay' %></li>
<li><%= partial 'c2c-vxlan' %></li>
<%= partial 'log-app-traffic-enable' %>
</ol>
</li>
<li>For <b>DNS Search Domains</b>, enter DNS search domains as a comma-separated list. Your containers append these search domains to hostnames to resolve them into full domain names.
<%= image_tag 'images/dns-search-domains.png' %>
</li>
<li><%= partial 'networking_database_timeout' %></li>
<li>(Optional) TCP Routing is disabled by default. You should enable this feature if your DNS sends TCP traffic through a load balancer rather than directly to a TCP router. To enable TCP routing:
<ol>
<li>Select <strong>Enable TCP Routing</strong> </li>
<li>For <b>TCP Routing Ports</b>, enter a single port or a range of ports for the load balancer to forward to. If you <a href="../om/aws/prepare-env-manual.html">configured AWS for PCF manually</a>, enter <code>1024-1123</code> which corresponds to the rules you created for <code>pcf-tcp-elb</code>.
<ul>
<li>To support multiple TCP routes, Pivotal recommends allocating multiple ports.</li>
<li>To allocate a list of ports rather than a range:
<ol>
<li>Enter a single port in the <b>TCP Routing Ports</b> field.</li>
<li>After deploying PAS, follow the directions in <a href="https://docs.pivotal.io/pivotalcf/2-3/pcf-release-notes/runtime-rn.html#tcp-port-config">Configuring a List of TCP Routing Ports</a> to add TCP routing ports using the cf CLI.</li>
</ol>
</li>
</ul>
</li>
<li>For AWS, you also need to specify the name of a TCP ELB in the <strong>LOAD BALANCER</strong> column of TCP Router job of the <code>Resource Config</code> screen. You configure this later on in PAS. For more information, see the <a href="#config-elb">Configure Router to Elastic Load Balancer</a> topic.</li>
</ol>
<%= image_tag 'images/ert_tcp_routing_enable.png' %>
</li>
<li><%= partial 'tcp_routing_disable' %></li>
<li>Click <strong>Save</strong></li>
</ol>