forked from pivotal-cf/docs-pcf-install
-
Notifications
You must be signed in to change notification settings - Fork 0
/
_networking-cloudform.html.md.erb
72 lines (71 loc) · 5.97 KB
/
_networking-cloudform.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
<ol>
<li>Select <strong>Networking</strong>.</li>
<li>Leave the <strong>Router IPs</strong>, <strong>SSH Proxy IPs</strong>, <strong>HAProxy IPs</strong>, and
<strong>TCP Router IPs</strong> fields blank. You do not need to complete these fields
when deploying PCF to AWS with Elastic Load Balancers (ELBs).<p class="note"><strong>Note</strong>: You specify load balancers in the <strong>Resource Config</strong> section of Pivotal Application Service (PAS) later in the installation process. See the <a href="#config-elb">Configure Router to Elastic Load Balancer</a>
section of this topic for more information.</p></li>
<li><%= partial 'haproxy_router_cert_config' %></li>
<li><%= partial 'router_haproxy_ca' %></li>
<li><%= partial 'min_tls_version' %></li>
<li><%= partial 'xforwarded_client_cert_xfcc' %></li>
<li><%= partial 'gorouter_client_cert_validation' %></li>
<li>In the <strong>TLS Cipher Suites for Router</strong> field, review the TLS cipher suites for TLS handshakes between Gorouter and front-end clients such as load balancers or HAProxy. The default value for this field is <code>ECDHE-RSA-AES128-GCM-SHA256:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</code>.
<p class='note'><strong>Note:</strong> AWS Classic Load Balancers do not support PCF's default cipher suites.
See <a href="../adminguide/securing-traffic.html#default">TLS Cipher Suite Support by AWS Load Balancers</a>
for information about configuring your AWS load balancers and Gorouter.</p>
If you want to modify the default configuration,
use an ordered, colon-delimited list of Golang-supported TLS cipher suites in the OpenSSL format.
<br> Operators should verify that the ciphers are supported by any clients or front-end components that will initiate TLS handshakes with Gorouter. For a list of TLS ciphers supported by Gorouter, see <a href="../adminguide/securing-traffic.html#ciphers">Securing Traffic into Cloud Foundry</a>.
<%= image_tag 'networking_tls_router.png' %>
Verify that every client participating in TLS handshakes with Gorouter has at least one cipher suite in common with Gorouter.
<p class="note"><strong>Note</strong>: Specify cipher suites that are supported by the versions configured in the <strong>Minimum version of TLS supported by HAProxy and Router</strong> field.</p></li>
<li><%= partial 'tls_cipher_suites_haproxy' %> </li>
<li><%= partial 'haproxy_router_tls_forward' %></li>
<li><%= partial 'haproxy_hsts_config_cloudform' %></li>
<li><%= partial 'ssl_verification' %></li>
<li><%= partial 'http_disable' %></li>
<li><%= partial 'insecure_cookies' %> </li>
<li><%= partial 'zipkin_enable' %></li>
<li><%= partial 'enable_router_local_logs' %></li>
<li>By default, the PAS routers handle traffic for applications deployed to an isolation segment created by the PCF Isolation Segment tile. To configure the PAS routers to reject requests for applications within isolation segments, select the <b>Routers reject requests for Isolation Segments</b> checkbox.
<%= image_tag 'isolate-network.png' %>
Do not enable this option without deploying routers for each isolation segment. See the following topics for more information:
<ul>
<li><a href="../customizing/installing-pcf-is.html">Installing PCF Isolation Segment</a></li>
<li><a href="../adminguide/routing-is.html#sharding-routers-isolation-segment">Sharding Routers for Isolation Segments</a></li>
</ul></li>
<li><%= partial 'enable-proxy-support' %></li>
<li><%= partial 'route_services' %></li>
<li><%= partial 'max_connections_backend' %></li>
<li><%= partial 'keepalive_connections' %></li>
<li><%= partial 'router_timeout_backend' %></li>
<li><%= partial 'frontend_idle_timeout' %></li>
<li><%= partial 'lb_unhealthy_threshold' %> </li>
<li><%= partial 'lb_healthy_threshold' %></li>
<img alt="LB Healthy Threshold Field" src="images/router_lb_thresholds.png">
<li><%= partial 'http_headers_to_log' %></li>
<img alt="Http Headers to Log" src="images/headers_to_log.png">
<li><%= partial 'haproxy_request_max_buffer' %></li>
<li><%= partial 'protected_domains' %></li>
<li>For Loggregator Port, you must enter <code>4443</code> In AWS deployments, port 4443 forwards SSL traffic that supports WebSockets from the ELB. Do not use the default port of <code>443</code></li>
<li>
For <b>Container Network Plugin Interface</b>, ensure <b>Silk</b> is selected and review the following fields:
<%= image_tag 'images/cni-silk.png' %>
<p class="note"><strong>Note</strong>: The <b>External</b> option exists to support NSX-T integration for vSphere deployments.</p>
<ol>
<li><%= partial 'app_mtu' %> </li>
<li><%= partial 'c2c-overlay' %></li>
<li><%= partial 'c2c-vxlan' %></li>
<%= partial 'log-app-traffic-enable' %><li><%= partial 'dns-servers' %></li>
</ol>
</li>
<li>TCP Routing is disabled by default. To enable this feature, perform the following steps:
<ol>
<li>Select <strong>Enable TCP Routing</strong> </li>
<li>In <strong>TCP Routing Ports</strong> enter a range of ports to be allocated for TCP Routes. If you <a href="./pcf-aws-manual-config.html">configured AWS for PCF manually</a>, enter <code>1024-1123</code> which corresponds to the rules you created for <code>pcf-tcp-elb</code> Configuration of this field is only applied on the first deploy, and update updates to the port range are made using the cf CLI. For details about modifying the port range, see the <a href="../adminguide/enabling-tcp-routing.html#router-groups">Router Groups</a> topic.
<%= image_tag 'images/ert_tcp_routing_enable.png' %> </li>
<li>For AWS, you also need to specify the name of a TCP ELB in the <strong>LOAD BALANCER</strong> column of TCP Router job of the <code>Resource Config</code> screen. You configure this later on in PAS. For more information, see the <a href="#config-elb">Configure Router to Elastic Load Balancer</a> topic.</li>
</ol></li>
<li><%= partial 'tcp_routing_disable' %></li>
<li>Click <strong>Save</strong></li>
</ol>