forked from cloudfoundry/docs-cloudfoundry-concepts

_default_asg_oss.html.md.erb
Cloud Foundry preconfigures two ASGs: `public_networks` and `dns`.
Unless you modify these before your initial deployment, these ASGs are applied by default to all containers in your deployment.
- `public_networks`: This group allows access to public networks, and blocks access to private networks and link-local addresses.
  Cloud Foundry blocks outgoing traffic to the following IP address ranges by specifically allowing traffic to all other addresses:
  - 10.0.0.0 - 10.255.255.255
  - 169.254.0.0 - 169.254.255.255
  - 172.16.0.0 - 172.31.255.255
  - 192.168.0.0 - 192.168.255.255
- `dns`: This group allows access to DNS on port 53 for any IP address.
The default ASGs are defined in the [cf.yml](https://github.com/cloudfoundry/cf-release/blob/master/templates/cf.yml) file as follows:
<pre>
default_security_group_definitions:
- name: public_networks
  rules:
  - protocol: all
    destination: 0.0.0.0-9.255.255.255
  - protocol: all
    destination: 11.0.0.0-169.253.255.255
  - protocol: all
    destination: 169.255.0.0-172.15.255.255
  - protocol: all
    destination: 172.32.0.0-192.167.255.255
  - protocol: all
    destination: 192.169.0.0-255.255.255.255
- name: dns
  rules:
  - protocol: tcp
    destination: 0.0.0.0/0
    ports: '53'
  - protocol: udp
    destination: 0.0.0.0/0
    ports: '53'
</pre>
You should modify the default ASGs to block outbound traffic as necessary for your installation.
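As an added check (example code written for this page, not part of the Cloud Foundry docs or cf-release), the script below evaluates the two default groups above the way an operator would before changing them: it computes which IPv4 ranges the `public_networks` allow-list leaves unreachable, confirming they are exactly the four private and link-local ranges listed, and answers whether a given destination, protocol and port is permitted by a group. It assumes an ASG `destination` is a single IP, an `a-b` range or a CIDR block, and that `ports` is a comma-separated list of single ports or `lo-hi` ranges.

```python
import ipaddress
# Default public_networks rules, transcribed from the cf.yml excerpt on this page.
PUBLIC_NETWORKS = [
    {"protocol": "all", "destination": "0.0.0.0-9.255.255.255"},
    {"protocol": "all", "destination": "11.0.0.0-169.253.255.255"},
    {"protocol": "all", "destination": "169.255.0.0-172.15.255.255"},
    {"protocol": "all", "destination": "172.32.0.0-192.167.255.255"},
    {"protocol": "all", "destination": "192.169.0.0-255.255.255.255"},
]
# Default dns rules, also transcribed from the page.
DNS = [
    {"protocol": "tcp", "destination": "0.0.0.0/0", "ports": "53"},
    {"protocol": "udp", "destination": "0.0.0.0/0", "ports": "53"},
]
def destination_bounds(dest):
    """(first, last) as ints for an ASG destination written as 'a-b', CIDR, or a single IP (assumed syntax)."""
    if "-" in dest:
        lo, hi = dest.split("-", 1)
        return int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi))
    net = ipaddress.IPv4Network(dest, strict=False)
    return int(net.network_address), int(net.broadcast_address)
def port_matches(ports, port):
    """ASG 'ports' is assumed to be comma-separated single ports or lo-hi ranges; absent means any port."""
    if ports is None or port is None:
        return True
    for item in ports.split(","):
        lo, _, hi = item.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False
def is_allowed(rules, ip, protocol="tcp", port=None):
    """True if any rule in the group permits traffic to ip over protocol/port."""
    n = int(ipaddress.IPv4Address(ip))
    for r in rules:
        lo, hi = destination_bounds(r["destination"])
        if r["protocol"] in ("all", protocol) and lo <= n <= hi and port_matches(r.get("ports"), port):
            return True
    return False
def blocked_ranges(rules):
    """Every IPv4 address not covered by any rule's destination, as 'a-b' strings (the implicit deny)."""
    spans = sorted(destination_bounds(r["destination"]) for r in rules)
    gaps, cursor = [], 0
    for lo, hi in spans:
        if lo > cursor:
            gaps.append((cursor, lo - 1))
        cursor = max(cursor, hi + 1)
    if cursor < 2 ** 32:
        gaps.append((cursor, 2 ** 32 - 1))
    return [f"{ipaddress.IPv4Address(a)}-{ipaddress.IPv4Address(b)}" for a, b in gaps]
```

Running `blocked_ranges` again after editing the group shows immediately whether a new allow rule has reopened part of the private or link-local space.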