Tags: security, service, private, cloud-foundry, discovery

Cloud Foundry - Discovering a backend application without a public route


I'd like to implement micro service architecture on CF (run.pivotal.io) and have problems with creating my private backend services.

As I see it, I have two options at deployment: with and without a route.

  1. With a route my services become public, which is ok for my public site and my public REST API, but I don't want it for my backend services.

  2. Without route I don't see how should I do service discovery.

What I found already:

  1. Use the VCAP_APPLICATION env variable and create my own service discovery (or use something like Eureka) based on that. Does this always give me a valid IP:PORT? No matter which DEA my app is running on, is it reachable on this IP:PORT by other apps on other DEAs?

  2. Register my backend app as a service and bind it, then use VCAP_SERVICES. I'd like to do this but only found documentation about registering services outside CF. Is there a simple way to bind my own app as a service?

So what would be really nice is to be able to mark an app as private but still assign a host and domain to it, so (only) my other apps could call it through the CF load balancers but it would be protected from the public.


Solution

  • Answers inline...

    As I see it, I have two options at deployment: with and without a route.

    This depends on the Cloud Foundry installation and how it's configured. On PWS, you cannot talk directly between application instances. It's a security restriction. You have to go through the router.

    With a route my services become public, which is ok for my public site and my public REST API, but I don't want it for my backend services.

    The best you can do here is to add application level (or container level, if you prefer) security to prevent unauthorized access.

    If you don't want to do password based authentication, you could do IP based filtering. On PWS, we just added a service with Statica. You can use that to send your outbound traffic through a proxy which will assign a static IP to that traffic. You could then restrict access to your app to only the Statica IPs.

    Without route I don't see how should I do service discovery.

    If you remove the route, you can't send traffic to the app.

    Use the VCAP_APPLICATION env variable and create my own service discovery (or use something like Eureka) based on that. Does this always give me a valid IP:PORT? No matter which DEA my app is running on, is it reachable on this IP:PORT by other apps on other DEAs?

    You'd probably need to use this enhancement. It was added to support this type of deployment. However, this will only work on Cloud Foundry installations where the networking restrictions between application instances have been relaxed. Normally you cannot talk directly between instances.

    Register my backend app as a service and bind it, then use VCAP_SERVICES. I'd like to do this but only found documentation about registering services outside CF. Is there a simple way to bind my own app as a service?

    You can create a "user provided" service. Look at the cf cups command. It lets you create a service with an arbitrary set of parameters and data. This could contain the URLs for your services. Once you create the service, you can bind it to any number of apps.
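The two practical recommendations in the answer, a routed backend that protects itself at the application level (source-IP allowlist plus a shared secret) and a user-provided service created with `cf cups` so callers can find the backend via VCAP_SERVICES, are illustrated below in one added example. This is not code from the question, the answer, or Cloud Foundry itself. Assumptions: the CF router is the only proxy in front of the app, so the rightmost X-Forwarded-For entry is the address the router saw (the Statica egress IP in the proxied setup); the service name `inventory-backend`, the header name `X-Backend-Token`, the URLs, the token and the CIDR are made up for the example; and VCAP_SERVICES is fed in as a constructed JSON string rather than read from the real environment.

```python
"""Backend-side request filtering and client-side discovery for a CF backend
that has a public route but should only be reachable by sibling apps.

Added example; names, addresses and the token are hypothetical.
"""
import hmac
import ipaddress
import json
import os

# ---------------------------------------------------------------------------
# Backend side: only accept requests from allowlisted source IPs that also
# present the shared secret. Both checks are cheap and independent, so a
# leaked token alone, or a spoofed header alone, is not enough.
# ---------------------------------------------------------------------------

def client_ip_from_xff(xff_header):
    """Return the address the CF router saw for this request.

    The router appends the peer address it accepted the connection from to
    X-Forwarded-For. The leftmost entries are attacker-controlled (the client
    can send any X-Forwarded-For it likes), so we trust only the rightmost
    entry. Assumption: no other load balancer sits in front of the router.
    """
    if not xff_header:
        return None
    parts = [p.strip() for p in xff_header.split(",") if p.strip()]
    return parts[-1] if parts else None


def is_authorized(headers, allowed_cidrs, shared_secret):
    """True only if the request came from an allowlisted IP AND carries the
    shared secret in X-Backend-Token (hypothetical header name)."""
    ip = client_ip_from_xff(headers.get("X-Forwarded-For"))
    if ip is None:
        return False
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # garbage in the header: deny, do not guess
    if not any(addr in ipaddress.ip_network(cidr) for cidr in allowed_cidrs):
        return False
    presented = headers.get("X-Backend-Token", "")
    # Constant-time comparison so the token cannot be guessed byte by byte.
    return hmac.compare_digest(presented.encode("utf-8"),
                               shared_secret.encode("utf-8"))


# ---------------------------------------------------------------------------
# Client side: discover the backend through a user-provided service.
# The operator would have created it with, e.g.:
#   cf cups inventory-backend -p '{"url":"https://...","token":"..."}'
#   cf bind-service my-frontend inventory-backend
# after which CF exposes it under the "user-provided" key of VCAP_SERVICES.
# ---------------------------------------------------------------------------

# Constructed sample of what VCAP_SERVICES looks like after binding (not a
# real environment dump; hostname and token are invented).
SAMPLE_VCAP_SERVICES = json.dumps({
    "user-provided": [
        {
            "name": "inventory-backend",
            "label": "user-provided",
            "tags": [],
            "credentials": {
                "url": "https://inventory-backend.example.cfapps.io",
                "token": "s3cr3t-token-from-cups",
            },
        }
    ]
})


def find_user_provided_service(vcap_services_json, name):
    """Return the credentials dict of the named user-provided service."""
    services = json.loads(vcap_services_json)
    for entry in services.get("user-provided", []):
        if entry.get("name") == name:
            return entry["credentials"]
    raise KeyError("user-provided service not bound: %s" % name)


def backend_request_headers(creds):
    """Headers a caller attaches so the backend's is_authorized() passes."""
    return {"X-Backend-Token": creds["token"]}


if __name__ == "__main__":
    # In a real app: os.environ["VCAP_SERVICES"]; here the constructed sample.
    vcap = os.environ.get("VCAP_SERVICES", SAMPLE_VCAP_SERVICES)
    creds = find_user_provided_service(vcap, "inventory-backend")
    print("backend url:", creds["url"])
    hdrs = backend_request_headers(creds)
    hdrs["X-Forwarded-For"] = "203.0.113.7, 198.51.100.9"  # as the router would add
    print("authorized:", is_authorized(hdrs, ["198.51.100.0/24"], creds["token"]))
```

The allowlist check is only as good as the proxy chain assumption behind it: if a load balancer is inserted in front of the router, the trusted entry moves one position to the left and the function must be adjusted, otherwise every request will be attributed to the load balancer's address. Keeping the shared-secret check alongside it means that mistake degrades to "token only" rather than "open".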