Three Improvements to Cloud Foundry Routing: Security, Resiliency and Consistency

By: Shannon Coen | February 27, 2018

On behalf of Eric Malm, the Cloud Foundry Diego team and the Cloud Foundry Routing team, I am thrilled to announce three exciting improvements to Cloud Foundry, rolled up in one shiny feature, available now using this operations file with cf-deployment 1.15.0. If these sound valuable to you, please give it a try and send us your feedback.

  1. Increased security: Gorouter will encrypt traffic to application containers via TLS.
  2. Increased resiliency: Gorouter will ignore the TTL of app routes, keeping your apps available during failures in the routing control plane.
  3. Increased consistency: Gorouter will use the certificate presented in the TLS handshake to validate the identity of application instances before forwarding HTTP requests. Optimizing for availability increases the risk of misrouting: a healthy Diego will continue recreating containers to keep your apps running, and the probability of port reuse is statistically significant. Validating the instance identity strengthens the guarantees against misrouting.

All this without any additional burden on application developers! Cloud Foundry will automatically generate the necessary certificates for each container, rotate them periodically, and use them to transparently terminate TLS for traffic from Gorouter. This effort represents our first integration with Envoy, a feature-rich proxy developed at Lyft and recently contributed to the CNCF, laying a foundation for future Istio-driven polyglot service-mesh features in Cloud Foundry. When the feature is enabled, Cloud Foundry runs an Envoy proxy in each application container for terminating TLS and increases container resource quotas to avoid any impact to the application.
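The identity check from item 3, sketched as an added example (not Gorouter's code and not from the original post): the router-side decision that rejects a stale route whose port has been reused by a different container. The instance IDs, CA names and helper names are constructed, and carrying the instance ID in a DNS SAN is an assumption made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs a certificate whose CN and DNS SAN are name; a nil parent yields a self-signed CA.
func issue(name string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: name}, DNSNames: []string{name}, // SAN use is an assumption
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		tpl.IsCA, tpl.BasicConstraintsValid, tpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// checkBackend accepts only a certificate from the platform CA that names the expected instance.
func checkBackend(roots *x509.CertPool, presented *x509.Certificate, expectedID string) error {
	_, err := presented.Verify(x509.VerifyOptions{Roots: roots, DNSName: expectedID})
	return err
}

// demo checks a current route, a stale route whose port was reused, and an untrusted issuer.
func demo() (current, stale, untrusted error) {
	ca, caKey := issue("constructed-platform-ca", nil, nil)
	rogueCA, rogueKey := issue("constructed-rogue-ca", nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	instB, _ := issue("instance-bbbb", ca, caKey)          // container now on the reused port
	forged, _ := issue("instance-aaaa", rogueCA, rogueKey) // expected name, wrong issuer
	current, stale = checkBackend(roots, instB, "instance-bbbb"), checkBackend(roots, instB, "instance-aaaa")
	return current, stale, checkBackend(roots, forged, "instance-aaaa")
}

func main() { fmt.Println(demo()) }
```

Only the first case returns nil; the stale route fails on the name mismatch before any HTTP request is sent, which is what lets the router keep routes past their TTL without delivering traffic to the wrong app.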

We’re currently rolling this feature out on Pivotal Web Services, where we’ll watch how the system performs for a bit before making this configuration the default in cf-deployment, eliminating the need for an operations file.

For details and configuration instructions, please see our documentation:

The original proposal for the feature can be found here.

In addition to replying to this announcement, feedback can be provided in the Cloud Foundry team Slack channels #diego and #routing.

Shannon Coen, AUTHOR