forked from pivotal-cf/docs-pcf-install
_networking-is.html.md.erb
Perform the following steps to configure the PCF Isolation Segment tile:
1. Click **Networking**.
<%= image_tag('router-ha-ip.png') %>
1. (Optional) Under **Router IPs**, enter one or more static IP addresses for the routers that handle this isolation segment. These IP addresses must be within the subnet CIDR block that you defined in the Ops Manager network configuration for your Isolation Segment. If you have a load balancer, configure it to point to these IP addresses.
<p class="note"><strong>Note</strong>: Entering the static IP addresses is not necessary for deployments running on a public IaaS such as AWS, GCP, or Azure because PCF users specify the IaaS load balancer in the <strong>Resource Config</strong> section of the <strong>PCF Isolation Segment</strong> tile.</p>
1. If you want to use HAProxy for this isolation segment, enter at least one address in the **HAProxy IPs** field. You should specify more than one IP address for high availability. Then configure your load balancer to forward requests for the domains you have set up for your deployment to these IP addresses. For more information, see <a href="../opsguide/ssl-term-haproxy.html">Configuring SSL/TLS Termination at HAProxy</a>.
<p class="note"><strong>Note</strong>: If you rely on HAProxy for a feature in Pivotal Application Service (PAS) and you want isolated networking for this isolation segment, you may want to deploy the HAProxy provided by the Isolation Segment tile.</p>
1. <%= partial 'haproxy_router_cert_config' %>
1. <%= partial 'router_haproxy_ca' %>
1. <%= partial 'min_tls_version' %>
1. <%= partial 'xforwarded_client_cert_xfcc' %>
1. <%= partial 'gorouter_client_cert_validation' %>
1. <%= partial 'tls_cipher_suites_router' %>
1. <%= partial 'tls_cipher_suites_haproxy' %>
1. <%= partial 'haproxy_router_tls_forward' %>
1. <%= partial 'ssl_verification' %>
1. <%= partial 'http_disable' %>
1. <%= partial 'insecure_cookies' %>
1. <%= partial 'zipkin_enable' %>
1. <%= partial 'enable_router_local_logs' %>
1. <%= partial 'route_services' %>
1. <%= partial 'max_connections_backend' %>
1. <%= partial 'keepalive_connections' %>
1. <%= partial 'router_timeout_backend' %>
1. <%= partial 'frontend_idle_timeout' %>
1. <%= partial 'lb_unhealthy_threshold' %>
1. <%= partial 'lb_healthy_threshold' %>
<%= image_tag 'images/router_lb_thresholds.png' %>
1. <%= partial 'http_headers_to_log' %>
![Http Headers to Log](images/headers_to_log.png)
1. <%= partial 'haproxy_request_max_buffer' %>
1. <%= partial 'protected_domains' %>
1. Select a sharding mode in the **Router Sharding Mode** field. The options are explained below. For more information, see [Sharding Routers for Isolation Segments](../adminguide/routing-is.html#sharding-routers-isolation-segment).
![Sharding options](router-sharding-options.png)
<table>
<tr>
<th>Option Name</th>
<th>Description</th>
</tr>
<tr>
<td>Isolation Segment Only</td>
<td>The routers for the tile acknowledge requests only from apps deployed within the cells of the tile. All other requests fail.</td>
</tr>
<tr>
<td>No Isolation Segment</td>
<td>The routers for the tile reject requests for any isolation segment. Choose this option to add a group of routers for the PAS tile, such as when you want a private point of entry for the system domain.</td>
</tr>
</table>
1. Click **Save**.
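The following pre-flight check is an added example, not part of the PCF documentation or tooling. It validates planned **Router IPs** and **HAProxy IPs** values against the isolation segment subnet CIDR before you enter them. The function name `check_static_ips`, the comma-separated input format, and all addresses are assumptions made for illustration.

```python
import ipaddress

def check_static_ips(subnet_cidr, router_ips, haproxy_ips):
    """Return a list of problems in the planned Router IPs / HAProxy IPs values.

    Hypothetical helper: inputs are comma-separated strings (assumed format).
    """
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    problems = []
    seen = {}  # address -> field where it was first used
    for field, raw in (("Router IPs", router_ips), ("HAProxy IPs", haproxy_ips)):
        entries = [e.strip() for e in raw.split(",") if e.strip()]
        for entry in entries:
            try:
                ip = ipaddress.ip_address(entry)
            except ValueError:
                problems.append(f"{field}: '{entry}' is not a valid IP address")
                continue
            if ip not in net:
                # Static IPs must fall inside the subnet CIDR block defined
                # for the isolation segment network in Ops Manager.
                problems.append(f"{field}: {ip} is outside {net}")
            elif net.prefixlen < 31 and ip in (net.network_address, net.broadcast_address):
                problems.append(f"{field}: {ip} is the network or broadcast address of {net}")
            if ip in seen:
                # The same address cannot serve two VMs.
                problems.append(f"{field}: {ip} is already used in {seen[ip]}")
            else:
                seen[ip] = field
        if field == "HAProxy IPs" and len(entries) == 1:
            # The procedure recommends more than one HAProxy IP for HA.
            problems.append("HAProxy IPs: only one address, no high availability")
    return problems

if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    for line in check_static_ips("10.0.16.0/24",
                                 "10.0.16.20, 10.0.17.5",
                                 "10.0.16.20"):
        print(line)
```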