[英]Cloud Foundry back-end and public apps
In most solutions some apps should be public and some should be internal-only accessible. 在大多数解决方案中,某些应用程序应为公共应用程序,而某些应用程序应仅供内部访问。
Is there a proven configuration pattern of such a solution? 是否有经过验证的这种解决方案的配置模式?
The simple way to do this may be to create two CF spaces (in the same CF organization): 执行此操作的简单方法可能是创建两个CF空间(在同一CF组织中):
internal space
internal space
internal domain
(eg: *.my-internal-cf.cloud) that points the internal load-balancer
internal load-balancer
的internal domain
(例如:*。my-internal-cf.cloud) internal domain
is main shared domain internal domain
是主共享域 internal load-balancer
isn't accessible from the Internet, can be accessible only for apps from the Cloud Foundry internal load-balancer
无法从Internet访问,只能用于Cloud Foundry的应用程序 internal space
has access to the backing-services (cf security-groups) internal space
可以访问支持服务(请参阅安全组) public space
: public space
:
public domain
(eg: *.my-pub-cf.cloud) that points the public load-balancer
public load-balancer
的public domain
(例如:*。my-pub-cf.cloud) public load-balancer
is accessible from the Internet and passing only traffic to the public domains
public load-balancer
可从Internet访问,并且仅将流量传递到public domains
public space
has limited access to the backing-services or even has only access to apps from the internal space
(cf security-groups) public space
只能访问internal space
服务,甚至只能访问internal space
应用(请参阅安全组) Is this configuration secure? 此配置安全吗?
Can it be done more easily? 可以更轻松地完成吗?
The use of orgs & spaces here is irrelevant to an app being public/private. 这里的组织和空间的使用与应用程序是公开/私有无关。 Orgs & spaces are for internally organizing your apps and limiting access to those through the cf cli.
组织和空格用于内部组织您的应用程序,并限制通过cf cli对这些应用程序的访问。 You can use whatever structure makes sense for your team & company.
您可以使用适合您的团队和公司的任何结构。
For making an app public/private, it all depends on the use of routes. 为了使应用程序公开/私有,这完全取决于路由的使用。 If you want public access to an app, you bind a public route to the app (ie not an internal route).
如果要公共访问某个应用程序,则将一条公共路由绑定到该应用程序(即,不是内部路由)。 If you do not want an app to be public either bind an internal route or don't bind a route at all.
如果您不希望某个应用公开,请绑定内部路由或完全不绑定路由。 If you bind an internal route, you can use the platform's DNS-based discovery or bring your own, like Eureka or Consul.
如果绑定内部路由,则可以使用平台的基于DNS的发现 ,也可以使用自己的发现 ,例如Eureka或Consul。 If you don't bind a route you would communicate through a service, like a message broker.
如果不绑定路由,则可以通过服务(例如消息代理)进行通信。
You can even control the traffic between two apps on the container-to-container network via policies . 您甚至可以通过策略来控制容器到容器网络上两个应用之间的流量。 This allows you to allow or restrict traffic based on type & port.
这使您可以根据类型和端口来允许或限制流量。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.