简体繁体 English

Cloud Foundry后端和公共应用

[英]Cloud Foundry back-end and public apps

原文 2018-07-19 12:31:59 2 1 security/ microservices/ cloudfoundry/ pivotal-cloud-foundry/ 12factor

In most solutions some apps should be public and some should be internal-only accessible. 在大多数解决方案中，某些应用程序应为公共应用程序，而某些应用程序应仅供内部访问。

Is there a proven configuration pattern of such a solution? 是否有经过验证的这种解决方案的配置模式？

The simple way to do this may be to create two CF spaces (in the same CF organization): 执行此操作的简单方法可能是创建两个CF空间（在同一CF组织中）：

the internal space internal space
- apps in this space are binded to the internal domain (eg: *.my-internal-cf.cloud) that points the internal load-balancer 该空间中的应用程序绑定到指向internal load-balancer的internal domain （例如：*。my-internal-cf.cloud）
- the internal domain is main shared domain internal domain是主共享域
- the internal load-balancer isn't accessible from the Internet, can be accessible only for apps from the Cloud Foundry internal load-balancer无法从Internet访问，只能用于Cloud Foundry的应用程序
- the internal space has access to the backing-services (cf security-groups) internal space可以访问支持服务（请参阅安全组）
the public space : public space ：
- apps in this space are binded to the public domain (eg: *.my-pub-cf.cloud) that points the public load-balancer 该空间中的应用程序已绑定到指向public load-balancer的public domain （例如：*。my-pub-cf.cloud）
- the public load-balancer is accessible from the Internet and passing only traffic to the public domains public load-balancer可从Internet访问，并且仅将流量传递到public domains
- the public space has limited access to the backing-services or even has only access to apps from the internal space (cf security-groups) public space只能访问internal space服务，甚至只能访问internal space应用（请参阅安全组）

Is this configuration secure? 此配置安全吗？

Can it be done more easily? 可以更轻松地完成吗？

1 个解决方案

The use of orgs & spaces here is irrelevant to an app being public/private. 这里的组织和空间的使用与应用程序是公开/私有无关。 Orgs & spaces are for internally organizing your apps and limiting access to those through the cf cli. 组织和空格用于内部组织您的应用程序，并限制通过cf cli对这些应用程序的访问。 You can use whatever structure makes sense for your team & company. 您可以使用适合您的团队和公司的任何结构。

For making an app public/private, it all depends on the use of routes. 为了使应用程序公开/私有，这完全取决于路由的使用。 If you want public access to an app, you bind a public route to the app (ie not an internal route). 如果要公共访问某个应用程序，则将一条公共路由绑定到该应用程序（即，不是内部路由）。 If you do not want an app to be public either bind an internal route or don't bind a route at all. 如果您不希望某个应用公开，请绑定内部路由或完全不绑定路由。 If you bind an internal route, you can use the platform's DNS-based discovery or bring your own, like Eureka or Consul. 如果绑定内部路由，则可以使用平台的基于DNS的发现，也可以使用自己的发现，例如Eureka或Consul。 If you don't bind a route you would communicate through a service, like a message broker. 如果不绑定路由，则可以通过服务（例如消息代理）进行通信。

You can even control the traffic between two apps on the container-to-container network via policies . 您甚至可以通过策略来控制容器到容器网络上两个应用之间的流量。 This allows you to allow or restrict traffic based on type & port. 这使您可以根据类型和端口来允许或限制流量。