forked from pivotal-cf/docs-pcf-install
-
Notifications
You must be signed in to change notification settings - Fork 0
/
_networking-is.html.md.erb
59 lines (48 loc) · 3.8 KB
/
_networking-is.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
Perform the following steps to configure the PCF Isolation Segment tile:
1. Click **Networking**.
<%= image_tag('router-ha-ip.png') %>
1. (Optional): Under **Router IPs**, enter one or more static IP addresses for the routers that handle this isolation segment. These IP addresses must be within the subnet CIDR block that you defined in the Ops Manager network configuration for your Isolation Segment. If you have a load balancer, configure it to point to these IP addresses.
<p class="note"><strong>Note</strong>: Entering the static IP addresses is not necessary for deployments running on a public IaaS such as AWS, GCP, or Azure because PCF users specify the IaaS load balancer in the <strong>Resource Config</strong> section of the <strong>PCF Isolation Segment</strong> tile.</p>
1. If you want to use HAProxy for this isolation segment, enter at least one address in the **HAProxy IPs** field. You should specify more than one IP address for high availability. Then configure your load balancer to forward requests for the domains you have set up for your deployment to these IP addresses. For more information, see <a href="../opsguide/ssl-term-haproxy.html">Configuring SSL/TLS Termination at HAProxy</a>.</td>
<p class="note"><strong>Note</strong>: If you rely on HAProxy for a feature in Elastic Runtime and you want isolated networking for this isolation segment, you may want to deploy the HAProxy provided by the Isolation Segment tile.</p>
1. <%= partial '../customizing/haproxy_router_cert_config' %>
1. <%= partial '../customizing/min_tls_version' %>
1. <%= partial '../customizing/tls_cipher_suites_router' %>
1. <%= partial '../customizing/tls_cipher_suites_haproxy' %>
1. <%= partial '../customizing/haproxy_router_tls_forward' %>
1. <%= partial 'ssl_verification' %>
1. <%= partial '../customizing/http_disable' %>
1. <%= partial 'insecure_cookies' %>
1. <%= partial 'zipkin_enable' %>
1. <%= partial 'xforwarded_client_cert_xfcc' %>
1. <%= partial 'max_connections_backend' %>
1. Enter a value for **Router Max Idle Keepalive Connections**. See [Considerations for Configuring max\_idle\_connections](../adminguide/routing-keepalive.html#considerations).
<%= image_tag 'images/keepalive.png' %>
1. <%= partial 'router_timeout_backend' %>
1. <%= partial 'frontend_idle_timeout' %>
1. <%= partial 'lb_unhealthy_threshold' %>
1. <%= partial 'lb_healthy_threshold' %>
<%= image_tag 'images/router_lb_thresholds.png' %>
1. <%= partial 'http_headers_to_log' %>
![Http Headers to Log](images/headers_to_log.png)
1. <%= partial 'haproxy_request_max_buffer' %>
1. <%= partial '../customizing/protected_domains' %>
1. (Optional): Under **Applications Network Maximum Transmission Unit**, change the Maximum Transmission Unit (MTU). The default is `1454` bytes.
1. (Optional): Enter a UDP port number in the **VXLAN Tunnel Endpoint Port** box. If you do not set a custom port, PCF Isolation Segment uses <code>4789</code>.
<%= image_tag('isolation-segment/ert-c2c-vxlan-port.png') %>
1. <%= partial 'log-app-traffic-enable' %>
1. Select a sharding mode in the **Router Sharding Mode** field. The options are explained below. For more information, see [Sharding Routers for Isolation Segments](../adminguide/routing-is.html#sharding-routers-isolation-segment).
![Sharding options](router-sharding-options.png)
<table>
<th>Option Name</th>
<th>Description</th>
<tr>
<td>Isolation Segment Only</td>
<td>The routers for the tile acknowledge requests only from apps deployed within the cells of the tile. All other requests fail.</td>
</tr>
<tr>
<td>No Isolation Segment</td>
<td>The routers for the tile reject requests for any isolation segment. Choose this option to add a group of routers for the Elastic Runtime tile, such as when you want a private point of entry for the system domain.</td>
</tr>
</table>
1. Click **Save**.