I need to leave only several ports open (e.g. 80 and 443). I've read about ASGs and created a JSON file with rules. But when I try to create an ASG through the terminal, it says: Server error, status code: 403, error code: 10003, message: You are not authorized to perform the requested action. When I tried to find a solution, some sources said that I need to do it in the web console, but I don't have such menu items. The questions are:
- How can I manage ASGs?
- Do ASGs allow full control of incoming and outgoing traffic?
With Application Security Groups (ASGs) you can only manage egress traffic, i.e. you can manage what outside endpoints a Cloud Foundry foundation can talk to. You cannot manage ingress, i.e. incoming traffic, with ASGs. For ingress traffic you will have to manage it at the external router or HAProxy (if you implemented one) level. This will be outside of the PCF foundation.

To manage orgs, quotas, users, and ASGs, I would recommend using the cf-mgmt tool.
I had a similar need to manage ASGs for a prior client. So, I built a pipeline. The repo pcfdev-sec-groups is a Concourse pipeline and will allow you to manage ASGs across foundations by changing vars.yml.

Another option to control incoming traffic is to implement a Route Service. This is a programmatic solution to filtering requests and needs a lot more work. Here is an example.
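To make the egress-only point above concrete, here is an added example (not code from the question, the answers, or any of the tools mentioned) that builds the kind of ASG rules file the asker describes, limited to outbound TCP 80/443, and evaluates whether a given outbound connection would pass it. The rule fields (`protocol`, `destination`, `ports`, `description`) follow the public Cloud Foundry ASG JSON format; the matching logic and the sample addresses are constructed for illustration, and creating or binding the group with `cf create-security-group` / `cf bind-security-group` requires a foundation admin account, which is the usual cause of the 403 in the question.

```python
# Added example: model a Cloud Foundry ASG egress allow-list and check
# whether an outbound connection would be permitted. ASGs only ever filter
# traffic leaving app containers; they never filter inbound requests.
import ipaddress
import json

# Constructed allow-list: outbound HTTP/HTTPS only. 0.0.0.0/0 means any
# destination; narrow it (e.g. to specific service CIDRs) in production.
RULES = [
    {"protocol": "tcp", "destination": "0.0.0.0/0", "ports": "80,443",
     "description": "Allow outbound HTTP/HTTPS only"},
]


def parse_ports(spec):
    """Expand an ASG 'ports' string such as '80,443' or '8080-8090'."""
    result = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        result.update(range(int(lo), int(hi or lo) + 1))
    return result


def dest_matches(dest, ip):
    """ASG destinations may be a CIDR block, a single IP, or an 'a-b' range."""
    addr = ipaddress.ip_address(ip)
    if "-" in dest:
        lo, hi = (ipaddress.ip_address(x.strip()) for x in dest.split("-"))
        return lo <= addr <= hi
    return addr in ipaddress.ip_network(dest, strict=False)


def egress_allowed(rules, proto, ip, port):
    """ASGs are allow-lists: traffic matched by no rule is dropped."""
    for rule in rules:
        if rule["protocol"] not in (proto, "all"):
            continue
        if not dest_matches(rule["destination"], ip):
            continue
        ports = rule.get("ports")  # absent for icmp/all: every port
        if ports is None or port in parse_ports(ports):
            return True
    return False


def write_rules(path, rules=RULES):
    """Write the rules file that `cf create-security-group NAME path` consumes."""
    with open(path, "w") as fh:
        json.dump(rules, fh, indent=2)


if __name__ == "__main__":
    write_rules("web-only.json")
    print("cf create-security-group web-only web-only.json")
    print("cf bind-security-group web-only ORG SPACE")
```

Note that even with this group bound, nothing about which clients can reach the app on 80 or 443 changes; that has to be enforced at the router or load balancer in front of the foundation.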