Hi there,
I am using BOSH to set up Cloud Foundry in AWS; the default configuration is that the load balancer cfrouter can be accessed from anywhere on the internet.
From a security standpoint, I'd like to restrict public access to the cfrouter load balancer. There is a
web security group attached to the load balancer, defined as below:
Type            | Protocol | Port | Source
HTTP (80)       | TCP (6)  | 80   |
HTTPS (443)     | TCP (6)  | 443  |
Custom TCP Rule | TCP (6)  | 4443 |
I tried to modify the web security group, changing
0.0.0.0/0 to my internal IP address, hoping that it could then only be accessed from my internal IP address. In addition, I also added
10.10.0.0/16, which is the private IP address range holding the CF deployment. After modification, it looks like:
Type            | Protocol | Port | Source
HTTP (80)       | TCP (6)  | 80   |
HTTPS (443)     | TCP (6)  | 443  |
Custom TCP Rule | TCP (6)  | 4443 |
HTTP (80)       | TCP (6)  | 80   | xx.xx.xx.xx/32
HTTPS (443)     | TCP (6)  | 443  | xx.xx.xx.xx/32
Custom TCP Rule | TCP (6)  | 4443 | xx.xx.xx.xx/32
But when I tried to use cf to list the apps, which worked before the modification, it failed with the following error. I am wondering what security group I should set to restrict public access; your help is greatly appreciated!!
paas1@paas1-OptiPlex-9020:~$ cf apps
VERSION:
BUILT_FROM_SOURCE
Getting apps in org test / space test as test...
REQUEST: [2015-03-31T16:30:13+08:00]
GET /v2/spaces/190be31c-e006-4478-aa66-ec1b31ccc9ab/summary HTTP/1.1
Host: api.abc.com
Accept: application/json
Authorization: [PRIVATE DATA HIDDEN]
Content-Type: application/json
User-Agent: go-cli BUILT_FROM_SOURCE / linux
RESPONSE: [2015-03-31T16:31:14+08:00]
HTTP/1.1 504 GATEWAY_TIMEOUT
Connection: keep-alive
FAILED
Server error, status code: 504, error code: 0, message:
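The rules in the question are an allow-list evaluated per source address, so it helps to trace a request hop by hop: client to ELB (the web group's inbound rules) and ELB to the router instances. The following is an added example written for this thread; it is not code from the original post, nor from BOSH, Cloud Foundry or AWS. Everything in it is constructed: 192.168.1.10 stands in for the masked xx.xx.xx.xx as an assumed LAN address, 198.51.100.7 is the assumed public address that workstation has after NAT, 10.10.0.0/16 is the VPC range from the question, and sg-web / sg-router are assumed group ids. It models inbound rules only.

```python
"""Trace a client request through the security groups in front of a Cloud
Foundry router on AWS: client -> ELB (the "web" group) -> router instances.

Added example for this thread, not code from the original post nor from
BOSH, Cloud Foundry or AWS. Addresses and group ids are constructed:
192.168.1.10 is the assumed LAN address of the workstation, 198.51.100.7 the
assumed public address it has after NAT, 10.10.0.0/16 the VPC range from the
question, and sg-web / sg-router are assumed group ids.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

ROUTER_PORTS = (80, 443, 4443)


@dataclass(frozen=True)
class Rule:
    """One inbound rule. `source` is either a CIDR or another group's id."""
    proto: str
    port_from: int
    port_to: int
    source: str


def _is_cidr(source: str) -> bool:
    try:
        ipaddress.ip_network(source, strict=False)
        return True
    except ValueError:
        return False


def match(rules: Iterable[Rule], proto: str, port: int,
          src_ip: str, src_group: Optional[str] = None) -> Optional[Rule]:
    """First rule admitting (proto, port) from src_ip / src_group, else None.

    Security groups are pure allow-lists: rules are OR'd, there are no deny
    rules, and a packet no rule covers is dropped without any reply.
    """
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if r.proto != proto or not r.port_from <= port <= r.port_to:
            continue
        if _is_cidr(r.source):
            if ip in ipaddress.ip_network(r.source, strict=False):
                return r
        elif src_group is not None and r.source == src_group:
            return r
    return None


def allows(rules, proto, port, src_ip, src_group=None) -> bool:
    return match(rules, proto, port, src_ip, src_group) is not None


def world_open_ports(rules: Iterable[Rule]) -> Set[int]:
    """Ports admitted from 0.0.0.0/0 or ::/0; should be empty after lockdown."""
    ports: Set[int] = set()
    for r in rules:
        if r.source in ("0.0.0.0/0", "::/0"):
            ports.update(range(r.port_from, r.port_to + 1))
    return ports


# Constructed groups. ELB_OPEN is the default from the question; ELB_RESTRICTED
# is the edited version with xx.xx.xx.xx replaced by the assumed LAN address.
ELB_OPEN = [Rule("tcp", p, p, "0.0.0.0/0") for p in ROUTER_PORTS]
ELB_RESTRICTED = ([Rule("tcp", p, p, "192.168.1.10/32") for p in ROUTER_PORTS]
                  + [Rule("tcp", p, p, "10.10.0.0/16") for p in ROUTER_PORTS])
# Assumed router group: admits the ELB by group reference rather than by
# address, so ELB node addresses can change without editing the rule.
ROUTER_RULES = [Rule("tcp", p, p, "sg-web") for p in ROUTER_PORTS]


def trace(elb_rules, router_rules, client_ip: str, port: int,
          elb_private_ip: str = "10.10.1.50") -> List[str]:
    """Evaluate both hops; one status line per hop that was reached."""
    hop1 = match(elb_rules, "tcp", port, client_ip)
    lines = [f"client {client_ip} -> ELB tcp/{port}: "
             + (f"allowed by {hop1.source}" if hop1 else "dropped")]
    if hop1 is None:
        return lines  # never reaches the ELB: TCP connect timeout, no HTTP status
    hop2 = match(router_rules, "tcp", port, elb_private_ip, src_group="sg-web")
    lines.append(f"ELB {elb_private_ip} (sg-web) -> router tcp/{port}: "
                 + (f"allowed by {hop2.source}" if hop2 else "dropped"))
    return lines


if __name__ == "__main__":
    # The workstation is 192.168.1.10 on its LAN, but the ELB only ever sees
    # the NAT address 198.51.100.7, which no rule in ELB_RESTRICTED covers.
    for ip in ("192.168.1.10", "198.51.100.7", "10.10.5.4"):
        print("\n".join(trace(ELB_RESTRICTED, ROUTER_RULES, ip, 443)))
    print("world-open before:", sorted(world_open_ports(ELB_OPEN)))
    print("world-open after: ", sorted(world_open_ports(ELB_RESTRICTED)))
```

Two things worth checking against the trace in the post. First, a /32 for an internal address only matches if that is the address the ELB actually sees; a client behind NAT arrives with the NAT gateway's public address, so that is the address the rule needs. Second, a security-group drop on the client hop gives a TCP connect timeout with no HTTP response at all, whereas the post shows an HTTP 504 from the ELB roughly 60 seconds after the request, which means the client's connection was accepted and the timeout happened between the ELB and the routers, so that hop and the ELB group's outbound rules are where to look next.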