I want to use an API gateway like Traefik to protect my apps deployed in CF, e.g. by only allowing requests from the internet to the gateway and restricting the apps behind it to internal traffic only (probably via route configurations). Unfortunately, I could not find any guidance on how such a setup could be achieved in CF.
-
You should be able to download the binary, it's a Golang binary, and push it using the binary buildpack. You might need to include other stuff, like config (I'm not familiar with that software so I can't say for sure), it should all get pushed up. Set `-c` or `command` in the manifest.yml with the command to run the software. You should be able to map a public route to the server for incoming traffic, then map internal routes to your backend services (proxy can use these to talk to services). Lastly, add one or more network policies to allow traffic from your proxy to the backend services. – Daniel Mikusa Sep 27 '20 at 17:50
-
A link for reference to my previous comment: https://docs.cloudfoundry.org/devguide/deploy-apps/routes-domains.html#internal-routes. If you get stuck, post details like your push command, manifest.yml, full output of `cf push` and output of `cf logs`. – Daniel Mikusa Sep 27 '20 at 17:50
-
Thanks Daniel for your explanations. I got stuck at creating the network policy due to lacking the `network.write` scope. That's probably something only an admin can solve... I am only a space developer. – Mahatma_Fatal_Error Oct 13 '20 at 10:53
-
Yes, that's correct. You'd need to have your Platform Ops team make some adjustments. There are two options: they can enable specifically for you (that would require they give you `network.write`), or allow all space devs to do it for their respective org/spaces. You can refer your ops team to here -> https://docs.cloudfoundry.org/devguide/deploy-apps/cf-networking.html#grant. – Daniel Mikusa Oct 13 '20 at 14:51
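
The setup described in the comments above, written out as a manifest. This is an added example, not part of the original thread: the app names, `gateway.example.com`, the Traefik start command and port 8080 are assumptions, and `apps.internal` is the default internal domain (check `cf domains` on your foundation).

```yaml
# manifest.yml -- constructed example; names, domains and the start command are placeholders
applications:
# Internet-facing proxy: the only app that holds a public route.
- name: gateway
  path: ./gateway                 # directory with the proxy binary and its config file
  buildpacks:
  - binary_buildpack
  # The "command" attribute mentioned in the comments. Assumption: traefik.yml
  # defines an entry point on the port CF hands the app in $PORT (8080 by default).
  command: ./traefik --configFile=traefik.yml
  routes:
  - route: gateway.example.com

# Backend: holds an internal route only, so the public router never forwards to it.
- name: backend
  path: ./backend
  routes:
  - route: backend.apps.internal

# After `cf push`, container-to-container traffic is still denied until a policy
# exists, so the proxy cannot reach backend.apps.internal yet. Creating the policy
# is the step that needs the network.write scope or the space-developer
# self-service setting discussed in the thread:
#
#   cf add-network-policy gateway backend --protocol tcp --port 8080
#   cf network-policies            # confirm the policy is listed
#
# The first line is cf CLI v7 syntax; v6 takes the destination as
# `--destination-app backend` instead of a second positional argument.
#
# Checks worth running after the push:
#   cf routes                      # backend should show only the apps.internal route
#   cf unmap-route backend <public-domain> --hostname backend
#                                  # only if an earlier push left a public route behind
```

The proxy's upstream for the backend is then `http://backend.apps.internal:8080`, and any other app in the space remains unable to reach the backend unless it gets its own policy.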