What?

Application Security Groups are a collection of egress (outbound) rules that specify the protocols, ports, and IP ranges to which application containers can send traffic. Security groups define rules that allow traffic rather than deny it, which means that the order of evaluation for security groups that apply to the same space, org, or deployment is unimportant: the effective policy is the union of every applied rule. Application containers use these rules to filter and log outbound network traffic.

When applications begin staging, they need traffic rules permissive enough to allow them to pull resources from the network. After an application is running, the traffic rules can be more restrictive and secure. To distinguish between these two security requirements, administrators can define different security groups for staging containers versus runtime containers.

To provide granular control when securing a deployment, an administrator can also assign security groups to apply across a CF deployment, or to specific spaces or orgs within a deployment.

How?

  1. Check that you are signed in as the admin user
  2. View the list of security groups by running cf security-groups
  3. View the security groups assigned to staging containers by running cf staging-security-groups
  4. View the security groups assigned to running containers by running cf running-security-groups
  5. View the specific rules of each group using cf security-group GROUP-NAME

Note: If you ended up having to follow a slightly different process to get your PCF Dev environment to cooperate, you may see different security groups. This does not necessarily mean you did anything wrong.

Expected Result

If you’re working with PCF Dev, you should see three security groups, one of which is named all_pcfdev and opens all egress traffic. Because of the all_pcfdev security group, any other group would be redundant.

Conversely, if you’ve deployed a full Cloud Foundry on GCP you should have two security groups applied to both staging and running apps: public_networks and dns.

Run cf security-group public_networks to see that it allows traffic on all ports with all protocols to all IPs, save four gaps that correspond to the private IPv4 address spaces and the APIPA reserved range. The dns security group allows access to any IP, but only on port 53. The combined effect of the two groups is that private IPs can be reached only on port 53, while all other IPs have all ports open.

Resources

  - Application Security Groups Documentation
  - Typical Application Security Groups
  - “Taking Security to the Next Level—Application Security Groups” by Abby Kearns
  - “Making sense of Cloud Foundry security group declarations” by Sadique Ali