Pair of backend/frontend apps to demonstrate C2C networking in Pivotal Cloud Foundry
- PCF with container networking enabled (1.12 or later recommended)
- Spring cloud services with service registry
- Maven intalled (e.g.
brew install maven
)
This is a pair of apps, a backend and frontend that use Eureka's direct registration method to enable container-to-container networking.
The frontend simply prints out whatever the backend sends it, or an error if it cannot connect (e.g. the network is blocked).
Run the provided script build.sh
.
You require the network.write
permission in Cloud Foundry to make network changes. To do so:
$ gem install cf-uaac
$ uaac target uaa.sys.yourdomain.com
$ uaac token client get admin -s MyAdminPassword
You can find your admin password in Elastic Runtime -> Credentials -> Admin Client Credentials
$ uaac member add network.write myuser
Note: network.write
allows a user to modify networking on spaces where they are a developer, for foundation-wide network access use network.admin
instead.
Create a c2c service registry:
$ cf create-service p-service-registry standard c2c-registry
This may take some time to come up. On PWS I had to wait about 2-3 minutes.
Next push the backend and frontend apps:
$ pushd frontend && cf push && popd && pushd backend && cf push && popd
If you're using self-signed certificates, Eureka registration won't work by default. To enable it, add your API server to the trust store:
$ cf set-env c2c-backend TRUST_CERTS api.apps.mydomain.com
$ cf set-env c2c-frontend TRUST_CERTS api.apps.mydomain.com
Now restart the apps:
cf restart c2c-backend && cf restart c2c-frontend
Verify the backend app is working as intended by visiting it, for example:
$ curl http://c2c-backend-random.cfapps.io/ping
It should print a bit of information about itself:
Remote hello from c2c-backend (IP: 10.240.155.75:8080)
Now check the frontend:
$ curl http://c2c-frontend-random.cfapps.io/ping
It should return an error like this:
Could not reach backend (networking problem?)
Enable C2C networking between the apps:
cf add-network-policy c2c-frontend --destination-app c2c-backend
It may take a couple of seconds to work, but repeating the frontend request should now show it's connected to the backend directly:
Remote hello from c2c-backend (IP: 10.240.155.75:8080)
You can be sure it's working properly by removing the route from the backend app:
cf unmap-route c2c-backend mydomain --hostname c2c-backend-random
You can then disable the policy again if you like:
cf remove-network-policy c2c-frontend --destination-app c2c-backend --port 8080 --protocol tcp
There is a basic website available on the frontend component that allows a bit more advanced testing.
You can initiate requests from the frontend or backend to arbitrary URLs. This can be used to test CNI integration from 3rd parties.
For example, a lower level CNI policy may forbid the frontend app from accessing an external IP, but allow the backend to do so. This will allow you to test/verify.