forked from pivotal-cf/docs-pcf-install
_networking-cloudform.html.md.erb
1. Select **Networking**.
<%= image_tag 'networking-config.png' %>
1. Leave the **Router IPs** and **HAProxy IPs** fields blank.
1. Under **Configure the point-of-entry to this environment**, choose one of the following:
* **External Load Balancer with Encryption**: Select this option if your deployment uses an external load balancer that can forward encrypted traffic to the Elastic Runtime Router, or for a development environment that does not require load balancing. Complete the fields for the **Router SSL Termination Certificate and Private Key** and **Router SSL Ciphers**.
* **External Load Balancer without Encryption**: Select this option if your deployment terminates SSL connections and forwards unencrypted traffic to the Elastic Runtime Router, or for a development environment that does not require load balancing. <%= vars.aws_network_elb %>
* **HAProxy**: Select this option to use HAProxy as your first point of entry. Complete the fields for **SSL Certificate and Private Key** and **HAProxy SSL Ciphers**. Select **Disable HTTP traffic to HAProxy** if you want HAProxy to allow only HTTPS traffic. You can also generate a self-signed certificate using your wildcard system domain.
<p class="note">For details about providing SSL termination certificates and keys, see the [Providing a Certificate for your SSL Termination Point](../opsguide/security_config.html#config) topic.</p>
1. If you are not using SSL encryption or if you are using self-signed certificates, select **Disable SSL certificate verification for this environment**.
1. Select the **Disable insecure cookies on the Router** checkbox to turn on the secure flag for cookies generated by the router.
1. In the **Choose whether or not to enable route services** section, choose either **Enable route services** or **Disable route services**. Route services are a class of [marketplace services](../devguide/services/managing-services.html#marketplace) that perform filtering or content transformation on application requests and responses. See the [Route Services](../services/route-services.html) topic for details.
* If you enable route services, check **Ignore SSL certificate verification on route services** for the routing tier to reject requests that are not signed by a trusted CA.
1. For **Loggregator Port**, you must enter `4443` because the ELB forwards SSL traffic that supports WebSockets on that port.
1. Optionally, use the **Applications Subnet** field if you need to avoid address collision with a third-party service on the same subnet as your apps. Enter a CIDR subnet mask specifying the range of available IP addresses assigned to your app containers. The IP range must be different from the network used by the system VMs.
1. Optionally, you can change the value in the **Applications Network Maximum Transmission Unit (MTU)** field. Pivotal recommends setting the MTU value for your application network to `1454`. Some configurations, such as networks that use GRE tunnels, may require a smaller MTU value.
1. Optionally, increase the number of seconds in the **Router Timeout to Backends** field to accommodate larger uploads over connections with high latency.
1. Click **Save**.
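
The following added example (not part of the original documentation or of any Pivotal tooling) checks a proposed **Applications Subnet** value for the collisions described in that step before you enter it. The function name and every CIDR value are assumptions constructed for illustration.

```python
import ipaddress


def check_applications_subnet(app_cidr, system_cidr, third_party_cidrs=()):
    """Return a list of problems with a proposed Applications Subnet value.

    An empty list means the range collides with neither the system VM
    network nor any of the listed third-party service ranges.
    """
    try:
        # strict=True rejects values with host bits set, e.g. 10.254.0.1/22
        app = ipaddress.ip_network(app_cidr, strict=True)
    except ValueError as exc:
        return [f"not a valid CIDR range: {exc}"]

    named = [("system VM network", system_cidr)]
    named += [("third-party service", cidr) for cidr in third_party_cidrs]

    problems = []
    for label, cidr in named:
        other = ipaddress.ip_network(cidr, strict=False)
        if other.version != app.version:
            continue  # an IPv4 range and an IPv6 range cannot collide
        if app.overlaps(other):
            problems.append(f"{app} overlaps {label} {other}")
    return problems


# Constructed sample values, not taken from any real deployment.
SYSTEM_NETWORK = "10.0.16.0/20"
THIRD_PARTY = ["10.254.0.0/22"]

if __name__ == "__main__":
    candidates = ("10.254.0.0/22", "10.0.20.0/24", "10.254.0.1/22", "10.255.0.0/22")
    for candidate in candidates:
        result = check_applications_subnet(candidate, SYSTEM_NETWORK, THIRD_PARTY)
        print(candidate, "->", result or "ok")
```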