a9s Service Guard
General Information
The a9s Service Guard uses Consul Watches, a feature of Consul, to detect changes in the Consul catalog. A catalog change can mean that a new service instance was created, a service instance was deleted, or a service instance got a new IP address. In response, the a9s Service Guard creates, updates or deletes a Cloud Foundry (CF) Application Security Group.
Properties
cf_service_guard.nodes_whitelist
An array of node names, or regular expressions matching node names, for which security groups should be updated. If the whitelist is given, the ignore_nodes list is ignored.
Example Ops file to change the value:
  ---
  - type: replace
    path: /properties/cf_service_guard/nodes_whitelist/-
    value: "([a-z][a-z0-9]*)?d[a-f0-9]+(-es-)[0-9]+"
  - type: replace
    path: /properties/cf_service_guard/nodes_whitelist/-
    value: "([a-z][a-z0-9]*)?d[a-f0-9]+(-master-)[0-9]+"
  - type: replace
    path: /properties/cf_service_guard/nodes_whitelist/-
    value: "([a-z][a-z0-9]*)?d[a-f0-9]+(-worker-)[0-9]+"
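The following Python script is an added example, not part of the a9s Service Guard documentation or code base. It illustrates the flow described under General Information (catalog change leads to a create, update or delete of an Application Security Group) together with the whitelist semantics above. The catalog entries are constructed (field names follow Consul's catalog API, values are made up), the whitelist patterns are applied with fullmatch (an assumption; the page only says they are regular expressions), and the one /32 TCP rule per node and the create/update/delete decision are assumptions about how such a guard would behave, not the project's actual implementation.

```python
import re
from ipaddress import ip_address

# Constructed sample of what a Consul catalog query could return.
# Field names follow Consul's /v1/catalog/service/<name> response; values are made up.
SAMPLE_CATALOG = [
    {"Node": "d7a3f1-es-0", "Address": "10.0.1.10", "ServiceName": "es-instance-1", "ServicePort": 9200},
    {"Node": "d7a3f1-es-1", "Address": "10.0.1.11", "ServiceName": "es-instance-1", "ServicePort": 9200},
    {"Node": "d7a3f1-es-2", "Address": "10.0.1.12", "ServiceName": "es-instance-1", "ServicePort": 9200},
    {"Node": "consul-0",    "Address": "10.0.0.5",  "ServiceName": "consul",        "ServicePort": 8500},
]

# The three patterns from the ops file above.
NODES_WHITELIST = [
    r"([a-z][a-z0-9]*)?d[a-f0-9]+(-es-)[0-9]+",
    r"([a-z][a-z0-9]*)?d[a-f0-9]+(-master-)[0-9]+",
    r"([a-z][a-z0-9]*)?d[a-f0-9]+(-worker-)[0-9]+",
]


def node_is_selected(node, nodes_whitelist, ignore_nodes=()):
    """Decide whether a Consul node should contribute ASG rules.

    Assumption: patterns are anchored with re.fullmatch. As documented, a
    non-empty whitelist takes precedence and ignore_nodes is then not consulted.
    """
    if nodes_whitelist:
        return any(re.fullmatch(p, node) for p in nodes_whitelist)
    return not any(re.fullmatch(p, node) for p in ignore_nodes)


def asg_rules_for_service(catalog, service_name, nodes_whitelist, ignore_nodes=()):
    """Build CF ASG rules for one service: one TCP /32 rule per selected node.

    Assumed layout (least-privilege egress: exact host, exact port).
    Rules are returned sorted so that two runs over the same catalog compare equal.
    """
    rules = []
    for entry in catalog:
        if entry["ServiceName"] != service_name:
            continue
        if not node_is_selected(entry["Node"], nodes_whitelist, ignore_nodes):
            continue
        addr = entry.get("ServiceAddress") or entry["Address"]
        ip_address(addr)  # reject garbage instead of emitting a malformed destination
        rules.append({"protocol": "tcp", "destination": f"{addr}/32", "ports": str(entry["ServicePort"])})
    return sorted(rules, key=lambda r: (r["destination"], r["ports"]))


def plan_asg_change(previous_rules, current_rules):
    """Map the old and new rule sets of one service instance to an action.

    A new instance has no previous rules (create), a deleted instance has no
    current rules (delete), and a changed node IP changes the rule set (update).
    """
    if not previous_rules and current_rules:
        return "create"
    if previous_rules and not current_rules:
        return "delete"
    if previous_rules != current_rules:
        return "update"
    return "noop"


if __name__ == "__main__":
    before = asg_rules_for_service(SAMPLE_CATALOG, "es-instance-1", NODES_WHITELIST)
    # Simulate the catalog after one node was re-created with a new IP address.
    moved = [dict(e, Address="10.0.1.20") if e["Node"] == "d7a3f1-es-2" else e for e in SAMPLE_CATALOG]
    after = asg_rules_for_service(moved, "es-instance-1", NODES_WHITELIST)
    print("rules:", before)
    print("action after IP change:", plan_asg_change(before, after))
```

Note that the Consul node itself (consul-0) matches none of the whitelist patterns and therefore never ends up in a security group, which is the point of a whitelist: only the nodes that actually serve the data service become reachable from application containers.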
cf_service_guard.service_brokers
The a9s Service Guard can only create Application Security Groups in Cloud Foundry for service instances that are known to one of the a9s Service Brokers configured in the cf_service_guard.service_brokers array.
The array has the following format:
  cf_service_guard:
    service_brokers:
      - api_endpoint: http://localhost:3000
        username: admin
        password: secret
        timeout: 10
cf_service_guard.consul
The Consul agent used by the a9s Service Guard is configured in a hash.
The hash has the following format (with the default values):
  cf_service_guard:
    consul:
      agent_address: http://127.0.0.1:8500
      timeout: 10
cf_service_guard.jobs
cf_service_guard.jobs.delete_approval
The delete_approval job, which is responsible for deleting Application Security Groups in Cloud Foundry, is configured in a hash.
The hash has the following format (with the default values):
  cf_service_guard:
    jobs:
      delete_approval:
        max_trials: 10
        run_again_waiting_time: 30
Limitations
Maximum Number of Shared Spaces
If you are using Cloud Foundry, it is possible to share a service instance across spaces and orgs. a9s Service Guard creates security groups for each space, but only for a maximum of 50 different spaces. If a service instance is shared with more than this number of spaces, some of them will not get the security group created automatically. For these spaces, the security groups can still be created manually.