Managing Isolation Segments

Page last updated:

This topic describes how operators can isolate deployment workloads into dedicated resource pools called isolation segments.

Requirements

You must have the v.6.26.0 version or later of the Cloud Foundry Command Line Interface (cf CLI) installed to manage isolation segments.

Target the API endpoint of your deployment with cf api and log in with cf login before performing the procedures in this topic. For more information, see the Identifying your Cloud Foundry API Endpoint and Version topic.

Overview

To enable isolation segments, an admin must first prepare BOSH by assigning placement tags to Diego cells in BOSH. Then an admin can create isolation segments by matching these placement tags.

After an admin creates a new isolation segment, the admin can then create and manage relationships between the orgs and spaces of a Cloud Foundry deployment and the new isolation segment.

To manage the isolation segment, an operator uses cf CLI commands.

Operators can perform the following operations on isolation segments:

Prepare BOSH to Support Isolation Segments

To enable isolation segments for a deployment, you must first assign Diego cells a placement_tags property in your Diego manifest by following the steps below:

  1. In your Diego manifest, for each Diego cell that you want to include in an isolation segment, add a placement_tags attribute with the name of the isolation segment as its value. Isolation segment names must be unique across the entire system, and are not case-sensitive. Only admins can create isolation segments. Specify the value in a single-value array. For example, in diego.yml, you tag a Diego cell with my_segment as follows:

    - instances: 1
      name: cell_z2
      networks:
      - name: diego2
      properties:
        diego:
         rep:
           [...] 
            placement_tags:
            - my_segment
    
  2. Apply the changes (BOSH Deployer only):

    $ bosh deploy
    

Create an Isolation Segment

To register an isolation segment with Cloud Controller, use the cf CLI.

Note: The isolation segment name used in the cf CLI command must match the value specified in the placement_tags section of the Diego manifest file. If the names do not match, Cloud Foundry fails to place apps in the isolation segment when apps are started or restarted in the space assigned to the isolation segment.

The following command creates an isolation segment named my_segment:

$ cf create-isolation-segment my_segment

If successful, the command returns an OK message:

Creating isolation segment my_segment as admin...
OK

Retrieve Isolation Segment Information

The cf isolation-segments, cf org, and cf space commands retrieve information about isolation segments. The isolation segments you can see depends on your role, as follows:

  • Admins see all isolation segments in the system.
  • Other users only see the isolation segments that their orgs are entitled to.

List Isolation Segments

The following request returns a list of the isolation segments that are available to you:

$ cf isolation-segments

For example, the command returns results similar to the following:

Getting isolation segments as admin...
OK

name           orgs
my_segment     org1, org2

Display Isolation Segments Enabled for an Org

An admin can entitle an org to multiple isolation segments.

To view the isolation segments that are available to an org, use the cf org ORG-NAME command. For example:

$ cf org my-org

The command returns results similar to the following:

Getting info for org my-org as user@example.com...

name:                 my-org
domains:              example.com, apps.example.com
quota:                paid
spaces:               development, production, sample-apps, staging
isolation segments:   my_segment, my_other_segment

Show the Isolation Segment Assigned to a Space

Only one isolation segment can be assigned to a space.

To view the isolation segment assigned to a space, use the cf space SPACE-NAME command. For example:

$ cf space staging

The command returns results similar to the following:

name:                staging
org:                 my-org
apps:
services:
isolation segment:   my_segment
space quota:
security groups:     dns, p-mysql, p.mysql, pcf-redis, public_networks, rabbitmq, ssh-logging

Delete an Isolation Segment

Note: An isolation segment with deployed apps cannot be deleted.

Only admins can delete isolation segments.

The following command deletes an isolation segment:

$ cf delete-isolation-segment

If successful, the command returns an OK message:

Deleting isolation segment my_segment as admin...
OK

Manage Isolation Segment Relationships

The commands listed in the sections below manage the relationships between isolation segments, orgs, and spaces.

Enable an Org to Use Isolation Segments

Only admins can enable orgs to use isolation segments. The following command enables the use of an isolation segment.

$ cf enable-org-isolation ORG_NAME SEGMENT_NAME

For example:

$ cf enable-org-isolation org2 my_segment

If an org is entitled to use only one isolation segment, that isolation segment does not automatically become the default isolation segment for the org. You must explicitly set the default isolation segment of an org.

Disable an Org from Using Isolation Segments

Note: You cannot disable an org from using an isolation segment if a space within that org is assigned to the isolation segment. Additionally, you cannot disable an org from using an isolation segment if the isolation segment is configured as the default for that org.

The following command disables an org from using an isolation segment:

$ cf disable-org-isolation ORG_NAME SEGMENT_NAME

For example:

$ cf disable-org-isolation org1 my_segment

If successful, the command returns an OK message:

Removing entitlement to isolation segment my_segment from org org1 as admin...
OK

Set the Default Isolation Segment for an Org

Only admins and org managers can set the default isolation segment for an org.

When an org has a default isolation segment, apps in its spaces that are not explicitly assigned an isolation segment are placed in the org’s default isolation segment.

You set the default isolation segment for an org by performing the following steps:

  1. Obtain the GUID of the isolation segment you wish to set as the default for the org.

    $ cf curl /v3/isolation_segments?names=ISO_SEG_NAME
    
    For example:
    $ cf curl /v3/isolation_segments?names=my_segment
    

  2. Use cf curl to send a request to the endpoint for the organization, and set its default_isolation_segment relationship to the GUID of the new default isolation segment.

    $ cf curl /v3/organizations/ORG_GUID/relationships/default_isolation_segment \
    -X PATCH -d '{ "data": { "guid": "ISO_SEG_GUID" } }'
    
    For example:
    $ cf curl \
    /v3/organizations/11223344-aabb-1122/relationships/default_isolation-segment \
    -X PATCH -d '{ "data": { "guid": "11223344-aabb-1122" } }' 
    

Assign an Isolation Segment to a Space

Admins and org managers can assign an isolation segment to a space. Apps in that space start in the specified isolation segment.

To assign an isolation segment to a space, you must first enable the space’s org to use the isolation segment. See Enable an Org to Use Isolation Segments

The following command assigns an isolation segment to a space:

$ cf set-space-isolation-segment SPACE_NAME SEGMENT_NAME

For example:

$ cf set-space-isolation-segment space1 my_segment

Reset the Isolation Segment Assignment for a Space

Admins can reset the isolation segment assigned to a space to use the org’s default isolation segment.

The following command assigns the default isolation segment for an org to a space:

$ cf reset-space-isolation-segment SPACE_NAME

For example:

$ cf reset-space-isolation-segment space1

Create a pull request or raise an issue on the source for this page in GitHub