Managing Isolation Segments

Page last updated:

This topic describes how operators can isolate deployment workloads into dedicated resource pools called isolation segments.

Requirements

You must have Cloud Foundry Command Line Interface (cf CLI) v.6.26.0 or later installed to manage isolation segments. To download the latest version of the cf CLI, see the Releases section of the Cloud Foundry CLI repository on GitHub. For more information about installing the cf CLI, see Installing the cf CLI.

Target the API endpoint of your deployment with cf api and log in with cf login before performing the procedures in this topic. For more information, see Identifying your Cloud Foundry API Endpoint and Version.

Overview

To enable isolation segments, an admin can pass in a custom operations file with the BOSH CLI. For the example file used in this topic, see the cf-deployment repository in GitHub.

After an admin creates a new isolation segment, the admin can then create and manage relationships between the orgs and spaces of a Cloud Foundry Application Runtime (CFAR) deployment and the new isolation segment.

Add Isolation Segment to Deployment Manifest

To add an isolation segment to your deployment manifest:

  1. Write a custom operations file. The operations file defines an instance group that supports isolation segments. For a working example, see the cf-deployment repository in GitHub. The example sets the following instance group properties:

    • Name as isolated-diego-cell
    • Placement tag as persistent_isolation_segment

      Note: When you use the cf CLI, the name of the isolation segment corresponds to the placement tag you specify in the operations file. The commands throughout this topic use SEGMENT-NAME as an example isolation segment name.

  2. Apply the custom operations file when you deploy CFAR:

    bosh -e BOSH-ENVIRONMENT -d cf deploy cf-deployment/cf-deployment.yml \
    -v system_domain=SYSTEM-DOMAIN \
    -o cf-deployment/operations/CUSTOM-OPS-FILE.yml
    

    Where:

    • BOSH-ENVIRONMENT is your environment alias. For more information about creating an environment alias for BOSH v2 or later, see Environments in the BOSH documentation.
    • SYSTEM-DOMAIN is the system domain of your CFAR deployment.
    • CUSTOM-OPS-FILE.yml is your operations file.

Create an Isolation Segment

To register an isolation segment with Cloud Controller, use the cf CLI.

Note: The isolation segment name used in the cf CLI command must match the value specified in the placement_tags section of the Diego manifest file. If the names do not match, CFAR fails to place apps in the isolation segment when apps are started or restarted in the space assigned to the isolation segment.

To create an isolation segment:

  1. Log in to your deployment by running:

    cf login
    
  2. Run:

    cf create-isolation-segment SEGMENT-NAME
    

    Where SEGMENT-NAME is the name you give your isolation segment.

If successful, the command returns an OK message:

Creating isolation segment SEGMENT-NAME as admin...
OK

Retrieve Isolation Segment Information

The cf isolation-segments, cf org, and cf space commands retrieve information about isolation segments. The isolation segments you can see depends on your role:

  • Admins see all isolation segments in the system.
  • Other users only see the isolation segments that their orgs are entitled to.

List Isolation Segments

To see a list of the isolation segments that are available to you:

  1. Log in to your deployment by running:

    cf login
    
  2. Run:

    cf isolation-segments
    

The command returns results similar to this example output:

Getting isolation segments as admin...
OK

name           orgs
SEGMENT-NAME     org1, org2

Display Isolation Segments Enabled for an Org

An admin can entitle an org to multiple isolation segments.

To view the isolation segments that are available to an org:

  1. Log in to your deployment by running:

    cf login
    
  2. Run:

    cf org ORG-NAME
    

    Where ORG-NAME is the name of your org.

The command returns results similar to this example output:

Getting info for org ORG-NAME as user@example.com...

name:                 ORG-NAME
domains:              example.com, apps.example.com
quota:                paid
spaces:               development, production, sample-apps, staging
isolation segments:   SEGMENT-NAME, OTHER-SEGMENT-NAME

Show the Isolation Segment Assigned to a Space

Only one isolation segment can be assigned to a space.

To view the isolation segment assigned to a space:

  1. Log in to your deployment by running:

    cf login
    
  2. Run:

    cf space SPACE-NAME
    

    Where SPACE-NAME is the name of the space to which your isolation segment is assigned.

For example:

The command returns results similar to this example output:

name:                staging
org:                 ORG-NAME
apps:
services:
isolation segment:   SEGMENT-NAME
space quota:
security groups:     dns, p-mysql, p.mysql, public_networks, rabbitmq, ssh-logging

Delete an Isolation Segment

Note: An isolation segment with deployed apps cannot be deleted.

Only admins can delete isolation segments.

To delete an isolation segment:

  1. Log in to your deployment by running:

    cf login
    
  2. Run:

    cf delete-isolation-segment SEGMENT-NAME
    

    Where SEGMENT-NAME is the name of the isolation segment you want to delete.

If successful, the command returns an OK message:

$ cf delete-isolation-segment SEGMENT-NAME
Deleting isolation segment SEGMENT-NAME as admin...
OK

Manage Isolation Segment Relationships

The commands listed in the sections below manage the relationships between isolation segments, orgs, and spaces.

Enable an Org to Use Isolation Segments

Only admins can enable orgs to use isolation segments.

To enable the use of an isolation segment:

  1. Log in to your deployment by running:

    cf login
    
  2. Run:

    cf enable-org-isolation ORG-NAME SEGMENT-NAME
    

    Where:

    • ORG-NAME is the name of your org.
    • SEGMENT-NAME is the name of the isolation segment you want your org to use.

If an org is entitled to use only one isolation segment, that isolation segment does not automatically become the default isolation segment for the org. You must explicitly set the default isolation segment of an org. For more information, see Set the Default Isolation Segment for an Org.

Disable an Org from Using Isolation Segments

Note: You cannot disable an org from using an isolation segment if a space within that org is assigned to the isolation segment. Additionally, you cannot disable an org from using an isolation segment if the isolation segment is configured as the default for that org.

To disable an org from using an isolation segment:

  1. Log in to your deployment by running:

    cf login
    
  2. Run:

    cf disable-org-isolation ORG-NAME SEGMENT-NAME
    

    Where:

    • ORG-NAME is the name of your org.
    • SEGMENT-NAME is the name of the isolation segment you want to disable the org from using.

If successful, the command returns an OK message:

Removing entitlement to isolation segment SEGMENT-NAME from org org1 as admin...
OK

Set the Default Isolation Segment for an Org

Note: This section requires cf CLI v6.29.0 or later. To download cf CLI v6.29.0 or later, go to the Releases section of the Cloud Foundry CLI repository on GitHub.

Only admins and org managers can set the default isolation segment for an org.

When an org has a default isolation segment, apps in its spaces belong to the default isolation segment unless you assign them to another isolation segment. You must restart running apps to move them into the default isolation segment.

To set the default isolation segment for an org:

  1. Log in to your deployment by running:

    cf login
    
  2. Run:

    cf set-org-default-isolation-segment ORG-NAME SEGMENT-NAME
    

    Where:

    • ORG-NAME is the name of your org.
    • SEGMENT-NAME is the name of the isolation segment you want to set as your org’s default.

If successful, the command returns an OK message:

$ cf set-org-default-isolation-segment org1 SEGMENT-NAME
Setting isolation segment SEGMENT-NAME to default on org org1 as admin...
OK

To display the default isolation segment for an org:

  1. Run:

    cf org
    

Assign an Isolation Segment to a Space

Admins and org managers can assign an isolation segment to a space. Apps in that space start in the specified isolation segment.

To assign an isolation segment to a space, you must first enable the space’s org to use the isolation segment. For more information, see Enable an Org to Use Isolation Segments.

To assign an isolation segment to a space:

  1. Log in to your deployment by running:

    cf login
    
  2. Run:

    cf set-space-isolation-segment SPACE-NAME SEGMENT-NAME
    

    Where:

    • SPACE-NAME is the name of your space.
    • SEGMENT-NAME is the name of the isolation segment you want to assign to your space.

Reset the Isolation Segment Assignment for a Space

Admins can reset the isolation segment assigned to a space to use the org’s default isolation segment.

To assign the default isolation segment for an org to a space:

  1. Log in to your deployment by running:

    cf login
    
  2. Run:

    cf reset-space-isolation-segment SPACE-NAME
    

    Where SPACE-NAME is the name of the space to which you want to assign your org’s default isolation segment.

Create a pull request or raise an issue on the source for this page in GitHub