Managing Isolation Segments in Cloud Foundry
Page last updated:
With Cloud Foundry, you can isolate deployment workloads into dedicated resource pools called isolation segments.
Isolation Segments overview
To enable isolation segments, an admin can pass in a custom operations file with the BOSH CLI. For the example file used in this topic, see the cf-deployment repository in GitHub.
After an admin creates a new isolation segment, the admin can then create and manage relationships between the orgs and spaces of a Cloud Foundry deployment and the new isolation segment.
Requirements
Target the API endpoint of your deployment with cf api
and log in with cf login
before performing the procedures in this topic. For more information, see Identifying your Cloud Foundry API Endpoint and Version.
Add an Isolation Segment to your deployment manifest
To add an isolation segment to your deployment manifest:
Write a custom operations file. The operations file defines an instance group that supports isolation segments. For a working example, see the cf-deployment repository in GitHub. The example sets the following instance group properties:
- Name as
isolated-diego-cell
- Placement tag as
persistent_isolation_segment
When you use the cf CLI, the name of the isolation segment corresponds to the placement tag you specify in the operations file. The commands throughout this topic use
SEGMENT-NAME
as an example isolation segment name.
- Name as
Apply the custom operations file when you deploy Cloud Foundry by running:
bosh -e BOSH-ENVIRONMENT -d cf deploy cf-deployment/cf-deployment.yml \ -v system_domain=SYSTEM-DOMAIN \ -o cf-deployment/operations/CUSTOM-OPS-FILE.yml
Where:
BOSH-ENVIRONMENT
is your BOSH environment alias. For more information about creating an environment alias for BOSH v2 or later, see Environments in the BOSH documentation.SYSTEM-DOMAIN
is the system domain of your Cloud Foundry deployment.CUSTOM-OPS-FILE.yml
is your operations file.
Register an isolation segment
To register an isolation segment in the Cloud Controller database (CCDB), use the cf CLI.
To register an isolation segment in the CCDB:
Log in to your deployment by running:
cf login
Run:
cf create-isolation-segment SEGMENT-NAME
Where
SEGMENT-NAME
is the name you give your isolation segment.
Note The isolation segment name used in the cf CLI command must match the value specified in the
placement_tags
section of the Diego manifest file. If the names do not match, Cloud Foundry fails to place apps in the isolation segment when apps are started or restarted in the space assigned to the isolation segment.If successful, the command returns an `OK` message:
Creating isolation segment SEGMENT-NAME as admin... OK
Retrieve isolation segment information
The cf isolation-segments
, cf org
, and cf space
commands retrieve information about isolation segments. The isolation segments you can see depends on your role:
- Admins see all isolation segments in the system.
- Other users only see the isolation segments that their orgs are entitled to.
List isolation segments
To see a list of the isolation segments that are available to you:
Log in to your deployment by running:
cf login
Run:
cf isolation-segments
The command returns results similar to this example output:
Getting isolation segments as admin... OK name orgs SEGMENT-NAME org1, org2
Display isolation segments enabled for an org
An admin can entitle an org to multiple isolation segments.
To view the isolation segments that are available to an org:
Log in to your deployment by running:
cf login
Run:
cf org ORG-NAME
Where
ORG-NAME
is the name of your org.The command returns results similar to this example output:
Getting info for org ORG-NAME as [email protected]... name: ORG-NAME domains: example.com, apps.example.com quota: paid spaces: development, production, sample-apps, staging isolation segments: SEGMENT-NAME, OTHER-SEGMENT-NAME
Showing the isolation segment assigned to a space
Only one isolation segment can be assigned to a space.
To view the isolation segment assigned to a space:
Log in to your deployment by running:
cf login
Run:
cf space SPACE-NAME
Where
SPACE-NAME
is the name of the space to which your isolation segment is assigned.The command returns results similar to this example output:
name: staging org: ORG-NAME apps: services: isolation segment: SEGMENT-NAME space quota: security groups: dns, p-mysql, p.mysql, public_networks, rabbitmq, ssh-logging
Deleting an isolation segment
An isolation segment with deployed apps cannot be deleted.
Only admins can delete isolation segments.
To delete an isolation segment:
Log in to your deployment by running:
cf login
Run:
cf delete-isolation-segment SEGMENT-NAME
Where
SEGMENT-NAME
is the name of the isolation segment you want to delete.If successful, the command returns an
OK
message:$ cf delete-isolation-segment SEGMENT-NAME Deleting isolation segment SEGMENT-NAME as admin... OK
Managing isolation segment relationships
The commands listed in the following sections manage the relationships between isolation segments, orgs, and spaces.
Enabling an org to use isolation segments
Only admins can enable orgs to use isolation segments.
To enable the use of an isolation segment:
Log in to your deployment by running:
cf login
Run:
cf enable-org-isolation ORG-NAME SEGMENT-NAME
Where:
ORG-NAME
is the name of your org.SEGMENT-NAME
is the name of the isolation segment you want your org to use.
If an org is entitled to use only one isolation segment, that isolation segment does not automatically become the default isolation segment for the org. You must explicitly set the default isolation segment of an org. For more information, see Set the Default Isolation Segment for an Org.
Deactivating an org from using isolation segments
You cannot deactivate an org from using an isolation segment if a space within that org is assigned to the isolation segment. Additionally, you cannot deactivate an org from using an isolation segment if the isolation segment is configured as the default for that org.
To deactivate an org from using an isolation segment:
Log in to your deployment by running:
cf login
Run:
cf disable-org-isolation ORG-NAME SEGMENT-NAME
Where:
ORG-NAME
is the name of your org.SEGMENT-NAME
is the name of the isolation segment you want to deactivate the org from using.
If successful, the command returns an
OK
message:Removing entitlement to isolation segment SEGMENT-NAME from org org1 as admin... OK
Setting the default isolation segment for an org
This section requires cf CLI v6.29.0 or later. To download cf CLI v6.29.0 or later, go to the Releases section of the Cloud Foundry CLI repository on GitHub.
Only admins and org managers can set the default isolation segment for an org.
When an org has a default isolation segment, apps in the spaces belong to the default isolation segment unless you assign them to another isolation segment. You must restart running apps to move them into the default isolation segment.
To set the default isolation segment for an org:
Log in to your deployment by running:
cf login
Run:
cf set-org-default-isolation-segment ORG-NAME SEGMENT-NAME
Where:
ORG-NAME
is the name of your org.SEGMENT-NAME
is the name of the isolation segment you want to set as your org’s default.
If successful, the command returns an
OK
message:$ cf set-org-default-isolation-segment org1 SEGMENT-NAME Setting isolation segment SEGMENT-NAME to default on org org1 as admin... OK
To display the default isolation segment for an org:
Run:
cf org
Assign an isolation segment to a space
Admins and org managers can assign an isolation segment to a space. Apps in that space start in the specified isolation segment.
To assign an isolation segment to a space, you must first activate the space’s org to use the isolation segment. For more information, see Enable an Org to Use Isolation Segments.
To assign an isolation segment to a space:
Log in to your deployment by running:
cf login
Run:
cf set-space-isolation-segment SPACE-NAME SEGMENT-NAME
Where:
SPACE-NAME
is the name of your space.SEGMENT-NAME
is the name of the isolation segment you want to assign to your space.
Resetting the isolation segment assignment for a space
Admins can reset the isolation segment assigned to a space to use the org’s default isolation segment.
To assign the default isolation segment for an org to a space:
Log in to your deployment by running:
cf login
Run:
cf reset-space-isolation-segment SPACE-NAME
Where
SPACE-NAME
is the name of the space to which you want to assign your org’s default isolation segment.