Pivotal Knowledge Base


Container-to-Container Networking for Pivotal Web Services


Pivotal Web Services (PWS): All versions


This article explains how to configure Container-to-Container Networking (C2CN) policy on PWS.
Container-to-Container Networking (C2CN) policy configuration on PWS has always been scoped to the Spaces where the user has the Space Developer role, but it was only enabled on request. Now, by default, any user with the Space Developer role can configure network policies for applications in their space(s).


Network policies are configured with the CLI Network Access plug-in, which provides the `cf allow-access` command. The CLI Network Access plug-in is available from https://github.com/cloudfoundry-incubator/cf-networking-release/releases

Testing Direct Container Networking

If you have just deployed your client and service applications for the first time, you probably don’t have any networking policies set up.

1) Verify this by running `cf list-access`.

2) If you go to the client application’s URL (the visitor application in the “Who is Home?” sample), you will receive a message that the visitor application is not able to communicate with the registered service, homeowner.

Although the service registry provides the internal IP address and port for the service to connect to, there is no network policy allowing this communication. Communication is blocked by default.

3) To enable communication between the client and service applications, you can add a network policy. For example, to allow a visitor to communicate with the homeowner, use the following command:

$ cf allow-access visitor homeowner --protocol tcp --port 8080

The allow-access command sets up a network route from the visitor to the homeowner using the TCP protocol on port 8080. Once this network policy has been added successfully, the visitor application can communicate with the homeowner application.

Moreover, this does not use an externally available route; it uses direct container networking with an IP address and port for the service application. When we list the network policies, we now see the following:

$ cf list-access
Source		Destination	Protocol	Port
visitor		homeowner	tcp		8080
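
A least-privilege check on the result, as an added example that is not part of the original article: the script parses `cf list-access` output in the column layout shown above and compares it with an approved list, so that policies nobody signed off on stand out. The function name `audit_policies`, the approved list, the `billing` application and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare `cf list-access` output with an approved policy list.

# Approved policies, one per line: source destination protocol port.
# Constructed value; it matches the policy created in step 3.
APPROVED='visitor homeowner tcp 8080'

# Constructed sample in the column layout shown above, with one extra
# policy (visitor -> billing) that is not on the approved list.
SAMPLE_OUTPUT='Source   Destination  Protocol  Port
visitor  homeowner    tcp       8080
visitor  billing      tcp       5432'

# audit_policies APPROVED_LIST  (reads list-access output on stdin)
# Prints UNEXPECTED for policies that exist but are not approved and
# MISSING for approved policies that are absent; returns 1 on any finding.
audit_policies() {
    APPROVED_POLICIES="$1" awk '
        BEGIN {
            # Load the approved list from the environment into a lookup set.
            n = split(ENVIRON["APPROVED_POLICIES"], line, "\n")
            for (i = 1; i <= n; i++)
                if (split(line[i], f, " ") == 4)
                    want[f[1] " " f[2] " " tolower(f[3]) " " f[4]] = 1
        }
        $1 == "Source" && $2 == "Destination" { next }   # skip the header row
        NF == 4 {
            key = $1 " " $2 " " tolower($3) " " $4
            seen[key] = 1
            if (!(key in want)) { print "UNEXPECTED " key; bad = 1 }
        }
        END {
            for (k in want)
                if (!(k in seen)) { print "MISSING " k; bad = 1 }
            exit (bad ? 1 : 0)
        }
    '
}

# Against a live space this would be: cf list-access | audit_policies "$APPROVED"
printf '%s\n' "$SAMPLE_OUTPUT" | audit_policies "$APPROVED" ||
    echo "policy drift detected" >&2
```

Because communication is blocked by default, every row in the listing is an explicit exception, which is why the check treats any row outside the approved list as a finding.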

Direct C2CN enables many new scenarios for applications deployed to Pivotal Cloud Foundry.

One of those use cases is the ability to register applications using the direct registration method with a Spring Cloud Services Service Registry.

Now, a registered service no longer needs an externally routable URL, and instead, you can control communication with the service using network policies!

Additional Information 

For more details, refer to the original blog post.

