Overview
Multiple Workloads can be deployed to Control Plane that have a dependency on one another. By default, Workloads are hardened and don’t allow any access from other Workloads. Using the internal firewall settings, secure access (using mTLS) from other Workloads can be enabled. This quick start will focus on allowing internal service-to-service calls between Workloads. This quick start will demonstrate how to:- Set up two Workloads with a sample application.
- Configure a Workloads’ internal firewall to accept requests from other Workloads.
- Prove, using the sample application, that requests are only received by allowed Workloads.
Prerequisites
- Permissions to:
- Latest CLI installed.
Sample Application
A sample application for this quick start is available as an image from Docker Hub that will display the following:- GVC name.
- Cloud provider location.
- Workload name.
- Response from a call to another URL (using the
url
query string parameter). - The image is located at:
cplnquickstarts/service-to-service-quick-start:1.1
.
Step One - Create GVC and Two Workloads
- Authenticate to Control Plane by executing the following CLI command:
- Execute the following CLI command to update your profile with a default Org which will be used by the subsequent commands (substitute ORG_NAME for your org):
quick-start-service-to-service
and will be hosted at AWS within the us-west-2 region.
- Execute the following CLI command to create the two Workloads that will be hosting the sample application.
server
and the second is named client
. They are both configured with the sample application image and the firewall rules have been set to allow outside traffic.
-
Browse to the
server
Workload using the Console:- Select the GVC named
quick-start-service-to-service
. - Click
Workloads
in the left menu and selectserver
.
- Select the GVC named
Workload Health
shows Ready
, click on the Open
link next to the Global Endpoint
URL. A new browser tab will open and display the following:
Step Two - Demonstrate a Failed Request
- Browse to the
client
Workload using the Console:- Click
Workloads
in the left menu and selectclient
.
- Click
Workload Health
shows Ready
, click on the Open
link next to the Global Endpoint
URL. A new browser tab will open and display the output similar to step 1, but showing the second Workload name client
.
The sample application can call another URL endpoint by using the url
query string parameter. Since the client
will be calling the server
, the URL will follow the Service Endpoint Syntax.
From the new browser tab, test the call to the first service by browsing to:
client
cannot connect to the server
):
Step Three - Configure Internal Firewall
Execute the following CLI command to update the firewall rules of theserver
Workload to grant inbound access from any Workload in the same GVC:
same-gvc
.
Step Four - Test the Updated Firewall Rule
- In the browser tab that was opened for step two, we should still have the failed response displayed.
- Refresh the page and the following response will be displayed (it might take a minute or two for the new deployment to complete):
Configure Other Internal Firewall Rules
In step three, the internal firewall rule for theserver
Workload was set to allow access from any Workload in the same GVC.
The rule can also be set to:
- Allow access ONLY from specific Workloads. These Workloads can be from the same or different GVCs. The user configuring this setting must have the
view
permission, set within a policy, on the Workload being specified. - Allow access from any Workloads within the same Org, crossing GVC boundaries.