IBM Cloud - Structured Ideas

Welcome to the idea portal for structured ideas (i.e. product feature requests) - A more integrated and automated feedback system to connect your product improvement ideas with IBM product and engineering teams.  Happy submitting!


NOTE: All IBM employees must enter Ideas through this Ideas Portal.

Application Security Groups (ASGs) on Bluemix Local

We would like to leverage ASGs on Bluemix Local. By design (CloudFoundry), ASG defines allow rules. This means that you can only add new rules to the existing ones.
On Bluemix Local, the default rules allow all traffic (all destinations, all protocols). As a consequence, there is no way to actually control which destinations are accessible from the apps. Adding new allow rules to the default allow all rule is useless.

The proposed solution to make it possible to leverage ASGs on Bluemix Local is to change the default rules to allow the traffic to the minimum (only what is required for Bluemix Local to run).

  • Catherine Ezvan
  • Feb 15 2017
  • Shipped
  • Attach files
  • ANANDA DEBNATH commented
    February 16, 2017 13:32

    Catherine - I seem to be missing the "why" here. What's the underlying use-case? Are they trying to restrict Local apps from connecting to other internal local apps and endpoints or external ones? If internal, why so? If external, why not do it with a proxy?

  • Catherine Ezvan commented
    February 16, 2017 15:20

    More clarifications on the use case. Several Lines of Business have their apps hosted on the Bluemix Local Platform. An organization is assigned to each LoB. Each LoB can decide to have several spaces, one for test, one for integration, one for pre-production, etc. Apps need to reach backends (CICS, DBs, MQs on mainframe for example) hosted on corporate private network (outside of Bluemix, but still in private network).  We want to make sure that Bluemix apps from LoB1 can access backends from LoB1 and only from LoB1,  apps from LoB2 can access backends from LoB2 and only from LoB2, etc. We can even imagine than for a given LoB, the access to the pre-production backends is allowed only for the apps in the pre-production space (and not for the apps in the integration or test spaces).

  • ANANDA DEBNATH commented
    February 26, 2017 23:47

    Catherine - would you please tag the customers who have asked for this today?

NOTICE TO EU RESIDENTS: per EU Data Protection Policy, if you wish to remove your personal information from the IBM ideas portal, please login to the ideas portal using your previously registered information then change your email to "anonymous@euprivacy.out" and first name to "anonymous" and last name to "anonymous". This will ensure that IBM will not send any emails to you about all idea submissions