Pivotal Cloud Foundry 2.1 Adds Cloud-Native .NET, Envoy & Native Service Discovery to Boost Your Transformation

March 28, 2018 Jared Ruckle

Digital transformation comes down to one thing: getting better at software.

That truth underpins all the social media, blogs, and whitepapers we’ve all consumed on the topic of “digital transformation.”

It’s time for some real talk. Your organization has transformed into a digital business when you can deliver:

  • Speed. Your development teams are pushing to production thousands of times a month.

  • Stability. Your platform engineering teams are meeting (and exceeding) SLAs and SLOs.

  • Scalability. Your apps can easily scale, and keep serving traffic under variable load.

  • Security. You can quickly apply fixes to CVEs, minimize the risk posed by malware, and reduce the value of leaked credentials.

With these four Ss, you can deliver better business outcomes. Ship your mobile app faster (like Liberty Mutual). Patch your systems quickly (like Synchrony). Keep critical customer systems online during new product launches (like T-Mobile).

Our goal at Pivotal: to help you achieve better business outcomes across your portfolio of applications. And in Pivotal Cloud Foundry 2.1, we help you make transformation real for several exciting new use cases:

  • Run .NET apps on a modern platform, automate Windows Server management at scale. PAS for Windows now includes support for Windows Server 2016 containers. This means your .NET dev teams can push code to an automated, secure, and highly available runtime. SysAdmins can now manage fleets of Windows Servers using immutable infrastructure principles.

  • Advanced multitenancy with service instance sharing. Your developers have all sorts of services attached to their apps. Now, it’s easy to securely share services like RabbitMQ and Config Server across teams.

  • Platform-native service discovery for all frameworks. Managing your own service discovery components is no fun. In PCF 2.1, the platform does it for you.

  • Envoy brings TLS connections all the way to the application container. Envoy is pretty slick open-source tech. PCF now uses Envoy to improve availability and security as traffic flows to and from your apps.

  • Cloud-native data patterns unlock new enterprise value. Caching for microservices (Pivotal Cloud Cache) and modern data pipelines (Spring Cloud Data Flow for PCF) open a new realm of data-driven scenarios for your developers.

  • Use Hardware Security Modules (HSMs) with PCF. Does your org have a strict requirement to use HSMs to protect secrets like digital certificates, private keys, and cryptographic material? If so, PCF is now in play for your application portfolio.

Those are the new scenarios. Per usual, we’ve also released oodles of new features for developer productivity, ops efficiency, and comprehensive security.

Let’s take a closer look!

Run .NET apps on a modern platform, automate Windows Server management at scale

Advanced multitenancy with service instance sharing

Platform-native service discovery for all frameworks

Envoy brings TLS connections all the way to the application container

Cloud-native data patterns unlock new enterprise value

Use Hardware Security Modules (HSMs) with PCF

Ops Manager Enhancements

Pivotal Ready Architecture from Dell EMC

Apps Manager: Use JSON for key-value entries, plus view and scale processes

App Autoscaler: new rule types & CLI plug-in

PCF Healthwatch includes alerts

Enhancements to PAS backup & restore

Single Sign-On: expanded operator APIs

Run .NET Apps on a Modern Platform

Many of your peers are running .NET apps at scale on Pivotal Cloud Foundry. (Several of them are speaking at CF Summit in April). In PCF 2.1, we’ve expanded Cloud Native .NET to include support for Windows Server Containers, a new feature in Windows Server 2016 version 1709. 

This is an implementation detail, albeit an immensely important one. Why? Because it unlocks several key scenarios for .NET teams and Windows sysadmins. “Native” support for Windows Server containers unlocks deeper integration with Pivotal Cloud Foundry. And thanks to this more powerful container implementation, developers enjoy improved isolation and resource management for their apps.

With the new Pivotal Application Service for Windows tile:

  • .NET developers can push Hosted Web Core apps to infrastructure running Windows Server 2016. This gives you support for CPU and network limits, full autoscaling, Diego SSH (i.e. cf ssh), context path routing, and support for multiple buildpacks.

  • Deploy your newer .NET Core apps to Windows or Linux too!

  • Engineers can perform remote debugging with Visual Studio. (This capability is in beta, and uses the new cf ssh port forwarding capabilities.)

  • Windows admins can now manage fleets of Windows Server 2016 boxes at scale. We’ve helped sysadmins be more efficient on the Windows front for some time; it’s exciting to see this latest milestone go GA.

Want to know more? Check out Richard Seroter's post on why the tile is a game-changer for .NET teams. Our engineering blog has tons more detail on the tech under the hood.

Also ICYMI - Steeltoe, the toolkit for building .NET microservices, reached a huge milestone.

Advanced Multitenancy with Service Instance Sharing

Cloud Foundry deftly handles multitenancy, with its “orgs” and “spaces” model. That multitenancy gets a boost in this release.

Can developers share a service instance across orgs and spaces? In PCF 2.1, the answer is yes! Application developers can now share service instances with other orgs and spaces.

Customers have wanted this feature to help them in these scenarios:

  • Application developers want to share RabbitMQ instances. This helps them publish and receive messages across different microservices.

  • Share a SCS Config Server across many applications in different orgs and spaces.

Now, these scenarios are supported! The feature is partner-ready as well.

NOTE: This is an “opt-in” feature (for both admins and service brokers), and is in beta.

Platform-Native Service Discovery for All Frameworks

We announced a new approach to container networking in Cloud Foundry a while ago. Customers using this feature have enjoyed a few benefits, including:

  • Reduced latency

  • Fine-grained access control through app to app policy

  • Private communication using container IPs instead of public routes

The catch? Developers had to configure and manage an external service discovery mechanism. The trade-off for most scenarios was worth it. (Especially for Java, where Eureka and Ribbon can be used.) But what about other frameworks? Several languages don’t have obvious service discovery mechanisms.

We thought there must be a way to reduce the toil for service discovery management - for Java, as well as any other framework. That’s what our new polyglot service discovery feature does. It’s integrated with PCF “out of the box.”

This is going to be useful in these scenarios:

  • To secure microservices. Use this feature to create internal routes, and to make internal services only accessible within PCF.

  • Blue-Green deployments. Map multiple apps to the same internal route.

  • Clustering apps. Access individual instances of an app using instance-based DNS.

Usha Ramachandran from Pivotal tells you how it works.

NOTE: This is an “opt-in” feature, and is in beta.

Envoy Brings TLS Connections All the Way to the Application Container

“TLS everywhere” is one of our long-standing product goals. It’s the best way to ensure that the application and the client are both who they say they are, and that the connection used to share information is encrypted. We take this a step further in PCF 2.1. Now, every app container has a TLS cert - with an Envoy process riding sidecar.

There’s lots of buzz around Envoy these days. But this implementation is very practical. Pivotal’s Shannon Coen explains the three benefits of this feature:

  • Increased security: Gorouter will encrypt traffic to application containers via TLS.

  • Increased resiliency: Gorouter will ignore the TTL of app routes, keeping your apps available during failures in the routing control plane.

  • Increased consistency: Gorouter will use the certificate presented in the TLS handshake to validate the identity of application instances before forwarding HTTP requests. Optimizing for availability increases the risk of misrouting, as a healthy Diego will continue recreating containers to keep your apps running and the probability of port reuse is statistically significant; this mechanism increases guarantees against misrouting.
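The third bullet describes an identity check that defeats port reuse. As an added illustration (not Cloud Foundry's or Gorouter's code), here it is modelled in Go: a route records which app instance it expects, and a backend is only used if the certificate it presented in the handshake names that instance. The instance-identity encoding (a URI SAN of the form instance://<id>), the container address and the instance ids are all constructed assumptions for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"math/big"
	"net/url"
	"time"
)

// Route is a Gorouter-style registry entry: the backend a route points at and
// the app instance that must prove that identity in the TLS handshake.
type Route struct{ Backend, InstanceID string }

// newInstanceCert builds a constructed self-signed cert carrying the instance
// identity as a URI SAN. "instance://<id>" is a scheme assumed for this
// example, not the platform's real instance-identity certificate layout.
func newInstanceCert(instanceID string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		URIs:         []*url.URL{{Scheme: "instance", Host: instanceID}},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// identityMatches is the misrouting guard: forward only if the certificate the
// backend presented names the instance this route expects.
func identityMatches(presented *x509.Certificate, r Route) bool {
	for _, u := range presented.URIs {
		if u.Scheme == "instance" && u.Host == r.InstanceID {
			return true
		}
	}
	return false
}

// simulatePortReuse plays out the failure mode from the text: app-a-0 died,
// Diego recreated capacity and app-b-3 now listens on the same container
// port, but the stale route still points there. Returns true only if the
// request would be forwarded, i.e. misrouted.
func simulatePortReuse() (bool, error) {
	stale := Route{Backend: "10.255.0.7:61001", InstanceID: "app-a-0"}
	certB, err := newInstanceCert("app-b-3") // what the new occupant presents
	if err != nil {
		return false, err
	}
	return identityMatches(certB, stale), nil
}
```

Without the identity check, the stale route would hand app-a-0's traffic to app-b-3; with it, the request is dropped and the route can be refreshed instead.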

Expect to hear much more from Cloud Foundry in this area. The project continues towards an Istio-driven, polyglot service-mesh capability.

Cloud-Native Data Patterns Unlock New Enterprise Value

If you need to run microservices, Pivotal Application Service is the obvious choice. And as you mature your microservices architectures, Pivotal Cloud Cache becomes an obvious choice as well. PCC 1.3 is a big help, if you’re looking to deploy microservices across multiple data centers, and to embrace in-line caching scenarios.

How can you unlock the treasure trove of data locked away in your IT systems? Build modern pipelines to process and enrich this data! The new Spring Cloud Data Flow for PCF dramatically simplifies this task, thanks to its embrace of the Spring framework.

Use a Hardware Security Module (HSM) with PCF

Some organizations use hardware security modules to store their cryptographic keys. Does your org use an HSM? If so, you can now use PCF in conjunction with these devices. Here’s how:

  • BOSH CredHub, the secrets management repository for the platform, uses the SafeNet Luna Network HSM to encrypt and decrypt data.

  • Pivotal Application Service (PAS), the app runtime, can integrate with Luna HSMs to encrypt service credentials.

  • PAS also leverages Luna HSMs' high availability feature set, to support load balancing and failover across multiple Luna HSM servers.

Using a cloud-based HSM? PCF 2.1 also supports CloudHSM Classic from AWS.

Ops Manager Enhancements

Operational efficiency is a central theme for Pivotal Cloud Foundry. Check out the full roundup of all the new features that support this theme. Here’s a quick review of the highlights in this area:

Multi-tenancy improvements

We recently added new permissions to Ops Manager. In PCF 2.1, we’ve expanded on this capability. “Full View” and “Restricted View” users can now access Ops Manager at the same time. (Previously, the system only allowed one viewer at a time.)

More control over floating stemcells

The current floating stemcell feature in PCF helps you quickly apply fixes to CVEs. But there are times when you may need to apply updates at a time of your choosing. The new floating stemcell manager helps you do just that. (Of course, we still recommend applying fixes as soon as they are available!)

Deeper integration with IaaS targets

Ops Manager now supports several new features for public cloud providers and vSphere.

  • AWS - use Application Load Balancers, as well as user-provided KMS keys for all disk encryption. We’ve also added support for multi-VPC and multi-region deployments. (NOTE: operators are responsible for configuring VPNs between VPCs.)

  • Google Cloud Platform - use Google Cloud Storage as the BOSH Director blobstore.

  • vSphere - Ops Manager availability zones can now consist of multiple vSphere clusters.

We’re also working with Microsoft to support its Application Gateway service. Stay tuned!

IaaS flexibility with custom vm_extensions

This feature will sound familiar to BOSH users. The parameter vm_extensions has long been used to interact with underlying IaaS primitives. Now, in PCF 2.1, you can use the Ops Manager API to associate these custom vm_extensions with an instance group. Use this workflow if you want to:

  • Use spot instance pricing on AWS

  • Define custom IaaS security groups on a per-instance-group basis (rather than as a global setting)

  • Apply IAM instance profiles on AWS

  • Associate certain instances with GCP internal load balancers

Try out the new automation with custom vm_extensions; they are useful in so many ways! Get started by reading the docs.

Improved IP management

As of PCF 2.1, Ops Manager delegates its IP address management to BOSH. Operators will notice several handy improvements:

  • The “artificial limit” on the number of usable IPs is now gone. (This limit was especially hard to work around for large deployments on small CIDRs.)

  • IP collisions will be far less frequent. (In fact, for certain types of operations, IP collisions will no longer occur at all.)

  • Operators no longer need to specify a special “services network” for on-demand broker tiles. This is useful when an operator wants to use a pre-provisioned service instead of one created on demand.

Pivotal Ready Architecture from Dell EMC

An easy way to add capacity to your private cloud footprint: hyper-converged infrastructure. Just drop the gear into your data center, plug it in, configure a few things, and you’re good to go.

That ease and convenience now extends to modern platforms, thanks to the new Pivotal Ready Architecture from Dell EMC.

What’s Pivotal Ready Architecture? It’s a tested, validated reference architecture for deploying Pivotal Cloud Foundry on VxRail, Dell EMC’s hyper-converged infrastructure appliance.

If you want to deploy Pivotal Cloud Foundry on-prem, this approach offers a few advantages.

  • Peace of mind. Pivotal Ready Architecture is a designed, tested, and proven hardware and software solution.

  • Speed and convenience. Installing PCF is simple enough. But getting the underlying IaaS ready for the platform isn’t always straightforward. With VxRail, this is done for you. The appliance is plug-and-play.

  • Flexibility. You can add to your deployment over time as you expand your use of the platform. Get started with a custom configuration that fits your requirements. You can even opt for a multiple availability zone option!

Check out Chad Sakac’s blog for more on this winning combination.

Apps Manager: Use JSON for Key-Value Entries, Plus View and Scale Processes

Got an app with multiple processes? Now you can use Apps Manager to view individual processes within the app. Further, you can use the UI to scale each process independently.

Use Apps Manager to keep tabs on apps with multiple processes.

One other thing: you can now use JSON for key-value entries in the Apps Manager UI. This is handy for arbitrary parameters and environment variables alike.

App Autoscaler: New Rule Types & CLI Plug-in

We’ve enhanced the App Autoscaler service in this release. You can now scale your apps based on two new rules: container memory and RabbitMQ queue depth.

Use the container memory rule to automatically scale your app instances based on container memory utilization. Use the RabbitMQ rule to scale app instances based on message depth within a specific queue. You can create multiple RabbitMQ rules to scale on multiple queues.

There’s also a new App Autoscaler CLI plugin. The plugin offers you a new way to manage autoscaling rules. Download it from PivNet.

Manage autoscaling policies for your apps with the CLI plug-in.

PCF Healthwatch includes Alerts

PCF Healthwatch is “out of the box” platform monitoring for PCF. The dashboard “watches” the most important metrics, and renders them visually in a colorful dashboard. Operators get an intuitive at-a-glance view of what’s happening. This “out of the box” convenience now extends to alerts!

You can now manage alerts for the dozens of key performance indicators and key scaling indicators that PCF Healthwatch tracks. These are included as part of the standard PCF Healthwatch 1.2 installation. (We ship with sensible “default” thresholds based on our experiences with PCF. But you are free to customize them to your environment, of course!)

You’ll need to install the forthcoming Event Alerts tile first. Once you've done that:

  • You can receive the alerts via Slack, email, or by webhook targets.

  • When the threshold is exceeded, you are notified via your chosen channels.

Here’s an example of a Slack alert:

A Slack alert sent by PCF Healthwatch.

One other quick update: PCF Healthwatch is updated to reflect the new set of relevant KPI/KSI changes for PCF 2.1.

Enhancements to PAS Backup & Restore

We introduced BOSH Backup & Restore (BBR) to help customers perform backup and restoration operations in Cloud Foundry. Since then, the service has kept improving this scenario across the board for PAS. Consider these 3 highlights in PCF 2.1:

  • Reduced PAS API downtime during backups. The legacy PCF backup jobs would often cause several hours of PAS API downtime. BBR has reduced that, down to less than 30 minutes in most cases! We’ve reduced this downtime further, with parallel lock/unlock where possible. (Make sure to update to the latest versions of PAS and BBR for the shortest possible downtime.)

  • PAS backup supports “external” MySQL. Previously, backups had to be stored using the “internal MySQL” store within PAS. Now, you can choose to host your PAS backups with an “external” MySQL service (e.g. AWS RDS, GCP Cloud SQL, or an existing on-premises service). Consistency and fidelity are identical between the two options.

  • PAS backups support S3 versioned blobstores. If you’ve configured PAS to an external S3-compatible blobstore with versioning enabled, backup and restore via BBR is now supported. The backup artifact is a list of version IDs (rather than a copy of the blobs) so replication is recommended.

Single Sign-On: Expanded Operator APIs

Lots of new service plan configuration options are now supported for operators through UAA APIs in this release. You can now configure plans, login page branding, signing key rotation, and default authorities for users - all via API.

Use Google Authenticator for multi-factor authentication? Then you might want to try out the preview of SSO’s integration with the service in 2.1. Contact your PA for details!

BBR helps Single Sign-On as well, since data and configuration for this tile is backed up and restored automatically as part of PAS.

Focus on Business Outcomes

Get real about your transformation in three easy steps:

  1. Get your key people in a room.

  2. Discuss and analyze how your code gets to production today.

  3. Create a plan to get better, based on the data from step 2.

These 3 steps are “value stream mapping.” It’s one of the most important things you can do to get real about your transformation. That’s why we make it a central pillar of how we work with our customers.

Value stream mapping reveals how you can bring more speed, stability, scalability, and security to your business. From there, it’s easy to see how Pivotal Cloud Foundry can play a key role in helping you get better at software. But don’t just take our word for it - listen to our customers!

Learn more about Pivotal Cloud Foundry 2.1.

Ready to try out PCF 2.1? Check out Small Footprint PCF, PCF Dev, or spin up a free trial on Pivotal Web Services.

About the Author

Jared Ruckle

Jared works in product at Pivotal.
