Tanzu Platform for Cloud Foundry 10.0

PDF
10.0 6.0 4.0

Configuring App Security Groups for email notifications

Last Updated March 13, 2025

You can configure App Security Groups (ASGs) to give network access to the Notifications Service.

To allow the Notifications Service to have network access, you must create App Security Groups (ASG). You cannot use the Notifications Service without ASGs.

For more information, see App Security Groups.

Prerequisite

Before configuring ASGs for the Notifications Service, you must first set up the Notifications Service. To set up the Notifications Service, see Getting Started with the Notifications Service.

Configure network connections

The Notifications Service is deployed as a suite of apps to the notifications-with-ui space in the system org. It requires the following outbound network connections:

DestinationPortsProtocolReason
SMTP_SERVER587 (default)tcp (default)This service is used to send out email notifications.
LOAD_BALANCER_IP80, 443tcpThis service accesses the load balancer.
ASSIGNED_NETWORK3306tcpThis service requires access to internal services. ASSIGNED_NETWORK is the CIDR of the network assigned to this service.

The SMTP server port and protocol are dependent on how you configure your server.

Create a SMTP server ASG

To create an ASG for your SMTP server:

  1. Go to the Tanzu Operations Manager Installation Dashboard.

  2. Click the VMware Tanzu Platform for Cloud Foundry (Tanzu Platform for Cloud Foundry) tile.

  3. Select Email Notifications.

  4. Record the values in the SMTP server address and SMTP server port fields.

  5. Using the SMTP server address you obtained in the previous step, find the IP addresses and protocol of your SMTP server from the service you are using. You might have to contact your service provider for this information.

  6. Create a smtp-server.json file. For destination, you must enter the IP address of your SMTP Server.

    [
    {
        "protocol": "tcp",
        "destination": SMTP_SERVER_IPS,
        "ports": "587"
    }
]

  7. Create an ASG called smtp-server by running:

    cf create-security-group smtp-server smtp-server.json

Create an assigned network ASG

If you use external services, the IP addresses, ports, and protocols depend on the service.

To create an ASG for an assigned network:

  1. Go to the Tanzu Operations Manager Installation Dashboard.

  2. Click the Tanzu Platform for Cloud Foundry tile.

  3. Select Assign AZs and Networks.

  4. Record the network selected in the Network dropdown.

  5. Return to the Tanzu Operations Manager Installation Dashboard.

  6. Click the BOSH Director tile.

  7. Select Create Networks.

  8. Record the CIDR for the network you identified in Assign AZs and Networks. Ensure the subnet mask allows the space to access p-mysql, p-rabbitmq, and p-redis.

  9. Create a file assigned-network.json. For the destination, enter the CIDR you recorded above.

    [
    {
        "protocol": "tcp",
        "destination": "10.68.0.0/20",
        "ports": "3306,5672,6379"
    }
]

  10. Create an ASG called assigned-network by running:

    cf create-security-group assigned-network assigned-network.json

Bind the ASGs

After creating your ASGs, you must bind them to the Notifications Service.

To bind your ASGs to the Notifications Service:

  1. Target the system org by running:

    cf target -o system

  2. Create a notifications-with-ui space by running:

    cf create-space notifications-with-ui

  3. Bind the ASGs you created in this topic to the notifications-with-ui space by running:

    cf bind-security-group smtp-server system notifications-with-ui
cf bind-security-group assigned-network system notifications-with-ui