Cloud Foundry Networking on Bosh-lite

This post is deprecated, as cf-networking-release  is now part of  cf-deployment and deployed by default!

Cloud Foundry Networking is a new Cloud Foundry project, currently in incubation, which provides policy-based container networking for Cloud Foundry. This release allows for the first time in cloud foundry direct tcp and udp connection between containers.
This blog covers a brief overview how to get started with the cf-networking-release on bosh-lite using bosh cli v2.


  • git
  • cf cli
  • BOSH CLI v2
  • a bosh-lite deployment

You can start with my previous post: Deploying Cloud Foundry on Virtualbox using BOSH CLI v2

Preparing BOSH director

We need to load the br_netfilter  module on our bosh-lite vm to enable networking support on bosh-lite.
If you don’t have yet extracted the private SSH key as described in the last post, you need to do so now:

umask 077; touch ~/deployments/vbox/director_priv.key
bosh int ~/deployments/vbox/creds.yml --path /jumpbox_ssh/private_key > ~/deployments/vbox/director_priv.key

Finally enable the module:

ssh jumpbox@ -i ~/deployments/vbox/director_priv.key 'sudo modprobe br_netfilter && lsmod | grep br_netfilter'

Cloud Foundry Networking Deployment

We need the cf-networking-release  repository:

git clone ~/workspace/cf-networking-release

Next, we upload the release:

bosh upload-release

The next step is already to either start a new cloud foundry deployment with networking or updating an existing deployment on bosh-lite. The command is the same.

bosh -d cf deploy ~/workspace/cf-deployment/cf-deployment.yml \
  -o ~/workspace/cf-networking-release/manifest-generation/opsfiles/cf-networking.yml \
  -o ~/workspace/cf-deployment/operations/bosh-lite.yml \
  -o ~/workspace/cf-networking-release/manifest-generation/opsfiles/postgres.yml \
  --vars-store ~/deployments/vbox/deployment-vars.yml \

You’re already finished deploying the Cloud Foundry Networking release.

Preparing the Client

The current Cloud Foundry CLI does not yet include networking support. Therefore we need do download and install the networking plug-in.

chmod +x network-policy-plugin-linux64
cf install-plugin network-policy-plugin-linux64

Cloud Foundry Networking introduces a new scope network.admin in the UAA. If you are updating an existing deployment, you will need to logout  on the client to  get the new permissions assigned.

cf logout
cf login -a --skip-ssl-validation -u admin -p $(bosh int ~/deployments/vbox/deployment-vars.yml --path /uaa_scim_users_admin_password )

Example Application

The cf-networking-release repository does include a few sample projects under src/example-apps/ .


The Cloud Foundry Networking project is a huge enhancements for Cloud Foundry. Its direct containter-to-container network with fine grained policies is a great foundation for microservice applications.

Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.