Using Isolation Segments for GoRouter-Only Deployments
Article ID: 436870
Updated On:
Products
Issue/Introduction
A possible need for customers is the ability to perform targeted stemcell updates on GoRouters independently from Diego Cells and other platform components. One approach to achieve this is deploying GoRouters into a dedicated Isolation Segment (IsoSeg) tile without enabling compute or network isolation.
The question this article addresses: If you deploy a GoRouter-only Isolation Segment with Compute Isolation set to "Do not use" and Networking Isolation set to route to the main ERT deployment and shared Diego Cells, do those GoRouters serve all core platform Diego Cells without requiring orgs/spaces to be tagged with the isolation segment?
Environment
Isolation Segment Tile
Cause
With the above setting, the GoRouters behave the same as the default GoRouters in terms of route advertisement and traffic forwarding.
Reference: routing-release gorouter spec L439
Org/Space IsoSeg tagging only affects compute placement. It determines which Diego Cells an application's container is scheduled on. It has no bearing on which GoRouters handle inbound traffic to that application. Therefore, tagging orgs/spaces is not required.
Resolution
To deploy a GoRouter-only Isolation Segment that routes to all core platform Diego Cells:
- Deploy the Isolation Segmentation tile in Ops Manager.
- Under Compute and Networking Isolation, configure as follows:
- Compute Isolation: Do Not Use
- Networking Isolation (destinations for isolated GoRouters' traffic): The main Elastic Application Runtime deployment, shared Diego cells, and the Diego cells for this segment.
- Do not tag orgs or spaces with the isolation segment.
- Apply Changes.
This allows stemcell updates to be applied exclusively to GoRouters without triggering a full TAS tile deploy and potential disruption during routine patching.
Feedback
