Improve Security and Developer Productivity with Service Instance Sharing in PCF 2.1

April 10, 2018 Matt McNeeney

This post was co-written by Zoe Vance and Matt McNeeney.

Sharing service instances among multiple microservices that support a larger application makes sense for a lot of reasons. Most notably, it provides a more intuitive experience for the user, as the different microservices that make up the larger application will be better integrated from a data consistency and security perspective by relying on the same service instance. So the easier and more secure it is for development teams to use the same services, the better.

Until now, Pivotal Cloud Foundry users relied on the “cf create-user-provided-service” workflow to allow different applications running on the platform to gain access to the same service instance. While useful, this workflow does not take advantage of PCF’s built-in security and authentication capabilities using CredHub, leading many development teams to share credentials and other sensitive information outside of the platform. This clearly violates security best practices.

In order to make service instance sharing simpler and more secure, PCF 2.1 introduces a new capability that enables multiple development teams working on separate microservices to access the same backing services, whilst giving those teams the isolation of responsibilities and roles that they require. In practice, this allows development teams working on different microservices of an application to share databases, messaging queues, configuration servers and much more - easily, safely and securely.

This is a capability that PCF developers and operations teams have been asking for and we are happy to deliver the beta version with PCF 2.1. Service instance sharing will GA in a later version of PCF.

How Service Instance Sharing Works

It is now extremely simple to start sharing service instances across your Pivotal Cloud Foundry environment. The RabbitMQ for PCF messaging service has already added support for this new feature, so I will use it to illustrate. Note, however, that because this feature is supported via the Open Service Broker API project, many more Service Brokers will be adopting this feature over the coming months.  

For those not familiar with it, RabbitMQ is a messaging service that is used as a backing service for applications. An application that consists of a set of microservices may have many services listening for events (e.g., for updates to a database) and will use RabbitMQ as the messaging service to distribute those events.

Imagine two separate development teams managing different microservices that roll up to the same larger application. In order to use the same messaging service instance, such as RabbitMQ, the teams had to either develop their application inside a single space in Cloud Foundry (making it easy for development teams to accidentally interfere with one another) or come up with a manual workaround to share messages. Until now. With service instance sharing, these teams can now share a message service such as RabbitMQ easily and securely in just a few short steps.

To share a single RabbitMQ service instance among multiple microservices running on Pivotal Cloud Foundry, all that is needed is to...

  • Install PCF 2.1, the RabbitMQ for PCF tile and the latest version of the CF CLI.

  • Create your first RabbitMQ cluster.

  • Run cf share-service and choose the space (and org) you want to share your cluster with.

  • Applications running in that space can immediately bind to that cluster and start sending and receiving messages on it.
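The steps above, scripted with the cf CLI as an added example (not code from the original post or from the RabbitMQ for PCF tile). The org, space, app, offering and plan names are constructed placeholders; the cf verbs and flags are the real ones.

```shell
#!/usr/bin/env bash
# Added example: share one RabbitMQ instance owned by the current space into a
# second space, bind an app there, and revoke the share again. Names such as
# dev-org, orders, billing and orders-rabbit are placeholders.
set -eu

# share_instance INSTANCE TARGET_SPACE TARGET_ORG
# Shares an instance owned by the currently targeted space into another space.
# Refuses to "share" an instance into the space that already owns it and
# returns cf's exit status so a caller can stop on failure.
share_instance() {
  instance="$1"; target_space="$2"; target_org="$3"
  here_space="$(cf target | awk '/^space:/ {print $2}')"
  here_org="$(cf target | awk '/^org:/ {print $2}')"
  if [ "$target_space" = "$here_space" ] && [ "$target_org" = "$here_org" ]; then
    echo "refusing to share $instance into its own space $target_org/$target_space" >&2
    return 1
  fi
  cf share-service "$instance" -s "$target_space" -o "$target_org"
}

# bind_shared APP INSTANCE SPACE ORG
# From the consuming space, binds an app to the shared instance. The binding
# receives its own credentials from the broker, so nothing is copied by hand.
bind_shared() {
  app="$1"; instance="$2"; space="$3"; org="$4"
  cf target -o "$org" -s "$space" >/dev/null
  cf bind-service "$app" "$instance"
  cf restage "$app"
}

# unshare_instance INSTANCE SPACE ORG
# Revokes the share. Bindings that the consuming space made to the instance
# are removed as part of this, so the CLI normally asks for confirmation;
# -f skips that prompt for scripted use.
unshare_instance() {
  cf unshare-service "$1" -s "$2" -o "$3" -f
}

# Typical run from the owning space. Sharing must first be enabled platform-wide
# by an admin: cf enable-feature-flag service_instance_sharing
# Offering and plan names are placeholders; check "cf marketplace" for yours.
#   cf create-service p.rabbitmq single-node orders-rabbit
#   share_instance orders-rabbit billing dev-org
#   bind_shared billing-api orders-rabbit billing dev-org
#   unshare_instance orders-rabbit billing dev-org
```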

This new capability improves developer productivity, as less time and fewer steps are required to share service instances among different teams and applications. It also makes the process more secure, obviating the need to swap user credentials among multiple developers.

Currently, RabbitMQ for PCF, Redis for PCF and Spring Cloud Services for PCF support the instance sharing capability, and all are available in the Pivotal Services Marketplace. Additional third-party services are expected to add support for the capability over the coming weeks and months. You can determine if your favorite service supports instance sharing by reviewing the latest documentation.

More information on how to use this feature and the security considerations you should take can be found here. Try out the new capability and let us know what you think, as we are always improving the platform and related services based on your feedback.
