#BOSH
- Inbound to tcp/25555 From internal
- Inbound to tcp/25250 From bosh-agent (blobstore)
- Inbound to tcp/25777 from bosh-agent (registry)
- Inbound to tcp/6868 From jumpbox, concourse (allow jumpboxes and concourse to run bosh create-env and talk to the agent on directors)
- Inbound to tcp/4222 From bosh-agent
#BOSH-Agent
- Inbound to tcp/6868 From BOSH
- Inbound to tcp/22 From internal
- allow all egress
#DMZ
- allow icmp, ssh from all
#jumpbox
- allow ssh from internal
- inbound to openvpn from anywhere
#Vault
- Inbound to tcp/8222 From bastion, jumpbox, concourse
- vault -> vault: udp + tcp traffic between members of the vault security group
#Concourse
- Inbound to tcp/80 From bastion, jumpbox, VPN Clients
- Inbound to tcp/443 From bastion, jumpbox, VPN Clients
- concourse -> concourse: udp + tcp traffic between members of the concourse security group
#SHIELD Incoming
- Inbound to tcp/80 from bastion, jumpbox, VPN Clients
- Inbound to tcp/443 from bastion, jumpbox, VPN Clients
#SHIELD-Agent
- Inbound to tcp/5444 From SHIELD
#CF edge
- Inbound to tcp/80 from all
- Inbound to tcp/443 from all
- Inbound to tcp/4443 from all
- Inbound to tcp/2222 from all
- all traffic from cf core nodes
- metron from cf-edge
- metron from cf-runtime
- metron from cf-db
- consul from cf-edge
- consul from cf-runtime
- consul from cf-db
- bbs from cf-runtime
- Inbound to from jumpbox
- Inbound to 4222 from jumpbox
- Inbound to Consul API from jumpbox
- all traffic from cf edge
- all traffic from cf core
- all traffic from runtime
- sql traffic from cf-core
- all traffic from cf-db
- Service Broker -> nats
- CF Router -> Service Instance All Ephemerals
- CF Router -> Service Broker API
- CF Runner -> Service Instance All Ephemerals
- Service Broker -> CF API
- Jumpbox -> Service Instance All Ephemeral
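The rules above are easier to review once they are structured records rather than notes. The following is an added example, not part of the original notes or of BOSH/Cloud Foundry tooling: it parses the "#group / - Inbound to ... from ..." and "A -> B" shapes used here into (group, service, sources) records, then answers the two questions a reviewer asks first: which services are reachable from everywhere, and which of those were not intended to be public. The NOTES string is a constructed excerpt in the same format, and INTENDED_PUBLIC is an assumption drawn from the page (the CF edge ports and the jumpbox VPN endpoint are the only services the notes describe as open to all).

```python
import re
from dataclasses import dataclass

# Constructed excerpt of the notes above, in the same "#group / - rule" shape.
NOTES = """\
#BOSH
- Inbound to tcp/25555 From internal
- Inbound to tcp/6868 From jumpbox, concourse
#DMZ
- allow icmp, ssh from all
#jumpbox
- allow ssh from internal
- inbound to openvpn from anywhere
#CF edge
- Inbound to tcp/80 from all
- Inbound to tcp/443 from all
- Inbound to tcp/2222 from all
- Inbound to tcp/4222 from jumpbox
- Service Broker -> nats
"""


@dataclass
class Rule:
    group: str      # security group that accepts the traffic (the "#heading")
    service: str    # e.g. "tcp/25555", "ssh", "openvpn", "icmp"
    sources: list   # lower-cased source groups/networks, e.g. ["jumpbox", "concourse"]


# "- Inbound to tcp/80 from all"  /  "- allow icmp, ssh from all"
RULE_RE = re.compile(r"^-\s*(?:inbound to|allow)\s+(.+?)\s+from\s+(.+)$", re.IGNORECASE)
# "- Service Broker -> nats": source group on the left, destination on the right
ARROW_RE = re.compile(r"^-\s*(.+?)\s*->\s*(.+)$")
# Source spellings the notes use for "the whole internet"
WORLD = {"all", "anywhere", "0.0.0.0/0"}


def parse_rules(text):
    """Turn the notes format into a flat list of Rule records."""
    rules, group = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            group = line.lstrip("#").strip()
            continue
        m = RULE_RE.match(line)
        if m and group is not None:
            services = [s.strip().lower() for s in m.group(1).split(",")]
            sources = [s.strip().lower() for s in m.group(2).split(",")]
            for svc in services:
                rules.append(Rule(group, svc, sources))
            continue
        a = ARROW_RE.match(line)
        if a:
            # The arrow form names no port, so the service is recorded as unspecified.
            rules.append(Rule(a.group(2).strip(), "unspecified", [a.group(1).strip().lower()]))
    return rules


# Assumption based on the notes: the only services meant to be internet-facing.
INTENDED_PUBLIC = {
    ("CF edge", "tcp/80"), ("CF edge", "tcp/443"),
    ("CF edge", "tcp/4443"), ("CF edge", "tcp/2222"),
    ("jumpbox", "openvpn"),
}


def world_reachable(rules):
    """Rules whose source list includes an 'everyone' spelling."""
    return [r for r in rules if WORLD & set(r.sources)]


def unexpected_public(rules):
    """World-reachable rules that are not on the intended-public allow-list."""
    return [r for r in world_reachable(rules) if (r.group, r.service) not in INTENDED_PUBLIC]


def reachable_from(rules, source):
    """(group, service) pairs a given source group is allowed to reach."""
    return [(r.group, r.service) for r in rules if source.lower() in r.sources]


if __name__ == "__main__":
    parsed = parse_rules(NOTES)
    for r in unexpected_public(parsed):
        print(f"review: {r.group} accepts {r.service} from {', '.join(r.sources)}")
    print("jumpbox can reach:", reachable_from(parsed, "jumpbox"))
```

Running it against the excerpt lists the DMZ icmp and ssh rules for review, since they are open to all but not in the intended-public set, and shows that the jumpbox reaches BOSH on tcp/6868 and CF edge on tcp/4222. Extending NOTES to the full rule set above, and adjusting INTENDED_PUBLIC to whatever the deployment actually intends to expose, turns this into a quick consistency check before the rules are applied to real security groups.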