With TAS for VMs, you can isolate deployment workloads into dedicated resource pools called isolation segments. This article explains how.

Isolation segments overview

To enable isolation segments, an operator must install the Isolation Segment tile by performing the procedures in Installing Isolation Segment. Installing the tile creates a single isolation segment.

After an admin creates a new isolation segment, the admin can then create and manage relationships between the orgs and spaces of a VMware Tanzu Application Service for VMs (TAS for VMs) deployment and the new isolation segment.

Requirements

Target the API endpoint of your deployment with cf api and log in with cf login before performing the procedures in this topic. For more information, see Identifying the API Endpoint for Your TAS for VMs Instance.

Register an isolation segment

After you install the Isolation Segment tile, you must register it with Cloud Controller. If you only install the Isolation Segment tile without registering the isolation segment it creates, Cloud Controller does not detect the isolation segment and cannot place apps on it.

To register an isolation segment in the Cloud Controller database (CCDB), use the cf CLI.

Note: If you run smoke tests as a post-deploy errand in the Isolation Segment tile, the smoke tests check if your isolation segment is registered in the CCDB. If the isolation segment is not registered, the smoke tests register it in the CCDB. This eliminates the need to manually register an isolation segment with cf create-isolation-segment. For more information, see cf login

  • Run:

    cf create-isolation-segment SEGMENT-NAME
    

    Where SEGMENT-NAME is the name you give your isolation segment.

    Note: The isolation segment name used in the cf CLI command must match the value specified in the Segment name field of the Isolation Segment tile. If the names do not match, Ops Manager fails to place apps in the isolation segment when apps are started or restarted in the space assigned to the isolation segment.

    If successful, the command returns an OK message:

    Creating isolation segment SEGMENT-NAME as admin...
    OK
    
    Retrieve isolation segment information

    The cf isolation-segments, cf org, and cf space commands retrieve information about isolation segments. The isolation segments you can see depend on your role:

    • Admins see all isolation segments in the system.
    • Other users only see the isolation segments that their orgs are entitled to.

    List isolation segments

    To see a list of the isolation segments that are available to you:

    1. Log in to your deployment by running:

      cf login
      
    2. Run:

      cf isolation-segments
      

      The command returns results similar to this example output:

      Getting isolation segments as admin...
      OK
      name     	   orgs
      SEGMENT-NAME     org1, org2
      

    Display isolation segments enabled for an org

    An admin can entitle an org to multiple isolation segments.

    To view the isolation segments that are available to an org:

    1. Log in to your deployment by running:

      cf login
      
    2. Run:

      cf org ORG-NAME
      

      Where ORG-NAME is the name of your org.

      The command returns results similar to this example output:

      Getting info for org ORG-NAME as [email protected]...
      
      name:                 ORG-NAME
      domains:              example.com, apps.example.com
      quota:                paid
      spaces:               development, production, sample-apps, staging
      isolation segments:   SEGMENT-NAME, OTHER-SEGMENT-NAME
      

    Showing the isolation segment assigned to a space

    You can assign the same isolation segment to multiple spaces. You cannot assign more than one isolation segment to the same space.

    To view the isolation segment assigned to a particular space:

    1. Log in to your deployment by running:

      cf login
      
    2. Run:

      cf space SPACE-NAME
      

      Where SPACE-NAME is the name of the space to which your isolation segment is assigned.

      The command returns results similar to this example output:

      name:                staging
      org:                 ORG-NAME
      apps:
      services:
      isolation segment:   SEGMENT-NAME
      space quota:
      security groups:     dns, p-mysql, p.mysql, public_networks, rabbitmq, ssh-logging
      

    Deleting an isolation segment

    Note the following:

    • Only admins can delete isolation segments.
    • An isolation segment with deployed apps cannot be deleted.

    To delete an isolation segment:

    1. Log in to your deployment by running:

      cf login
      
    2. Run:

      cf delete-isolation-segment SEGMENT-NAME
      

      Where SEGMENT-NAME is the name of the isolation segment you want to delete.

      If successful, the command returns an OK message:

      $ cf delete-isolation-segment SEGMENT-NAME
      Deleting isolation segment SEGMENT-NAME as admin...
      OK
      

    Managing isolation segment relationships

    The commands listed in the sections below manage the relationships between isolation segments, orgs, and spaces.

    Enabling an org to use isolation segments

    Only admins can enable orgs to use isolation segments.

    To enable the use of an isolation segment:

    1. Log in to your deployment by running:

      cf login
      
    2. Run:

      cf enable-org-isolation ORG-NAME SEGMENT-NAME
      

      Where:

      • ORG-NAME is the name of your org.
      • SEGMENT-NAME is the name of the isolation segment you want your org to use.

    If an org is entitled to use only one isolation segment, that isolation segment does not automatically become the default isolation segment for the org. You must explicitly set the default isolation segment of an org. For more information, see Set the Default Isolation Segment for an Org.

    Deactivating an org from using isolation segments

    You cannot prevent an org from using an isolation segment if a space within that org is assigned to the isolation segment. Additionally, you cannot prevent an org from using an isolation segment if the isolation segment is configured as the default for that org.

    To disable an org from using an isolation segment:

    1. Log in to your deployment by running:

      cf login
      
    2. Run:

      cf disable-org-isolation ORG-NAME SEGMENT-NAME
      

      Where:

      • ORG-NAME is the name of your org.
      • SEGMENT-NAME is the name of the isolation segment you want to disable the org from using.

      If successful, the command returns an OK message:

      Removing entitlement to isolation segment SEGMENT-NAME from org org1 as admin...
      OK
      

    Setting the default isolation segment for an org

    Note: This section requires cf CLI v6.29.0 or later. To download cf CLI v6.29.0 or later, go to the Releases section of the Cloud Foundry CLI repository on GitHub.

    Only admins and org managers can set the default isolation segment for an org.

    When an org has a default isolation segment, apps in its spaces belong to the default isolation segment unless you assign them to another isolation segment. You must restart running apps to move them into the default isolation segment.

    To set the default isolation segment for an org:

    1. Log in to your deployment by running:

      cf login
      
    2. Run:

      cf set-org-default-isolation-segment ORG-NAME SEGMENT-NAME
      

      Where:

      • ORG-NAME is the name of your org.
      • SEGMENT-NAME is the name of the isolation segment you want to set as your org's default.

      If successful, the command returns an OK message:

      $ cf set-org-default-isolation-segment org1 SEGMENT-NAME
      Setting isolation segment SEGMENT-NAME to default on org org1 as admin...
      OK
      

    To display the default isolation segment for an org:

    1. Run:

      cf org ORG-NAME
      

    Assign an isolation segment to a space

    Admins and org managers can assign an isolation segment to a space. Apps in that space start in the specified isolation segment. You can assign an isolation segment to multiple spaces. You cannot assign more than one isolation segment to the same space.

    To assign an isolation segment to a space, you must first enable the space’s org to use the isolation segment. For more information, see Enable an Org to Use Isolation Segments.

    To assign an isolation segment to a space:

    1. Log in to your deployment by running:

      cf login
      
    2. Run:

      cf set-space-isolation-segment SPACE-NAME SEGMENT-NAME
      

      Where:

      • SPACE-NAME is the name of your space.
      • SEGMENT-NAME is the name of the isolation segment you want to assign to your space.
    3. To assign the same isolation segment to a different space, run:

      cf set-space-isolation-segment DIFFERENT-SPACE-NAME SEGMENT-NAME
      

      Where:

      • DIFFERENT-SPACE-NAME is the name of a different space.
      • SEGMENT-NAME is the name of the same isolation segment that you assigned to your first space.
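The entitlement prerequisite and the resulting assignment can be verified from the cf org and cf space output formats shown earlier. The script below is an added example, not part of the product documentation; the function names and the sample segment names (pci-segment, batch-segment) are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that a space runs on the intended isolation segment.
# Parses the text output of `cf org` and `cf space` as shown on this page.

# Print the segments an org is entitled to, one per line (reads `cf org` output).
org_segments() {
  sed -n 's/^[[:space:]]*isolation segments:[[:space:]]*//p' |
    tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | sed '/^$/d'
}

# Print the segment assigned to a space (reads `cf space` output; empty if none).
space_segment() {
  sed -n 's/^[[:space:]]*isolation segment:[[:space:]]*//p' |
    sed 's/[[:space:]]*$//'
}

# check_assignment ORG_OUTPUT SPACE_OUTPUT WANTED_SEGMENT
# Returns 0 if the space is on WANTED_SEGMENT, 1 if the org is not entitled
# to it, 2 if the space is unassigned or on a different segment.
check_assignment() {
  entitled=$(printf '%s\n' "$1" | org_segments)
  actual=$(printf '%s\n' "$2" | space_segment)
  # Whole-line fixed-string match: a partial or misspelled name must not pass.
  if ! printf '%s\n' "$entitled" | grep -Fqx -- "$3"; then
    echo "org is not entitled to '$3'; run cf enable-org-isolation first" >&2
    return 1
  fi
  if [ "$actual" != "$3" ]; then
    echo "space is on '${actual:-<none>}', expected '$3'" >&2
    return 2
  fi
  return 0
}

# Constructed sample output (not captured from a real deployment).
SAMPLE_ORG='name:                 org1
domains:              example.com, apps.example.com
isolation segments:   pci-segment, batch-segment'
SAMPLE_SPACE='name:                staging
org:                 org1
isolation segment:   pci-segment
space quota:'

check_assignment "$SAMPLE_ORG" "$SAMPLE_SPACE" pci-segment && echo "staging: OK"
```

Against a live deployment, pass "$(cf org ORG-NAME)" and "$(cf space SPACE-NAME)" as the first two arguments instead of the sample strings.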

    Reset the isolation segment assignment for a space

    Admins can reset the isolation segment assigned to a space to use the org’s default isolation segment.

    To assign the default isolation segment for an org to a space:

    1. Log in to your deployment by running:

      cf login
      
    2. Run:

      cf reset-space-isolation-segment SPACE-NAME
      

      Where SPACE-NAME is the name of the space to which you want to assign your org’s default isolation segment.
