From 4de4aea46f90bd41304af42bba015461044a8905 Mon Sep 17 00:00:00 2001 From: i759715 Date: Wed, 13 Aug 2025 14:02:28 +0300 Subject: [PATCH 1/3] Add the new ipv6 asg group to the docu --- _default_asg_oss.html.md.erb | 18 ++++++++++++++---- asg.html.md.erb | 17 +++++++++++++++++ 2 files changed, 31 insertions(+), 4 deletions(-) diff --git a/_default_asg_oss.html.md.erb b/_default_asg_oss.html.md.erb index cad048e9..ef65ed16 100644 --- a/_default_asg_oss.html.md.erb +++ b/_default_asg_oss.html.md.erb @@ -1,4 +1,4 @@ -Cloud Foundry preconfigures two ASGs: `public_networks` and `dns`. +Cloud Foundry preconfigures three ASGs: `public_networks`, `dns` and the experimental `public_networks_ipv6`. Unless you modify these before your initial deployment, these ASGs are applied by default to all containers in your deployment. @@ -9,7 +9,12 @@ Foundry blocks outgoing traffic to the following IP address ranges by specifical * 172.16.0.0 - 172.31.255.255 * 192.168.0.0 - 192.168.255.255 -* `dns`: This group allows access to DNS on port 53 for any IP address. The default ASGs are defined in the `cf-deployment.yml` file as follows: +* `dns`: This group allows access to DNS on port 53 for any IP address. + +* `public_networks_ipv6`: This group is experimentally added to manage IPv6 egress traffic. It is particularly intended for experimental use, + with caution advised due to its broad scope `2000::/3` that may not align with optimal security standards in production environments. + +The default ASGs are defined in the `cf-deployment.yml` file as follows: ``` security_group_definitions: 
@@ -33,6 +38,11 @@ Foundry blocks outgoing traffic to the following IP address ranges by specifical - destination: 0.0.0.0/0 ports: '53' protocol: udp + - name: public_networks_ipv6 + rules: + - destination: 2000::/3 + protocol: all ``` - Modify the default ASGs to block outbound traffic as necessary for your installation. To see how the ASGs are defined by - default, see the [cf-deployment.yml](https://github.com/cloudfoundry/cf-deployment/blob/main/cf-deployment.yml#L604-L627) file on GitHub. + +Modify the default ASGs to block outbound traffic as necessary for your installation. To see how the ASGs are defined by +default, see the [cf-deployment.yml](https://github.com/cloudfoundry/cf-deployment/blob/main/cf-deployment.yml#L894-L914) file on GitHub. diff --git a/asg.html.md.erb b/asg.html.md.erb index 2b60f2fb..47e55dde 100644 --- a/asg.html.md.erb +++ b/asg.html.md.erb @@ -356,6 +356,7 @@ The following table describes examples of typical ASGs. Configure your ASGs in a | --- | --- | `dns` | DNS, either public or private | | `public-networks` | Public networks, excluding IaaS metadata endpoints | +| `public_networks_ipv6` | Public IPV6 networks | | `private-networks` | Private networks in accordance with [RFC-1918](https://tools.ietf.org/html/rfc1918#section-3) | | `load-balancers` | The internal <%= vars.app_runtime_abbr %> load balancer and others | | `internal-proxies` | Internal proxies | 
@@ -416,6 +417,22 @@ The following is an example `public_networks` ASG: ] ``` +### Public IPv6 networks + +For IPv6-enabled environments, public repositories and services are generally accessible within the range 2000::/3. +As this configuration is in an experimental phase, the provided range is intended for testing purposes only. Before deploying in production environments, additional research on IPs to exclude for enhanced security is recommended. + +The following is an example `public_networks_ipv6` ASG: + +``` +[ + { + "destination": "2000::/3", + "protocol": "all" + } +] +``` + ### Private networks Network connections that are commonly allowable in private networks include endpoints such as proxy servers, Docker registries, load balancers, databases, messaging servers, directory servers, and file servers. Configure appropriate private network ASGs as appropriate. You might find it helpful to use a naming convention with `private_networks` as part of the ASG name, such as `private_networks_databases`. From 409dc783a1a155e3473e0209ee8000811c32c41b Mon Sep 17 00:00:00 2001 From: i759715 Date: Thu, 14 Aug 2025 09:43:02 +0300 Subject: [PATCH 2/3] Remove the IPv6 security group from the default ASGs --- _default_asg_oss.html.md.erb | 18 ++++-------------- 1 file changed, 4 insertions(+), 14 deletions(-) diff --git a/_default_asg_oss.html.md.erb b/_default_asg_oss.html.md.erb index ef65ed16..f1ff5832 100644 --- a/_default_asg_oss.html.md.erb +++ b/_default_asg_oss.html.md.erb @@ -1,4 +1,4 @@ -Cloud Foundry preconfigures three ASGs: `public_networks`, `dns` and the experimental `public_networks_ipv6`. +Cloud Foundry preconfigures two ASGs: `public_networks` and `dns`. Unless you modify these before your initial deployment, these ASGs are applied by default to all containers in your deployment. 
@@ -9,12 +9,7 @@ Foundry blocks outgoing traffic to the following IP address ranges by specifical * 172.16.0.0 - 172.31.255.255 * 192.168.0.0 - 192.168.255.255 -* `dns`: This group allows access to DNS on port 53 for any IP address. - -* `public_networks_ipv6`: This group is experimentally added to manage IPv6 egress traffic. It is particularly intended for experimental use, - with caution advised due to its broad scope `2000::/3` that may not align with optimal security standards in production environments. - -The default ASGs are defined in the `cf-deployment.yml` file as follows: +* `dns`: This group allows access to DNS on port 53 for any IP address. The default ASGs are defined in the `cf-deployment.yml` file as follows: ``` security_group_definitions: @@ -38,11 +33,6 @@ The default ASGs are defined in the `cf-deployment.yml` file as follows: - destination: 0.0.0.0/0 ports: '53' protocol: udp - - name: public_networks_ipv6 - rules: - - destination: 2000::/3 - protocol: all ``` - -Modify the default ASGs to block outbound traffic as necessary for your installation. To see how the ASGs are defined by -default, see the [cf-deployment.yml](https://github.com/cloudfoundry/cf-deployment/blob/main/cf-deployment.yml#L894-L914) file on GitHub. + Modify the default ASGs to block outbound traffic as necessary for your installation. To see how the ASGs are defined by + default, see the [cf-deployment.yml](https://github.com/cloudfoundry/cf-deployment/blob/main/cf-deployment.yml#L894-L914) file on GitHub. \ No newline at end of file From e954ded9dc72f44920e525d143dc271e00ae848a Mon Sep 17 00:00:00 2001 From: i759715 Date: Thu, 14 Aug 2025 10:30:05 +0300 Subject: [PATCH 3/3] Add more specific description for the IPv6 sec groups --- asg.html.md.erb | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/asg.html.md.erb b/asg.html.md.erb index 47e55dde..e3846716 100644 --- a/asg.html.md.erb +++ b/asg.html.md.erb 
@@ -356,7 +356,7 @@ The following table describes examples of typical ASGs. Configure your ASGs in a | --- | --- | `dns` | DNS, either public or private | | `public-networks` | Public networks, excluding IaaS metadata endpoints | -| `public_networks_ipv6` | Public IPV6 networks | +| `public_networks_ipv6` | Public IPv6 networks | | `private-networks` | Private networks in accordance with [RFC-1918](https://tools.ietf.org/html/rfc1918#section-3) | | `load-balancers` | The internal <%= vars.app_runtime_abbr %> load balancer and others | | `internal-proxies` | Internal proxies | @@ -419,10 +419,11 @@ The following is an example `public_networks` ASG: ### Public IPv6 networks -For IPv6-enabled environments, public repositories and services are generally accessible within the range 2000::/3. -As this configuration is in an experimental phase, the provided range is intended for testing purposes only. Before deploying in production environments, additional research on IPs to exclude for enhanced security is recommended. +In IPv6 networking, the range 2000::/3 encompasses the entirety of the public IPv6 address space. Unlike IPv4, IPv6 lacks explicitly designated private address ranges, meaning that most addresses are public unless configured otherwise. -The following is an example `public_networks_ipv6` ASG: +Within your infrastructure, some IPs may serve internal functions, such as those for Diego cells or BOSH-managed nodes. To maintain security, these adresses should be excluded from ASG access settings, as they are protected from external requests via global firewall rules that apply for the CF foundation. + +Example ASG configuration for testing purposes: ``` [ 
@@ -433,6 +434,8 @@ The following is an example `public_networks_ipv6` ASG: ] ``` +Ensure thorough assessment to identify and exclude any internal IPs before finalizing configurations for production environments. + ### Private networks Network connections that are commonly allowable in private networks include endpoints such as proxy servers, Docker registries, load balancers, databases, messaging servers, directory servers, and file servers. Configure appropriate private network ASGs as appropriate. You might find it helpful to use a naming convention with `private_networks` as part of the ASG name, such as `private_networks_databases`.
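Review bot: in PATCH 1/3, hunk `@@ -356,6 +357,7 @@` of `asg.html.md.erb`, the new table row `public_networks_ipv6` uses underscores while the neighbouring rows (`public-networks`, `private-networks`, `load-balancers`, `internal-proxies`) use hyphens, and it is the only row whose name matches the YAML definition style (`public_networks`) used in `_default_asg_oss.html.md.erb`. Pick one convention for the table, either align every row with the definition names or write the new row as `public-networks-ipv6` to match its neighbours. The `IPV6` casing this row introduces is only corrected in PATCH 3/3; folding that fix into this patch would avoid a hunk that exists solely to undo a typo from the same series.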
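Review bot: in PATCH 1/3, hunk `@@ -416,6 +417,22 @@` of `asg.html.md.erb`, the example rule `"destination": "2000::/3", "protocol": "all"` permits every transport (TCP, UDP and ICMPv6) to the whole global unicast range, yet only the surrounding prose says it is for testing; the JSON itself carries no such marker, so it is easy to copy into a real `cf create-security-group` call unchanged. Consider adding the optional `description` field to the rule (for example `"description": "experimental, testing only"`) so the intent travels with the rule, and, following the pattern of the IPv4 `public_networks` example above it, consider listing the sub-ranges of 2000::/3 with internal prefixes carved out rather than a single catch-all rule.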
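Review bot: in PATCH 2/3, hunk `@@ -1,4 +1,4 @@` of `_default_asg_oss.html.md.erb`, this line reverts the first hunk of PATCH 1/3 verbatim, and the rest of PATCH 2/3 reverts the other two hunks of that file, so the net change of the series to this file is only the link anchor (`#L604-L627` to `#L894-L914`) plus whitespace. Squash PATCH 1/3 and PATCH 2/3 so the history never records `public_networks_ipv6` as a preconfigured default ASG, which it is not after this series; a reader bisecting the docs would otherwise land on an intermediate commit that states three defaults.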
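Review bot: in PATCH 2/3, hunk `@@ -9,12 +9,7 @@` of `_default_asg_oss.html.md.erb`, removing the IPv6 bullet also merges the `dns` bullet and the sentence "The default ASGs are defined in the `cf-deployment.yml` file as follows:" back onto one line, undoing the paragraph split that PATCH 1/3 introduced. That split is a correct formatting fix independent of the IPv6 group (the sentence introduces the code block, it is not part of the `dns` description), so keep the separate paragraph and drop only the `public_networks_ipv6` bullet.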
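Review bot: in PATCH 2/3, hunk `@@ -38,11 +33,6 @@` of `_default_asg_oss.html.md.erb`, the two restored `+ Modify the default ASGs ...` / `+ default, see the ...` lines carry a leading space, and the hunk ends with `\ No newline at end of file`; restore the trailing newline and drop the leading space so the file ends cleanly and the rendered paragraph is unaffected. Separately, the new anchor `cf-deployment.yml#L894-L914` on `blob/main` points at line numbers of a moving branch, which is exactly why the old `#L604-L627` link went stale; a permalink to a specific commit of `cf-deployment.yml` would not rot the next time the file is reordered.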
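Review bot: in PATCH 3/3, hunk `@@ -419,10 +419,11 @@` of `asg.html.md.erb`, the added sentence "Unlike IPv4, IPv6 lacks explicitly designated private address ranges" is incorrect: RFC 4193 unique local addresses (`fc00::/7`) are the IPv6 counterpart of RFC 1918 space, and link-local (`fe80::/10`) exists as well. Both lie outside `2000::/3`, so the example rule does not reach them in any case; the real exposure is internal hosts that carry global unicast addresses, which is what the next paragraph is about. That paragraph also inverts its own reasoning: "these adresses should be excluded from ASG access settings, as they are protected from external requests via global firewall rules" reads as if the firewall makes the exclusion unnecessary, whereas ASG rules govern egress from app containers, which originates inside the foundation and is not subject to the perimeter rules, so the exclusion is needed precisely because those rules do not apply. Suggest wording along the lines of "Internal hosts such as Diego cells or BOSH-managed nodes may hold addresses within 2000::/3; perimeter firewall rules do not apply to traffic originating from app containers, so exclude those prefixes from the ASG explicitly." Also fix the typo "adresses".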
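Review bot: in PATCH 3/3, hunk `@@ -433,6 +434,8 @@` of `asg.html.md.erb`, the added sentence "Ensure thorough assessment to identify and exclude any internal IPs before finalizing configurations for production environments" gives the operator nothing to act on. Name what to enumerate: the global unicast prefixes assigned to Diego cells, the BOSH director and BOSH-managed VMs, internal load balancers, and, since the IPv4 `public-networks` row explicitly excludes IaaS metadata endpoints, whether the IaaS exposes an IPv6 metadata endpoint and where it lives. It would also help to state that the rendered example has no exclusions at all, so as written it grants app containers access to every one of those internal hosts.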