cf-networking-release

PFR: Extend CF ASGs to app scoped too

Status: Open. gowrisankar22 opened this issue 3 years ago · 0 comments

Current status quo: at the moment, CF supports platform-wide and space-scoped ASGs.

  • Platform-wide: to provide granular control when securing a deployment, admins can assign platform-wide ASGs that apply to all app and task instances for the entire deployment.
  • Space-scoped: ASGs that apply only to apps and tasks in a particular space.

In CF environments, the ASGs for a particular space are combined with the platform ASGs to determine the effective rules for that space.

Feature request: what would be even nicer is supporting app-scoped ASGs that apply only to a specific app and task in a particular space. In the end, in CF environments the ASGs for a particular app would be combined with the platform ASGs and space-scoped ASGs to determine the effective rules for that app, or, combined with the platform ASGs, app-scoped ASGs should take priority over space-scoped ASGs; but of course that is an implementation detail.

Use case: we have services that use a publish–subscribe model, which means that when a user creates a service instance, a worker application is launched behind the scenes in a service provider space.

  • If any other end-user space service (for example, postgres) implements ASGs, it cannot be consumed by the app running in the provider space (the same end user's worker app) unless the complete CIDR blocks of postgres are whitelisted or instance sharing is done. Instance sharing requires a space developer role on both sides to work, but it is not a good solution for a multi-tenant environment.

  • If the end-user space service has to be consumed by the worker app above (the same end user's worker instance), we get the IP from the end-user space service and add it to the allowlist only for the specific worker app that is running in the provider space. In this situation, app-scoped ASGs would help gain more control while maintaining isolation.

  • There could be more benefits to controlling app-specific firewalls.

gowrisankar22 · Feb 22 '22 07:02
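To make the rule-combination logic in the request concrete, here is an added Go example written for this page; it is not code from cf-networking-release or from the issue author. It unions platform-wide and space-scoped rule sets, plus a hypothetical app-scoped set as proposed above, and then checks whether a given egress connection from the worker container would be allowed. The Rule fields mirror the protocol/destination/ports keys of a CF ASG JSON file; the addresses, the postgres subnet and the app-scoped layer itself are constructed assumptions for the issue's worker-app scenario.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Rule carries the three ASG fields this example evaluates, in the shapes a
// CF ASG JSON file accepts: protocol "tcp"/"udp"/"all", an IPv4 CIDR or bare
// IP destination, and ports as "80,443" or "8000-9000" ("" = every port).
type Rule struct {
	Protocol    string
	Destination string
	Ports       string
}

// EffectiveRules unions the sets the way the issue describes: platform-wide
// running ASGs plus space-scoped ASGs and, under the proposal, the app-scoped
// ASGs of one app. The app layer is hypothetical; CF today has only the first
// two. Order is irrelevant because ASG rules are allow-only (no deny to shadow).
func EffectiveRules(platform, space, app []Rule) []Rule {
	seen := map[Rule]bool{}
	var out []Rule
	for _, set := range [][]Rule{platform, space, app} {
		for _, r := range set {
			if !seen[r] {
				seen[r] = true
				out = append(out, r)
			}
		}
	}
	return out
}

// PortAllowed parses a CF ports string (single ports, ranges, or a
// comma-separated mix) and reports whether port falls inside it.
func PortAllowed(spec string, port int) bool {
	if spec == "" {
		return true
	}
	for _, part := range strings.Split(spec, ",") {
		part = strings.TrimSpace(part)
		if lo, hi, isRange := strings.Cut(part, "-"); isRange {
			l, errL := strconv.Atoi(lo)
			h, errH := strconv.Atoi(hi)
			if errL == nil && errH == nil && port >= l && port <= h {
				return true
			}
			continue
		}
		if p, err := strconv.Atoi(part); err == nil && p == port {
			return true
		}
	}
	return false
}

// destinationMatches handles both destination forms: a CIDR or a bare IP.
func destinationMatches(dest string, addr net.IP) bool {
	if _, network, err := net.ParseCIDR(dest); err == nil {
		return network.Contains(addr)
	}
	single := net.ParseIP(dest)
	return single != nil && single.Equal(addr)
}

// Allows reports whether any effective rule permits egress to ip:port over
// proto. ASGs are allow-lists, so no match means the connection is dropped.
func Allows(rules []Rule, proto, ip string, port int) bool {
	addr := net.ParseIP(ip)
	if addr == nil {
		return false
	}
	for _, r := range rules {
		if r.Protocol != "all" && !strings.EqualFold(r.Protocol, proto) {
			continue
		}
		if destinationMatches(r.Destination, addr) && PortAllowed(r.Ports, port) {
			return true
		}
	}
	return false
}

// Constructed sample policy for the issue's scenario (all addresses invented).
var (
	// platform-wide running ASG: DNS only
	platformASG = []Rule{{Protocol: "udp", Destination: "0.0.0.0/0", Ports: "53"}}
	// space-scoped ASG bound to the provider space: a shared postgres subnet
	providerSpaceASG = []Rule{{Protocol: "tcp", Destination: "10.10.0.0/16", Ports: "5432"}}
	// hypothetical app-scoped ASG for one worker app: a single end-user postgres IP
	workerAppASG = []Rule{{Protocol: "tcp", Destination: "10.20.5.7/32", Ports: "5432"}}
)

func main() {
	today := EffectiveRules(platformASG, providerSpaceASG, nil)
	proposed := EffectiveRules(platformASG, providerSpaceASG, workerAppASG)
	fmt.Println("space-scoped only  -> 10.20.5.7:5432:", Allows(today, "tcp", "10.20.5.7", 5432))
	fmt.Println("with app-scoped ASG -> 10.20.5.7:5432:", Allows(proposed, "tcp", "10.20.5.7", 5432))
	fmt.Println("with app-scoped ASG -> 10.20.5.8:5432:", Allows(proposed, "tcp", "10.20.5.8", 5432))
}
```

The point the run makes is the one the use case turns on: with only platform and space ASGs the worker cannot reach the single end-user postgres address without the whole subnet being allowed for every app in the space, whereas an app-scoped /32 rule opens exactly that one destination for exactly that one app and leaves its neighbours unchanged.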