IP lists allow you to define allowlists The allowlist model means that you must specifically define what traffic is allowed to communicate with your managed workloads; otherwise, it is blocked by default. It follows a trust-centric model that denies everything and only permits what you explicitly allow—a better choice in today’s data centers. The list of what you do want to connect in your data center is much smaller than what you do not want to connect. of trusted IP address, IP address ranges, or CIDR blocks that you want to allow into your datacenter and to be able to access workloads and applications in your network.
Overview of IP Lists
After you define an IP list, you can use it in rulesets to create rules for workload traffic flows. When you provision the rulesets, the workload only allows IP addresses in the IP list to access workload services.
The default IP list “Any” represents all IPv6 addresses as well as all IPv4 addresses. Rules that use IP lists are programmed on one side of the connection only. IP lists can be used as a provider or a consumer.
To allow outbound access to IP lists, Illumio recommends using an intra-scope rule to prevent application of the rule to a broader set of workloads than intended.
Example of IP List Usage
For example, the following ruleset (scope + rules):
| App | Env | Loc | |
|---|---|---|---|
| Scope | HRM | Prod | US |
| Providers | Services | Consumers | |
| Rule | DB | SSH | Corp-HQ |
Means “allow SSH from Corp-HQ to the database.”
This ruleset:
| App | Env | Loc | |
|---|---|---|---|
| Scope | All | Prod | All |
| Providers | Services | Consumers | |
| Rule | Corp-HQ | SSH | DB |
Means “allow SSH from the database to Corp-HQ.”
This ruleset:
| App | Env | Loc | |
|---|---|---|---|
| Scope | All | Prod | All |
| Providers | Services | Consumers | |
| Rule | Any | Any | Any |
Means “do not apply Any IP list to anything.”
Create an IP List
- From the PCE web console menu, choose Policy Objects > IP Lists.
- Click Add.
- Enter a name for the IP list.
-
Add IP addresses, IP address ranges, or CIDR blocks to define the list.
TIP:You can copy and paste lists of IP addresses from other sources.
-
Click Save.
IP List Exclusions
In IP lists, you can exclude certain IP addresses or subnets from a broader IP subnet.
For example, you might want to exclude a list of IP addresses within an IP range that should not access certain workloads. Or, you might want to open up a set of workloads to any IP address (0.0.0.0/0 and ::/0), but exclude a set of IP addresses that keep attempting unauthorized access to your workloads.
Any (0.0.0.0/0) refers to IP addresses not associated with workloads while “All workloads” refers to workloads within a scope.
When you use an IP list with exclusions in a rule, any IP addresses that are marked as exclusions are not allowed, while all the others in the IP list are allowed.
To create IP list exclusions:
-
To add an IP address or subnet exclusion, use an exclamation point followed by the IP address, CIDR block or IP range. The excluded IP addresses must be within the included IP range.
For example, you added 192.16.0.0/12 as an allowed IP address and you want to exclude an IP address from this CIDR block, enter the following value:
!192.31.43.0-192.31.43.100 -
To add a CIDR block but exclude a portion of the CIDR block, enter the following values:
10.0.0.0/8
!10.1.0.0/24In this example, the first block would be included and the second block would be excluded.
Filter IP Lists
You can filter the IP list page using the property filter at the top of the list. You can filter list by entering an IP list name, description, IP address, and provision status (draft or active).
