Groups in Illumination

Groups in the Illumination map represent a collection of workloads or services that communicate with each other and for which you can write rules. Groups are displayed in the Illumination map after you pair workloads. Pairing is the installation of the Illumio VEN software on a workload using a unique secure pairing key; a workload is paired by executing a pairing script generated from a Pairing Profile. See the VEN Installation and Upgrade Guide for information about installing (pairing) VENs on workloads.

Illumination Group Detail Levels

You can choose one of three levels of detail in Illumination for enforced workloads in a group.

These levels control how much data the VEN collects from an enforced workload, and therefore how much of the workload's resources it consumes:

  • High detail: The VEN collects connection details (source IP, destination IP, protocol, source port, and destination port) for both allowed and blocked connections. This option provides the richest Illumination detail but requires some system resources from the workload.
  • Low detail: The VEN collects only blocked connection details (source IP, destination IP, protocol, source port, and destination port), that is, every packet that was dropped. This option provides less Illumination detail but demands fewer system resources from the workload than high detail.
  • No detail: The VEN does not collect any information about traffic connections. This option is available only for workloads in the enforced state. It provides no Illumination detail and demands the least system resources from the workload.

Types of Groups in Illumination

Once you pair workloads, the PCE analyzes the workload data reported by the VENs. Based on the traffic flows among your workloads, Illumination organizes them into groups. A group could represent an instance of an application running in your datacenter, such as an HRM application running in the test environment in your North America datacenter; or a group could represent a web store in production with its web workloads hosted in AWS and its databases hosted in your private datacenter.

In cases where more than 100 workloads are paired, groups are displayed in different levels of detail in the Illumination map. For information about the different view levels of groups in Illumination, see Illumination View Levels.

Group Bubbles

Group bubbles on the Illumination map are in the following policy states:

  • Enforced: Can have a mix of enforced, idle, unmanaged workloads, and virtual services
  • Test: Can have a mix of test, idle, unmanaged workloads, and virtual services
  • Build: Can have a mix of build, idle, unmanaged workloads, and virtual services

The idle, unmanaged workloads, and virtual services do not change the state of the bubbles. The default bubble is Build. If the bubble only contains items that are idle, unmanaged, or virtual services, it defaults to Build.

The “discovered” bubbles are created from unlabeled workloads that have traffic between them. From a discovered bubble you can go to the group page and label all of those workloads in a single step.
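The two grouping behaviors described above, scoped groups of labeled workloads and discovered bubbles of unlabeled workloads that talk to each other, are easier to reason about in code. The following is an added example, not Illumio code: the Workload and flow shapes are made up for illustration, and the rule that a discovered bubble is one connected component of the traffic graph between unlabeled workloads is an assumption, not something the page states.

```python
"""How Illumination forms groups: labeled workloads that share an
Application/Environment/Location scope, and "discovered" groups of unlabeled
workloads that exchange traffic.

Added example, not Illumio code. The Workload/flow shapes and the rule that a
discovered group is a connected component of the traffic graph are assumptions
made for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Workload:
    name: str
    role: Optional[str] = None
    app: Optional[str] = None
    env: Optional[str] = None
    loc: Optional[str] = None

    @property
    def scope(self):
        """The (app, env, loc) triple, or None if any of the three is unset."""
        if None in (self.app, self.env, self.loc):
            return None
        return (self.app, self.env, self.loc)


def group_by_scope(workloads):
    """One group per distinct scope; the Role label does not split a group."""
    groups = defaultdict(list)
    for w in workloads:
        if w.scope is not None:
            groups[w.scope].append(w.name)
    return {scope: sorted(names) for scope, names in groups.items()}


def discovered_groups(workloads, flows):
    """Discovered bubbles: unlabeled workloads linked by observed traffic.

    Assumption: each bubble is one connected component of the graph whose
    edges are flows with an unlabeled workload at both ends. An unlabeled
    workload that only talks to labeled ones stays outside every group.
    """
    unlabeled = {w.name for w in workloads if w.scope is None}
    adj = defaultdict(set)
    for src, dst, _port in flows:
        if src in unlabeled and dst in unlabeled:
            adj[src].add(dst)
            adj[dst].add(src)
    seen, groups = set(), []
    for start in sorted(unlabeled):
        if start in seen or start not in adj:
            continue
        stack, component = [start], set()
        while stack:  # iterative DFS over the undirected traffic graph
            node = stack.pop()
            if node in component:
                continue
            component.add(node)
            stack.extend(adj[node] - component)
        seen |= component
        groups.append(sorted(component))
    return groups


# Constructed sample data (hypothetical names, not from a real PCE).
WORKLOADS = [
    Workload("web1", role="Web", app="HRM", env="Test", loc="NA"),
    Workload("web2", role="Web", app="HRM", env="Test", loc="NA"),
    Workload("db1", role="DB", app="HRM", env="Test", loc="NA"),
    Workload("store-web", role="Web", app="Store", env="Prod", loc="NA"),
    Workload("store-db", role="DB", app="Store", env="Prod", loc="NA"),
    Workload("unk1"), Workload("unk2"), Workload("unk3"),  # no labels yet
    Workload("mon"),  # unlabeled monitoring host that only talks to web1
]
FLOWS = [  # (source, destination, destination port)
    ("web1", "db1", 3306), ("web2", "db1", 3306),
    ("store-web", "store-db", 5432),
    ("unk1", "unk2", 8080), ("unk2", "unk3", 8080),
    ("mon", "web1", 22),
]

if __name__ == "__main__":
    for scope, names in group_by_scope(WORKLOADS).items():
        print("scoped group", scope, names)
    for names in discovered_groups(WORKLOADS, FLOWS):
        print("discovered group", names)
```

Note that `mon` ends up in no group at all: it is unlabeled, but its only traffic is to a labeled workload, which matches the page's later remark that management and monitoring hosts often sit outside every bubble until you drag them in.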

Group in Enforced State

When you are ready to enforce the rules you have written, place the group into the Enforced state. When you put a group into the Enforced state, all traffic flows permitted by rules are allowed and all other traffic is blocked.

Group in Test State

When you have written rules for the traffic flows in the group, you can place the group into the Test state to view all traffic that will be blocked when the group is put into the Enforced state. To change the policy state for a group, select the group and select Set policy state from the command panel.

In the Test state, all traffic is still allowed, even traffic flows not permitted by your rules. You can view all traffic that will be blocked by going to the Blocked Traffic page and selecting the Potentially Blocked Traffic filter.

Groups in the Test state are displayed with a dashed blue line.
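To make the difference between the Test and Enforced states concrete, here is an added example, not Illumio code, that runs a handful of observed flows through a small allow-rule set under each state. The Rule and Flow shapes, the role-based matching and the verdict names are assumptions for illustration; the real PCE evaluates much richer rules (label scopes, IP lists, services, virtual services). The useful check is the last one: the flows Test reports as potentially blocked are exactly the flows Enforced would drop, which is why you review that list before changing state.

```python
"""What the Test and Enforced group policy states do with a traffic flow:
Test allows everything but reports flows no rule permits as "potentially
blocked"; Enforced drops those same flows.

Added example, not Illumio code. Rule/Flow shapes, role-based matching and
the verdict names are assumptions made for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """Allow rule inside one group: consumer role -> provider role on a service."""
    consumer_role: str
    provider_role: str
    port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Flow:
    """One observed connection, as the VEN would report it."""
    src_role: str
    src_ip: str
    dst_role: str
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


def permitted(flow, rules):
    """True if at least one rule allows this flow. Rules are directional:
    a Web->DB rule does not permit a DB-initiated connection back to Web."""
    return any(
        r.consumer_role == flow.src_role
        and r.provider_role == flow.dst_role
        and r.port == flow.dst_port
        and r.proto == flow.proto
        for r in rules
    )


def evaluate(flow, rules, state):
    """Return (action, verdict).

    action  is what the VEN does on the wire: "allow" or "drop".
    verdict is what Illumination displays for the flow.
    """
    allowed = permitted(flow, rules)
    if state == "test":
        # Still allow-all, but flag what Enforced would drop.
        return "allow", "allowed" if allowed else "potentially_blocked"
    if state == "enforced":
        return ("allow", "allowed") if allowed else ("drop", "blocked")
    raise ValueError(f"unknown policy state: {state!r}")


def potentially_blocked(flows, rules):
    """The Blocked Traffic page with the Potentially Blocked filter, for a
    group in Test: flows that no rule permits, still flowing for now."""
    return [f for f in flows
            if evaluate(f, rules, "test")[1] == "potentially_blocked"]


def dropped_when_enforced(flows, rules):
    """Flows the VEN would actually drop once the group is Enforced."""
    return [f for f in flows if evaluate(f, rules, "enforced")[0] == "drop"]


# Constructed sample: one rule, four observed flows (hypothetical addresses).
RULES = [Rule("Web", "DB", 3306)]
FLOWS = [
    Flow("Web", "10.0.1.10", "DB", "10.0.2.20", 3306),   # permitted
    Flow("DB", "10.0.2.20", "Web", "10.0.1.10", 3306),   # wrong direction
    Flow("Web", "10.0.1.10", "DB", "10.0.2.20", 22),     # SSH, no rule
    Flow("Mon", "10.0.9.9", "Web", "10.0.1.10", 22),     # role with no rules
]

if __name__ == "__main__":
    for state in ("test", "enforced"):
        for f in FLOWS:
            action, verdict = evaluate(f, RULES, state)
            print(f"{state:9} {f.src_role}->{f.dst_role}:{f.dst_port} "
                  f"{action:5} {verdict}")
    assert potentially_blocked(FLOWS, RULES) == dropped_when_enforced(FLOWS, RULES)
```

The reversed DB-to-Web flow is the case worth noticing: a rule permits a consumer-to-provider connection, so a connection initiated the other way on the same port is still reported as potentially blocked, and will be dropped once enforced.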

Prepared Group in Build State

When a group is prepared for rule writing, it moves into the Build policy state and displays in the Illumination map with a solid gray line around it. At this stage, you can write rules for the group by clicking the traffic links and clicking Add Rule from the command panel.

Discovered Group without Rules

When a group is first “discovered” by the PCE, its boundary is indicated by a dashed line and its traffic lines are gray, because rules cannot be written for the group yet.

View Group Details

After you pair workloads and apply at least one label to them, the Illumination map puts all workloads that communicate together into a group.

You can view a group's details to view or change the labels assigned to the workloads, change the policy state of the workloads, or unpair or pair new workloads.

To prepare a group for rules:

  1. From the PCE web console menu, choose Illumination.

    The Illumination map appears.

  2. Select a group by clicking inside the group (but not on any workloads).
  3. In the command panel for the group, click Group Details.

    The Group details page appears. It shows all the workloads that share the same scope, which are the Application, Environment, and Location labels from the ruleset associated with the workloads within the group.

  4. Select one or more of the workloads to change their label assignment, set policy state, or unpair any of the workloads in the group.
  5. Click Save if you've made any changes to workloads or rules.

Expand or Collapse Group Roles

When you drill down into a group detail in the Illumination map, multiple workloads that share the same Role label are collapsed together to save space.

You can easily expand the workloads by selecting them and clicking Expand Role in the command panel.

NOTE:

You can expand up to 200 workloads per collapsed role and up to two roles.

For example, to expand the workloads in the group that share the same label, click the Role Label icon, and from the command panel, click Expand Role. The workloads that share that Role label are then displayed individually.

Add or Remove Workload to or from a Group

In the Illumination map, you might see workloads that don't belong to a group, such as management or monitoring services that run in your network but are not relevant to the policy you want to build.

You can remove a workload from a group by simply dragging it out. Conversely, if you notice a workload that should be included in a group but is not, you can simply drag it into the group.

NOTE:

You can add a workload to, or remove one from, only those groups that have been prepared for rule writing.

When you add a workload to a group, the workload inherits the Application, Environment, and Location labels associated with the group.

When you remove a workload from a group, the workload's Application, Environment, and Location labels are removed from the workload.