CloudSecure Map

This topic explains how to work with the Cloud Map in CloudSecure.

What is the Cloud Map?

Organizations can find it difficult to understand their cloud topology. For example, understanding the relationships between the objects and related components such as security groups, tags, and other metadata in your cloud accounts is challenging. CloudSecure is designed to handle this challenge. CloudSecure analyzes these relationships to provide a view of assets with proper cloud hierarchy.

In CloudSecure, the Cloud Map displays your cloud inventory as a network topology map of your cloud infrastructure. The map shows the relationships between your resources using cloud-native constructs. Typically, you go to the map to view the full state of the cloud resources in the accounts you have onboarded with CloudSecure.

Customers use the Cloud Map to view their cloud topology and analyze the traffic flow data CloudSecure captures. The map helps you visualize your cloud resources and provides an understanding of the traffic flows between them.

CloudSecure synchronizes the data from the cloud accounts you have onboarded and displays it in the Inventory, Traffic, and Cloud Map pages.

How the Cloud Map is Organized

CloudSecure organizes the map first by cloud — AWS versus Azure. Each public cloud has its own grouping in the map. Within each cloud, you see next the accounts from that cloud you have onboarded with CloudSecure.

The map organization continues to get progressively more granular and displays resources in this hierarchy:

  • Region (Location)
  • VPC (VNet)
  • Subnet
  • Resources

Inside your regions, the map displays your resources. In this example, you are viewing the us-west-2 region in your AWS 13########## account, as shown in the following image.

When you zoom in to view a region, you see the number of resources in that region; the map shows the resource count.

Inside the region, the map contains three types of objects:

  • Cloud Hierarchy Combo

    This can be a cloud, account, region, VPC, or subnet. For example, a VPC combo can contain a subnet, and a subnet combo can contain an EC2 instance.

  • Resource Combo

    This is a group of resources of the same type, indicated with a numeral.

  • Resource Node

    This is an individual resource.
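To make the hierarchy and the three object types concrete, here is an added Python example (not CloudSecure code, and not an Illumio API) that groups a constructed inventory into the same cloud > account > region > VPC > subnet nesting and renders each subnet's contents as resource combos (several resources of one type, shown with a numeral) or single resource nodes. The record fields, account IDs and resource IDs are constructed placeholders.

```python
# Added example: build the Cloud Map grouping from a flat inventory list.
# Constructed sample records (not real data); account IDs are placeholders.
INVENTORY = [
    {"cloud": "AWS", "account": "111111111111", "region": "us-west-2",
     "vpc": "vpc-aaaa", "subnet": "subnet-0001", "type": "EC2", "id": "i-01"},
    {"cloud": "AWS", "account": "111111111111", "region": "us-west-2",
     "vpc": "vpc-aaaa", "subnet": "subnet-0001", "type": "EC2", "id": "i-02"},
    {"cloud": "AWS", "account": "111111111111", "region": "us-west-2",
     "vpc": "vpc-aaaa", "subnet": "subnet-0001", "type": "RDS", "id": "db-01"},
    {"cloud": "AWS", "account": "111111111111", "region": "us-west-2",
     "vpc": "vpc-aaaa", "subnet": "subnet-0002", "type": "EC2", "id": "i-03"},
    {"cloud": "AWS", "account": "111111111111", "region": "us-east-1",
     "vpc": "vpc-bbbb", "subnet": "subnet-0003", "type": "EC2", "id": "i-04"},
    # For Azure the "account" slot holds the subscription and "vpc" the VNet.
    {"cloud": "Azure", "account": "sub-2222", "region": "eastus",
     "vpc": "vnet-cccc", "subnet": "subnet-0004", "type": "VM", "id": "vm-01"},
]

# Cloud hierarchy combos, outermost first (assumed field names).
HIERARCHY = ("cloud", "account", "region", "vpc", "subnet")


def build_map(records):
    """Nest records as cloud -> account -> region -> vpc -> subnet -> {type: [ids]}."""
    tree = {}
    for rec in records:
        node = tree
        for level in HIERARCHY:
            node = node.setdefault(rec[level], {})
        node.setdefault(rec["type"], []).append(rec["id"])
    return tree


def count_resources(node):
    """Number of resource nodes under a hierarchy combo (the count the map shows)."""
    if isinstance(node, list):
        return len(node)
    return sum(count_resources(child) for child in node.values())


def describe_subnet(subnet_node):
    """Render a subnet's contents: a resource combo with a numeral when several
    resources share a type, otherwise a single resource node."""
    out = []
    for rtype, ids in sorted(subnet_node.items()):
        if len(ids) > 1:
            out.append(f"{rtype} combo ({len(ids)})")
        else:
            out.append(f"{rtype} node {ids[0]}")
    return out


def render(tree, depth=0):
    """Indented text rendering of the map, one line per combo or node."""
    lines = []
    indent = "  " * depth
    for key, child in tree.items():
        lines.append(f"{indent}{key} [{count_resources(child)} resources]")
        if depth == len(HIERARCHY) - 1:  # subnet level: children are resource types
            lines.extend(f"{indent}  {item}" for item in describe_subnet(child))
        else:
            lines.extend(render(child, depth + 1))
    return lines


if __name__ == "__main__":
    print("\n".join(render(build_map(INVENTORY))))
```

Running the script prints the AWS grouping first with 5 resources, then Azure with 1, and inside subnet-0001 an "EC2 combo (2)" beside a single "RDS node db-01", which is exactly the distinction between a resource combo and a resource node described above.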

How to Navigate the Cloud Map

Ways to Move Around Your Map

You have these ways to navigate the Cloud Map:

  • Use the filters at the top of the page to locate and zoom to specific areas or resources; see Filtering the Map.
  • Click anywhere in the map to refocus the view at that level. For example, if you have zoomed into an object, click outside the cloud groups to refocus on the full map.
  • Use the built-in map tools to zoom in:
    • Click the plus (+) for a group:

      To collapse a group so that it is no longer expanded to show the resources within it, click the minus (-) icon.

    • Click the white space within a group:

Filtering Your Map Resources

At the top of the page, the map includes a Resource filter. You can set one of several filters to show or hide different elements of your data and focus your map on what is most important to you.

The Resource filter includes several options, including Cloud, Account ID, Region, Object Type, VPC/VNET ID, Subnet ID, Cloud Tags, and others.

By default, when you first open your Cloud Map, the Resource filter is empty. The map displays groups for each of the clouds you have onboarded — AWS and Azure. Next, it displays the accounts you've onboarded from each of those public clouds.

When you are filtering for resources that support displaying traffic flows, the map includes a traffic filter to help you narrow the traffic flows to display:

IMPORTANT:

As you use the filters to manipulate the map display and display details about accounts and the resources in them, CloudSecure might display a message that it can't display all the results for your query because your filter results would display more than 2,000 resources or more than 10,000 traffic flows. When this happens, refine your query so that it is more focused and returns fewer results.

For information, see Limitations for Using the Cloud Map.

Display Resource Side Panel

When you click a resource in the map, CloudSecure opens a right-side panel that displays the resource metadata. For example, you can click an EC2 instance to see summary information about the resource.

When you open a VM (Azure) or an EC2 instance (AWS), the right panel includes a Traffic tab. The Traffic tab appears when that resource is sending or receiving traffic. In the tab, you can view information about the flows, such as source and destination, label sets, port/protocol, associated security groups, and packet counts.

NOTE:

At this time, the Cloud Map only supports displaying traffic data for VM (Azure) and EC2 instance (AWS) resources. For resources that don't support displaying traffic flows, the panel includes a Summary tab only.

Cloud Map Animation for Flows

The Cloud Map includes traffic lines for resources that are sending and/or receiving traffic. Flows in one direction are displayed with a single-arrow line. Bidirectional flows have dual-arrow lines.

When you hover over a resource that displays a traffic line, the map refreshes with an animation of the traffic flow for just that resource. This animation isolates the traffic flow for only the resource you are interested in. Hovering is a good way to isolate a resource and see at a glance all the flows coming from and going to it.

In this example, you see how traffic from the isolated EC2 instance in the us-east-1 region flows to the internet.

To stop the animation, simply move your cursor to another part of the map.

Limitations for Using the Cloud Map

After onboarding an account, you will start seeing the resources in the map within 5 to 10 minutes. During this time, your map will display the message “No resources available yet.”

When the map loads, CloudSecure limits the number of objects that the map will display:

  • Resources: 2,000 objects

  • Traffic: 10,000 flows

These display limitations are not configurable. After you onboard your cloud accounts, CloudSecure discovers all their resources. To provide optimal map display performance, Illumio set these display limitations. They apply to the UI only. You can filter your map to retrieve data about resources that aren't initially displayed when you elect to view your full map. See Filtering Your Map Resources for information.

When you encounter this display limitation, the map includes an information message informing you to filter your map to see more resources. For example, the following message indicates that the current map view is not displaying all traffic flows. You can close the message at any time.
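The Resource filter options (Filtering Your Map Resources) and the 2,000-resource / 10,000-flow display limits (this section) are easiest to reason about together: a filter narrows the selection, and the limits decide whether the selection can be drawn in full. The following added Python example (not CloudSecure code; the filter field names, the tag-matching rule and the inventory records are constructed assumptions) builds an inventory that is larger than the resource limit, applies a Region plus Cloud Tags filter to it, and reports the same "refine your query" outcome the map gives.

```python
# Added example: apply Cloud Map style filters and check the display limits.
RESOURCE_LIMIT = 2_000   # objects the map will draw (from the documentation)
TRAFFIC_LIMIT = 10_000   # flows the map will draw (from the documentation)


def make_inventory(n_per_region=1250, regions=("us-west-2", "us-east-1")):
    """Constructed AWS inventory, deliberately larger than RESOURCE_LIMIT.
    All IDs and tags are synthetic placeholders."""
    inventory = []
    for region in regions:
        for i in range(n_per_region):
            inventory.append({
                "cloud": "AWS",
                "account": "111111111111",
                "region": region,
                "vpc": f"vpc-{region}-{i % 4}",
                "subnet": f"subnet-{region}-{i % 16}",
                "type": "EC2" if i % 3 else "RDS",
                "id": f"r-{region}-{i}",
                "tags": {"env": "prod" if i % 2 else "dev"},
            })
    return inventory


def matches(record, criteria):
    """True when a record satisfies every filter criterion.
    Scalar criteria (cloud, account, region, vpc, subnet, type) must match
    exactly; a "tags" criterion requires each given tag key/value to be present
    (assumed semantics, mirroring a Cloud Tags filter)."""
    for key, wanted in criteria.items():
        if key == "tags":
            if any(record["tags"].get(k) != v for k, v in wanted.items()):
                return False
        elif record.get(key) != wanted:
            return False
    return True


def apply_filter(records, **criteria):
    """Return the subset of records selected by the Resource filter."""
    return [r for r in records if matches(r, criteria)]


def check_display_limits(n_resources, n_flows=0):
    """Report whether a selection fits within the non-configurable UI limits.
    Returns (can_display_all, message)."""
    problems = []
    if n_resources > RESOURCE_LIMIT:
        problems.append(f"{n_resources} resources exceed the {RESOURCE_LIMIT} display limit")
    if n_flows > TRAFFIC_LIMIT:
        problems.append(f"{n_flows} flows exceed the {TRAFFIC_LIMIT} display limit")
    if problems:
        return False, "; ".join(problems) + ". Refine your query to return fewer results."
    return True, "All results can be displayed."


if __name__ == "__main__":
    inventory = make_inventory()
    print(check_display_limits(len(inventory))[1])            # over the limit
    selection = apply_filter(inventory, region="us-west-2", tags={"env": "prod"})
    print(len(selection), check_display_limits(len(selection))[1])  # fits
```

The unfiltered inventory holds 2,500 objects and is reported as exceeding the limit; filtering to one region and the env=prod tag leaves 625 objects, which the map could draw in full. The same check can be extended with a flow count from the Traffic page to cover the 10,000-flow limit.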

Caveats

Flow ingestion occurs every 15 minutes, but flows are shown only for completed 60-minute chunks. This means that if flow log access has just been enabled, you need to wait at least an hour to see the flows in the Cloud Map, Traffic, and Inventory pages. However, if you enabled flow log access some time ago and already have previous 60-minute flow chunks, you see the updated flows within 15 minutes.