What to Do Next

This topic explains what to do next after onboarding your public cloud accounts and enabling flow log access for them.

1. Enable Flow Log Access

For CloudSecure to see your cloud environment flow logs, you will need to enable access to the flow logs. See Grant Flow Log Access.

2. Visualize Your Cloud Resources

After you've onboarded your public cloud accounts, CloudSecure begins the process of discovering and ingesting their resources.

Before defining your public cloud environment, Illumio strongly recommends that you review the resources ingested into CloudSecure. Reviewing your ingested resources helps you gain an understanding of how your cloud resources are utilized and how they are communicating.

If you are a visual person and want to analyze a graphical, hierarchical display, go to the Cloud Map and browse your resources. If you are most comfortable working with lists and sorted data, go to the Inventory page and browse your discovered resources.

  • About the Cloud Map

    In CloudSecure, the Cloud Map displays a view of your cloud inventory as a network topology map for the cloud infrastructure. The map displays the relationships between your resources by using cloud native constructs. Go to the map to view the entire state of your cloud resources from the cloud accounts you have onboarded with CloudSecure.

    Use the Cloud Map to view your cloud topology and analyze the traffic flow data CloudSecure captures. The map helps you visualize your cloud resources and provides an understanding of the traffic flows between them.

    CloudSecure will synchronize the data in cloud accounts you have onboarded, and display the data in the Inventory, Traffic, and Cloud Map pages.

    For more information, see CloudSecure Map.

  • About the Inventory Page

    This page lets you view the cloud resources from accounts that CloudSecure has discovered in your environment.

    The search function allows you to search and filter cloud resources on different parameters. You can also view preset filters and set custom columns for viewing by selecting the options under the Cloud Details drop-down menu.

    For more information, see Inventory.

  • Review Your Traffic Flows

    After you onboard your cloud accounts and configure your flow log access, CloudSecure discovers all their resources and looks for traffic.

    Before writing policy rules to either allow or block traffic, Illumio recommends you determine if there are any traffic flows between resources. The Traffic page lets you filter your resources by flow status, source labels and addresses, destination labels and addresses/ports, and so forth.

    For more information, see Traffic.

3. Define Your Public Clouds in CloudSecure

Defining your public clouds in CloudSecure is a multi-step process:

  1. Define your deployment stacks:

    In CloudSecure, you may decide to create deployment stacks as part of specifying which applications in your cloud account to protect with CloudSecure.

    After onboarding your cloud accounts, you may begin by defining the environments you're using in the cloud. In CloudSecure, we refer to this as “adding deployment stacks.” In the cloud, stacks provide a way to manage your resources as a single, atomic unit.

    When you define a deployment, CloudSecure doesn't discover anything about your applications. You define your deployment stacks separately.

    For more information, see Define a Deployment.

  2. Define your applications:

    Defining an application follows a similar process. You begin by specifying an Application label. Then, you associate cloud resources to that label by selecting the appropriate cloud tags or cloud metadata associated with that application.

    For more information, see Define an Application.

  3. Approve your application definitions:

    CloudSecure separates the process of defining an application from the ability to create policy for it.

    In this way, CloudSecure ensures other key stakeholders are in the loop to approve your application definitions.

    For more information, see View and Approve an Application.

4. Create Policy in CloudSecure

Now that you've reviewed your ingested cloud resources and defined your cloud environment in CloudSecure, you are ready to create security policy for your public clouds.

The Policies page lists all the different policies you have created in CloudSecure. The page contains two types of policies:

  • Organization policies
  • Application policies

  1. Create your organization policies:

    You can think of organization policies as guardrail policies that prevent application policies from allowing undesired traffic, or that are additive to application policies allowing desired traffic. An organization policy can exist all by itself, but these policies are also evaluated during policy computation for any application policy.

    Organization policies are broader policies that you write that are independent of applications. They can override application policies, including any future application policies, that may have overly permissive allow rules.

    For more information, see Writing Organization Policy.

  2. Create your application policies:

    Illumio allows or denies traffic between applications using policies that you write. You can think of application policies as segmentation policies to control network traffic using Illumio labels, services, and IP/IP lists to define what can talk to applications.

    For more information, see Writing Application Policy.