Cloud Tag to Label Mapping

This section describes the purpose of the Illumio CloudSecure cloud tag to label mapping feature, and provides a general example of how you would use it.

Use Case and Example

If you have a tagging strategy in your cloud environment, this feature lets you associate more than application and environment labels with your resources. You can use this feature to associate additional labels with your resources too, allowing for more granularity when writing policies. You can create up to 20 such mappings.

Note that tag to label mapping can map labels to resources that are not part of an application. In this way, application approval is not required to complete the tag to label mapping process. Unlike the application approval process, the tag to label mapping process occurs immediately, without the need for approval.

For example, if you have cloud tags such as “Risk,” “Cost Center,” “Compliance,” etc., you can map those cloud tags to Illumio labels. Once you map these additional tags to Illumio labels, you will be able to associate these labels with resources in Illumio CloudSecure. Considering this example, if you have resources that have the cloud tag “Risk,” those resources will associate them with the Illumio “Risk” label. The following diagram illustrates how you could use this feature:

In the diagram, cloud tag keys (“Risk,” “Threat,” and “RiskStatus”) are mapped to the Illumio label type “Risk.” This mapping enables different values of cloud tag keys to automatically map to the value of the Illumio label key. The following instructions simplify the process steps by focusing on mapping the cloud tag key “Risk” to the Illumio label “Risk.”

1. The first part of the sequence is to create one or more tag to label mappings, such as the following mappings:
• Cloud tag key Risk mapped to Illumio Label Risk

You can also map multiple cloud tag keys to one Illumio label type, i.e., mapping cloud tag keys “Compliance,” “Regulations,” or “Guidelines” to the Illumio label type “Compliance.” Note that the relationship between cloud tags to label types is that you can have multiple mappings using the same cloud tag keys, but there can be only one mapping for each label type. Defining the mapping from a cloud tag key to an Illumio label type automatically assigns the corresponding cloud tag values to Illumio label values. These Illumio labels can then be associated with resources in CloudSecure. Although you do not need to have resources associated with an application when mapping cloud tags to Illumio labels, you may choose to do so. The following example supposes that you do have an application that you wish to define using resources that you have associated with tag to label mappings. For example:

• Cloud tag 1 on Resource 1: Risk:Critical
• Label: tag key: Risk, value: Critical

2. Any cloud tags that were mapped to Illumio labels for the desired resources will then be notionally associated with any applications or deployments using those resources. Note that although the labels are notionally associated with an application possessing those resources in order to provide context, such labels are not in fact functionally associated with the application. These mapped labels are functionally associated with the resources only.

   Assume the label Application: Payment has the following deployments: env:dev/staging/prod.

   If any resources within the Payment application are mapped to the label Risk:Critical, the Illumio “Risk” label will be notionally associated to the application. The Tag to Label Mapping page will show the Illumio label type and the labels to which you have mapped your CSP cloud tag keys.

3. Then, you could write granular policies using specific labels, such as the Illumio “Risk” label. Note that those polices will reference only the resources in question, and not the notionally associated application itself.

   Cloud tags are required for this degree of granularity. Without cloud tag to label mapping, you can still write policies, but those policies would be coarser with broad Illumio labels such as app or environment.