Define an Application

This topic explains how to define an application in CloudSecure.

For an explanation of CloudSecure application definitions and how they relate to deployments, see Deployments and Applications.

Prerequisites

Before you define an application, you must have onboarded at least one cloud account. Defining a deployment is optional. For information about defining a deployment, see Define a Deployment.

Define Applications Automatically

Although CloudSecure has always allowed you to define applications individually, you can now automatically create multiple applications by defining an Application Discovery Rule. This feature runs in the background, so the rule you create automatically defines applications when new resources are added that meet the rule parameters.

Create an Application Discovery Rule

The user interface presents the following ways to begin creating such rules:

  • If you have not defined your first application, either individually or with an Application Discovery Rule, the Application Definitions page displays a banner inviting you to add your first application definition using either method. Click Add Application Definition, select Application Discovery Rule, and click Confirm to begin.

  • If you have already added an application individually, but not yet with the Application Discovery Rule method, a banner invites you to do so. Click Create to begin.

  • If you have already created an Application Discovery Rule, navigate to the Application Discovery menu item.

The in-application pop-up guide instructs you on how to proceed.

Application Discovery Rule Guidelines

  • Choose your rule name carefully, to make it clear what sort of applications you are automatically defining

  • You can add a prefix to the name of all applications discovered with the rule

  • The prefix and name may be changed when editing the rule. Other parts of the rule are not editable.

    When editing the rule, if the edit does not affect an existing application definition, you do not need to modify or re-approve the application. If the edit affects an existing application definition, then the following apply:

    • If the change is to only the prefix in the rule, rename the existing application label to reflect the new prefix. You do not need to re-approve the application.
    • If any part of the change is to metadata (the type of rule, such as account/subscription, virtual network, etc.), you may need to review and approve new or existing application deployments.

    When you save your rule edits, the application approval or re-approval workflows begin. A prompt tells you to review and remove any policies associated with application labels that were previously associated with the rule.

  • The rule's exact behavior may vary depending on the rule type you select.

    • Cloud Tags: If you choose this rule type, a Cloud Tag Keys dropdown menu appears
    • Cloud Accounts: If you choose this rule type, it applies to all the available accounts/subscriptions across all accounts and ties an application to each account/subscription with the relevant resources. You have the option to specify the CSPs to which the rule applies. You can have only one rule of this type.
    • Virtual Networks: If you choose this rule type, it applies to all the available virtual networks across all accounts and ties an application to each virtual network with the relevant resources. You have the option to specify the CSPs to which the rule applies. You can have only one rule of this type.
    • Subnet: If you choose this rule type, it applies to all the available subnets across all of your accounts, and therefore ties any application to each subnet with the relevant resources. You have the option to specify the CSPs to which the rule applies. You can have only one rule of this type.
  • Application Discovery Rules cannot be disabled or paused once added. There are two workarounds:
    • You can delete the rule, which will also delete all application definitions created with the rule
    • You can modify individual application definitions created with the rule, which decouples each modified application definition from the rule
  • Once you create an Application Discovery Rule, you can browse to Discovery Rules > View details to edit it.

  • Each application definition records how it was created, either individually or using an Application Discovery Rule. This context is viewable on the definition's detail page.
NOTE: For any application definitions created with an Application Discovery Rule, the approval process begins as described in View and Approve an Application, unless you click the Auto Approve Setting toggle to ON. Do this if you want CloudSecure to automatically approve all discovered application definitions, as well as any updates made to their deployments and resources. This skips the manual approval process for automatically defined applications. If you click the toggle to OFF, you must approve the discovered application definitions manually. See View and Approve an Application for information.

Application Label Conventions

  • Tag-based application labels are generated in the format Prefix-<TagValue> e.g., infosec-payment
  • Account/Subscription-based application labels are generated in the format Prefix-<unique account/sub identifier> e.g., InfoSec-Act123
  • VPC/VNet metadata-based application labels are generated in the format Prefix-<unique virtual network identifier> e.g., InfoSec-VirtualNetwork123
  • Subnet metadata-based application labels are generated in the format Prefix-<unique subnet identifier> e.g., InfoSec-Subnet123

Define Applications Individually

  1. From the left navigation, choose Application Discovery > Application Definitions.

  2. Click Add. A page with the fields to define the application appears.
  3. Enter a name and description (optional) for the application.

    This name is what appears in CloudSecure. The name should be descriptive so that you can easily identify it in CloudSecure.

    Though optional, providing a description helps other members of your organization understand the purpose of this application.

  4. Click Add Resources Using Cloud Metadata.

    Cloud metadata contains information about the instances of your running cloud resources and can include subnets and virtual networks. CloudSecure obtains your cloud tags directly from your cloud accounts. This data is the label that you assigned to a cloud resource along with an optional tag value.

    You do not define your application instances using Illumio CloudSecure labels. Your applications are defined for CloudSecure purely based on cloud properties.

    The Application Definition dialog box appears.

  5. In the top-most drop-down list, choose whether to use cloud tags, virtual networks and subnets, or accounts to define the application.

  6. In the Filter By Cloud Accounts field, select the accounts that are hosting the application resources. Continue selecting accounts until you've specified them all. To clear an account from the field, click backspace or click the X to clear them all.
  7. In the Select field, select the specific tags or metadata (depending on the type you chose) that define the application.

    TIP:

    The list is pre-populated with values that CloudSecure discovered after you onboarded your cloud accounts. Depending on the size of your cloud environments, the list can get quite long. You can scroll the list to locate the values you want or type a value in the Select field to filter the list. The list refreshes with values matching your search criteria.

    When done adding data, click Add to Selection. The tags or metadata move to the selected section.

    You can continue this process to add as many tags or metadata as required to define this application.

  8. When done, click Confirm Selection. The dialog box closes, and your selected tags or metadata appear in the Selected section.

    If necessary, repeat the process using the other type of data until you've fully defined all resources for the application. For example, you might locate all the relevant cloud tags first and then repeat the process to add the relevant metadata.

  9. Click the Auto Approve Setting toggle to ON if you want CloudSecure to automatically approve all discovered deployments and resources for this application. This skips the manual approval process for applications.
    If you click the toggle to OFF, you must approve the application definition manually. See View and Approve an Application for information.
  10. When you have defined the application with enough specificity, click Save.

The Application Definitions page refreshes and includes the new application. The Deployments column indicates that CloudSecure is discovering any defined deployments that host this application.

When the discovery process finishes, the list includes any deployments where CloudSecure discovered matching cloud tags or metadata.

CloudSecure does not populate the Deployments column if you choose not to define any for that application.

When CloudSecure finishes discovering your saved application definition, and your application is listed as pending approval, you can still modify the resources defined for the application. For instance, you can add or drop cloud tags in the application definition in such a way that it applies to an additional resource, and CloudSecure automatically re-synchronizes the application to include the new resource. Once an application is approved (that is, no longer pending), any subsequent resource modifications could trigger a new pending approval state for the application deployment.

Edit an Application Definition

You may wish to update or otherwise edit an application you have already defined. Use the following steps to do so.

  1. From the Application Discovery > Application Definitions tab, find the application label for which you want to edit the definition.

  2. Click View Details for the application of interest.

  3. Click Edit. The in-application pop-up guide instructs you on how to proceed. Note that if during editing you change the Auto Approve Setting toggle, you must confirm and save to retain the toggle change.

Delete Application Definitions

When you delete applications that are pending approval, CloudSecure simply deletes the application definitions.

When you delete approved applications, CloudSecure deletes the application definitions and the rulesets (policies) associated with the application definitions and the application instances. CloudSecure also disassociates any related resources from the application definitions being removed.

Delete Individually Created Application Definitions

  1. From the left navigation, choose Application Discovery > Application Definitions. The Application Definitions page appears and the Application Definitions tab is selected.
  2. Select all the application definitions that you want to delete and click Remove.

    A confirmation dialog box appears displaying the applications you are deleting.

  3. Verify that you are deleting the correct applications and click Remove in the dialog box.

Delete Application Discovery Rule-Created Application Definitions

Note that deleting a discovery rule automatically deletes all application definitions associated with the rule. You may also choose to manually delete associated application definitions, as follows:

  1. From the left navigation, choose Application Discovery > Discovery Rules. The Application Discovery page appears and the Discovery Rules tab is selected.
  2. For the Application Discovery Rule in question, select the View Details link in its table row. The Details page for that rule appears.
  3. In the Discovered Application Definitions section of the Details page, select all the application definitions that you want to delete and click the Remove button in the upper right of the Discovered Application Definitions section. This is different from the Remove button at the very top of the page, which is grayed out when you select an application definition.

    A confirmation dialog box appears displaying the applications you are deleting.

  4. Verify that you are deleting the correct applications and click Remove in the dialog box.

Exporting an Application Definition Report

  1. Click Export on the Application Definitions tab.
  2. Edit the report name and select the format.
  3. Click Save when done.
  4. Go to the Reports page to download the exported report.

What's Next

Approve your application. (Each instance of the application in different deployments requires approval.) See View and Approve an Application for information.

Begin creating policy for your application. See Writing Application Policy for information.