The Illumio CloudSecure policy model is a label-based system, which means that the rules you write don't require the use of an IP address or subnet, like traditional firewall solutions. You control the range of your policy primarily by using labels. This functionality helps you categorize your resources more quickly and makes it easier to set up your policy.
Label Types
| Label | Description |
|---|---|
|
Environment
|
This label type allows you to describe a deployment based upon its stage in the product development lifecycle, such as QA, staging and production. |
|
Application
|
When you define your application, this label type is created, allowing you to describe the application composed of your resources. This functionality in turn allows Illumio CloudSecure to discover applicable deployments for applications. |
| ServiceCategory | This label type allows you to describe key resources by their categories, such as Databases, Data Warehouse, Storage, Network Management, Network Security, Network Routing, Security Infrastructure, Account Management, Compute, Serverless, and Containers. For a list of supported resources and their categories, see Inventory Supported Resources. To view your ServiceCategory labels, see View System Labels. Note that this label type is system-generated and cannot be edited or removed. Also note that CloudSecure does not apply this label type to AWS EC2 Snapshots, AWS ElasticLoadBalancingV2 Load Balancer Target Groups, or Azure Private Endpoints. For information on which ServiceCategory labels support policy authoring, see Writing Application Policy. |
| ServiceRole | This label type allows you to describe resources according to their roles. Examples include ServiceRole:S3 and ServiceRole:RDS. Note that this label type is system-generated and cannot be edited or removed. To view youre ServiceRole labels, see View System Labels. Also note that CloudSecure does not apply this label type to AWS EC2 Snapshots, AWS ElasticLoadBalancingV2 Load Balancer Target Groups, or Azure Private Endpoints. For information on which ServiceRole labels support policy authoring, see Writing Application Policy. |
| Other labels | You can use cloud tag to label mapping to create any label that meets your organization's business needs. For example, you might want to label applications according to their function. |
Label Resources Using Cloud Tag to Label Mapping
If you have a tagging strategy in your cloud environment, this feature lets you associate labels other than application and environment resources with your application. This functionality allows for more granularity when writing policies.
For example, if you map a “risk” cloud tag key to the Illumio label type “Risk,” you could then create an application with a tag called “risk:Critical,” which would assign the Illumio “Risk” label to the application.
Illumio recommends that you use the cloud tag to label mapping feature before creating an application definition. This workflow is recommended but not mandatory. You can create your application definition independent of any associated labels.
See Cloud Tag to Label Mapping for information.
Create an Application Definition (Label and Auto-Discovery)
Once you have added at least one deployment, you can define your applications, which will create a label for that application (which is defined using cloud tags and metadata).
In effect, the application definition comprises an application label and auto discovery of application deployments. So, by defining your application, you are labeling it and allowing Illumio CloudSecure to discover applicable deployments that you previously added.
Once you define an application, the name you gave it will appear in the Application Label column on the Application Definitions page.
At this time, application definitions and their labels are not editable once created. You can delete application definitions, however, which will delete the associated application label.
See Define an Application Automatically for information.