Previous Release Notes For 2024

These prior release notes describe the new features, enhancements, resolved limitations, and known limitations for CloudSecure in previous 2024 releases.

Illumio CloudSecure is an agentless SaaS solution that provides visibility into your AWS and Azure network flows to define Zero Trust Segmentation policies in the public cloud, with the following features:

  • Multi-cloud coverage
  • Fast breach containment
  • Ease of use
  • Low total cost of ownership

For questions, reach out to cloudsecureproduct@illumio.com.

What's New in This Release - September 5th, 2024

No. Feature Category Feature List
1. Applications

The Applications page now lets you export reports.

See View and Approve an Application.

2. Administration

The Connector page automation feature for Slack now allows you to test the new trigger rule before saving.

See Connector.

3. Visualization

These resources are now visible on the Inventory page:

  • Azure Batch Account

See Inventory Supported Resources.

What's New in This Release - August 29th, 2024

No. Feature Category Feature List
1. Onboarding

You no longer need to manually configure CloudSecure to fetch flow logs from custom S3 paths, as Illumio now automatically accommodates fetching flow logs stored there. The manual configuration steps have been removed from the documentation portal.

2. Applications

The Application Definitions tab now lets you export reports.

See Define an Application Automatically.

3. Visualization

CloudSecure now retains system events for 30 days.

See Events.

Erratum

The previous release notes erroneously stated that report scheduling was available as a feature. The statement has been removed from the previous release notes.

What's New in This Release - August 21st, 2024

No. Feature Category Feature List
1. Administration

The Connector page now lets you automate notifications based on triggers you select.

See Connector.

What's New in This Release - August 15th, 2024

No. Feature Category Feature List
1. Administration

The Illumio Virtual Advisor (IVA) is an AI chatbot that helps organizations understand and reduce their risk posture by using natural language questions to generate quick answers and actions.

See About the Illumio Virtual Advisor.

2. Visualization

These resources are now visible on the Inventory page:

  • AWS VPN Connection
  • Azure Virtual Hub IP Configuration

What's New in This Release - August 8th, 2024

No. Feature Category Feature List
1. Visualization

The Traffic page now supports:

  • Linking directly to the Reports page to download a traffic list report as soon as you create it

  • Filtering by known networks

2. Visualization

The Events page now lets you export system event reports.

See Events.

3. Visualization

These AWS resources are now visible on the Cloud Map page:

  • DocumentDB DB Cluster
  • DocumentDB Instance

What's New in This Release - August 2nd, 2024

No. Feature Category Feature List
1. Visualization

The Insights page now includes 24 insight tiles, so you can use out-of-the-box queries to gain quick insights into resources within minutes of onboarding them:

  • Cross Cloud Traffic
  • Cross Region Traffic
  • Cross Tenant Traffic
  • Cross Tenant Traffic
  • Account to Malicious External IP Traffic
  • Account to Unknown External IP Traffic
  • Account to Known External IP Traffic
  • Tenant to Malicious External IP Traffic
  • Tenant to Unknown External IP Traffic
  • Tenant to Known External IP Traffic
  • Region to Malicious External IP Traffic
  • Region to Unknown External IP Traffic
  • Region to Known External IP Traffic
  • Azure Tenant to AWS IP Traffic
  • Account to External Cloud Traffic
  • Tenant to External Cloud Traffic
  • Region to External Cloud Traffic
  • Account to External Geo Traffic
  • Tenant to External Geo Traffic
  • Region to External Geo Traffic
  • Cross Talking Peering Connections
  • Internet Exposed EC2 Instances
  • Unprotected Resources
  • Traffic Blind Spots
2. Visualization

The Insights page now provides descriptions when you hover over the insight tiles.

See Insights.

What's New in This Release - August 1st, 2024

No. Feature Category Feature List
1. Visualization

These Azure resources are now visible on the Inventory page:

  • Virtual Hub

  • Virtual Hub Connection

2. Visualization

The Inventory page now lets you export reports.

See Inventory.

3. Visualization

The Reports page now lets you edit reports.

See Reports.

4. Visualization

The Traffic and Cloud Map pages now let you filter IP addresses by CIDR blocks.

See Search Traffic and Cloud Map.

5. Visualization

CloudSecure now removes flow information more than 90 days old.

See Traffic.

6. Visualization

The Traffic page now lets you refresh your filter results to clear stale data without refreshing the browser page.

See Search Traffic.

7. Visualization

The Usage page now has updated terminology for the data displayed.

See Product Usage.

8. Applications

CloudSecure now has an Application Summary tab in the application details panel.

See View and Approve an Application.

9. Onboarding

CloudSecure now has a Service Accounts page for adding and deleting service accounts and their secrets.

See Service Accounts.

What's New in This Release - July 25th, 2024

No. Feature Category Feature List
1. Visualization

This Azure resource is now visible on the Map page:

  • Redis Cache
2. Visualization

These Azure resources are now visible on the Inventory page:

  • Virtual Network Gateway
  • Virtual Network Gateway connection
3. Visualization

The Events page now performs cleanup after events become seven days old.

4. Visualization

The Reports page now lets you delete reports in bulk.

What's New in This Release - July 18th, 2024

No. Feature Category Feature List
1. Administration

The Show Impact filter now lets you filter by network access control lists.

See Writing Application Policy.

2. Visualization

These AWS resources are now visible on the Inventory page:

  • Transit Gateway

  • Transit Gateway Attachment

  • Transit Gateway Route Table

  • Transit Gateway Multicast Domain

  • DocumentDB Cluster

  • DocumentDB Instance

  • Document DB Elastic Cluster

  • VPC Endpoint Service

What's New in This Release - July 11th, 2024

No. Feature Category Feature List
1. Administration

Role-based access control (RBAC) is now available.

See Role-Based Access Control.

2. Visualization

The Traffic and Application Traffic basic filter has been replaced by the advanced filter.

See Search Traffic.

3. Visualization

The Traffic page now has an export option.

See Traffic.

4. Visualization

These Azure resources are now visible on the Inventory page:

  • Firewall Policy

  • Rule Collection Group

  • Diagnostic Setting

5. Visualization

The Reports page now lets you generate Risk reports. It also now lets you delete reports.

See Reports.

6. Visualization

The Events page now has a System Events Tab, which lets you view system-generated events.

See Events.

What's New in This Release - June 28th, 2024

No. Feature Category Feature List
1. Visualization

The Reports page gives you the ability to generate event audit reports asynchronously. You can then download and share the reports.

See Reports.

2. Visualization

CloudSecure's Inventory page provides the following new resource properties for the AWS resources listed:

  • Security Group Rule: The properties for this resource now also provide a table of security group rules.

  • ElasticLoadBalancingV2 Load Balancer: The properties for this resource now also provide schemes.

  • RAM Resource Share: The properties for this resource now also provide resource owner ID and resource type.

  • Route Table: The properties for this resource now also provide a list of associated rules.

  • VPC Peering: The name and ID for this resource now appear as a hoverable resource tile instead of static text.

  • Shared VPC and Shared Subnets: The properties for this resource now also provide owner IDs and shared status.

  • All resources: The properties for all resources now also provide resource group information if it exists.

3. Visualization

CloudSecure's Inventory page provides the following new information or presentation:

  • Route table relationships

  • Category and region information in attached resource tables

  • Resource names and IDs now appear as a hoverable resource tile instead of static text

  • Account IDs now appear as a hoverable resource tile instead of static text

4. Visualization

These Azure resources are now visible on the Inventory page:

  • Redis Cache

  • Private Links

5. Visualization

The Inventory, Application Inventory, and Cloud Map filters now let you search for resource groups and resource names.

See CloudSecure Search.

6. Flow Log Access

You can now manually add permissions to the CloudSecure role so that it can fetch flow logs that you may have stored in custom S3 bucket directories.

See Manually Configure CloudSecure to Fetch Flow Logs.

What's New in This Release - June 21st, 2024

No. Feature Category Feature List
1. Visualization

The advanced traffic filter now also appears on the Applications page Traffic tab. Use it to search traffic to and from the selected application.

See Search Traffic.

What's New in This Release - June 18th, 2024

Note: If you are on a single product offering and are interested in learning more about the new Platform offering, contact Illumio Customer Success.

No. Feature Category Feature List
1. Visualization

With Illumio CloudSecure Insights, you can use out-of-the-box queries to gain quick insights into resources within minutes of onboarding them, including:

  • Networks where flow logs are not enabled

  • EC2 instances that are directly reachable from the Internet

  • Cross-account, cross-region communications enabled with peered network connections

What's New in This Release - June 13th, 2024

The following new features are available in this release:

No. Feature Category Feature List
1. Flow Log Access

CloudSecure now lets you filter Flow Log Access tables in the following places:

  • Flow Log Access page

  • Flow Log Access Details By Log Destination Account tab

  • Flow Log Access Details By Log Source Account tab

2. Visualization
  • CloudSecure now lets you add additional search terms without having to delete existing terms in the Traffic page Advanced Filter.

    See Search Traffic.

  • This resource now appears on the Inventory Details page as an attached resource for VPCs and subnets:

    • AWS:

      • RAM ResourceShare

3. Policy
  • CloudSecure now lets you write single allow rules for multiple ports for AWS security groups so long as there is no deny rule prohibiting the allow rule.

  • CloudSecure now lets you create a single rule for multiple IPs if they belong to a CIDR.

  • Policies now let you select 'All Resources' instead of 'All Workloads.'

  • See Writing Application Policy.

     

Note: If you are on a single product offering and are interested in learning more about the new Platform offering, contact Illumio Customer Success.

No. Feature Category Feature List
1. Visualization

Illumio now lets you achieve unified visibility with the Map:

  • You can view the traffic between resources

  • You can right-click on a resource to write policy

  • You can distinguish between AWS, Azure, and server datacenter types

  • You can view the cloud metadata in search filters like Account ID, Region, Resource Type, and more

2. Policy

Policy can now be authored and enforced for all datacenters and cloud workloads. Illumio allows or denies traffic between applications using policies that you write. In order to write application policies, you must create rules for the policy.

See Unified Policy.

3. Administration

The Illumio Virtual Advisor (IVA) is an AI chatbot that helps organizations understand and reduce their risk posture by using natural language questions to generate quick answers and actions.

See About the Illumio Virtual Advisor.

4. Labeling
  • Use AI labeling to label assets based on metadata and flow logs to make sure you have accurate and consistent labeling. This method speeds up deployments and ensures consistent enforcement.

  • Rule-based labeling allows you to assign labels to one or more workloads when their attributes match conditions that you specify in easily-configurable rules. You can perform the following tasks with this feature:

    • You can create a basic rule to match workloads running on a specific operating system

    • You can create a rule with multiple values to match workloads with a hostname containing any of the entered values (up to 20)

    • You can create an IP Address rule to match workloads within an IP address range

    • You can create a CIDR block rule to match workloads within a CIDR block

What's New in This Release - June 6th, 2024

The following new features are available in this release:

No. Feature Category Feature List
1. Flow Log Access

CloudSecure now provides a destination-based view for granting flow log access. The new view provides a list of flow log destinations that are used for storing flow logs on a per-account basis. You can also see a list of log sources sent from different accounts. For centralized flow logs, you can now grant access to the log archive account's destination so that CloudSecure can read and process the logs. See Grant Flow Log Access.

2. Visualization

This resource is now visible on the Inventory page:

AWS:

  • RAM ResourceShare

Resolved Limitations in CloudSecure

  • [Policy Services UI] Do not highlight Delete button with a resource when you create a new Service (C-3944)
    When provisioning new services, users saw the Remove button automatically gain focus with a numeral '1.' Clicking Remove deleted the new service.

What's New in This Release - May 30th, 2024

The following new features are available in this release:

No. Feature Category Feature List
1. Flow Log Access

CloudSecure now lets you access Azure VNet flow logs. See Grant Flow Log Access.

2. Policy

Organization policies now let you select 'All Workloads,' which allows you to write organization policies for all resources in onboarded cloud accounts. See Writing Application Policy.

Resolved Limitations in CloudSecure

  • [Policy Services UI] Do not highlight Delete button with a resource when you create a new Service (C-3944)
    When provisioning new services, users saw the Remove button automatically gain focus with a numeral '1.' Clicking Remove deleted the new service.
  • Error shown when users attempt to add an existing user to their account (C-3083)
    When a user tried to add existing users to their existing CloudSecure account, CloudSecure correctly prevented the action, but did not issue an error message. For example, if a customer had one live CloudSecure account and also one trial account, trying to add an existing trial user to the live account silently failed.

What's New in This Release - May 23rd, 2024

The following new features are available in this release:

No. Feature Category Feature List
1. Visualization

The Dashboard now lets you view ingested resources at a glance. See CloudSecure Dashboard.

2. Labeling

The Label Mapping page now lets you view a list of the following system-generated labels at a glance:

  • ServiceCategory describes resources by their categories
  • ServiceRole describes resources according to their roles

Resolved Limitations in CloudSecure

  • Reselecting custom traffic filter will reset the time span (C-1978)
    When users adjusted the time filter after searching for flows in a given time span, the filter reset to the previous day.

Known Limitations in CloudSecure

  • AWS PaaS resources may not have ENI (C-3265)
    CloudSecure uses DNS lookup on the fully qualified domain name to get the elastic network interface relationships, which is not guaranteed to get a match. The potentially affected AWS resources are RDS DBInstances, RDS DBClusters, ElasticLoadBalancingV2 load balancers, MemoryDB clusters, ElastiCache for Redis clusters, and Redshift clusters.
  • Error shown when users attempt to add an existing user to their account (C-3083)
    When a user tries to add existing users to their existing CloudSecure account, CloudSecure correctly prevents the action, but does not issue an error message. For example, if a customer has one live CloudSecure account and also one trial account, trying to add an existing trial user to the live account will silently fail.
  • Middle, right, or control click to open in new tab do not work (C-2398)
    Middle click, right click, and control click sometimes do not open the specific desired CloudSecure tab.
  • Application sometimes gets mapped to the wrong deployment's env label (C-1257)
    The resources have multiple cloud tags, and the tag in the application definition label doesn't align with the one used in the environment label.
  • Competing application definition (multiple app-def using same tags) (C-1095)
    CloudSecure allows users to create multiple application definitions with the same rules; that is, the same set of tags can be shared by two applications.

What's New in This Release - May 16th, 2024

The following new features are available in this release:

No. Feature Category Feature List
1. Visualization

The Traffic page now lets you view traffic flow source and destination details. See Traffic.

Known Limitations in CloudSecure

  • AWS PaaS resources may not have ENI (C-3265)

    CloudSecure uses DNS lookup on the fully qualified domain name to get the elastic network interface relationships, which is not guaranteed to get a match. The potentially affected AWS resources are RDS DBInstances, RDS DBClusters, ElasticLoadBalancingV2 load balancers, MemoryDB clusters, ElastiCache for Redis clusters, and Redshift clusters.
  • Error shown when users attempt to add an existing user to their account (C-3083)

    When a user tries to add existing users to their existing CloudSecure account, CloudSecure correctly prevents the action, but does not issue an error message. For example, if a customer has one live CloudSecure account and also one trial account, trying to add an existing trial user to the live account will silently fail.
  • Middle, right, or control click to open in new tab do not work (C-2398)

    Middle click, right click, and control click sometimes do not open the specific desired CloudSecure tab.
  • Application sometimes gets mapped to the wrong deployment's env label (C-1257)

    The resources have multiple cloud tags, and the tag in the application definition label doesn't align with the one used in the environment label.
  • Competing application definition (multiple app-def using same tags) (C-1095)

    CloudSecure allows users to create multiple application definitions with the same rules; that is, the same set of tags can be shared by two applications.

What's New in This Release - May 13th, 2024

The following new features are available in this release:

No. Feature Category Feature List
1. Visualization

The Inventory page now has a Service Category filter for searching your inventory of resources. See CloudSecure Search.

Resolved Limitations in CloudSecure

  • Map not matching Azure VM topology (C-2720)
    Sometimes the Cloud Map showed VMs as the child of a location instead of a subnet. The subnet was found, but the VM did not show up in the subnet.

What's New in This Release - May 2nd, 2024

The following new features are available in this release:

No. Feature Category Feature List
1. Labeling

You can now use the following system-generated labels:

  • ServiceCategory describes resources by their categories
  • ServiceRole describes resources according to their roles
2. Visualization

The Traffic page Beta Advanced Filter now lets you search by VPC, subnet, and resource type. See Search Traffic.

3. Policy

The following resources now support policy:

  • AWS:
    • Redshift Clusters
    • RDS DB Instances
    • ElastiCache CacheClusters
    • Lambda Functions
  • Azure:
    • Virtual Machine ScaleSets

Resolved Limitations in CloudSecure

  • Empty page should have string called "No integrations" (C-983)

    When the Onboarding page was empty, there was no text string. If the page lacks data, it now says "No data to display."

Known Limitations in CloudSecure

  • AWS PaaS resources may not have ENI (C-3265)

    CloudSecure uses DNS lookup on the fully qualified domain name to get the elastic network interface relationships, which is not guaranteed to get a match. The potentially affected AWS resources are RDS DBInstances, RDS DBClusters, ElasticLoadBalancingV2 load balancers, MemoryDB clusters, ElastiCache for Redis clusters, and Redshift clusters.
  • Error shown when users attempt to add an existing user to their account (C-3083)

    When a user tries to add existing users to their existing CloudSecure account, CloudSecure correctly prevents the action, but does not issue an error message. For example, if a customer has one live CloudSecure account and also one trial account, trying to add an existing trial user to the live account will silently fail.
  • Middle, right, or control click to open in new tab do not work (C-2398)

    Middle click, right click, and control click sometimes do not open the specific desired CloudSecure tab.
  • Application sometimes gets mapped to the wrong deployment's env label (C-1257)

    The resources have multiple cloud tags, and the tag in the application definition label doesn't align with the one used in the environment label.
  • Competing application definition (multiple app-def using same tags) (C-1095)
    CloudSecure allows users to create multiple application definitions with the same rules; that is, the same set of tags can be shared by two applications.

What's New in This Release - April 25th, 2024

The following new features are available in this release:

No. Feature Category Feature List
1. Policy

The following resources now support policy:

  • AWS:
    • ElasticLoadBalancingV2 Load Balancer
  • Azure:
    • SQL Server
2. Flow Log Access

You can now test your accounts' flow log access. See Grant Flow Log Access.

3. Visualization
  • The Usage page now lets you select a custom time range, going back to day zero. See Product Usage.

  • The Audit Events page now shows up to 10,000 results. See Events.

Resolved Limitations in CloudSecure

  • Missing Feature: Day 0 Map, Inventory, and Traffic Views (C-2913)

    The Day 0 Cloud Map and Traffic pages did not show the Add Cloud Banner. It instead gave a "no resource/traffic available" message.

Known Limitations in CloudSecure

  • AWS PaaS resources may not have ENI (C-3265)

    CloudSecure uses DNS lookup on the fully qualified domain name to get the elastic network interface relationships, which is not guaranteed to get a match. The potentially affected AWS resources are RDS DBInstances, RDS DBClusters, ElasticLoadBalancingV2 load balancers, MemoryDB clusters, ElastiCache for Redis clusters, and Redshift clusters.
  • Error shown when users attempt to add an existing user to their account (C-3083)

    When a user tries to add existing users to their existing CloudSecure account, CloudSecure correctly prevents the action, but does not issue an error message. For example, if a customer has one live CloudSecure account and also one trial account, trying to add an existing trial user to the live account will silently fail.
  • Middle, right, or control click to open in new tab do not work (C-2398)

    Middle click, right click, and control click sometimes do not open the specific desired CloudSecure tab.
  • Application sometimes gets mapped to the wrong deployment's env label (C-1257)

    The resources have multiple cloud tags, and the tag in the application definition label doesn't align with the one used in the environment label.
  • Competing application definition (multiple app-def using same tags) (C-1095)
    CloudSecure allows users to create multiple application definitions with the same rules; that is, the same set of tags can be shared by two applications.

What's New in This Release - April 18th, 2024

The following new features are available in this release:

No. Feature Category Feature List
1. Visualization
  • Cloud, Region, and Account are now available as filterable categories in the Traffic page Beta Advanced Filter mode. See Traffic.
  • This resource is now visible on the Inventory page, and appears on the Cloud Map page as an attached resource for EC2 Instances and ElasticLoadBalancingV2 Load Balancers:
    • AWS:
      • ElasticLoadBalancingV2 Target Group
2. Deployments

You can now edit your deployments. See Define a Deployment.

Resolved Limitations in CloudSecure

  • Traffic flow filter by status not working as expected (C-3566, C-3686)

    Users navigating the Cloud Map sometimes also saw denied traffic included on a node Details page despite filtering for allowed traffic.
  • Error onboarding Azure Flow Logs (C-2890)

    Users would sometimes get an error when onboarding Azure flow logs due to CloudSecure not understanding that flow log destination access was already granted.
  • No description in Azure "Forbidden" onboarding message (C-2023)

    When encountering an Azure onboarding error message, users did not get sufficient information to readily resolve the problem.

Known Limitations in CloudSecure

  • AWS PaaS resources may not have ENI (C-3265)

    CloudSecure uses DNS lookup on the fully qualified domain name to get the elastic network interface relationships, which is not guaranteed to get a match. The potentially affected AWS resources are RDS DBInstances, RDS DBClusters, ElasticLoadBalancingV2 load balancers, MemoryDB clusters, ElastiCache for Redis clusters, and Redshift clusters.
  • Error shown when users attempt to add an existing user to their account (C-3083)

    When a user tries to add existing users to their existing CloudSecure account, CloudSecure correctly prevents the action, but does not issue an error message. For example, if a customer has one live CloudSecure account and also one trial account, trying to add an existing trial user to the live account will silently fail.
  • Middle, right, or control click to open in new tab do not work (C-2398)

    Middle click, right click, and control click sometimes do not open the specific desired CloudSecure tab.
  • Application sometimes gets mapped to the wrong deployment's env label (C-1257)

    The resources have multiple cloud tags, and the tag in the application definition label doesn't align with the one used in the environment label.
  • Competing application definition (multiple app-def using same tags) (C-1095)
    CloudSecure allows users to create multiple application definitions with the same rules; that is, the same set of tags can be shared by two applications.

What's New in This Release - April 11th, 2024

The following new features are available in the April 11th, 2024 release:

No. Feature Category Feature List
1. Visualization
  • The Audit Events page shows you a running list of different events in your environment such as onboarding, policy, labeling and user actions. See Events for information.
  • The Inventory page is no longer limited in the number of resources it can display. See Inventory for information.
2. Applications

You can now bulk-delete applications that were created using Application Discovery Rules. See Define an Application Automatically for information.

3. Labels

The Tag to Label Mapping page now shows both the Illumio label type and the labels to which you have mapped your CSP cloud tag keys. See Cloud Tag to Label Mapping for information.

Resolved Limitations in CloudSecure

  • Map is empty when no regions returned in top down view (C-2982)

    When users filtered the Cloud Map in a way that excluded regions, it would appear empty. This limitation is resolved.

Known Limitations in CloudSecure

  • AWS PaaS resources may not have ENI (C-3265)

    CloudSecure uses DNS lookup on the fully qualified domain name to get the elastic network interface relationships, which is not guaranteed to get a match. The potentially affected AWS resources are RDS DBInstances, RDS DBClusters, ElasticLoadBalancingV2 load balancers, MemoryDB clusters, ElastiCache for Redis clusters, and Redshift clusters.
  • Error shown when users attempt to add an existing user to their account (C-3083)

    When a user tries to add existing users to their existing CloudSecure account, CloudSecure correctly prevents the action, but does not issue an error message. For example, if a customer has one live CloudSecure account and also one trial account, trying to add an existing trial user to the live account will silently fail.
  • Application sometimes gets mapped to the wrong deployment's env label (C-1257)

    The resources have multiple cloud tags, and the tag in the application definition label doesn't align with the one used in the environment label.
  • Competing application definition (multiple app-def using same tags) (C-1095)
    CloudSecure allows users to create multiple application definitions with the same rules; that is, the same set of tags can be shared by two applications.

What's New in This Release - April 4th, 2024

 

The following new features are available in the April 4th, 2024 release:

No. Feature Category Feature List
1. Visualization
  • These resources are now visible on the Cloud Map page:
    • AWS:
      • VPC Endpoints
    • Azure:
      • Private Endpoints
  • You can now see colored traffic lines on the Cloud Map page indicating allowed (green), denied (red), and mixed (orange) traffic.
    See the Cloud Map documentation on the portal.

  • The Inventory Details page now shows inbound and outbound rules for AWS Network ACLs
  • The resources documentation now contains a Category column. See the Inventory, Cloud Map, and Traffic documentation on the portal.
  • You can now see the IP addresses of certain types of resources in the Inventory Details page and the Map page Details pane. Such resources include Redshift Clusters and Load Balancers. See the Inventory and Cloud Map documentation on the portal.
  • You can now filter your Traffic page searches with labels. See the Traffic documentation on the portal.

Resolved Limitations in CloudSecure

  • Cloud Map is only showing some VNET peering links (C-3428)

    Sometimes the Inventory page showed additional peers that did not show up on the Map page. This limitation is resolved.

  • Security group names not showing up in console (C-1875)

    Discovered EC2 instances did not show security group names. This limitation is resolved.

  • AWS Security Group Rules not rendered on UI (C-3466)
    The Inventory detail page displayed security group details, but the rules were missing. This limitation is resolved.

Known Limitations in CloudSecure

  • AWS PaaS resources may not have ENI (C-3265)

    CloudSecure uses DNS lookup on the fully qualified domain name to get the elastic network interface relationships, which is not guaranteed to get a match. The potentially affected AWS resources are RDS DBInstances, RDS DBClusters, ElasticLoadBalancingV2 load balancers, MemoryDB clusters, ElastiCache for Redis clusters, and Redshift clusters.
  • Error shown when users attempt to add an existing user to their account (C-3083)

    When a user tries to add existing users to their existing CloudSecure account, CloudSecure correctly prevents the action, but does not issue an error message. For example, if a customer has one live CloudSecure account and also one trial account, trying to add an existing trial user to the live account will silently fail.
  • Application sometimes gets mapped to the wrong deployment's env label (C-1257)

    The resources have multiple cloud tags, and the tag in the application definition label doesn't align with the one used in the environment label.
  • Competing application definition (multiple app-def using same tags) (C-1095)

    CloudSecure allows users to create multiple application definitions with the same rules, i.e., the same set of tags can be shared by two applications.

What's New in This Release - March 28th, 2024

The following new features are available in the March 28th, 2024 release:

1. Visualization
  • The Inventory page Resource Graph tab now lets you view a graphical representation of a resource that you select. The graph contains the following:
    • Your selected resource

    • An inner ring around your selected resource, depicting each of its attached resources

    • An outer ring, depicting the individual instances of the attached resources shown in the inner ring

    • A series of incoming flow lines from the left, depicting sources for which your selected resource is the destination

    • A series of outgoing flow lines to the right, depicting destinations for which your selected resource is the source

    See the Inventory documentation on the portal.

2. Applications

CloudSecure now lets you bulk delete application definitions. See the Define an Application Automatically documentation on the portal.

Resolved Limitations in CloudSecure

  • Azure NAT Gateway not showing up in Cloud Map (C-3427)
    Azure NAT gateways appeared on the Inventory page but did not show up on the Cloud Map page. This limitation is resolved.

  • Allow multiple rules with empty prefix (C-3339)

    There was previously a constraint enforced where two rules could not have the same prefix, even if the prefix were left blank. This limitation is resolved.

Known Limitations in CloudSecure

  • AWS PaaS resources may not have ENI (C-3265)

    CloudSecure uses DNS lookup on the fully qualified domain name to get the elastic network interface relationships, which is not guaranteed to get a match. The potentially affected AWS resources are RDS DBInstances, RDS DBClusters, ElasticLoadBalancingV2 load balancers, MemoryDB clusters, ElastiCache for Redis clusters, and Redshift clusters.
  • Error shown when users attempt to add an existing user to their account (C-3083)

    When a user tries to add existing users to their existing CloudSecure account, CloudSecure correctly prevents the action, but does not issue an error message. For example, if a customer has one live CloudSecure account and also one trial account, trying to add an existing trial user to the live account will silently fail.
  • Application sometimes gets mapped to the wrong deployment's env label (C-1257)

    The resources have multiple cloud tags, and the tag in the application definition label doesn't align with the one used in the environment label.
  • Competing application definition (multiple app-def using same tags) (C-1095)
    CloudSecure allows users to create multiple application definitions with the same rules, i.e., the same set of tags can be shared by two applications.

What's New in This Release - March 21st, 2024

The following new features are available in the March 21st, 2024 release:

No. Feature Category Feature List
1. Visualization
  • The Usage page now lets you choose the graph style and includes the following additional workload hour categories: 
    • Container Hosts
    • Serverless Containers
    • Serverless Functions

  • You can now filter your searches with operators (AND, OR, =, !=, etc.)
  • See the CloudSecure Search documentation on the portal.
  • These resources are now visible on the Inventory page:
    • Azure:
      • Azure NAT Gateway
      • Azure publicIPAddress
      • Network Security Groups Default Security Rule
  • For a full list of all supported resources visible on the Inventory page, see the Inventory documentation on the portal.

  • These resources are now visible on the Cloud Map page:
    • Azure:
      • Azure NAT Gateway (Azure public IP prefixes will appear on the Details panel)
  • For a full list of all supported resources visible on the Cloud Map page, and the VPC/VNet peering described below, see the Cloud Map documentation on the portal.
  • You can now view VPC/VNet peering in detail on the Cloud Map page.

2. Flows

The Risk Report feature on the Traffic page now lets you toggle which details you wish to include. See the Traffic documentation on the portal.

3. Traffic

The filter now lets you use the Beta Advanced Filter mode, which lets you use joiners and operators while searching for sources, destinations, categories, etc. See the Traffic documentation on the portal.

4. Onboarding
  • The AWS onboarding process now lets you download a text file containing the permissions indicated by the read/write toggle.

  • The AWS account onboarding process now lets you see the CloudSecure ID you will need if you share CloudFormation stacks. See the Onboard an AWS Cloud Account documentation on the portal.

  • The Azure onboarding process is now more streamlined, so that you no longer need to manually enter client IDs and secrets.

  • For Azure, CloudSecure can now read flow logs from several NSGs going to the same storage account. See the Onboard an Azure Cloud Tenant and Onboard an Azure Cloud Subscription documentation on the portal.

5. Applications

CloudSecure now lets you automatically approve application definitions in two places. The Application Definition page lets you toggle whether you want CloudSecure to automatically approve all discovered applicable deployments and resources. Similarly, the Application Discovery Rule page lets you toggle whether you want CloudSecure to automatically approve all discovered application definitions, as well as any updates made to their deployments and resources. Either of these methods will skip the manual approval process for those applications. See the Define an Application Automatically documentation on the portal.

Resolved Limitations in CloudSecure

  • Editing discovery rules inserts extra dash (-) automatically (C-3337)

    When modifying discovery rules, an extra dash was added automatically to the prefix. This limitation is resolved.

  • Deleting T2L mapping does not delete label dimension (C-2646)

    When users deleted a tag to label mapping, any labels that were assigned to resources using that mapping were not removed. Deleting the mapping kept those mapped labels on the resources, resulting in the label never being deleted. This limitation is resolved.

Known Limitations in CloudSecure

  • AWS PaaS resources may not have ENI (C-3265)

    CloudSecure uses DNS lookup on the fully qualified domain name to get the elastic network interface relationships, which is not guaranteed to get a match. The potentially affected AWS resources are RDS DBInstances, RDS DBClusters, ElasticLoadBalancingV2 load balancers, MemoryDB clusters, ElastiCache for Redis clusters, and Redshift clusters.
  • Error shown when users attempt to add an existing user to their account (C-3083)

    When a user tries to add existing users to their existing CloudSecure account, CloudSecure correctly prevents the action, but does not issue an error message. For example, if a customer has one live CloudSecure account and also one trial account, trying to add an existing trial user to the live account will silently fail.
  • Application sometimes gets mapped to the wrong deployment's env label (C-1257)

    The resources have multiple cloud tags, and the tag in the application definition label doesn't align with the one used in the environment label.
  • Competing application definition (multiple app-def using same tags) (C-1095)
    CloudSecure allows users to create multiple application definitions with the same rules, i.e., the same set of tags can be shared by two applications.

What's New in This Release - March 11th, 2024

The following new features are available in the March 11th, 2024 release:

No. Feature Category Feature List
1. Onboarding

You can now onboard Azure tenants in addition to individual subscriptions as before. See the Onboard an Azure Cloud Tenant documentation on the portal.

2. Visualization

These resources are now visible on the Inventory page:

AWS:

  • VPC

Azure:

  • VNet

For a full list of all supported resources visible on the Inventory page, see the Inventory documentation on the portal.

3. Policy
  • You can now preview a policy's impact before provisioning it
  • This resource is now available for policy enforcement:

    • AWS RDS DB clusters

See the Writing Application Policy documentation on the portal.

4. Applications

You can now approve application deployments and resources in bulk on the application definition page. See the View and Approve documentation on the portal.

Resolved Limitations in CloudSecure

  • Slice bug on Flow Log Access page (C-3080)
    A conditional check was missing for sliced items. Therefore, users might have gotten a blank screen. This limitation is resolved.
  • 406 errors should be displayed when deleting tag to label mappings (C-3217)
    When users deleted a tag to label mapping, any errors returned by the delete response were not shown in the UI. This limitation is resolved.

  • Application has 0 resources, but the map is rendering resources (C-3041)
    When users selected an application on the Cloud Map, the map would sometimes indicate resources despite there not being any. This limitation is resolved.

  • Go button does not refresh data unless filters change (C-2296)
    When users executed a query on the Traffic, Inventory, or Cloud Map pages, the Go button did not re-run the same query on fresh data. To re-run the same query, users had to change the filter and change it back again before re-running the query. This limitation is resolved.

  • Avoid label create/delete race conditions (C-2957)
    When users deleted and re-created an application or deployment in quick succession, CloudSecure sometimes deleted the label that was re-used by the re-created app/deployment. Users ended up with an application or deployment linked to a deleted label. This limitation is resolved.

  • Events in CloudSecure UI should show the latest events at the top (C-2946)
    The Events page would show the oldest events at the top rather than at the bottom. This limitation is resolved.

  • Editing Azure subscription integrations showed child account list (C-2920)
    When users edited their Azure subscriptions, the user's child accounts were mistakenly listed. This limitation is resolved.

Known Limitations in CloudSecure

  • Error shown when users attempt to add an existing user to their account (C-3083)
    When a user tries to add existing users to their existing CloudSecure account, CloudSecure correctly prevents the action, but does not issue an error message. For example, if a customer has one live CloudSecure account and also one trial account, trying to add an existing trial user to the live account will silently fail.
  • Application sometimes gets mapped to the wrong deployment's env label (C-1257)
    The resources have multiple cloud tags, and the tag in the application definition label doesn't align with the one used in the environment label.
  • Competing application definition (multiple app-def using same tags) (C-1095)
    CloudSecure allows users to create multiple application definitions with the same rules, i.e., the same set of tags can be shared by two applications.

What's New in This Release - February 29th, 2024

The following new features are available in the February 29th, 2024 release:

No. Feature Category Feature List
1. Visualization
  • The new Usage feature displays workload hours and flow log storage usage.

  • These resources are now visible on the Cloud Map page:

    • AWS:

      • DynamoDB tables

      • Lambda

    For a full list of all supported resources visible on the Cloud Map page, see the Cloud Map documentation on the Illumio documentation portal.
  • This resource is now visible on the Inventory page:

    • AWS:

      • Lambda

    For a full list of all supported resources visible on the Inventory page, see the Inventory documentation on the Illumio documentation portal.

Resolved Limitations in CloudSecure

  • App approval status filters do not show correct results (C-2945)
    The resources have multiple cloud tags, and the tag in the application definition label doesn't align with the one used in the environment label.

Known Limitations in CloudSecure

  • Application sometimes gets mapped to the wrong deployment's env label (C-1257)
    The resources have multiple cloud tags, and the tag in the application definition label doesn't align with the one used in the environment label.
  • Competing application definition (multiple app-def using same tags) (C-1095)
    CloudSecure allows users to create multiple application definitions with the same rules, i.e., the same set of tags can be shared by two applications.

What's New in This Release - February 22nd, 2024

The following new features are available in the February 22nd, 2024 release:

No. Feature Category Feature List
1. Application Definition

Application Discovery Rules now allow full editing.

2. Policy

Allow rules are now available for organization policies.

3. Visualization
  • The new Usage feature displays workload hours and flow log storage usage.

  • These types of resources are now visible on the Cloud Map page:

    • AWS:

      • Redshift clusters
    • Azure:

      • Microsoft.Web/sites
      • Microsoft.Web/sites/functions
    For a full list of all supported resources visible on the Cloud Map page, see the Cloud Map documentation on the Illumio documentation portal.
  • These types of resources are now visible on the Inventory page:

    • AWS:

      • Redshift clusters
      • DynamoDB tables
    • Azure:
      • Microsoft.Web/sites
      • Microsoft.Web/sites/functions
    For a full list of all supported resources visible on the Inventory page, see the Inventory documentation on the Illumio documentation portal.

Resolved Limitations in CloudSecure

  • Tag to label mapping must be defined before an app is defined (C-2997)
    Users did not have the ability to write policies on labels created using tag to label mapping if those labels were not associated with any application. This limitation is resolved.
  • Editing proxy username is not supported (E-113332)
    CloudSecure did not support updating the username. Due to this limitation, name editing was disabled in existing tenants and all the new users added to existing tenants. The edit user function in the User detail page and the My Profile page were disabled. For new tenants and users in new tenants, editing the user is now supported. This limitation is resolved.
  • Traffic doesn't show labeled workloads (C-2559)
    When users went to the Traffic tab, flows sometimes erroneously lacked labels. When users searched for labeled traffic flows, sometimes no results were returned. This limitation is resolved.

Known Limitations in CloudSecure

  • Application sometimes gets mapped to the wrong deployment's env label (C-1257)
    The resources have multiple cloud tags, and the tag in the application definition label doesn't align with the one used in the environment label.
  • Competing application definition (multiple app-def using same tags) (C-1095)
    CloudSecure allows users to create multiple application definitions with the same rules, i.e., the same set of tags can be shared by two applications.

What's New in This Release - February 15th, 2024

The following new features are available in the February 15th, 2024 release:

No. Feature Category Feature List
1. Visualization

Public IPs are supported for Azure VM flows but not policies.

Resolved Limitations in CloudSecure

  • The username is incorrectly displayed on the main page and within the user grid (C-2897)
    Users' names were displayed incorrectly after being added. This limitation is resolved.
  • Resources not shown for pending approval apps (C-2887)
    When creating applications either individually or using a discovery rule, resources were not visible on the Application Definition page resources link while the applications were pending. This limitation is resolved.
  • UI must validate application deployment inputs (C-2797)
    Users were allowed to add deployment types without any values. If a user did not enter any values, a UI page crash occurred and/or the backend rejected the request. The UI now disables the Add button when no values are selected. This limitation is resolved.
  • Tried to onboard an AWS account previously onboarded and offboarded, getting errors in CloudFormation template creation (C-2715)
    Offboarding AWS accounts did not completely remove the stack. Workaround: Follow the Remove the Integration instructions on the Illumio documentation portal.

Known Limitations in CloudSecure

  • Application sometimes gets mapped to the wrong deployment's env label (C-1257)

    The resources have multiple cloud tags, and the tag in the application definition label doesn't align with the one used in the environment label.
  • Competing application definition (multiple app-def using same tags) (C-1095)
    CloudSecure allows users to create multiple application definitions with the same rules, i.e., the same set of tags can be shared by two applications.

What's New in This Release - February 8th, 2024

The following new features are available in the February 8th, 2024 release:

No. Feature Category Feature List
1. Visualization
  • These types of resources are now visible on the Cloud Map page:
    • AWS:
      • S3 bucket VPC endpoints will appear in the Detail panel, but multiple VPC endpoints for a single S3 bucket are not supported
      • ElasticLoadBalancingV2 Load balancer
    • Azure:
      • Azure spot VMs
      • VM scale sets
      • Storage account private endpoints will appear in the Detail panel as attachments
      • Azure PostgreSQL
        • Microsoft.DBforPostgreSQL/serverGroupsv2
        • Microsoft.DBforPostgreSQL/flexibleServers (databases will appear in the Detail panel as attachments)
        • Microsoft.DBforPostgreSQL/servers (databases will appear in the Detail panel as attachments)
      • Microsoft.DocumentDB/cassandraClusters
      • Microsoft.DocumentDB/mongoClusters
      • Azure SQL servers (databases will appear in the Detail panel as attachments)
    For a full list of all supported resources visible on the Cloud Map page, see the Cloud Map documentation on the Illumio documentation portal.
  • These types of resources are now visible on the Inventory page:
    • Azure:
      • Microsoft.DBforPostgreSQL/flexibleServers/databases
      • Microsoft.DBforPostgreSQL/servers/databases
    For a full list of all supported resources visible on the Inventory page, see the Inventory documentation on the Illumio documentation portal.
  • On the Inventory page you will see two additional tabs: Inbound Rules and Outbound Rules. These tabs appear in your AWS Security Groups' and Azure Network Security Groups' Detail panels as attachments.

2. Onboarding

You can now onboard AWS organizations in addition to individual accounts as before.

3. Applications

Although CloudSecure has always allowed you to define applications individually, you can now automatically create multiple applications by defining an Application Discovery Rule. This feature runs in the background, so the rule you create will automatically define applications when new resources are added that meet the rule parameters.

You can also now use accounts, in addition to cloud tags or virtual networks and subnets, to define your applications.

Resolved Limitations in CloudSecure

  • NSG attached to subnet is not included in vm->nsg relationship (C-2594)
    CloudSecure was programming only network security groups associated with a NIC. This limitation is resolved. Now CloudSecure will program both network security groups associated with a subnet and those associated with a NIC.
  • Label search within an application shows resources that do not belong to the application (C-2568)
    A label search within an application showed all resources instead of showing the resources for only the selected application. This limitation is resolved.
  • Dashboard Traffic Summary tile forgets user's previous filter selection (C-2387)
    When users filtered by a specific CSP and a specific timeframe, and went away from the Dashboard page, the Traffic Summary tile would reset to the 24-hour default, with all CSPs selected. This limitation is resolved.

Known Limitations in CloudSecure

  • Application sometimes gets mapped to the wrong deployment's env label (C-1257)

    The resources have multiple cloud tags, and the tag in the application definition label doesn't align with the one used in the environment label.
  • Competing application definition (multiple app-def using same tags) (C-1095)
    CloudSecure allows users to create multiple application definitions with the same rules, i.e., the same set of tags can be shared by two applications.

What's New in This Release - February 1st, 2024

The following new features are available in the February 1st, 2024 release:

No. Feature Category Feature List
1. Visualization
  • These types of resources are now visible on the Cloud Map and Inventory pages:
    • AWS:
      • RDS DB clusters

      • RDS DB instances

      • EC2 VPCs, subnets, NAT gateways, Internet gateways, spot fleet requests and spot instance requests

      • ECS clusters

      • ECS container instances

      • Glacier vaults

      • ElastiCache clusters

      • MemoryDB clusters

    • Azure:
      • Virtual networks and their subnets

      • Storage accounts

      • Application gateways

      • Load balancers

      • Azure firewalls

      • Virtual network gateways

      • VPN gateways

      • NAT gateways

      • DocumentDB database accounts

  • Additional types of resources are visible on the Traffic page:
    • AWS:
      • ENIs
    • Azure:
      • Network interfaces
2. Flows

The Risk Report feature on the Traffic page lets you generate a PDF report summarizing the following at the account/subscription level:

  • Total count of ransomware-susceptible traffic flows

  • Total count of resources in your cloud environment affected by such flows

3. Onboarding

When onboarding CSP accounts or subscriptions, you can now select read-only access.

Known Limitations in CloudSecure

  • Application sometimes gets mapped to the wrong deployment's env label (C-1257)

    The resources have multiple cloud tags, and the tag in the application definition label doesn't align with the one used in the environment label.
  • Competing application definition (multiple app-def using same tags) (C-1095)
    CloudSecure allows users to create multiple application definitions with the same rules, i.e., the same set of tags can be shared by two applications.