Inventory

This topic describes the purpose of the Illumio CloudSecure Inventory feature, and provides a general example of how you would use it. For instructions on how to use the search function in the Inventory page, see the pop-ups in the CloudSecure GUI.

Supported Resource Types

See Inventory Supported Resources. For a list of resources against which you can write policy, see Resources that Support Policy.

Resources Use Case and Example

Illumio CloudSecure discovers your resources once cloud onboarding is complete. The Inventory feature lets you search a table of those discovered resources, for example to confirm general expectations of what resources you have, to see what is deployed in a given region, or to look at a specific type of resource.

For example, suppose you are interested in reviewing a particular virtual machine, like an AWS EC2 instance. The following steps illustrate how you would do that.

  1. The first part of the sequence might be to filter by Object Type and select AWS::EC2::Instance:

    This filter would return a list of EC2 instances. Depending on how you customize your columns, you might see:

    • Cloud type
    • Name and ID
    • Resource State
    • Account ID

    as well as many other characteristics. You can also choose one of the preset column customizations: Cloud Details, Labels and Cloud Tags, or Security Controls.

  2. The next step in the sequence would be to click one of the entries in the Name and ID column. In the case of an EC2 instance or VM, you will see additional information, beyond the general information, listed in the Attached Resources tab. That tab displays the following information:

    • NICs
    • Security Groups
    • Subnets
    • Traffic

    Selecting an ID column entry under any of those headings shows details for that entry, such as its state or creation date.

For more information on Inventory page search, see CloudSecure Search.

VPC/VNet Peering Details

VPC and VNet peering connection details are provided on the Details page of VPC and VNet resources in the inventory list.

VPC/VNet Peering Guidelines

  • You can click any of the peered VPCs or VNets to see further details.
  • The requester and acceptor roles are defined by the peering connection, so the current VPC or VNet can be either the requester or the acceptor.
  • VPCs and VNets can be peered across accounts: for example, two VPCs, one in each of two accounts, joined by a single peering relationship. To see the full details, both accounts must be onboarded. If only one account is onboarded, you will still see the peering connection, but the details of the non-onboarded peer (attached resource) will display only its CSP ID rather than a link to an inventory resource.
  • Cross-account peering connections for AWS VPCs share the same CSP ID, whereas cross-account peering connections for Azure VNets have a different CSP ID for each VNet, because Azure CSP IDs include account information.
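The following added example (not Illumio's code) shows one way the guidelines above can be applied when merging per-account peering records into a single relationship: AWS sides share one pcx- CSP ID, Azure sides are matched by VNet pair because each side carries its own CSP ID, and a peer in an account that is not onboarded keeps only its CSP ID instead of a link. All account, resource and CSP IDs, the record fields, and the /inventory/ link path are constructed assumptions.

```python
# Constructed sample data: the accounts/subscriptions that have been onboarded.
ONBOARDED = {"111111111111", "222222222222", "sub-a", "sub-b"}

# One record per side, as reported by an onboarded account (constructed, hypothetical shape).
RECORDS = [
    # AWS cross-account peering seen from both onboarded accounts: same pcx- CSP ID on each side
    {"cloud": "aws", "account": "111111111111", "local": "vpc-0aaa", "peer": "vpc-0bbb",
     "peer_account": "222222222222", "role": "requester", "csp_id": "pcx-0001"},
    {"cloud": "aws", "account": "222222222222", "local": "vpc-0bbb", "peer": "vpc-0aaa",
     "peer_account": "111111111111", "role": "acceptor", "csp_id": "pcx-0001"},
    # AWS peering whose other account (333...) is not onboarded: only one side is ever reported
    {"cloud": "aws", "account": "111111111111", "local": "vpc-0aaa", "peer": "vpc-0ccc",
     "peer_account": "333333333333", "role": "acceptor", "csp_id": "pcx-0002"},
    # Azure cross-subscription peering: each VNet's peering has its own CSP ID (it embeds the account)
    {"cloud": "azure", "account": "sub-a", "local": "vnet-a", "peer": "vnet-b",
     "peer_account": "sub-b", "role": "requester", "csp_id": "/subscriptions/sub-a/.../vnet-a/peerings/to-b"},
    {"cloud": "azure", "account": "sub-b", "local": "vnet-b", "peer": "vnet-a",
     "peer_account": "sub-a", "role": "acceptor", "csp_id": "/subscriptions/sub-b/.../vnet-b/peerings/to-a"},
]

def relationship_key(rec):
    """AWS sides share one pcx- ID; Azure sides do not, so key Azure on the unordered VNet pair."""
    if rec["cloud"] == "aws":
        return ("aws", rec["csp_id"])
    return ("azure", frozenset((rec["local"], rec["peer"])))

def peer_view(resource_id, account, onboarded):
    """An onboarded peer gets a (hypothetical) inventory link; a non-onboarded one shows only its ID."""
    return {"id": resource_id, "link": f"/inventory/{resource_id}" if account in onboarded else None}

def merge_peerings(records, onboarded):
    """Collapse per-side records into one relationship per peering connection."""
    rels = {}
    for rec in records:
        rel = rels.setdefault(relationship_key(rec), {"requester": None, "acceptor": None, "peers": {}})
        rel[rec["role"]] = rec["local"]
        # The peer's role is the opposite of the local side's role in this connection
        rel["acceptor" if rec["role"] == "requester" else "requester"] = rec["peer"]
        rel["peers"][rec["local"]] = peer_view(rec["local"], rec["account"], onboarded)
        rel["peers"][rec["peer"]] = peer_view(rec["peer"], rec["peer_account"], onboarded)
    return rels

if __name__ == "__main__":
    for key, rel in merge_peerings(RECORDS, ONBOARDED).items():
        shown = [p["link"] or p["id"] for p in rel["peers"].values()]
        print(key, rel["requester"], "->", rel["acceptor"], shown)
```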

Security Control Resource Details

Inbound/Outbound rules are featured for security control resources, including:

  • AWS Security Groups

  • Azure Network Security Groups

  • AWS Network ACLs

On the Details page of any security control resource, you will see two additional tabs: Inbound Rules and Outbound Rules.

  • Inbound rules: these control the incoming traffic that’s allowed to reach the instances associated with the security group

  • Outbound rules: these control the outgoing traffic from your instances

Each of these rules will contain information such as source/destination, port/port range, protocol, etc.

NOTE:

Although AWS security group rules and Azure network security group rules are visible on the Details page for AWS security groups and Azure network security groups, Azure network security group rules created before July 2021 will not appear on the Details page, because CloudSecure does not ingest rules that were created without resource IDs. If any of your rules are missing for this reason, recreating the rule will allow it to display.

Details Resource Graph

When you click on the details for a given resource, you can go to the Resource Graph tab for a visual representation of that resource's relationships to sources, destinations, and attached resources. For example, if you selected the graph for an EC2 instance you could see:

  • The EC2 instance depicted in the center of a series of concentric rings

  • An inner ring, depicting each of the attached resources such as subnets, VPCs, security groups, and network interfaces

  • An outer ring, depicting the individual instances of the attached resources shown in the inner ring. For example, you might see an outer ring listing one or more individual network interfaces and their ID numbers.

  • A series of incoming flow lines from the left, depicting sources such as other EC2 instances, ENIs, IPs, and so forth, for which the EC2 instance in the center is the destination

  • A series of outgoing flow lines to the right, depicting destinations such as RDS DB clusters, ENIs, IPs and so forth, for which the EC2 instance in the center is the source

The following figure provides an example.

Exporting an Inventory Report

  1. Click Export to export the inventory data.
  2. Edit the report name and select the format.
  3. Click Save when done.
  4. Go to the Reports page to download the exported report.

Known Networks

The Known Networks tab displays a list of known networks, which are, in effect, IP lists. This list populates the options for the Known Networks filter on the Traffic page (see Search Traffic). To add a known network, follow the in-application help directions.

The Cloud Map also displays them as a type of resource in the upper left-hand corner.