Cloud Map

This topic explains how to work with the Cloud Map in CloudSecure, found in the Cloud > Explore menu. For information on navigating the Cloud Map, see Navigating the Cloud Map.

For a list of resources you can view on the Cloud Map, see Cloud Map Supported Resources. For a list of resources against which you can write policy, see Resources that Support Policy.

What is the Cloud Map?

Organizations can find it difficult to understand their cloud topology. For example, understanding the relationships between the objects and related components such as security groups, tags, and other metadata in your cloud accounts is challenging. CloudSecure is designed to handle this challenge. CloudSecure analyzes these relationships to provide a view of assets with proper cloud hierarchy.

In CloudSecure, the Cloud Map displays a view of your cloud inventory as a network topology map for the cloud infrastructure. The map displays the relationships between your resources by using cloud native constructs. Go to the map to view your entire state of cloud resources from the cloud accounts you have onboarded with CloudSecure.

Use the Cloud Map to view your cloud topology and analyze the traffic flow data CloudSecure captures. The map helps you visualize your cloud resources and provides an understanding of the traffic flows between them.

CloudSecure synchronizes the data in the cloud accounts you have onboarded and displays it in the Inventory, Traffic, and Cloud Map pages.

How the Cloud Map is Organized

CloudSecure organizes the map first by cloud — AWS versus Azure. Each public cloud has its own grouping in the map.

The map organization continues to get progressively more granular and displays resources in this hierarchy:

  • Region (Location)

  • VPC (VNet)

  • Subnet

  • Resources

The map displays your resources within the regions. This example shows the us-west-2 region in your AWS 13########## account.

When you zoom in to view a region, the map shows the count of resources in that region.

Each region of the map contains the following types of objects:

  • Cloud Hierarchy Combo

    This can be a cloud, account, region, VPC, or subnet that contains other resources. For example, a VPC combo can contain a subnet, and a subnet combo can contain an EC2 instance.

  • Resource Combo

    This is a group of resources of the same type, indicated with a number.

  • Resource Node

    This is an individual resource.

Limitations for Using the Cloud Map

After you onboard an account, its resources begin to display in the Cloud Map within five to ten minutes. During this time, your map displays the message “No resources available yet.”

When the map loads, CloudSecure limits the number of objects that the map will display:

  • Resources: 2,000 objects

  • Traffic: 10,000 flows

These display limitations are not configurable. After you onboard your cloud accounts, CloudSecure discovers all their resources. To provide optimal map display performance, Illumio sets these display limitations. They are UI limitations only. You can filter your map to retrieve data about resources that aren't initially displayed when you elect to view your full map. See Filtering Your Map Resources for information.

When you encounter this display limitation, the map includes an informational message telling you to filter your map to see more resources. For example, the following message indicates the current map view is not displaying all traffic flows.

Caveats

Every 10 minutes the map ingests traffic flows in 60-minute chunks. Flows are shown only for completed chunks. This means that if flow log access has just been enabled, you would need to wait at least an hour to see the flows in the Cloud Map, Traffic, and Inventory pages. However, if you enabled flow log access some time ago and already have previous 60-minute flow chunks, you would see the updated flow within 10 minutes.