Groups in Illumination
Groups in the Illumination map represent a collection of workloads or services that communicate with each other and for which you can write segmentation rules. Groups are displayed in the Illumination map after you pair workloads. See the VEN Installation and Upgrade Guide for information about installing (also called pairing Installation of the Illumio VEN software on a workload using a unique secure pairing key. A Workload is paired by executing a pairing script generated from a Pairing Profile.) VENs on workloads.
Illumination Group Detail Levels
You can choose one of three levels of detail in Illumination for enforced workloads in a group.
These levels allow you to control how much data the VEN collects from a workload when enforced, so you can control resource demands on workloads:
- High detail: The VEN collects connection details (source IP, destination IP, protocol and source port and destination port). This option applies to both allowed and blocked connections. This option provides rich Illumination detail but requires some system resources from a workload.
- Low detail: The VEN only collects the blocked connection details (source IP, destination IP, protocol and source port and destination port), including all packets that were dropped. This option provides less Illumination detail but also demands fewer system resources from a workload than high detail.
- No detail: The VEN does not collect any information about traffic connections. This option is only available for workloads that are in the enforced state. This option provides no Illumination detail and demands the least amount of system resources from a workload.
Types of Groups in Illumination
Once you pair workloads, the PCE analyzes the workload data reported by the VENs. Based on the traffic flows among your workloads, Illumination organizes them into groups. A group could represent an instance of an application running in your datacenter, such as an HRM application running in the test environment in your North America datacenter; or a group could represent a web store in production with its web workloads hosted in AWS and its databases hosted in your private datacenter.
In cases where more than 100 workloads are paired, groups are displayed in different levels of detail in the Illumination map. For information about the different view levels of groups in Illumination, see Illumination View Levels.
Group enforcement modes
Groups on the Illumination map are in the following enforcement modes:
- Full: Segmentation rules are enforced for all inbound and outbound services. Traffic not allowed by the segmentation rule is blocked. This was previously known as the "enforced" mode.
- Selective Enforcement: The new enforcement mode where segmentation rules are enforced only for the selected inbound services when workload is within the scope of the Selective Enforcement rule.
- Visibility Only:no traffic is blocked by policy. This was previously the so-called "illuminated" mode.
Groups in Full Enforced Mode
When you are ready to enforce the segmentation rules you have written, place the group into the Full state. When you put a group into the Full state, all traffic flows permitted by segmentation rules are allowed and all other traffic is blocked.
The line around the group is a thick full line.
Groups in Visibility Only Mode
When you have written segmentation rules for the traffic flows in the group, you can place the group into the Visibility Only state to view all traffic that will be blocked when the group is put into the Full enforced mode. To change theenforcement for a group, select the group and select Setenforcement from the command panel.
In the Visibility Only mode, all traffic is still allowed, even traffic flows not permitted by your segmentation rules. You can view all traffic that will be blocked by going to the Blocked Traffic page and selecting the Potentially Blocked Traffic filter.
Discovered Group without segmentation rules
When a Group is first “discovered” by the PCE, its boundary is indicated by a gray dashed line and all traffic lines are gray because segmentation rules cannot be written for the group yet.
View Group Details
After you pair workloads and apply at least one label to them, the Illumination map puts all workloads that communicate together into a group.
You can view a group's details to view or change the labels assigned to the workloads, change the enforcement of the workloads, or unpair or pair new workloads.
To prepare a group for segmentation rules:
-
From the PCE web console menu, choose Illumination Map.
The Illumination map appears.
- Select a group by clicking inside the group (but not on any workloads).
The command panel for the group appears. - The Group details page appears. It shows all the workloads that share the same scope.
- Make changes to workloads or segmentation rules and click Save.
Expand or Collapse Group Roles
When you drill down into a group detail in the Illumination map, multiple workloads that share the same Role label are collapsed together to save space.
You can easily expand the workloads by selecting them and clicking Expand Role in the command panel.
You can expand up to 200 workloads per collapsed role and up to two roles.
- Open the group command panel, same as above.
- Click Expand Group Roles to see the roles inside the group.
- Workloads that share the Role label are expanded:
Add or Remove Workload to or from a Group
In the Illumination map, you might see workloads that don't belong to a group, such as management or monitoring services that run in your network but are not relevant to the policy you want to build.
You can remove workloads from a group by simply dragging them out. Conversely, if you notice that a workload that should be included in a group but is not, you can simply drag it into the group.
You can only add or remove a workload to or from groups that have been prepared for rule writing.
When you add a workload to a group, the workload inherits the Application, Environment, and Location labels associated with the group.
When you remove a workload from a group, the workload's Application, Environment, and Location labels are removed from the workload.