About the App Group Map

NOTE:

In previous releases, this feature was referred to as “Segmentation Rulesets.” In Illumio Core 21.5.0 and later releases, this feature is now referred to as “Rulesets.” Some images might still display the previous feature name.

The App Group Map visualizes all the App Groups in your PCE to help you quickly access specific workloads based on the App Group to which they belong. You can also view traffic together with its segmentation rule coverage, which takes Windows process-based services into account.

The Illumination map visualizes the workloads and traffic in your datacenter, which takes time to render in large-scale deployments. However, some users, such as application owners, prefer to think about their datacenter in terms of traffic between workloads that belong to different application instances, rather than between physical locations.

The App Group Map is designed to provide visualization for application owners by showing all workloads for an application instance in a single App Group, even when they are not currently communicating with each other. This feature allows application owners to focus only on the workloads that belong to their applications, regardless of location, when building or validating security policies for traffic between workloads.

The App Group Map visualizes the network traffic by organizing it based on App Groups. App Groups can either be a set of Application and Environment labels or a set of Application, Environment, and Location labels.

The App Group Map displays all the App Groups in your PCE to help you quickly access specific workloads and their traffic based on the App Group to which they belong. For each chosen App Group, you can view:

  • Consuming App Groups: Use services provided by the current application
  • Providing App Groups: Provide services used by the current application

You can search for a specific App Group and see its associated workloads, the traffic and segmentation rule coverage between the workloads in that App Group, the other App Groups that provide or consume its services, and the segmentation rule coverage for the traffic between App Groups.
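The grouping and direction rules described above, modelled as an added Python example (not Illumio code and not the PCE API). The workload names, labels and flows are constructed sample data, and `app_group`, `members` and `neighbours` are hypothetical helper names.

```python
from collections import defaultdict

# Constructed sample data (not exported from a PCE): workload -> labels.
WORKLOADS = {
    "web1":   {"app": "Ordering", "env": "Prod", "loc": "NYC"},
    "db1":    {"app": "Ordering", "env": "Prod", "loc": "NYC"},
    "batch1": {"app": "Ordering", "env": "Prod", "loc": "NYC"},  # no traffic yet
    "pos1":   {"app": "PointOfSale", "env": "Prod", "loc": "NYC"},
    "pos2":   {"app": "PointOfSale", "env": "Prod", "loc": "SFO"},
    "ldap1":  {"app": "Directory", "env": "Prod", "loc": "SFO"},
}
# Constructed flows: (consumer workload, provider workload, service, allowed by a rule?)
FLOWS = [
    ("web1", "db1", "5432/tcp", True),
    ("pos1", "web1", "443/tcp", True),
    ("pos2", "web1", "443/tcp", False),
    ("db1", "ldap1", "636/tcp", False),
]

def app_group(name, use_location=False):
    """App Group key: Application + Environment, optionally + Location."""
    labels = WORKLOADS[name]
    key = (labels["app"], labels["env"])
    return key + (labels["loc"],) if use_location else key

def members(group, use_location=False):
    """All workloads in the group, whether or not they currently have traffic."""
    return sorted(w for w in WORKLOADS if app_group(w, use_location) == group)

def neighbours(group, use_location=False):
    """Return (consuming, providing): each maps a peer App Group to the set of
    (service, 'allowed' | 'blocked') pairs seen on traffic crossing the group boundary."""
    consuming, providing = defaultdict(set), defaultdict(set)
    for src, dst, service, allowed in FLOWS:
        s, d = app_group(src, use_location), app_group(dst, use_location)
        if s == d:
            continue  # intra-group traffic belongs to the App Group's own view
        state = "allowed" if allowed else "blocked"
        if d == group:    # peer initiates connections to this group: a consumer
            consuming[s].add((service, state))
        elif s == group:  # this group initiates connections to the peer: a provider
            providing[d].add((service, state))
    return dict(consuming), dict(providing)

if __name__ == "__main__":
    group = ("Ordering", "Prod")
    print(members(group))
    print(neighbours(group))
```

Switching `use_location` to `True` splits the single PointOfSale consumer into an NYC group with allowed traffic and an SFO group with blocked traffic, which shows how the choice of label set changes what an application owner sees.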

App Group Views

The App Group Map initially displays a search bar that allows you to search for a specific App Group. When you have previously used the App Group page, a list of recently viewed App Groups is also displayed.

NOTE:

If you click an App Group that contains more than 1,000 workloads, you see an alert message and the workloads are not displayed.

When you select an App Group (either from the list of recently viewed App Groups, if it exists, or from the drop-down list in the App Group search bar), the workloads and traffic for the workloads in that App Group are displayed, along with a list of other App Groups communicating with that App Group either as providers or consumers of services.

Above the App Group, you see a link to the App Groups that initiate connections to this application instance. Below the App Group, you see a link to the App Groups that provide services for this application instance.

To view the consuming or providing App Groups, click View. A pop-up window displays the name of each App Group, its Location label, and the number of workloads it contains.

From this pop-up window, you can click Close to close it or select an App Group to display it in the App Group Map.

NOTE:

If the App Group does not have any connections, the Providing and Consuming App Groups do not display.

When you select a Consuming or Providing App Group, an oval representing the expanded App Group displays in the App Group Map. Lines representing the traffic links between the App Groups are displayed in either red for blocked traffic or green for allowed traffic. Consuming App Groups display above the original App Group and Providing App Groups display below the original App Group.

If an expanded Consuming or Providing App Group is currently displayed in the App Group Map, the link in the App Group's circle changes from View to Next. Click Next to view the next connected Consuming or Providing App Group.

When you select an App Group, the list of all observed services between any workloads in that App Group displays. When you click a specific line between two workloads, all services between the selected workloads display.

When you have virtual servers, you can view their details in the App Group Map command panel in both Reported and Draft views.

When you select a traffic line between two App Groups and click Create Ruleset, the auto-populated name is a combination of the labels for the selected App Group.

When a ruleset already exists for this traffic, click View Ruleset to display it.

Application owners can write both intra- and extra-scope rules to allow others to use the application instance. However, as an application owner, you can write rules only when you are the owner of the Providing App Group; those rules allow other Consuming App Groups to access your application workloads.