Understanding these concepts will help you complete the solutions in this Illumio ASP Free Trial and give you a deeper understanding of the Illumio technology.

Policy Compute Engine (PCE)

The brain of the Illumio ASP. The ASP stores its program logic and the information it collects in the PCE. The PCE generates and distributes segmentation policies for each VEN connected to it.

Virtual Enforcement Node (VEN)

The local control point of the Illumio ASP installed on each workload. It provides information about the workload and enforces policy rules by controlling the Linux iptables or Windows Filtering Platform (WFP) tables on a workload.


Workload

The Illumio generic term for anything with an operating system, such as a bare-metal server, VM, or container (e.g., Docker container).

Workload policy states

The VEN supports multiple policy states to help with the policy creation process. Illumination shows these states and uses them to visualize traffic.


Pairing

The process of installing the Illumio VEN software on a workload by using a unique secure pairing key.

Rulesets and rules

The whitelist policies that use labels to generate customized port connections for each workload. Rules are collected into rulesets for versioning. Policies are pushed out to workloads with the matching labels by a process called provisioning.

Providers and consumers

The Illumio model is provider centric. You declare what ports on providers can be accessed by consumers.

Role labels

The function of a workload; e.g., for a simple two-tier application consisting of a web server and a database server: Web and Database. Assigning Role labels to workloads allows you to create advanced segmentation policies.

Application groups

Collections of workloads with the same Location, Environment, and Application labels. Applications are a control point for policy. Policy Generator uses application groups as the essential unit.
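The following added example is a conceptual model of the "Rulesets and rules", "Providers and consumers", and "Role labels" entries above. It is not Illumio code and does not use the PCE API. It expands one label-based, provider-centric rule into per-workload inbound allow entries. The label keys (`role`, `app`, `env`, `loc`), workload names, IP addresses, and port are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    labels: frozenset  # (key, value) pairs, e.g. ("role", "Web")

@dataclass(frozen=True)
class Rule:
    provider: frozenset  # labels the providing workload must carry
    consumer: frozenset  # labels the consuming workload must carry
    port: int
    proto: str = "tcp"

def workload(name, ip, **labels):
    return Workload(name, ip, frozenset(labels.items()))

def compile_inbound(rules, workloads):
    """Expand label-based rules into per-provider allow entries.
    Whatever is not listed stays denied (allowlist model)."""
    allow = {w.name: set() for w in workloads}
    for rule in rules:
        for p in workloads:
            if not rule.provider <= p.labels:
                continue  # workload does not match the provider labels
            for c in workloads:
                if c is not p and rule.consumer <= c.labels:
                    allow[p.name].add((c.ip, rule.proto, rule.port))
    return {name: sorted(entries) for name, entries in allow.items()}

# Constructed inventory: one application group plus a Dev workload outside it.
SCOPE = {"app": "Ordering", "env": "Prod", "loc": "DC1"}

def scoped(role):
    return frozenset({**SCOPE, "role": role}.items())

WORKLOADS = [
    workload("web1", "10.0.0.11", role="Web", **SCOPE),
    workload("web2", "10.0.0.12", role="Web", **SCOPE),
    workload("db1", "10.0.0.21", role="Database", **SCOPE),
    workload("db-dev", "10.0.9.21", role="Database", app="Ordering", env="Dev", loc="DC1"),
]
# Provider-centric rule: Database workloads provide 5432/tcp to Web workloads.
RULESET = [Rule(provider=scoped("Database"), consumer=scoped("Web"), port=5432)]

if __name__ == "__main__":
    for name, entries in compile_inbound(RULESET, WORKLOADS).items():
        print(name, entries)
```

The Dev database carries the Database role but not the Prod environment label, so it receives no allow entries from this rule.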



If you have any questions, please contact us at free-trial@illumio.com.
