Illumination Lesson

Visualizing your application environment and the inbound and outbound network traffic impacting your workloads.

Essential concepts

Before you begin this lesson, you need to understand the following concepts.

Workload: Illumio's generic term for anything with an operating system, such as a bare-metal server, VM, or container (e.g., a Docker container).

Workload policy states: The VEN supports multiple policy states to help with the policy creation process. Illumination shows these states and uses them to visualize traffic.

 

Lesson prerequisites

This lesson requires you to have the following data, access, and systems.

5 to 20 workloads: Workloads that are running and that you’ve paired with the PCE.

Labeled workloads: You have applied a basic labeling scheme to the workloads (though you can refine it using Illumination).

TIP: You won’t get the full benefit of mapping traffic unless your environment is generating network traffic between the workloads you pair.

Development or test applications: The workloads need to have running applications that are generating traffic data. A distributed application is recommended.

 


Instructions

About Illumination

Visibility into your application environment is an important step toward implementing micro-segmentation. It's important to understand what it is that you want to segment. Understanding the applications inside your environment, and also the workloads that comprise them, is critical.

The Illumio web console includes a visualization tool—the Illumination map—that you can use to reveal the granular details of application traffic flows between specific workloads, allowing you to discover interactions across applications and between the tiers within your applications.

 

Group discovery in Illumination

After you pair workloads, they appear in the Illumination map, which displays the inbound and outbound network traffic for your workloads. When you have fewer than 50 workloads paired with the PCE, you see them all in the Illumination map.

Based on how you label your workloads, the Illumination map forms logical groups.

 


 

Workloads with the same Application, Environment, and Location labels appear in the same group. Illumination organizes your groups by their Application label. Changing any of a workload’s labels moves the workload in the Illumination map and displays inter-group traffic flows.

 

Autoscaling Illumination map


 

NOTE: If you have paired more than 50 workloads, the Illumination map switches to displaying your workloads grouped by their Location labels. See the Illumio ASP Web Console User Guide for more information.

To see details about a group, click the group to zoom in. A command panel appears that displays valuable information about the group.

 


 

Traffic flows

The Illumination map uses a color-coded system to display whether traffic will be allowed or blocked between your workloads.

 


The traffic link colors are impacted by two key features in Illumio ASP: Workload policy states and the Draft and Reported views of the Illumination map.

 

Workload policy states

When you pair a workload with the PCE, you assign a policy state to the workload. The policy state determines how Illumio rules affect a workload's network communication. (NOTE: The default pairing profile adds workloads with the Build policy state.)

Idle

The VEN does not take control of the workload’s native OS firewall and no traffic is blocked in this state. When a workload is in the Idle policy state, it reports its traffic flows with green lines (allowed).

Build

The VEN does not take control of the workload’s native OS firewall and no traffic is blocked in this state. When a workload is in the Build policy state, it reports its traffic flows with green lines (allowed).

 

NOTE: The Idle and Build policy states are similar in the way they display traffic in the Illumination map. They differ in the way they collect traffic data from the VENs.

Test

The VEN does not take control of the workload’s native OS firewall and no traffic is blocked in this state. However, when you view your Illumination map using the Draft view, workloads in the Test policy state display red lines for traffic that would be blocked if the workload were in the Enforced policy state.

IMPORTANT: Traffic is reported as blocked traffic unless you’ve written an Illumio rule allowing the connection.

Enforced

The VEN takes control of the workload’s native OS firewall and blocks traffic unless you’ve written an Illumio rule allowing the connection.

IMPORTANT: Placing your workloads in the Enforced policy state is not available in this Free Trial.

Unmanaged

You have created the workload in the PCE by specifying its attributes, such as IP address, hostname, and OS. Unmanaged workloads aren’t paired with the PCE and don’t have the VEN installed on them. You can apply labels to unmanaged workloads so that managed workloads (with VENs installed) can communicate with unmanaged workloads.

Illumination map views 

The Illumination map provides two views of the policy data. These views show you what is happening and what will happen after provisioning pending changes from the PCE to the VENs.

Reported

Provides an accurate representation of what is allowed or blocked by the VENs. Use this view to verify your security changes; e.g., you added an Illumio rule allowing traffic or you changed a workload state to Enforced.

Draft

Provides a “what-if” analysis conducted by the PCE. This view is a modeling tool that depicts whether traffic flows known to the PCE will be allowed or blocked, based on the configured policy.

TIP: To switch between the two views, select the view from the top-right corner of the web console.
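
The group discovery and Draft-view behaviour described above, as an added Python model that is not Illumio code and does not use the PCE API. The workload inventory, flows, and rule tuples are constructed for illustration, the rule format is hypothetical, and keying the link colour on the destination workload's policy state is an assumption of this model; only the four managed policy states are modelled.

```python
from collections import defaultdict

# Constructed sample data (not from the lesson): workload -> labels and policy state.
WORKLOADS = {
    "web1": {"app": "shop", "env": "dev", "loc": "dc1", "state": "test"},
    "db1":  {"app": "shop", "env": "dev", "loc": "dc1", "state": "test"},
    "hr1":  {"app": "hr",   "env": "dev", "loc": "dc1", "state": "build"},
    "pay1": {"app": "pay",  "env": "dev", "loc": "dc1", "state": "enforced"},
}
# Hypothetical allow rules as (consumer app, provider app, port); not Illumio's rule format.
RULES = {("shop", "shop", 5432)}
# Constructed observed flows as (source, destination, port).
FLOWS = [("web1", "db1", 5432), ("hr1", "db1", 5432),
         ("web1", "hr1", 22), ("web1", "pay1", 443)]


def groups(workloads):
    """Group workloads that share Application, Environment and Location labels."""
    out = defaultdict(list)
    for name in sorted(workloads):
        w = workloads[name]
        out[(w["app"], w["env"], w["loc"])].append(name)
    return dict(out)


def draft_color(src, dst, port, workloads=WORKLOADS, rules=RULES):
    """Link colour in this model's Draft view, keyed on the destination's state (assumption)."""
    state = workloads[dst]["state"]
    if state in ("idle", "build"):
        return "green"  # the lesson: Idle and Build report flows as allowed
    allowed = (workloads[src]["app"], workloads[dst]["app"], port) in rules
    return "green" if allowed else "red"  # Test and Enforced: red unless a rule allows it


def missing_rules(flows=FLOWS):
    """Flows that show red in Draft view, i.e. that still need a rule before enforcement."""
    return [f for f in flows if draft_color(*f) == "red"]


if __name__ == "__main__":
    for key, members in groups(WORKLOADS).items():
        print(key, members)
    for flow in FLOWS:
        print(flow, draft_color(*flow))
    print("need rules:", missing_rules())
```

The list returned by `missing_rules()` is the practical output of a Draft-view review: each entry is a flow that needs either an allow rule or a decision that it should be blocked.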

 


Next Lesson: Policy Generator

You will learn about writing rules to ringfence one of your applications.


Questions?

If you have any questions, please contact us at free-trial@illumio.com.
