Free Trial: Labeling Workloads

Labeling Workloads Lesson

Describing the function of your workloads by creating and applying a natural language, metadata system.

Essential concepts

Before you begin the tutorial you need to understand the following concepts.

Rulesets and rules: The whitelist policies that use labels to generate customized port connections for each workload. Rules are collected into rulesets for versioning. Policies are pushed out to workloads with the matching labels by a process called provisioning.

Providers and consumers: The Illumio model is provider centric. You declare what ports on providers can be accessed by consumers.


Lesson prerequisites

This lesson requires you to have the following data, access, and systems.

Development or Test Applications: The hosts need to have a running application that is generating traffic data. A distributed application is recommended.

Managed workloads: Completion of the pairing lesson where you installed the VENs on workloads by pairing them with the PCE. 




Overview of labels

The Illumio security policy for securing workloads differs from traditional network security policies. Traditional security policies use network constructs, such as VLANs, zones, and IP addresses to tie security to the underlying network infrastructure.

In contrast, the Illumio security policy uses a multidimensional label system to sort and describe the function of workloads. In a general sense, labels abstract the IP addresses, ports, and processes of workloads and infrastructure into a set of easily understood “plain language” labels. In Illumio Core, labeling is a method of attaching metadata to workloads.

By describing workload functionally through labeling, policy statements are clear and unambiguous. Labeling workloads enables application-centric visibility, and a simplified, understandable, and adaptable model for creating policy. With labels, the application environment can be organized and visualized with more context, showing a view of applications and their components.


Labeling workloads

Role: The function of a workload; e.g., for a simple two-tier application consisting of a web server and a database server: Web and Database.

Application: The application that a workload supports; e.g., a multi-tier, distributed application that you want to manage; e.g., Application1234.

Environment: A workload's stage in the product development lifecycle; e.g., QA, staging, or production.

Location: A workload's physical location; e.g., Germany or Asia, Rack #3, or HQ.

Together, labeling workloads and creating the corresponding rulesets and rules define the security policies for the workloads in the organization. The PCE converts these label-based security policies into the appropriate rules for the OS-level firewalls of the workloads and calculates which of the workloads require the rules so that policy is only delivered where it is needed.


Develop a labeling schema

Getting your label design right is one of the most important things you can do for your Illumio deployment. In Core, labels are important for the visual representation of your environment and when writing and managing security policy.

The Role label is often the hardest label type to define, but it is the least crucial if the segmentation type used is micro-segmentation, also known as ringfencing.

The Application label is an important label and usually refers to the business service.

The Environment label is also important to ensure environmental separation.

The Location label importance depends on your business application structure.

When creating and applying labels to workloads, we recommend you follow these guidelines.

Common roles

Think of workloads in your environments that play the same common role regardless of the application location or environment they belong to; e.g., web, application, database, or load balancer. Create Role labels for all these common workload types.

Important applications

List your most important applications and create Application labels for each. Organize workloads that are part of the application into logical tiers; e.g., web, application, and database tier for an ERP or HRM application. Apply common Role labels to each workload in the tier; e.g., “web” for web-tier workloads.

Data center core services

Make a list of infrastructure services, such as domain controllers, DHCP, authentication, Microsoft Active Directory, FTP, and monitoring services such as Zabbix or SIEM. Create labels for each core service.

Key environments

Create labels for common environments first; e.g., production, development, staging, and testing. Create labels for other environments second; e.g., PCI, data replication, and disaster recovery.

Location or virtual designators

Create Location labels that are simple to understand by mimicking your infrastructure location names; e.g., physical location (Rack‐5‐slot2 and New‐York) or virtual location (AWS, Azure, and Rackspace).

Use a combination of Location and Environment labels to avoid confusion; e.g., instead of Location labels “Domain‐A‐East” and “Domain‐A‐West,” use the Environment label “Domain‐A” and the Location labels “East” and “West.”


Identify your workloads

Answering these basic questions will help you label your workloads.




Where is this workload?

It is at  HQ.  


Is it a production, development, or other workload?

It is in the  Dev environment.


What is the business this workload provides to the company?

It stores orders for the  Ordering system.


What specific part of the business does this workload do? What is its tier? Does its name contain its role?

It stores orders. It is a  DB .


Create and apply labels to workloads

1. From the left navigation menu, select Workloads.

2. Use the checkboxes to select the workloads to label or re-label them.

3. Click Edit Labels on the page tool bar.




4. Pick a label type to assign.

5. Type to select an existing label or to create a new one.



Select workloads

6. Click OK. Labels will appear in the workload table.




7. Repeat for all workloads.
TIP: Multiselect workloads to change the labels for multiple workloads at once.




Once your workloads are labeled, you can write rules using the labels you have applied to them. You will learn all about applying security policy to workloads in one of the next lessons.

Next Lesson: Illumination

You will learn about visualizing your application environment and the traffic impacting your workloads.

Start lesson


Any questions, please contact us at