The Illumio Adaptive Security Platform® (ASP) delivers real-time application dependency mapping and micro-segmentation to prevent the spread of breaches inside your data centers and cloud environments.

Illumio ASP provides real-time visibility into the connectivity between workloads across heterogeneous compute environments, generates optimal micro-segmentation policies based on how workloads communicate, and programs the native stateful enforcement points in each host to enforce applicable firewall rules.


Illumio ASP Architecture


Core Components


You have several options for deploying the Policy Compute Engine (PCE):

  • Illumio ASP Cloud: Illumio hosts and manages the PCE in a multi-tenant SaaS infrastructure.
  • Illumio ASP On Premises:
    • PCE Virtual Appliance: Deployed as a virtual appliance in your data center or private cloud.
    • PCE Software: Deployed as software on the servers in your data center or private cloud.

PCE Supercluster enables centralized visibility and policy management for globally distributed environments at massive enterprise scale—environments with more than 25,000 managed workloads. PCE Supercluster supports a single administrative and visibility domain that spans multiple independent PCE regions.


A Virtual Enforcement Node (VEN) is installed in discrete operating system instances for which an organization wants complete visibility and enforcement. It can run on a bare-metal server, in a virtual machine, within a containerized host, and on public cloud instances.


A VEN is not an enforcement point. It collects telemetry from the workload, such as the operating system type, interface IP addresses, running processes, and the IP addresses with which the workload communicates, and transmits this information to the PCE. The PCE uses the information received from VENs to create a live visibility map of communication. This insight is used to build micro-segmentation policy. The PCE turns that policy into stateful firewall rules and transmits them to the VEN, which then programs the native, host-based stateful firewalls within each workload. A VEN can program the following:

  • Layer 3/Layer 4 firewalls in the host operating system (Windows Filtering Platform, iptables for Linux, and IPFilter for AIX/Solaris)
  • Access control lists (ACLs) in load balancers (F5) and switches (Arista), containerized hosts, and cloud security groups (AWS, Azure, GCP)


The Illumio ASP policy model does not use network constructs like VLANs, zones, subnets, and IP addresses to tie security to the underlying network. Instead, you assign labels to workloads in four dimensions: Role, Application, Environment, and Location.

  • A workload can be a bare-metal server, a virtual machine, a container, or a process running on a host.
  • Labeling is not based on IP addresses or subnets.
  • Labels can come from configuration management databases (CMDBs), IP address management (IPAM) tools, orchestration tools, and through workflows built into the Illumio ASP. 


Policies can be written manually or by using Policy Generator, which simplifies policy creation by recommending the optimal micro-segmentation policies for applications based on historical traffic. Policy Generator accelerates security workflows to reduce the risk of human error when creating micro-segmentation policies. Illumio ASP's real-time application dependency map, Illumination, allows you to model policies before going into enforcement.


Policies can be modeled in the following ways:

  • Build mode: Superimposes a proposed policy against the collected traffic flows.
  • Test mode: Enables you to test and evaluate policy against existing traffic flows without enforcement—effectively turning each workload into a sensor that detects policy violations. In test mode, you receive alerts for any deviations from policy. These deviations may represent production traffic not previously viewed or unauthorized attempts to connect to workloads.
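
The label model and test mode described above, sketched as an added example (not Illumio's code, rule syntax, or API): a simplified allow-list whose rules select workloads by Role/Application/Environment/Location labels, evaluated against constructed flow records without blocking anything. The `Rule` class, `audit_flows`, the host names, and the label values are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:                      # hypothetical rule shape, not a vendor format
    consumer: dict               # labels the source workload must carry
    provider: dict               # labels the destination workload must carry
    port: int
    proto: str

def carries(labels, selector):
    """True when a workload's labels satisfy every dimension in the selector."""
    return all(labels.get(dim) == val for dim, val in selector.items())

def audit_flows(flows, workloads, rules):
    """Return (flow, reason) for each observed flow that no allow rule covers.
    Nothing is blocked; deviations are only reported, as in a test pass."""
    findings = []
    for flow in flows:
        src, dst = workloads.get(flow["src"]), workloads.get(flow["dst"])
        if src is None or dst is None:   # endpoint has no labels at all
            findings.append((flow, "unlabeled workload"))
            continue
        allowed = any(
            carries(src, r.consumer) and carries(dst, r.provider)
            and (r.port, r.proto) == (flow["port"], flow["proto"])
            for r in rules
        )
        if not allowed:
            findings.append((flow, "no allow rule"))
    return findings

# Constructed inventory: workloads are keyed by name and labels, never by IP.
WORKLOADS = {
    "web-1":     {"role": "web", "app": "ordering", "env": "prod", "loc": "us-east"},
    "web-dev-1": {"role": "web", "app": "ordering", "env": "dev",  "loc": "us-east"},
    "db-1":      {"role": "db",  "app": "ordering", "env": "prod", "loc": "us-east"},
}
RULES = [Rule({"role": "web", "app": "ordering", "env": "prod"},
              {"role": "db", "app": "ordering", "env": "prod"}, 5432, "tcp")]
FLOWS = [  # constructed flow records
    {"src": "web-1",     "dst": "db-1", "port": 5432, "proto": "tcp"},
    {"src": "web-dev-1", "dst": "db-1", "port": 5432, "proto": "tcp"},
    {"src": "web-1",     "dst": "db-1", "port": 22,   "proto": "tcp"},
    {"src": "unknown-7", "dst": "db-1", "port": 5432, "proto": "tcp"},
]

if __name__ == "__main__":
    for flow, reason in audit_flows(FLOWS, WORKLOADS, RULES):
        print(f'{flow["src"]} -> {flow["dst"]}:{flow["port"]}/{flow["proto"]}: {reason}')
```

The rule omits the Location dimension, so it applies to matching workloads in any location; a workload that changes IP address or subnet stays covered because only its labels are evaluated.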


You can choose to interact with the PCE using the Illumio UI or via well-documented REST APIs. The Illumio ASP REST API allows you to interact with Illumio ASP from any application that can send an HTTPS request. All API access to the PCE is conducted through HTTPS and accessed through the same URL that is used to log in to the PCE web console. REST APIs enable you to automate key IT operations and IT security workflows.