Architecture Overview

Illumio Core delivers real-time application dependency mapping and micro-segmentation to stop lateral movement inside data centers and cloud environments.

Illumio Core (formerly known as the Adaptive Security Platform) provides visibility into the connectivity between workloads across heterogeneous compute environments, generates optimal segmentation policies based on how workloads communicate, and programs the native stateful enforcement points in each host to enforce applicable firewall rules.

This all starts with a different approach to segmentation – at an architectural level. Illumio decouples segmentation from network infrastructure. This foundation eliminates the limitations and challenges of network-based segmentation.

Illumio Core Architecture (diagram)

Core Components

Flexible Policy Compute Engine Deployment Model

You have several options for deploying the Policy Compute Engine (PCE):

  • Illumio Core Cloud: Illumio hosts and manages the PCE in a multi-tenant SaaS infrastructure.
  • Illumio Core On Premises:
    • PCE Virtual Appliance: Deployed as a virtual appliance in your data center or private cloud.
    • PCE Software: Deployed as software on the servers in your data center or private cloud.

PCE Supercluster enables centralized visibility and policy management for globally distributed environments at massive enterprise scale, meaning environments with more than 25,000 managed workloads. PCE Supercluster supports a single administrative and visibility domain that spans multiple independent PCE regions.

Virtual Enforcement Nodes Everywhere

A Virtual Enforcement Node (VEN) is installed in discrete operating system instances for which an organization wants complete visibility and enforcement. It can run on a bare-metal server, in a virtual machine, within a containerized host, and on public cloud instances.

A VEN is not itself an enforcement point. It collects telemetry from the workload, such as the operating system type, interface IP addresses, running processes, and the IP addresses the workload is talking to, and transmits this information to the PCE. The PCE receives information from the VEN and builds a live visibility map of communication. This insight is used to build the segmentation policy. The PCE turns that policy into stateful firewall rules and transmits them to the VEN, which then programs the native, host-based stateful firewall within each workload. Enforcement is programmed at the following points:

  • A VEN programs the Layer 3 and 4 firewall in the host operating system (Windows Filtering Platform, iptables on Linux, and IPFilter on AIX/Solaris); Kubernetes and OpenShift hosts are supported as well.
  • The PCE can also program Access Control Lists (ACLs) in load balancers (F5 and AVI) and switches (Cisco and Arista).

Multi-Dimensional Labeling

The Illumio Core policy model does not use network constructs like VLANs, zones, subnets, and IP addresses to tie security to the underlying network. Instead, you assign labels to workloads along four dimensions: Role, Application, Environment, and Location.

  • A workload can be a bare-metal server, a virtual machine, a container, or a process running on a host.
  • Labeling is not based on IP addresses or subnets.
  • Labels can come from configuration management databases (CMDBs), IP address management (IPAM) tools, orchestration tools, and through workflows built into the Illumio Core.

Simplified Policy Development and Modeling

Policies can be written manually or by using Policy Generator, which simplifies policy creation by recommending the optimal segmentation policies for applications based on historical traffic. Policy Generator accelerates security workflows to reduce the risk of human error when creating segmentation policies. Illumio Core's real-time application dependency map, Illumination, allows you to model policies before going into enforcement.

Policies can be modeled in the following ways:

  • Build mode: Superimposes a proposed policy against the collected traffic flows.
  • Test mode: Enables you to test and evaluate policy against existing traffic flows without enforcement, effectively turning each workload into a sensor that detects policy violations. In test mode, you receive alerts for any deviations from policy. These deviations may represent production traffic not previously observed, or unauthorized attempts to connect to workloads.
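The label-based policy model and test mode described above can be illustrated in a small simulation. The following Python is an added example, not Illumio code and not the PCE's actual rule format: it assumes a hypothetical inventory of workloads carrying Role, Application, Environment and Location labels, rules written purely in label terms, and a constructed set of observed flows. Evaluating the flows against the policy without enforcing it reports every flow that no rule permits, which is what test mode surfaces as a deviation. Re-addressing a workload afterwards shows that the policy needs no change because it never references an IP.

```python
"""Label-based segmentation policy evaluated in "test mode" (added illustration).

Workloads carry four labels (role, app, env, loc). Rules select consumers and
providers by label, never by IP. Observed flows are checked against the policy
without enforcing it; each flow that matches no rule is reported as a deviation.
Names, labels, addresses and flows below are constructed sample data.
"""
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, List, Tuple

Labels = Dict[str, str]  # dimension -> value, e.g. {"role": "web", "env": "prod"}


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str          # used only to resolve observed flows; the policy never names it
    role: str
    app: str
    env: str
    loc: str

    @property
    def labels(self) -> Labels:
        return {"role": self.role, "app": self.app, "env": self.env, "loc": self.loc}


@dataclass
class Rule:
    """Allow consumer -> provider on the listed (proto, port) pairs."""
    consumer: Labels                       # label constraints; {} means any consumer
    provider: Labels
    ports: FrozenSet[Tuple[str, int]]


def selected(labels: Labels, selector: Labels) -> bool:
    """A selector matches when every dimension it names has that value; unnamed dimensions are wildcards."""
    return all(labels.get(dim) == val for dim, val in selector.items())


class Policy:
    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def permits(self, consumer: Labels, provider: Labels, proto: str, port: int) -> bool:
        return any(selected(consumer, r.consumer) and selected(provider, r.provider)
                   and (proto, port) in r.ports for r in self.rules)


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int


def evaluate_in_test_mode(policy: Policy, workloads: List[Workload], flows: List[Flow]):
    """Report flows the policy would block, without blocking anything."""
    by_ip = {w.ip: w for w in workloads}
    deviations = []
    for f in flows:
        provider = by_ip.get(f.dst_ip)
        if provider is None:
            continue  # no managed workload at the destination, so nothing was observed there
        src = by_ip.get(f.src_ip)
        consumer = src.labels if src else {}  # an unmanaged source carries no labels
        if not policy.permits(consumer, provider.labels, f.proto, f.dst_port):
            who = src.name if src else f.src_ip
            deviations.append((f, f"{who} -> {provider.name}:{f.proto}/{f.dst_port} matches no rule"))
    return deviations


# Constructed sample inventory, policy and observed flows (hypothetical values).
WORKLOADS = [
    Workload("web1", "10.0.1.10", "web", "crm", "prod", "us-east"),
    Workload("db1", "10.0.2.20", "db", "crm", "prod", "us-east"),
    Workload("web-dev", "10.0.9.5", "web", "crm", "dev", "us-east"),
]
POLICY = Policy([
    Rule(consumer={"role": "web", "app": "crm", "env": "prod"},
         provider={"role": "db", "app": "crm", "env": "prod"},
         ports=frozenset({("tcp", 5432)})),
    Rule(consumer={}, provider={"role": "web", "app": "crm", "env": "prod"},
         ports=frozenset({("tcp", 443)})),
])
FLOWS = [
    Flow("10.0.1.10", "10.0.2.20", "tcp", 5432),   # prod web -> prod db: expected
    Flow("10.0.9.5", "10.0.2.20", "tcp", 5432),    # dev web -> prod db: deviation
    Flow("203.0.113.7", "10.0.1.10", "tcp", 443),  # unmanaged client -> prod web: allowed
    Flow("10.0.1.10", "10.0.2.20", "tcp", 22),     # ssh web -> db: deviation
]


def deviations_for(workloads=WORKLOADS, flows=FLOWS):
    return evaluate_in_test_mode(POLICY, workloads, flows)


def readdress(workloads: List[Workload], name: str, new_ip: str) -> List[Workload]:
    """Move a workload to a new IP; the policy is untouched because it names labels, not addresses."""
    return [replace(w, ip=new_ip) if w.name == name else w for w in workloads]


if __name__ == "__main__":
    for flow, why in deviations_for():
        print("DEVIATION", flow, why)
    moved = readdress(WORKLOADS, "db1", "10.0.2.99")
    print(deviations_for(moved, [Flow("10.0.1.10", "10.0.2.99", "tcp", 5432)]))  # []
```

Two of the four constructed flows are reported: the dev web server reaching the prod database (environment label mismatch) and SSH from web to database (port not in any rule). The internet client reaching the prod web tier is allowed by the any-consumer rule even though the source is unmanaged. After `readdress` moves the database to a new address, the same web-to-database flow is still permitted with no rule edits, which is the point of labeling workloads rather than subnets.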

Rich REST APIs and UI

You can choose to interact with the PCE using the Illumio UI or via well-documented REST APIs. The Illumio Core REST API allows you to interact with Illumio Core from any application that can send an HTTPS request. All API access to the PCE is over HTTPS, at the same URL that is used to log in to the PCE web console. REST APIs enable you to automate key IT operations and IT security workflows.

October 16 2019

“We did a security audit due to HIPAA. When we saw how much was involved in setting up traditional firewalls between our applications/servers...we discovered micro-segmentation. Illumio was by far the best choice.”

- Sr. Network Administrator

