Illumio ASP significantly simplifies the process of defining and enforcing security policy while improving control and delivering consistent, up-to-date protection of applications running on bare-metal, virtualized platforms, containerized workloads, or behind network devices on premises or deployed in the cloud.


Illumio ASP architecture diagram



The Illumio ASP patented architecture is built to scale, adapt to changes in real time, and protect applications with centralized policy and coordinated enforcement of adaptive segmentation policy in the workload, network, and through cloud security controls. The Illumio platform is comprised of the following components:



Policy Compute Engine (PCE)

The PCE is the central point of visibility and policy that is deployed on premises or available as a SaaS service hosted by Illumio.

The PCE continually collects and aggregates workload context (IP addresses, services, ports, traffic flows) from all VENs across application environments and uses it to build and display the live Illumination application map.

The PCE translates declarative, natural language policy into instructions used to program pre-existing firewalls on the workloads, Access Control Lists (ACLs) in data center switches, or cloud security groups in cloud services for enforcement­­­ – eliminating the need for administrators to use network constructs such as IP addresses or VLANs in the creation of adaptive segmentation policy.

The PCE adapts to changes across the application environment by updating the Illumination view and automatically recalculating policy to ensure consistent and continuous protection.


Virtual Enforcement Node (VEN)

The VEN is a lightweight agent deployed in a workload (a.k.a. operating system) or on a networking device. The operating system (e.g., Linux, Windows, Solaris, AIX) could be running on bare-metal servers, virtual machines on any hypervisor, or container platforms in a private data center or any public cloud.

The VEN is in continuous contact with the Illumio PCE to provide up-to-date workload context across the application environment.

The VEN receives up-to-date instructions from the PCE to program the pre-existing local firewall on the workloads (iptables, Windows Filtering Platform or IPFilter), or ACLs in data center switches to enforce the adaptive segmentation policy at every enforcement point in or across private data centers or the cloud.


Labels & Policy Model

Illumio's unique approach to labeling workloads enables application-centric visibility and a simplified, understandable, and adaptable model for policy.




Labels allow for classification of workloads in four dimensions using Role, Application, Environment, and Location.

With labels, the application environment can now be organized and visualized with more context showing a view of applications and their components.

Labels become the foundation of policy for a model that is both simple to define and adaptable to changes while eliminating dependencies on the infrastructure.



Policy Generator automatically recommends the security policy, helping security teams quickly determine the optimal policy for the environment and enforce protection within minutes, accelerating security workflows and reducing the risk of human errors.

Illumio ASP creates security policies using declarative, natural language – without network constructs, such as VLANs, zones, and IP addresses – for a model that is easy to create and easy for all security, infrastructure, or application teams to understand.

Create once and enforce everywhere with policy that automatically adapts to changes in the application environment.