The Illumio Adaptive Security Platform® (ASP) delivers traffic visibility, vulnerability exposure insights, and micro-segmentation policy enforcement across any bare-metal, virtualized, and containerized workloads running in your existing data center and cloud environments.

Illumio ASP significantly simplifies the process of defining and enforcing micro-segmentation policies and continuously adapts those policies as applications are deployed and scaled and software vulnerabilities are discovered.


Illumio ASP architecture diagram



The Illumio ASP architecture is built to visualize how workloads communicate with one another (including whether they are communicating over a vulnerable port), to write natural language enforcement policies, and to adapt to changes in real time. Illumio ASP also ingests context from hosts, vulnerability management tools, and other sources of information (CMDBs, orchestration, IPAM) to provide better context to its visibility and to help teams make micro-segmentation decisions.

Administrators can write natural language policies through a centralized Policy Compute Engine (PCE), which instruments enforcement through the native stateful firewalls that exist in your hosts. The ASP then augments that enforcement by:

  • Turning your load balancers into a point of visibility and a point of enforcement.
  • Allowing you to program your switches for those devices that don’t have host-based enforcement.
  • Making the ACLs in your cloud security groups manageable.

Illumio ASP is comprised of the following components:



Policy Compute Engine (PCE)

The PCE is the “brain” that enables visibility and policy creation and distribution. The PCE can be deployed on premises or as a service hosted by Illumio.

The PCE collects workload context (IP addresses, services, open ports, and flow starts) from all VENs and uses it to build and display a live application dependency map called Illumination®. Illumination can be enriched with vulnerability data to create vulnerability maps that illustrate how exposed vulnerabilities are within a data center and cloud.

Security teams and application teams use intuitive workflows built into Illumination to write natural language security policy. For instance: "I want web tier workloads in my HR application to be able to connect to processing tier workloads in the same application."

The PCE then translates those natural language policies into instructions used to program the native stateful firewalls that exist inside of your workloads. The PCE can augment host-based firewalls with Access Control Lists (ACLs) in load balancers, existing data center switches, and cloud security groups. Natural language security policies eliminate the need for administrators to use network constructs such as IP addresses or VLANs in the creation of adaptive micro-segmentation policy.

When vulnerability data is included, organizations can create compensating controls for unpatched vulnerabilities through micro-segmentation. ASP will dynamically tune policies to reduce the exposure of vulnerabilities without breaking applications.  

The PCE adapts to application changes such as auto-scaling, new software vulnerabilities, adding interfaces to applications, and new versions of applications by updating the Illumination view and automatically recalculating security policies to ensure consistent and continuous protection.


PCE Supercluster

Large enterprises with hundreds of thousands of workloads running across globally distributed data centers and clouds want to execute Zero Trust security throughout the entire organization but struggle to do so. Using a combination of SDN, data center firewalls, and networking technologies for micro-segmentation executed at scale is complex to deploy and operate. It also requires an expensive re-architecture of the network backbone and additional organizational overheads.

With PCE Supercluster, Illumio ASP offers visibility and micro-segmentation at scale from a centralized control plane – which no other solution can deliver. PCE Supercluster allows organizations to federate and centrally manage policies while enabling on-site PCEs to manage workloads locally. Compared to a single PCE, a Supercluster provides multiple independent PCE failure domains and support for a greater number of workloads – more than 25,000 managed workloads and thousands more unmanaged workloads that are communicating with the managed workloads.

The PCE Supercluster architecture consists of a leader PCE and member PCEs. The leader PCE manages the global policies and syncs/distributes policy changes to member PCEs. Each member PCE calculates the firewall rules for all the VENs that are paired with that PCE.



Virtual Enforcement Node (VEN)

The VEN is a lightweight agent deployed in a workload (a.k.a. operating system). The operating system (e.g., Linux, Windows, Solaris, AIX) could be running on bare-metal servers, virtual machines within any hypervisor, or workloads running containers in a private data center or any public cloud.

The VEN synchronizes with the PCE, providing workload context, which includes interface information, services running, and the ports, protocols, and IP addresses used for inbound and outbound communication.

This context allows the PCE to build the live application dependency map. The PCE combines natural language security policies with the context provided by the VEN to compute Layer-3/Layer-4 security policies for every host. 

The VEN receives security policies from the PCE. However, the VEN is not an enforcement point; instead, it activates the native stateful firewalls that exist in all of your workloads (Linux iptables, the Windows Filtering Platform, and IPFilter in AIX and Solaris).

The VEN and PCE allow organizations to gain visibility and enforcement without any infrastructure upgrades or changes – enabling organizations to achieve uniform enforcement across data center and cloud environments.


Labels & Policy Model

Rather than writing policies based on IP addresses, Illumio allows organizations to write natural language security policies enabled by labeling workloads. Labels give context to the live application dependency map. Instead of looking at IP addresses and lines, labels allow organizations to understand which applications, environments, and roles traffic comes from.


Labels with Workloads


Labels allow for classification of workloads in four dimensions:

  • Role – such as web, database, domain controller
  • Application – such as ordering, point of sale, CRM
  • Environment – such as development, production, PCI
  • Location – the data center or cloud provider that the workload resides in

Labels become the foundation of policy for a model that is both simple to define and adaptable to changes while eliminating dependencies on the infrastructure.

Labels can come from CMDBs, IP address management (IPAM) tools, orchestration tools, and through workflows built into the Illumio API. If the label data is wrong, the PCE has workflows built into it that help an organization to rapidly reconcile incorrect labels. 



Policies can be written manually or by using Policy Generator, which automatically recommends optimal policies and helps teams accelerate security workflows and reduce the risk of human errors.

Illumination allows organizations to model policies by workload, application, or environment before going into enforcement. Policy can be modeled in two states:

  • Build – overlays a proposed policy against collected traffic flows.
  • Test – writes policies down to each workload. A flow that does not conform to policy indicates a rule needs to be created. Test mode allows organizations to react to any violations without fear of breaking their applications.
Policy with Workload
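
A simplified model of the label-to-rule computation described under the PCE and Labels sections, and of the Build-state overlay of policy on collected flows, as an added example (not Illumio's code or API). Workload names, IP addresses, port 8443 and all function names are constructed for illustration.

```python
from typing import NamedTuple

class Workload(NamedTuple):
    name: str
    ip: str
    role: str
    app: str
    env: str
    loc: str

class Rule(NamedTuple):
    consumer: dict  # label selector for sources
    provider: dict  # label selector for destinations
    proto: str
    port: int

# Constructed sample data; names, addresses and ports are assumptions.
WORKLOADS = [
    Workload("web1", "10.0.1.10", "web", "HR", "prod", "dc1"),
    Workload("proc1", "10.0.2.20", "processing", "HR", "prod", "dc1"),
    Workload("db1", "10.0.3.30", "database", "HR", "prod", "dc1"),
    Workload("crm-web1", "10.0.1.50", "web", "CRM", "prod", "dc1"),
]
# "Web tier workloads in HR may connect to processing tier workloads in HR."
RULES = [Rule({"role": "web", "app": "HR"},
              {"role": "processing", "app": "HR"}, "tcp", 8443)]
FLOWS = [  # observed (src_ip, dst_ip, proto, port)
    ("10.0.1.10", "10.0.2.20", "tcp", 8443),
    ("10.0.1.50", "10.0.2.20", "tcp", 8443),
    ("10.0.1.10", "10.0.3.30", "tcp", 5432),
]

def matches(w, selector):
    return all(getattr(w, key) == value for key, value in selector.items())

def compile_host_rules(workloads, rules):
    """Expand label rules into per-host inbound allow sets of (src_ip, proto, port)."""
    table = {w.name: set() for w in workloads}
    for rule in rules:
        for dst in (w for w in workloads if matches(w, rule.provider)):
            for src in (w for w in workloads if matches(w, rule.consumer)):
                if src != dst:
                    table[dst.name].add((src.ip, rule.proto, rule.port))
    return table

def nonconforming(flows, workloads, table):
    """Overlay policy on observed flows; return those no allow entry covers."""
    name_by_ip = {w.ip: w.name for w in workloads}
    return [f for f in flows
            if (f[0], f[2], f[3]) not in table.get(name_by_ip.get(f[1]), set())]
```

Recompiling after appending a second workload labeled web/HR widens `proc1`'s allow set without any change to the rule text, which is the adaptation to auto-scaling that the label model is meant to provide.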