Policy Optimization
This feature lets you define your security control preferences at the tenant level.
For Azure NSGs, you can choose to apply rules at the NIC-level, subnet-level, or both.
For AWS environments, you can choose between configuring Security Groups (SGs), Network Access Control Lists (NACLs), or both. The choice determines which controls Illumio Cloud writes rules to and which it cleans up. For example, if you switch from programming rules at both the subnet and NIC levels (NACLs and SGs) to only the NIC level (SGs), Illumio Cloud removes all the rules it wrote to the NACLs. The Security Group rules remain intact and continue to be updated whenever the policy or the inventory resources change. Conversely, if you switch from an SG-only configuration to both NIC- and subnet-level controls, the NACLs are reprogrammed with Illumio Cloud-written rules that reflect the current policy.
An error is displayed if the CSP's per-resource rule limits would be exceeded by the new policy. In such cases, Illumio Cloud does not apply the updated policy, and the last enforced policy remains active on the affected controls.
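The following Python model, added here as an illustration and not Illumio Cloud's own code, shows the two behaviours described above in one place: switching the enforcement point removes the rules written to the control that is no longer selected while the selected control keeps tracking the policy, and a policy that would push any target control over its rule quota is rejected so the previously programmed state stays in force. The quota values, the resource IDs and the compiled rule sets are assumptions made for the example; check the real limits against your AWS Service Quotas or Azure subscription limits.

```python
"""Illustrative model (not Illumio Cloud code) of what an enforcement-point
change does to the rules written on each control, plus the rule-limit check
that decides whether an updated policy is applied or the last enforced policy
is kept. Quota values and resource IDs are assumptions for the example."""
from collections import Counter
from dataclasses import dataclass

# Assumed default per-resource quotas, counted per direction. Verify against
# AWS Service Quotas / Azure subscription limits; they can be raised on request.
DEFAULT_LIMITS = {"sg": 60, "nacl": 20, "nic_nsg": 1000, "subnet_nsg": 1000}

# Which control types each setting programs. A control type that is not
# listed for the chosen setting has its platform-written rules removed.
ENFORCEMENT_POINTS = {
    "aws": {"both": ("sg", "nacl"), "sg_only": ("sg",), "nacl_only": ("nacl",)},
    "azure": {"both": ("nic_nsg", "subnet_nsg"),
              "nic_only": ("nic_nsg",), "subnet_only": ("subnet_nsg",)},
}


@dataclass(frozen=True)
class Rule:
    direction: str  # "in" or "out"
    proto: str
    port: int
    cidr: str


@dataclass
class Result:
    applied: bool
    errors: list        # (kind, resource_id, direction, rule_count) per violation
    programmed: dict    # kind -> {resource_id: set of Rule}


def over_limit(desired, targets, limits):
    """Return one tuple per control that would exceed its quota in either
    direction; an empty list means the compiled policy fits everywhere."""
    problems = []
    for kind in targets:
        for res_id, rules in desired.get(kind, {}).items():
            per_direction = Counter(r.direction for r in rules)
            for direction, count in per_direction.items():
                if count > limits[kind]:
                    problems.append((kind, res_id, direction, count))
    return problems


def apply_policy(csp, mode, programmed, desired, limits=DEFAULT_LIMITS):
    """programmed: rules currently written per control; desired: what the new
    policy compiles to per control. Returns the new programmed state, or the
    old state untouched if any selected control would exceed its quota."""
    targets = ENFORCEMENT_POINTS[csp][mode]
    problems = over_limit(desired, targets, limits)
    if problems:
        return Result(False, problems, programmed)  # last enforced policy stays
    new_state = {}
    for kind in ENFORCEMENT_POINTS[csp]["both"]:
        if kind in targets:
            new_state[kind] = {r: set(rules) for r, rules in desired.get(kind, {}).items()}
        else:
            new_state[kind] = {}  # deselected control: written rules are removed
    return Result(True, [], new_state)


# Constructed sample: a policy allowing TCP/443 from two CIDRs, compiled to one
# SG ("sg-web") and one NACL ("acl-web"); both names are made up for the demo.
WEB = {Rule("in", "tcp", 443, "10.0.0.0/8"), Rule("in", "tcp", 443, "192.168.0.0/16")}
DESIRED = {"sg": {"sg-web": set(WEB)}, "nacl": {"acl-web": set(WEB)}}


def demo():
    both = apply_policy("aws", "both", {"sg": {}, "nacl": {}}, DESIRED)
    sg_only = apply_policy("aws", "sg_only", both.programmed, DESIRED)   # NACL rules removed
    back = apply_policy("aws", "both", sg_only.programmed, DESIRED)      # NACLs reprogrammed
    # 25 inbound rules on a single NACL exceed the assumed quota of 20.
    too_many = {"nacl": {"acl-big": {Rule("in", "tcp", 443, f"10.{i}.0.0/16") for i in range(25)}}}
    rejected = apply_policy("aws", "nacl_only", back.programmed, too_many)
    return both, sg_only, back, rejected


if __name__ == "__main__":
    for step in demo():
        print(step.applied, step.errors, {k: len(v) for k, v in step.programmed.items()})
```

The quota check runs per direction because AWS counts inbound and outbound rules against separate limits; if you adapt this to your own pre-flight tooling, feed `over_limit` the rule counts you read back from the CSP rather than the compiled policy alone, since rules written by other tools on the same SG or NACL also consume the quota.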
Set your Enforcement Points
To set your preferences for enforcement points, browse to Settings > Policy Optimization in the left-hand navigation panel. As each cloud environment can vary, this feature lets you choose a setting that covers your cloud environments best.
Click Edit to set your enforcement points to one of the settings described below. When you select a setting for a given CSP, explanatory text appears next to that selection. If you choose the default value, a message says that it is the recommended setting. If you choose a non-default value, a different message warns that traffic flows may be affected until your changes take effect.
Azure
Both Subnet and NIC NSGs (default)
Only Subnet NSGs
Only NIC NSGs
AWS
Both NACLs and SGs
Only Network Access Control List (NACLs)
Only Security Groups (default)
Click Save when you are done. This exits the editing mode, with only the current values displayed.