Policy preferences
Learn about setting your policy preferences. This feature lets you define your security control preferences at the tenant level. The default for Azure is to have both Subnet and NIC Network Security Groups (NSGs) selected. The default value for AWS is to have Security Groups (SGs) selected.
For Azure NSGs, you can choose to apply rules at the NIC-level, subnet-level, or Azure Firewall-level (beta-only).
Note
Illumio Segmentation for the Cloud does not support Classic Azure Firewall.
For AWS environments, you can choose between configuring Security Groups, Network Access Control Lists (NACLs), or both. For example, if you switch from programming rules at both the Subnet and NIC levels (i.e., NACLs and SGs) to the NIC level only (SGs), Illumio Segmentation for the Cloud removes all the rules it wrote to the NACLs. The Security Group rules, however, remain intact and continue to be updated whenever the policy or inventory resources change. Conversely, if you switch from a NIC-only configuration to both NIC- and subnet-level security controls, the NACLs are reprogrammed with rules written by Illumio Segmentation for the Cloud to reflect the current policy.
An error is displayed if the rule limits are exceeded. In such cases, Illumio Segmentation for the Cloud does not apply the updated policy, and the last enforced policy remains active.
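The switch and rule-limit behaviour described above, as a constructed model added here (not Illumio's code); the per-control-point rule caps and the preference names are assumptions for illustration only:

```python
"""Constructed model of switching AWS enforcement points and of the
all-or-nothing rule-limit check described on this page (not Illumio's code)."""
from dataclasses import dataclass, field

SG, NACL = "SG", "NACL"
# Assumed preference names mapping to the control points they select.
PREFERENCES = {"sg": {SG}, "nacl": {NACL}, "both": {SG, NACL}}
# Illustrative rule caps per control point (assumption; check your CSP quotas).
RULE_LIMITS = {SG: 60, NACL: 20}


@dataclass
class TenantState:
    enforcement: set                                  # currently selected control points
    programmed: dict = field(default_factory=dict)    # control point -> rules written there
    last_enforced: list = field(default_factory=list) # policy last applied successfully


def plan_switch(old: set, new: set) -> dict:
    """Deselected control points are wiped; selected ones are (re)programmed."""
    return {"clear": old - new, "program": new}


def apply_policy(state: TenantState, policy: list) -> str:
    """All-or-nothing: if any selected control point would exceed its cap,
    report an error and leave the last enforced policy in place."""
    for cp in state.enforcement:
        if len(policy) > RULE_LIMITS[cp]:
            return f"error: {len(policy)} rules exceed {cp} limit of {RULE_LIMITS[cp]}; last policy kept"
    for cp in state.enforcement:
        state.programmed[cp] = list(policy)
    state.last_enforced = list(policy)
    return "ok"


def switch_preference(state: TenantState, new_pref: str, policy: list) -> str:
    """Change the enforcement preference, clear written rules from deselected
    control points, then reprogram the selected ones with the current policy."""
    plan = plan_switch(state.enforcement, PREFERENCES[new_pref])
    for cp in plan["clear"]:
        state.programmed.pop(cp, None)   # Illumio-written rules removed from that point
    state.enforcement = set(plan["program"])
    return apply_policy(state, policy)
```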
Set your enforcement points
To set your preferences for enforcement points, browse to Settings > Policy Preferences in the left-hand navigation panel. As each cloud environment can vary, this feature lets you choose a setting that covers your cloud environments best.
Click Edit to set your enforcement points to any of the settings described below. When you select a setting for a given CSP, explanatory text appears next to that selection. If you choose a default value, a message indicates that those are the recommended settings. If you choose a non-default value, a different message warns that traffic flows may be affected until your changes take effect.
Azure
All Azure Enforcement Points
NIC NSGs
Subnet NSGs
AWS
Both NACLs and SGs
Security Groups
Network Access Control List (NACLs)
Click Save when you are done. This exits the editing mode, with only the current values displayed.
For information on policies, see Policy Model, Writing Application Policy, Writing Organization Policy, and Writing Azure Firewall Policy.