Cloud Tag to Label Mapping
Learn about the purpose of the Illumio Segmentation for the Cloud cloud tag to label mapping feature, and see a general example of how you would use it. To learn about viewing system-created labels with the Category Labels and Service Role Labels tabs, see View System Labels.
Important
Cloud tags are required to use this feature. For instructions on how to use the cloud tag to label mapping interface, see the pop-up notes in the Cloud UI.
Use Case and Example
If you have a tagging strategy in your cloud environment, this feature lets you associate more than application and environment labels with your resources. You can use this feature to associate additional labels with your resources too, allowing for more granularity when writing policies. You can create up to 20 such mappings.
Note that tag to label mapping can map labels to resources that are not part of an application. In this way, application approval is not required to complete the tag to label mapping process. Unlike the application approval process, the tag to label mapping process occurs immediately, without the need for approval.
For example, if you have cloud tags such as Risk, Cost Center, Compliance, and so forth, you can map those cloud tags to Illumio labels. Once you map these additional tags to Illumio labels, you will be able to associate these labels with resources in Illumio. In this example, if you have resources that have the cloud tag Risk, those resources will be associated with the Illumio Risk label. The following diagram illustrates how you could use this feature:

In the diagram, cloud tag keys (Risk, Threat, and RiskStatus) are mapped to the Illumio label type Risk. This mapping enables different values of cloud tag keys to automatically map to the value of the Illumio label key. The following instructions simplify the process steps by focusing on mapping the cloud tag key Risk to the Illumio label Risk.
The first part of the sequence is to create one or more tag to label mappings, such as the following mapping:
Cloud tag key Risk mapped to Illumio Label Risk
For example, if your resource has a cloud tag like Risk:Critical, you would map it to corresponding Illumio labels by specifying the tag key in the tag to label mapping. If you created a mapping using the tag key Risk, the resource would have the Illumio label Risk:Critical.
You can also map multiple cloud tag keys to one Illumio label type, such as mapping cloud tag keys Compliance, Regulations, or Guidelines to the Illumio label type Compliance. Note that the relationship between cloud tags and label types is that you can have multiple mappings using the same cloud tag keys, but there can be only one mapping for each label type. Defining the mapping from a cloud tag key to an Illumio label type automatically assigns the corresponding cloud tag values to Illumio label values. These Illumio labels can then be associated with resources in Illumio.
The following example supposes that you have an application that you wish to define using resources that you have associated with tag to label mappings.
Any cloud tags that were mapped to Illumio labels for the desired resources will then be notionally associated with any applications or deployments using those resources. Note that although the labels are notionally associated with an application possessing those resources in order to provide context, such labels are not in fact functionally associated with the application. These mapped labels are functionally associated with the resources only.
Assume the label Application: Payment has the following deployments: env:dev/staging/prod. If any resources within the Payment application are mapped to the label Risk:Critical, the Illumio “Risk” label will be notionally associated to the application. The Tag to Label Mapping page will show the Illumio label type and the labels to which you have mapped your CSP cloud tag keys.
Then, you could write granular policies using specific labels, such as the Illumio “Risk” label. Note that those policies will reference only the resources in question, and not the notionally associated application itself.
Cloud tags are required for this degree of granularity. Without cloud tag to label mapping, you can still write policies, but those policies would be coarser with broad Illumio labels such as app or environment.
Note
Illumio recognizes GCP labels under Illumio cloud tags. This means that when you use the tag to label mapping feature for GCP, cloud tags appear in the dropdown menu with the relevant prefix that indicates it is a GCP tag or label. For example, cloud tags for GCP may have values like label/gcp-key:gcp-value.
Illumio supports GCP resource manager tags and labels at this time. Because GCP label values are optional, you may occasionally see empty tag values.
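The mapping rules described above (several cloud tag keys per label type, one mapping per label type, at most 20 mappings, possibly empty GCP values) can be checked against a tag inventory before you write policy on the resulting labels. The following is an added example, not Illumio code and not an Illumio API; the resource names, tag values, the label/risk key, and the choice to flag conflicting values rather than pick one are assumptions.

```python
# Conceptual model of the mapping rules on this page; calls no Illumio API.
# All resource names, tag values and the "label/risk" key are constructed.
MAX_MAPPINGS = 20  # page: you can create up to 20 mappings

def validate(mappings):
    """mappings: list of (label_type, [cloud tag keys]); returns a list of problems."""
    problems = []
    if len(mappings) > MAX_MAPPINGS:
        problems.append(f"{len(mappings)} mappings exceeds the limit of {MAX_MAPPINGS}")
    seen = set()
    for label_type, _keys in mappings:
        if label_type in seen:  # page: only one mapping for each label type
            problems.append(f"label type {label_type!r} has more than one mapping")
        seen.add(label_type)
    return problems

def preview(mappings, resources):
    """Return ({resource: {label_type: value}}, findings to review)."""
    labels, findings = {}, []
    for name, tags in resources.items():
        labels[name] = {}
        for label_type, keys in mappings:
            values = {tags[k] for k in keys if k in tags}
            if not values:
                continue  # resource carries none of the mapped tag keys
            if len(values) > 1:
                # Assumption: the page states no precedence rule, so flag it.
                findings.append(f"{name}: conflicting values for {label_type}: {sorted(values)}")
                continue
            value = values.pop()
            if value == "":  # page: GCP label values are optional
                findings.append(f"{name}: empty value for {label_type}")
            labels[name][label_type] = value
    return labels, findings

# Constructed sample data
MAPPINGS = [
    ("Risk", ["Risk", "Threat", "RiskStatus", "label/risk"]),
    ("Compliance", ["Compliance", "Regulations", "Guidelines"]),
]
RESOURCES = {
    "vm-payments-1": {"Risk": "Critical", "Regulations": "PCI"},
    "vm-payments-2": {"Threat": "High", "RiskStatus": "Low"},
    "gcp-bucket-1": {"label/risk": ""},
    "vm-untagged": {"Owner": "team-a"},
}

if __name__ == "__main__":
    print(validate(MAPPINGS))
    print(preview(MAPPINGS, RESOURCES))
```

Resources that end up with no mapped label, such as vm-untagged here, are the ones a policy written against the Risk label would not reference.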