
Grant flow log access to your CSPs

Learn how to allow Illumio Segmentation for the Cloud access to your AWS and Azure cloud account flow logs.

Note

Granting OCI flow log access is different from granting flow log access to other CSPs. See Grant OCI flow log access.

To set up flow logs before you grant flow log access, see Set up Flow Logs.

To review your destinations before granting flow log access, see Review destinations before granting flow log access.

Grant flow log prerequisites

Review the prerequisites for your CSP. See Prerequisites for granting flow log access to your CSPs.

Grant AWS and Azure flow log access in Illumio Segmentation for the Cloud

Granting access to flow logs is done using the onboarding page. For AWS you can enable SG flow logs, and for Azure you can enable Azure Firewall, NSG, and VNET flow logs. For a digest of instructions on how to enable flow log access in Illumio Segmentation for the Cloud, see the in-application help.

First review your flow log access to determine whether you see the flow logs that you expect. See Review destinations before granting flow log access.

AWS:

[Animated walkthrough: granting AWS flow log access in Illumio Segmentation for the Cloud]

Azure:

For best results, Illumio recommends viewing videos in Chrome.

Steps for granting Azure and AWS flow log access
  1. Click Flow Log Access on the Onboarding page to open the Flow Log Access page.

  2. Find the account name you want.

  3. Grant access by first selecting individual or grouped accounts.

    1. If you wish to grant access to flow log destinations within this account or incoming from external accounts, confirm that the flow log destinations you want are selected.

    2. Click Grant Access and use the above prerequisite information in the Grant Access... dialog box, as explained in the in-application help.

Note

If you wish to grant access to external flow log destinations, use this set of steps instead.

  1. Click the Outgoing to external destinations tile.

  2. Browse to Onboarding > Flow Log Access and find the account that contains the destination resource.

  3. Click Grant Access and use the above prerequisite information in the Grant Access... dialog box, as explained in the in-application help.

Grant GCP flow log access in Illumio Segmentation for the Cloud

Granting access to flow logs is done using the onboarding page. For GCP you can enable VPC and Firewall flow logs.

For a digest of instructions on how to enable flow log access in Illumio Segmentation for the Cloud, see the in-application help. First review your flow log access to determine whether you see the flow logs that you expect. See Review destinations before granting flow log access.

For best results, Illumio recommends viewing videos in Chrome.

When you execute the script, Illumio Segmentation for the Cloud enables the following permissions:

  • Project level permissions:

    • pubsub.subscriptions.consume

    • pubsub.subscriptions.create

    • pubsub.subscriptions.delete

  • Topic level permissions:

    • pubsub.topics.attachSubscription

    • Read access to the topic paths for your topics

When granting flow log access, Illumio Segmentation for the Cloud creates two roles with the following bindings and permissions:

  • Role: IllumioFlowAccessRole

    • Binding: topic level permission: pubsub.topics.attachSubscription

  • Role: IllumioPubSubAccessRole

    • Binding: project level permissions: pubsub.subscriptions.consume, pubsub.subscriptions.create, pubsub.subscriptions.delete
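The two roles above are the only permissions the flow log integration should hold in your GCP project, so after running the grant they are worth auditing against this list. The script below is an added example, not Illumio's own code: it compares each role's included permissions with the documented set and checks that IllumioFlowAccessRole is bound only at topic level and IllumioPubSubAccessRole only at project level. The JSON samples are constructed in the shape returned by `gcloud iam roles describe --format=json`, `gcloud projects get-iam-policy --format=json` and `gcloud pubsub topics get-iam-policy --format=json`; the project, topic and service account names are placeholders.

```python
"""Audit the custom GCP roles and IAM bindings created for Illumio flow log access.

Added example, not Illumio's own code. All JSON below is constructed sample
data; 'example-project', 'flow-logs-topic' and the service account are placeholders.
"""
import json

# Permissions the documentation lists for each role.
EXPECTED_ROLE_PERMISSIONS = {
    "IllumioPubSubAccessRole": {
        "pubsub.subscriptions.consume",
        "pubsub.subscriptions.create",
        "pubsub.subscriptions.delete",
    },
    "IllumioFlowAccessRole": {
        "pubsub.topics.attachSubscription",
    },
}

# Scope at which each role is documented to be bound.
EXPECTED_BINDING_SCOPE = {
    "IllumioPubSubAccessRole": "project",
    "IllumioFlowAccessRole": "topic",
}

# Constructed sample: IllumioFlowAccessRole has picked up an extra permission.
SAMPLE_ROLES_JSON = """[
  {"name": "projects/example-project/roles/IllumioPubSubAccessRole",
   "includedPermissions": ["pubsub.subscriptions.consume",
                           "pubsub.subscriptions.create",
                           "pubsub.subscriptions.delete"]},
  {"name": "projects/example-project/roles/IllumioFlowAccessRole",
   "includedPermissions": ["pubsub.topics.attachSubscription",
                           "pubsub.topics.delete"]}
]"""

# Constructed sample: the topic-level role has also been bound at project level.
SAMPLE_PROJECT_POLICY_JSON = """{"bindings": [
  {"role": "projects/example-project/roles/IllumioPubSubAccessRole",
   "members": ["serviceAccount:illumio-sa@example-project.iam.gserviceaccount.com"]},
  {"role": "projects/example-project/roles/IllumioFlowAccessRole",
   "members": ["serviceAccount:illumio-sa@example-project.iam.gserviceaccount.com"]}
]}"""

SAMPLE_TOPIC_POLICY_JSON = """{"bindings": [
  {"role": "projects/example-project/roles/IllumioFlowAccessRole",
   "members": ["serviceAccount:illumio-sa@example-project.iam.gserviceaccount.com"]}
]}"""


def load_samples():
    """Parse the constructed samples: (roles, project_policy, {topic: policy})."""
    return (json.loads(SAMPLE_ROLES_JSON),
            json.loads(SAMPLE_PROJECT_POLICY_JSON),
            {"flow-logs-topic": json.loads(SAMPLE_TOPIC_POLICY_JSON)})


def short_role_name(full_name):
    """'projects/p/roles/X' -> 'X'."""
    return full_name.rsplit("/", 1)[-1]


def audit_role_permissions(roles):
    """Compare each Illumio role against the documented permission set.

    Returns {role: {"missing": set, "extra": set}}. "extra" is the
    least-privilege finding; "missing" means flow log reading will fail.
    """
    findings = {}
    for role in roles:
        name = short_role_name(role["name"])
        if name not in EXPECTED_ROLE_PERMISSIONS:
            continue  # unrelated custom role
        actual = set(role.get("includedPermissions", []))
        expected = EXPECTED_ROLE_PERMISSIONS[name]
        findings[name] = {"missing": expected - actual, "extra": actual - expected}
    return findings


def audit_binding_scope(project_policy, topic_policies):
    """Return sorted (role, scope) pairs where an Illumio role is bound at the wrong scope."""
    bad = set()
    for binding in project_policy.get("bindings", []):
        name = short_role_name(binding["role"])
        if EXPECTED_BINDING_SCOPE.get(name) == "topic":
            bad.add((name, "project"))
    for topic, policy in topic_policies.items():
        for binding in policy.get("bindings", []):
            name = short_role_name(binding["role"])
            if EXPECTED_BINDING_SCOPE.get(name) == "project":
                bad.add((name, "topic:" + topic))
    return sorted(bad)


def is_least_privilege(roles, project_policy, topic_policies):
    """True when no role carries extra permissions and no binding is over-scoped."""
    no_extra = all(not f["extra"] for f in audit_role_permissions(roles).values())
    return no_extra and not audit_binding_scope(project_policy, topic_policies)


if __name__ == "__main__":
    roles, project_policy, topics = load_samples()
    for role, f in audit_role_permissions(roles).items():
        print(role, "missing:", sorted(f["missing"]), "extra:", sorted(f["extra"]))
    print("over-scoped bindings:", audit_binding_scope(project_policy, topics))
    print("least privilege:", is_least_privilege(roles, project_policy, topics))
```

Against the constructed samples the audit flags `pubsub.topics.delete` as an extra permission on IllumioFlowAccessRole and reports that role as bound at project level, so `is_least_privilege` returns False. To run it against a real project, replace the sample strings with the output of the three gcloud commands named in the lead-in.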

Use the following steps to grant GCP flow log access:

  1. Click Flow Log Access on the Onboarding page to open the Flow Log Access page.

  2. Find the account name you want.

  3. Grant access by first selecting individual or grouped accounts.

    1. If you wish to grant access to flow log destinations within this account or incoming from external accounts, confirm that the flow log destinations you want are selected.

    2. Click Grant Access and use the above prerequisite information in the Grant Access... dialog box, as explained in the in-application help.

Note

If you wish to grant access to external flow log destinations, use this set of steps instead.

  1. Click the Outgoing to external destinations tile.

  2. Browse to Onboarding > Flow Log Access and find the account that contains the destination resource.

  3. Click Grant Access and use the above prerequisite information in the Grant Access... dialog box, as explained in the in-application help.

Limitations for granting flow log access

To get traffic flow visibility in the Illumio Segmentation for the Cloud Map and Traffic pages, you need to provide access to flow logs. Once the flow logs are configured in the cloud console, the flow details will be displayed in the flow log access page of Illumio Segmentation for the Cloud. By granting access to flow logs, you will allow Illumio Segmentation for the Cloud to read the flows and provide details about network traffic in the traffic page.

Note

To grant access to flow logs stored in a different account than the one you onboarded, you must also onboard the account containing those flow logs. See Onboarding AWS Cloud, Onboarding Azure, and Onboarding OCI.

For example, you may have central log storage or cross-account storage, where flow logs generated in one account are stored in a destination belonging to another account.

In this case, you must onboard the account with the destinations first, and then onboard the account with flow logs. Otherwise, Illumio Segmentation for the Cloud does not properly map the flow logs. This may prevent you from granting access to the flow logs despite enabling them.

For example, first onboard the account with the storage account that contains the flow logs (such as "account A1"). Then onboard the accounts that are sending flow logs to the storage accounts in "account A1."

Note

Regarding AWS flow log access: once you select your S3 buckets and Illumio generates a CloudFormation template, the template is available to download or run for only 15 minutes. After 15 minutes, you have to restart the grant flow log access process to generate the template again.

Note

The following are known limitations of the flow log reading capability of Illumio Segmentation for the Cloud:

  • In AWS, Illumio Segmentation for the Cloud supports reading flow logs that are stored in S3 buckets only. Currently, other storage destinations are not supported.

  • For both AWS and Azure, if the VPC/NSG flow logs from one account are configured to be stored in S3/storage accounts in another account, then the destination account should be onboarded into Illumio Segmentation for the Cloud. If the account that owns the S3 bucket is not onboarded, Illumio Segmentation for the Cloud will not be able to fetch the flow logs of that S3 bucket.
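The cross-account requirement in the note above and in the last bullet can be checked before onboarding rather than discovered afterwards. The script below is an added example, not Illumio's own code: given an inventory of which account owns the S3 bucket or storage account each account's flow logs are delivered to, it computes an onboarding order in which every destination-owning account comes before its senders (the "account A1 first" rule), and lists the accounts whose flow logs cannot be fetched because the destination owner is not onboarded. The account names and the inventory are constructed.

```python
"""Onboarding-order and reachability check for cross-account flow log storage.

Added example, not Illumio's own code. The inventory below is constructed:
each account maps to the account that owns its flow log destination
(None means the logs stay in the sending account).
"""

FLOW_LOG_DESTINATION_OWNER = {
    "A1": None,   # central log storage account, owns the buckets
    "A2": "A1",
    "A3": "A1",
    "A4": "A5",   # A5 is not in the inventory, so it must still be onboarded
    "A6": None,
}


def onboarding_order(destination_owner):
    """Return account names ordered so that every destination-owning account
    precedes the accounts that send flow logs to it (a topological order).

    Owners that appear only as a destination are included too, because they
    must be onboarded for the senders' flow logs to be mapped.
    """
    order, done = [], set()

    def visit(acct, stack):
        if acct in done:
            return
        if acct in stack:
            raise ValueError("circular flow log destinations: " + " -> ".join(stack + [acct]))
        owner = destination_owner.get(acct)
        if owner is not None:
            visit(owner, stack + [acct])  # onboard the destination owner first
        done.add(acct)
        order.append(acct)

    for acct in sorted(destination_owner):
        visit(acct, [])
    return order


def unreachable_flow_logs(destination_owner, onboarded):
    """Accounts whose flow logs cannot be fetched because the account owning
    their destination is not onboarded. Returns sorted (sender, owner) pairs."""
    return sorted((acct, owner) for acct, owner in destination_owner.items()
                  if owner is not None and owner not in onboarded)


if __name__ == "__main__":
    print("onboard in this order:", onboarding_order(FLOW_LOG_DESTINATION_OWNER))
    currently_onboarded = {"A1", "A2", "A3", "A4", "A6"}
    print("flow logs not fetchable:",
          unreachable_flow_logs(FLOW_LOG_DESTINATION_OWNER, currently_onboarded))
```

With the constructed inventory the order puts A1 before A2 and A3, and inserts A5 before A4 even though A5 was never listed as a sender; the reachability check reports A4 as the account whose flow logs will not be fetched until A5 is onboarded.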