Policy enforcement and resource types

Illumio Segmentation for the Cloud supports writing policy for the following types of resources. Note that policy enforcement is done through Security Groups on AWS and through Network Security Groups on Azure. For a list of all resource types that appear in the Inventory page, and additional details such as flow support, map support, and attached resources, see Illumio visibility for resource types.

AWS

| Category | Resource Type |
| --- | --- |
| Compute | EC2 Instance |
| Containers | EKS Cluster |
| Databases | ElastiCache CacheCluster |
| Databases | MemoryDB Cluster |
| Databases | RDS DB Cluster |
| Databases | RDS DB Instance |
| Data Warehouse | Redshift Cluster |
| Network Routing | ElasticLoadBalancingV2 Load Balancer |
| Serverless | Lambda Function |

Azure

| Category | Resource Type |
| --- | --- |
| Compute | Virtual Machine (inclusive of "spot" VM) |
| Databases | CosmosDB |
| Databases | DocumentDB Database Account |
| Databases | DBforPostgreSQL Flexible Server |
| Databases | DBforPostgreSQL Server |
| Databases | SQL Managed Instance |
| Databases | SQL Server (Microsoft.Sql/servers) |
| Network Management | Private Link Service: The following resources are attached to a subnet via a private link service (see note below table): Load Balancer |
| Network Routing | Load Balancer |
| Network Routing | Private Endpoint: The following resources are attached to a subnet via a private endpoint (see note below table): App Service (Web App, Function App); DocumentDB/MongoDB Cluster; DocumentDB/Database Account; Cosmos DB; SQL Managed Instance; SQL Server (Microsoft.Sql/servers); Storage Account; Key Vault |
| Network Security | Azure Firewall |

Note

Illumio Segmentation for the Cloud does not support Classic Azure Firewall.

GCP

| Category | Resource Type |
| --- | --- |
| Compute | Cloud SQL Instance. See note at bottom of page. |
| Container | GKE Cluster |
| Database | SQL Instance. See note at bottom of page. |

OCI

By participating in the BETA program for OCI features you agree that your company’s use of the BETA version of OCI features will be governed by Illumio’s Beta Terms and Conditions.

| Category | Resource Type |
| --- | --- |
| Compute | Instance. See note at bottom of page. |

AWS ENI Considerations

Azure, OCI, and GCP Considerations

Note

Illumio Segmentation for the Cloud applies policies for the different resources listed under Private Endpoints and Private Link Services by applying rules to the NSG on the subnet that hosts them.

Note

Azure PaaS databases must have private endpoint connectivity for Illumio Segmentation for the Cloud to enforce policies on private endpoint NSGs.

Note

Illumio enforces policies on OCI instances only if they have NSGs attached.