Illumio visibility for resource types
This page lists the resource types that Illumio Segmentation for the Cloud supports for metadata searches and for displaying in inventory once you onboard your Cloud Service Provider (CSP) accounts. In addition to appearing on the Inventory page, these resource types also appear on the Map and the Traffic pages. Policies can be written for a subset of these resources. See Policy Enforcement and Resource Types.
Illumio Segmentation for the Cloud supports the AWS, Azure, and OCI cloud resource types listed below along with the attached resources that appear in the Inventory resource details panel. A resource type is defined as the instances of the object types that Illumio Segmentation for the Cloud retrieves from the CSP SDKs or APIs. These attached resource types provide you an overview of the cloud infrastructure and help you visualize the resource types on the Map. Resource types not listed below are not supported.
Resource types come from the CSP (e.g., a resource type could be AWS::EC2::VPC is a VPC in the EC2 category. Illumio also defines resource categories (e.g., VPCs are placed under the Network Management category as seen in the AWS table below). A resource type can be defined as all the types that build up to a resource.
Note that some resource types that don't come directly from the CSP also appear on the Inventory page.
Illumio Segmentation for the Cloud's support for network traffic flows is tied to resource types, because categories such as "database" can include many different types of resources. Keep in mind that although traffic may appear on the Traffic page, not all flows are "decorated." Decoration means that flows are labeled with resource type details. For example, traffic between IPs such as 1.1.1.1 and 2.2.2.2 may be shown, but if Illumio hasn't associated those IPs with specific resource types, the flow appears undecorated. When Illumio does recognize and label the source and destination IPs with their resource types, it might show something like: 1.1.1.1 (vm1) → 2.2.2.2 (db1). See the image.
Decorated (top) vs. undecorated (bottom) flows
For AWS, Illumio Segmentation for the Cloud supports network traffic flows visibility to all supported resource types within the boundary of a VPC, if VPC flow logging is enabled and onboarded in Cloud. However this support is subject to the limitations of the CSP. See the Amazon Virtual Private Cloud Flow Log Limitations link below for information.
Illumio Segmentation for the Cloud's policy feature supports AWS resource types that have Security Group and NACL attachments. The Amazon AWS Security Documentation link below details whether Security Group and NACL enforcement is available for each resource type in the resource type page, under the infrastructure security section.
For Azure, Illumio Segmentation for the Cloud provides visibility into network traffic flows for supported resource types that have NSG attachments with NSG flow logs enabled, or when the resource types are within a VNET boundary with VNET flow logs enabled. Some limitations regarding NSG and VNET flow logs apply, as detailed in the Microsoft Azure Network Watcher Virtual Flow Logs and NSG Flow Logs below.
Illumio Segmentation for the Cloud policy supports all resource types in Azure with NSG attachments. For details, see the Microsoft Azure Security Baseline link.
AWS
Resource Types by Category | Resource Type Relationships (Attached resource types on Details Page) | Flow Support | Display on Map | Display in Inventory |
|---|---|---|---|---|
Compute | ||||
EC2 Instance | ENI, Subnet, VPC, Security Group (SG), Elastic IP, Elastic Block Storage (EBS) Volume, Target Group, Load Balancer, Route Table, EKS Node Group, EKS Cluster | Yes | Yes, on Subnet level | Yes |
EKS Cluster | Subnet, VPC, EKS Node Group, EKS Addon, EKS Fargate Profile, Security Group, ENI | Yes | Yes, on VPC level | Yes |
Databases | ||||
RDS DB Cluster | ENI, Subnet, VPC, SG, KMS Key | Yes | Yes, on VPC level | Yes |
ElastiCache CacheCluster | ENI, Subnet, VPC, Security Group, KMS Key | Yes | Yes | Yes |
MemoryDB Cluster | ENI, Subnet, VPC, Security Group, KMS Key | Yes | Yes | Yes |
RDS DB Instance | ENI, Subnet, VPC, SG, KMS Key | Yes | Yes on RDS DB Cluster level | Yes |
Network Routing | ||||
ElasticLoadBalancingV2 Load Balancer | ENI, Subnet, VPC, SG, Target Group | Yes | Yes | Yes |
NAT Gateway | Route Table, Elastic IP, ENI, VPC, Subnet | Yes | Yes | Yes |
Serverless | ||||
Lambda Function | Subnet, VPC, SG, Key Management Services (KMS) key, ENI | Yes, see the note at the bottom of this page | Yes, on VPC level | Yes |
Azure
Resource Types by Category | Resource Type Relationships (Attached resource types on Details Page) | Flow Support | Display on Map | Display in Inventory |
|---|---|---|---|---|
Compute | ||||
Virtual Machine | NIC, NSG , Subnet, VNet, VM ScaleSet | Yes | Yes, on Subnet level | Yes |
VirtualMachineScaleSet Virtual Machine | VM, VM ScaleSet VM | Yes | Yes, on VM ScaleSet level | Yes |
AKS Cluster | Network Public IP, Agent Pool, Private Link Service, Agent Pool Machine, Virtual machine Scale Set, Virtual Machine Scale Set Virtual Machine, Network Interface, Loadbalancer, Subnet, Virtual network, Route table, NSG, NSG Flow Log, Storage Account | Yes | Yes | Yes |
Databases | ||||
DBforPostgreSQL Flexible Server | Private Endpoint, NIC, Subnet, VNet, NSG, DBforPostgreSQL Flexible Server Database | Both NSG and VNET flows for Private Endpoint Configuration. See the note at the bottom of this page. | Yes | Yes |
DBforPostgreSQL Server | Private Endpoint, NIC, Subnet, VNet, NSG, DBforPostgreSQL Server Database | Both NSG and VNET flows for Private Endpoint Configuration. See the note at the bottom of this page. | Yes | Yes |
DBforPostgreSQL ServerGroup V2 | DBforPostgreSQL ServerGroup V2 Server | Both NSG and VNET flows for Private Endpoint Configuration. See the note at the bottom of this page. | Yes | Yes |
DocumentDB Database Account | Private Endpoint, NIC, Subnet, VNet, NSG, SQL Database, DocumentDB Table, Document DB Gremlin Database, DocumentDB Cassandra Keyspace, DocumentDB Mongo Database | Both NSG and VNET flows for Private Endpoint Configuration. See the note at the bottom of this page. | Yes | Yes |
DocumentDB Mongo Cluster | Private Endpoint, NIC, Subnet, VNet, NSG, DocumentDB Database Account | Both NSG and VNET flows for Private Endpoint Configuration. See the note at the bottom of this page. | Yes | Yes |
Redis Cache | VNet, Subnet, Private Endpoint | Both NSG and VNET flows for Private Endpoint Configuration. See the note at the bottom of this page. | Yes | Yes |
SQL Managed Instance | SQL Managed Instance Private Endpoint Connection, Subnet, Private Endpoint, VNET, NIC, NSG | Yes | Yes | Yes |
SQL Server | Private Endpoint, NIC, Subnet, VNet, NSG, SQL Server Database | Both NSG and VNET flows for Private Endpoint Configuration. See the note at the bottom of this page. | Yes | Yes |
Network Security | ||||
Azure Firewall | Azure Firewall Policy, Diagnostic Settings, Subnet, Network Public IP | Yes | Yes, on VNET level | Yes |
Security Infrastructure | ||||
Key Vault | Key Vault Private Endpoint Connection, Subnet, Private Endpoint, VNET, NIC, NSG | Both NSG and VNET flows for Private Endpoint Configuration. See the note at the bottom of this page. | Yes | Yes |
App Service (Web App, Function App) | Function App Function, App Service Private Endpoint Connection, Subnet, Private Endpoint, VNET, NIC, NSG | Both NSG and VNET flows for Private Endpoint Configuration. See the note at the bottom of this page. | Yes | Yes |
Storage | ||||
Storage Account | Private Endpoint, NIC, Subnet, VNet, NSG | Both NSG and VNET flows for Private Endpoint Configuration. See the note at the bottom of this page. | Yes | Yes |
GCP
Resource Types by Category | Resource Type Relationships (Attached resource types on Details Page) | Flow Support | Display on Map | Display in Inventory |
|---|---|---|---|---|
Compute | ||||
Instance | Network, Subnetwork, Instance Template, Instance Group Manager, Instance Group, Autoscaler, Disk, Routes, Target Pool, Cluster, Node Pool | Yes | Yes | Yes |
Containers | ||||
Cluster | Network, Subnetwork, Node Pool, Instance group, Instance | Yes | Yes | Yes |
Network Management | ||||
Subnetwork | Network, Instance, Disk, Instance Template, Instance Group, Cluster, Node Pool, Address, Network Attachment, Network Endpoint Group, Router | Yes | Yes | Yes |
OCI
Resource Types by Category | Resource Type Relationships (Attached resource types on Details Page) | Flow Support | Display on Map | Display in Inventory |
|---|---|---|---|---|
Compute | ||||
Compute Instance | VNIC, VNIC Attachment, Subnet, VCN | Yes | Yes on Subnet level | Yes |
Database | ||||
Autonomous Database | Subnet, NSG, VCN, Database Tools Connection, Private Endpoint, VNIC | Yes, for private IPs | Yes, on Subnet level | Yes |
Notes about resource type visibility
Note
If an ENI is associated with a single Lambda function, the flow logs will clearly identify the corresponding Lambda. However, due to the design of AWS Lambda architecture, complete flow visibility may not be achievable in Illumio Segmentation for the Cloud under the following conditions:
Multiple ENIs that share the same subnet and VPC security group are associated with a single Lambda function
Multiple Lambda functions that share the same subnet and VPC security group are associated with a single ENI
Multiple ENIs associated with different Lambda functions that share the same subnet and VPC security group
Note
Although they will appear, EKS Clusters/Nodegroups and S3 buckets will not have flows. Only AWS EC2 instances, AWS RDS DBClusters, AWS RDS DBInstances, and Azure VMs will have flows.
Note
Azure PaaS offerings in the Data, Database, Storage, Serverless, and Security Infrastructure categories log both NSG and VNET traffic only when a private endpoint is configured. Traffic to private endpoints can only be captured at the source VM. See Microsoft Q&A documentation.
The traffic is recorded with source IP address of the VM and destination IP address of the private endpoint. Illumio Segmentation for the Cloud cannot record traffic at the private endpoint itself due to platform limitations. See the Microsoft Azure documentation: NSG Flow Logs Overview - Azure Network Watcher
Note
Azure network IP configurations are no longer a visibility-supported resource type. However, they appear in the Microsoft network interface Inventory details tab. It may take time for existing IP configuration resources to stop displaying, so they may temporarily display as resources.
Note
For GCP, Illumio supports egress from a virtual machine's NIC to the load balancer's proxy infrastructure, which is captured in the VPC flow logs.