Manage Enforcement Boundaries
The topics in this section explain how to set up and manage Enforcement Boundaries in your data center.
Prerequisites and Limitations
Prerequisites
VENs must be installed on the workloads (must be “managed”); Enforcement Boundaries are not supported for NEN-controlled or other unmanaged workloads.
The VEN must be at release 21.2.0 or later.
Workloads must be in the Selective Enforcement state for Enforcement Boundaries to apply to them.
Limitations for Virtual Services
Enforcement Boundaries do not apply to virtual services directly, because virtual services are enforced at the workload level. A boundary therefore affects the workloads that make up a virtual service rather than the virtual service itself.
FQDN-based Rules and Enforcement Boundaries
In Illumio Core, the PCE doesn't prevent you from creating IP lists containing FQDNs. In the PCE, you can create a rule for a destination and an IP list. For example, you create the following IP list and rule in the PCE:
IP list 1:
10.2.1.0/24
*.dev.illumio.com
Rule 1:
Destination: IP list 1; Service: 80 TCP; Scope: Environment: Production
Result: Workloads in the Production environment will allow 80/tcp traffic outbound to both 10.2.1.0/24 and *.dev.illumio.com (whatever IP addresses the FQDNs matching the pattern resolve to).
FQDN-based rules are not fully supported in Enforcement Boundaries. The PCE doesn't prevent you from adding FQDNs to an IP list impacted by an Enforcement Boundary. You can use the IP list in an Enforcement Boundary. However, the PCE drops the FQDN component when an Enforcement Boundary results in an outbound deny rule to an IP list with FQDNs, and the PCE writes a policy error to its log file.
Based on the example above, the Enforcement Boundary only denies traffic not previously allowed by the rule to 10.2.1.0/24, and not to FQDNs matching the *.dev.illumio.com pattern. Instead, the PCE generates the error message “partial policy delivered.”
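A small Python model of the behavior described above, added here as an illustration (it is not Illumio's code): the policy structures, the label names and the helpers `is_blocked` and `boundary_policy_errors` are assumptions for this example, and FQDN destinations are matched by name rather than by resolved address.

```python
import fnmatch
import ipaddress

# Constructed sample policy modelled on the page's example. The tuple layout
# is an assumption for this illustration, not the PCE's data model.
IP_LISTS = {"IP list 1": ["10.2.1.0/24", "*.dev.illumio.com"]}
# Allow rules: (source Environment label, destination IP list, port, proto)
RULES = [("Production", "IP list 1", 80, "tcp")]
# Enforcement Boundaries: same layout; port "all" means every port
BOUNDARIES = [("Production", "IP list 1", "all", "tcp")]


def split_entries(ip_list_name):
    """Separate CIDR entries from FQDN patterns in an IP list."""
    cidrs, fqdns = [], []
    for entry in IP_LISTS[ip_list_name]:
        try:
            cidrs.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            fqdns.append(entry)
    return cidrs, fqdns


def matches_dest(dest, ip_list_name, include_fqdns):
    """True if dest (an IP or a hostname) is covered by the IP list."""
    cidrs, fqdns = split_entries(ip_list_name)
    try:
        addr = ipaddress.ip_address(dest)
        return any(addr in net for net in cidrs)
    except ValueError:
        return include_fqdns and any(fnmatch.fnmatch(dest, p) for p in fqdns)


def service_matches(port, proto, pol_port, pol_proto):
    return proto == pol_proto and pol_port in ("all", port)


def boundary_policy_errors():
    """Boundaries that deny to an IP list containing FQDNs: the PCE drops the
    FQDN component and logs 'partial policy delivered'."""
    return [f"partial policy delivered: {env} -> {lst} drops {split_entries(lst)[1]}"
            for env, lst, _p, _pr in BOUNDARIES if split_entries(lst)[1]]


def is_blocked(env, dest, port, proto):
    """A matching rule allows outbound traffic; otherwise a matching boundary
    blocks it, but only for CIDR destinations (FQDN component is dropped).
    Traffic matching neither passes, as in Selective Enforcement."""
    for r_env, r_list, r_port, r_proto in RULES:
        if r_env == env and service_matches(port, proto, r_port, r_proto) \
                and matches_dest(dest, r_list, True):
            return False
    for b_env, b_list, b_port, b_proto in BOUNDARIES:
        if b_env == env and service_matches(port, proto, b_port, b_proto) \
                and matches_dest(dest, b_list, False):
            return True
    return False
```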
Workflow for Deploying an Enforcement Boundary
To implement an Enforcement Boundary in your data center, complete the following tasks:
Install VENs on the workloads you want to protect with an Enforcement Boundary.
An Enforcement Boundary will only block traffic for managed workloads in the PCE. For information about installing a VEN on a host, see Workload Setup Using PCE Web Console. See also the VEN Installation and Upgrade Guide for detailed information about installing VENs on hosts.
Assign the correct labels to each workload.
For example, you must correctly assign the Environment label to all necessary workloads to prevent traffic from your development environment from reaching your production environment.
Tip
Using an Enforcement Boundary to fulfill the security mandate for traffic between development and production is more efficient than deploying a full allowlist model, as you only need to roll out the Environment label, rather than defining all four label types for your workloads and in your rule set scopes.
Create rulesets and rules for the workloads you want to protect with an Enforcement Boundary.
See Rulesets and Rules for information.
Warning
Create the necessary rulesets and rules before you create an Enforcement Boundary. The boundary blocks traffic that crosses it, so if you create the boundary before the rules are in place, the PCE drops that workload traffic until the rules are in place.
Move the workloads whose traffic you want to block into the Selective Enforcement state.
See Place a Workload in Selective Enforcement State for information.
Create an Enforcement Boundary that uses labels or IP lists (any IP range or subnet) to identify which workloads the boundary affects, and that specifies the services (or all services) for which it blocks traffic.
Important
If you add an Enforcement Boundary before creating any rules, the PCE web console displays a message that the boundary has zero rules. Correct this as soon as possible.
After you save a new Enforcement Boundary, the PCE calculates the impact of the new boundary, and the PCE web console page refreshes to display the Blocked Connections tab for that boundary.
The Blocked Connections tab lists all traffic that crosses the new boundary.
Review the list of traffic that currently crosses the new boundary and determine which connections need exceptions to the boundary. You can add rules for those exceptions now and remove them later as you refine your managed environment on the way to a Zero Trust Security model.
Provision the new Enforcement Boundary and any rules you added for traffic crossing the boundary.
See Provisioning for information.
Place a Workload in a Selective Enforcement State
From the PCE web console menu, choose Workloads and VENs > Workloads.
The Workloads page appears.
From the Enforcement state drop-down list, choose Selective.
A confirmation dialog box appears listing the impacted workloads.
Click OK.
To apply the enforcement state change to these workloads, provision the state change. See Provisioning for information.