Labels and Label Groups
The Illumio Core policy model is a label-based system, which means that the rules you write don't require the use of an IP address or subnet, like traditional firewall solutions. You control the range of your policy by using labels. This helps you categorize your workloads more quickly and makes it easier to set up your policy.
Label Types
Label | Description |
|---|---|
Role  | This label type allows you to describe the “role” (or function) of a workload. In a simple two-tier application consisting of a web server and a database server, there would be two roles: Web and Database. You can use the same role as many times as you want in other rulesets for different applications. NoteThe Role label cannot be used to define the scope. |
Application  | This label type allows you to describe the application that a workload supports. When two servers in a two-tier application have a relationship with one another because one provides a service (like a database) to another, they likely constitute an application. If an organization has 100 applications, and each application has a separate web role and separate database role, the application role separates each one of the Web and Database role. |
Environment  | This label type allows you to describe a workload based upon its stage in the product development lifecycle, such as QA, staging and production. |
Location  | This label type allows you to describe a workload based upon its location. For example, Germany, US, Europe, Asia. Or, Rack #3, Rack #4, Rack #5; or datacenter AWS-east1, AWS-east2, and so on. |
Flexible labels | You can define custom label types to reflect additional characteristics of the workloads in your installation. Create any label type that meets your organization's business needs. For example, you might want to label workloads according to their operating systems. The maximum number of labels is 20. |
Additional Dimensions
A given workload cannot have more than one label per type. It’s possible to allow a workload that used a service or services or across boundaries to communicate; for example, if a server is playing multiple roles, such as a database server used by two different applications, Illumio recommends that you create different role labels for that workload.
System Default “All” for Labels
When you log into the PCE for the first time as the organization owner, the following default labels are provided:
Label | Description |
|---|---|
Role | Web, Database, API, Mail, Single Node App, Load Balancer |
Environment | Production, Stage, Dev, Test |
Applications | None |
Location | None |
The built-in (default) Environment, Application, and Location labels are defined as “All,” which enables you to create broad policies to cover All Applications, All Environments, and All Locations.
To avoid confusing policy writers, Illumio recommends not creating labels named “All Applications,” “All Environments,” or “All Locations” (exactly as written in quotes).
When you attempt to create labels of these types with the exact name as the system defaults, for example “All Applications,” an “HTTP 406 Not Acceptable” error will be displayed.
Note
You can modify or delete these default labels at any time.
Filtering Labels and Label Groups
You can use the property filter at the top of the Policy Objects > Labels or Label Groups pages to find the label or labels groups you are looking for.
You can filter by label type and exact label name on the Labels or Label Groups page. Similarly, you can filter by label name, description, and provision status on the Label Groups page.
To filter Labels, select Name or Type.
Select Name, Description, Provision Status, or Type to filter Label Groups.
Create a Label Type
Illumio Core provides the default label types Role, Application, Environment, and Location. You can define custom label types to reflect additional characteristics of the workloads in your installation. Create any label type that meets your organization's business needs. For example, you might label workloads according to their operating systems. The maximum number of labels is 20.
To create a new label type:
From the PCE web console menu, choose Settings > Label Settings.
On the Label Settings page, click Add.
Enter a unique Key. The PCE will use this key to identify the label internally. For example, OS.
Enter singular and plural versions of the Display Name (Operating System and Operating Systems).
Choose an icon, and enter a one- or two-character unique initial to be displayed with the icon (such as OS).
Choose foreground and background colors to be used when the label is displayed.
Click Save.
The new label type will appear in the web console UI wherever the default label types appear, such as in the Type dropdown selector when creating a new label.
Create a Label
From the PCE web console menu, choose Policy Objects > Labels.
On the Labels page, click Add.
Name: Enter a label name.
Type: Select one of the types such as Environment, Application, Role, Business Unit, or
Click Save.
You cannot create a label name that already exists, regardless of its alphabetic case. For example, you cannot create a new label named "WINDOWS" if "Windows" already exists.
Label Workloads
You apply labels to workloads to identify their function or purpose in an application (Role label), the application they belong to (Application label), their network environment (Environment label), their location (Location label), and any custom purpose you have defined (flexible labels; for example, OS). After a workload is labeled, you can write rules using the labels you have applied to the workload.
After you Create a Label, you can label a workload in two ways:
Automatically label the workloads when you pair them by adding labels in the pairing profile. (See "Pairing Profiles and Scripts" in VEN Installation and Upgrade Guide.
Add labels to the workload on the Workload Summary page. In the PCE web console, select Workloads and VENs > Workloads from the left navigation menu. Select a workload, and in the details panel click Edit to select any or all of the label types to apply to the workload.
Edit Labels for Multiple Workloads
You can add, modify, or remove labels on multiple workloads. This approach saves time when you want to apply or remove the same label or set of labels to more than one workload at a time. In the Illumio Core 20.1.0 release and higher, if you want to delete a Label and it was used by a Virtual Server, you can determine whether it was in use. The "In use by" column on the Labels page includes Virtual Servers. The Labels' summary page also displays the "In Use By Virtual Servers Yes/No" field.
Note
Remember that label changes do not require provisioning, so mass label changes can potentially have a major impact on your rulesets, rules, and overall security policy.
From the PCE web console menu, choose Workloads.
Select the checkboxes next to the workloads you want to change labels.
Click Edit Labels.
Add or remove labels assigned to the selected workloads in the Edit Labels dialog box. The top of the dialog indicates how many workloads will be affected by the label change. Depending on the assigned labels, you have three general options:
When the selected workloads share the same label of a specific type (for example, Role), you can change the current label by clicking the little X on the label to remove it. Then, you can type or select a new label assignment.
When the selected workloads have different labels of the same type, faded text in the Label field indicates that the workloads contain multiple labels. You can click in the Label field and add a new label.
When you remove a label assignment, that label is removed from all selected workloads.
When you are finished, click OK.
Label Groups
Label groups help you write your security policy more efficiently when you use the same labels repeatedly in rulesets. When you add those labels to a label group, the label group can be used in a rule or scope as a shortcut or an alias for multiple labels. The Label Groups list pages can contain up to 10,000 label groups and the individual Label Groups pages can contain up to 10,000 members. You can use filters to find labels or label groups.
For example, you have workloads residing in data centers in Dallas, New York, and Washington and you want to apply a rule to all those workloads. Instead of using the labels for Dallas, New York, and Washington in three separate rules, you can define a Location label group named US, add those three location labels to the label group, and use the US label group.
You can customize the columns to display labels as follows:
Container Settings
Deny Rules
IP Forwarding
Label Groups
Last Modified By
Last Modified On
Loopback Interfaces
Name
Provision Status
RBAC
Reject Connections
Rulesets
Statis Policy
Type
Type (Role, Application, Environment, Location, or a custom-defined Flexible Label type)
Policy Calculation Using Label Groups
Label groups can be nested, so it is important to understand how label groups can affect policy.
Note
You cannot assign a label group to a workload - only individual labels can be applied to workloads. Label groups can only be used in rulesets.
Create a Label Group
Create label groups when you want to combine several labels that share common characteristics into a single label category. You can use the label group in a rule after the labels are added to a Label Group.
From the PCE web console menu, choose Policy Objects > Label Groups.
On the Label Groups page, click Add.
In the Add Label Group page, choose the label type and enter a name for the label. You cannot create a label group name that already exists, regardless of its alphabetic case. For example, you cannot create a new label group named "WINDOWS" if the label group name "Windows" already exists.
Click Save.
In the Members tab, enter a label name to find labels to add to the group, and then click Add. You can add as many labels (or label groups) of the same type to the group as desired.
You cannot create a label group name that already exists, regardless of its alphabetic case. For example, you cannot create a new label group named "WINDOWS" if the label group name "Windows" already exists.
Use a Label Group in a Scope
When you use a label group in a scope, the label group is expanded into multiple scopes. Cross-communication is not allowed.
For example, to create a scope that applies to all environments other than production, first create a Non-Prod label group which consists of the labels for the Dev, QA, and Stage environments. The following ruleset (scope + rule):
Scope:
App: HRM
Env: Non-prod
Loc: US
Rule:
Providers: DB
Services: MySQL
Consumers: DB
This means “workloads in all Non-Prod environments (Dev, QA, and Stage) can communicate within their environments with the DB using MySQL” and would allow the following communication:
HRM | Dev | US | DB ← HRM | Dev | US | DB
The following communication would not be allowed, since the Environment labels are different and cross-communication is not allowed:
HRM | Dev | US | DB ← HRM | QA | US | DB
and
HRM | Dev | US | DB ← HRM | Stage | US | DB
Use a Label Group in a Rule
When you use a label group in a rule, the label group is expanded into multiple rules. Cross-communication is allowed.
For example, the Non-Prod label group is used again here, but in the rule and not the scope, which allows cross-communication. The following ruleset (scope + rule):
Scope:
App: HRM
Env: All
Loc: US
Rule:
Providers: Non-prod DB
Services: MySQL
Consumers: Non-prod DB
This means “allow MySQL from Non-Prod DB to Non-Prod DB for the HRM application in All environments located in the US" and would allow the following communication:
HRM | Dev | US | DB ← HRM | Dev | US | DB
HRM | Dev | US | DB ← HRM | QA | US | DB
HRM | Dev | US | DB ← HRM | Stage | US | DB
HRM | QA | US | DB ← HRM | Dev | US | DB
HRM | QA | US | DB ← HRM | Stage | US | DB