Labels and Label Groups
Create a Label
From the PCE web console menu, choose Policy Objects > Labels.
On the Labels page, click Add.
Enter a label name (such as "Web") and select a label type (such as "Role").
Click Save.
Rules for Naming Labels
If you create an additional label type with a space in the 'key' (such as ven type), you cannot group by that label type.
The label will initially display, but when you add a check mark and apply the new label, it will be unchecked.
To make sure any new label types are properly added, keep the following rules in mind:
Style | Name | Key | Correct (Yes/No) |
---|---|---|---|
Ven Type | Ven Type | ven type | No |
new_label | new_label | newLabel | Yes |
t e s t | t e s t | t e s t | No |
name space | name space | namespace | Yes |
keyspace | keyspace | key space | No |
Make sure that the Key does not contain spaces.
Label Types
Label | Description |
---|---|
Role | This label type allows you to describe a workload's role (or function). In a simple two-tier application consisting of a web server and a database server, there would be two roles: Web and Database. You can use the same role as many times as you want in other application rulesets. |
Application | This label type allows you to describe the application that a workload supports. When two servers in a two-tier application have a relationship because one provides a service (like a database) to another, they likely constitute an application. If an organization has 100 applications, each with a separate web role and a separate database role, the application role separates each web and database role. |
Environment | This label type allows you to describe a workload based on its stage in the product development lifecycle, such as QA, staging, and production. |
Location | This label type allows you to describe a workload based on its location. For example, Germany, the US, Europe, and Asia. Or, Rack #3, Rack #4, Rack #5; or data center AWS-east1, AWS-east2, and so on. |
Flexible labels | You can define custom label types to reflect additional characteristics of the workloads in your installation. Create any label type that meets your organization's business needs. For example, you might label workloads according to their operating systems. The maximum number of labels is 20. |
Additional Dimensions
A given workload cannot have more than one label per type. A workload that provides a service or services across application boundaries can still be allowed to communicate; for example, if a server plays multiple roles, such as a database server used by two different applications, Illumio recommends creating different role labels for that workload.
Create a Label Type
Illumio Core provides the default label types Role, Application, Environment, and Location. You can define custom label types to reflect additional characteristics of the workloads in your installation. Create any label type that meets your organization's business needs. For example, you might want to label workloads according to their operating systems. The maximum number of labels is 20.
To create a new label type:
From the PCE web console menu, choose Settings > Label Settings.
On the Label Settings page, click Add.
Enter a unique Key. The PCE will use this key to identify the label internally. For example, OS.
Enter singular and plural versions of the Display Name (for example, Operating System and Operating Systems).
Enter a label type initial, a one- or two-character unique initial to be displayed with the icon (for example, OS).
Choose an icon.
Choose foreground and background colors to be used when the label is displayed.
Click Save.
The new label type will now appear in the web console UI wherever the default label types would appear, such as in the Type dropdown selector when you are creating a new label.
Edit Labels for Multiple Workloads
You can add, modify, or remove labels on multiple workloads. This approach saves time when you want to apply or remove the same label or set of labels on more than one workload at a time. Previously, if you wanted to delete a label that was in use by a virtual server, there was no way to tell whether it was in use. In the Illumio Core 20.1.0 release and higher, on the Labels page, the "In use by" column includes Virtual Servers. The Labels' summary page also displays the "In Use By Virtual Servers Yes/No" field.
Note
Keep in mind that label changes do not require provisioning, so mass label changes can potentially have a major impact on your rulesets, rules, and overall security policy.
From the PCE web console menu, choose Workloads and VENs > Workloads.
From the left side of the Workloads list, select the workloads you want to change labels for.
From the top of the Workloads list, click Edit Labels.
A dialog box appears asking if you are sure you want to edit labels for multiple workloads.
Click OK.
In the Edit Labels dialog box, you can add or remove labels assigned to the selected workloads. The top of the dialog indicates how many workloads will be affected by the label change. Depending on the assigned labels, you have three general options:
When the selected workloads share the exact same label of a specific type (for example, Role), you can change the current label by clicking the little X on the label to remove it. Then, you can type or select a new label assignment.
When the selected workloads have different labels of the same type, faded text in the Label field indicates that the workloads contain multiple labels of that type. You can click in the Label field and add a new label.
When you remove a label assignment, that label is removed from all selected workloads.
When you are finished, click OK.
Filtering Labels and Label Groups
To find the label or label groups you are looking for, you can use the property filter at the top of the Policy Objects > Labels or Label Groups pages.
On the Labels page, you can filter by label type and exact label name. Similarly, you can filter by label name, description, provision status, and type on the Label Groups page. For example, if you want to only see Location labels, you can select Type: Location in the Label property filter.
Label Workloads
You apply labels to workloads to identify their function or purpose in an application (Role label), the application they belong to (Application label), their network environment (Environment label), their location (Location label), and any custom purpose you have defined (flexible labels; for example, OS). After a workload is labeled, you can write rules using the labels you have applied to the workload.
After you Create a Label, you can label a workload in two ways:
Automatically label the workloads when you pair them by adding labels in the pairing profile. (See "Pairing Profiles and Scripts" in the VEN Installation and Upgrade Guide.)
Add labels to the workload on the Workload Summary page. In the PCE web console, select Workloads and VENs > Workloads from the left navigation menu. Select a workload, and in the details panel click Edit to select any or all of the label types to apply to the workload.
System Default “All” for Labels
When you log into the PCE for the first time as the organization owner, the following default labels are provided:
Label | Description |
---|---|
Role | Web, Database, API, Mail, Single Node App, Load Balancer |
Environment | Production, Stage, Dev, Test |
Applications | None |
Location | None |
The built-in (default) Environment, Application, and Location labels are defined as “All,” which enables you to create broad policies to cover All Applications, All Environments, and All Locations.
To avoid confusing policy writers, Illumio recommends not creating labels named “All Applications,” “All Environments,” or “All Locations” (exactly as written in quotes).
When you attempt to create labels of these types with the exact name as the system defaults, for example “All Applications,” an “HTTP 406 Not Acceptable” error will be displayed.
Note
You can modify or delete these default labels at any time.
Label Groups
Label groups help you write your security policy more efficiently when you use the same labels repeatedly in rulesets. When you add those labels to a label group, the label group can be used in a rule or scope as a shortcut or an alias for multiple labels. The Label Groups list pages can contain up to 10,000 label groups and the individual Label Groups pages can contain up to 10,000 members. You can use filters to find labels or label groups.
For example, you have workloads residing in data centers in Dallas, New York, and Washington and you want to apply a rule to all those workloads. Instead of using the labels for Dallas, New York, and Washington in three separate rules, you can define a Location label group named US, add those three location labels to the label group, and use the US label group.
Label groups are displayed as a list that includes the following details:
Provision status
Name of the label group
Type (Role, Application, Environment, Location)
Whether it is currently in use by a ruleset, label group, or static policy
Last modified date and time
User who last modified the label group

Policy Calculation Using Label Groups
Label groups can be nested, so it is important to understand how label groups can affect policy.
Note
You cannot assign a label group to a workload; only individual labels can be applied to workloads. Label groups can only be used in rulesets.
Create a Label Group
Create label groups when you want to combine several labels that share common characteristics into a single label category. After the labels are added to a Label Group, you can use the label group in a rule.
From the PCE web console menu, choose Policy Objects > Label Groups.
On the Label Groups page, click Add.
In the Add Label Group page, choose the label type and enter a name for the label. You cannot create a label group name that already exists, regardless of its alphabetic case. For example, you cannot create a new label group named "WINDOWS" if the label group name "Windows" already exists.
Click Save.
In the Members tab, click Add. Use the dropdown list to find existing labels. You can also enter a label name to create a new label, click Save, then add the new label to the group. You can add as many labels (or label groups) of the same type to the group as desired.
Click OK.
Use a Label Group in a Rule
When you use a label group in a rule, the label group is expanded into multiple rules. Cross-communication is allowed.
For example, the Non-Prod label group (the Dev, QA, and Stage Environment labels) is used here in the rule rather than in the scope, which allows cross-communication. The following ruleset (scope + rule):
Scope:
App: HRM
Env: All
Loc: US
Rule:
Providers: Non-prod DB
Services: MySQL
Consumers: Non-prod DB
This means “allow MySQL from Non-Prod DB to Non-Prod DB for the HRM application in All environments located in the US” and would allow the following communication:
HRM | Dev | US | DB ← HRM | Dev | US | DB
HRM | Dev | US | DB ← HRM | QA | US | DB
HRM | Dev | US | DB ← HRM | Stage | US | DB
HRM | QA | US | DB ← HRM | Dev | US | DB
HRM | QA | US | DB ← HRM | Stage | US | DB
Use a Label Group in a Scope
When you use a label group in a scope, the label group is expanded into multiple scopes. Cross-communication is not allowed.
For example, to create a scope that applies to all environments other than production, first create a Non-Prod label group which consists of the labels for the Dev, QA, and Stage environments. The following ruleset (scope + rule):
Scope:
App: HRM
Env: Non-prod
Loc: US
Rule:
Providers: DB
Services: MySQL
Consumers: DB
This means “workloads in all Non-Prod environments (Dev, QA, and Stage) can communicate within their environments with the DB using MySQL” and would allow the following communication:
HRM | Dev | US | DB ← HRM | Dev | US | DB
The following communication would not be allowed, since the Environment labels are different and cross-communication is not allowed:
HRM | Dev | US | DB ← HRM | QA | US | DB
and
HRM | Dev | US | DB ← HRM | Stage | US | DB
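To make the two expansions concrete, here is an added Python model (not Illumio's code and not the PCE API) that expands a label group placed in a rule versus in a scope and lists the DB-to-DB flows each ruleset permits. The Non-Prod label group, the HRM DB workloads and the two rulesets are constructed from this page's example; the "All" matching and the expansion order are assumptions of the model.

```python
from itertools import product

# Constructed example data (not exported from a PCE): the Non-Prod Environment
# label group from the page and one HRM DB workload per non-prod environment.
LABEL_GROUPS = {"Non-Prod": ["Dev", "QA", "Stage"]}
WORKLOADS = [{"app": "HRM", "env": e, "loc": "US", "role": "DB"} for e in LABEL_GROUPS["Non-Prod"]]

def expand(label):
    """Member labels of a label group, or the label itself ("All" matches any label)."""
    return LABEL_GROUPS.get(label, [label])

def matches(workload, selector):
    """A workload matches when every label the selector names is equal or "All"."""
    return all(v == "All" or workload[k] == v for k, v in selector.items())

def expand_ruleset(scope, rule):
    """Expand label groups the way the page describes: a group in the scope becomes
    one scope per member (no cross-communication); a group in the providers or
    consumers becomes one rule per member pair (cross-communication allowed)."""
    expanded = []
    for env in expand(scope["env"]):
        s = {**scope, "env": env}
        for p_env, c_env in product(expand(rule["providers"].get("env", "All")),
                                    expand(rule["consumers"].get("env", "All"))):
            expanded.append((s, {**rule["providers"], "env": p_env},
                                {**rule["consumers"], "env": c_env}))
    return expanded

def allowed(consumer, provider, scope, rule):
    """True if one expanded scope contains both workloads and its rule matches them."""
    return any(matches(consumer, s) and matches(consumer, c)
               and matches(provider, s) and matches(provider, p)
               for s, p, c in expand_ruleset(scope, rule))

def flows(scope, rule):
    """Every permitted DB flow as 'provider env <- consumer env', sorted."""
    return sorted(f"{p['env']} <- {c['env']}"
                  for c in WORKLOADS for p in WORKLOADS if allowed(c, p, scope, rule))

# The two rulesets from the page: Non-Prod in the rule, then Non-Prod in the scope.
SCOPE_ALL_ENV = {"app": "HRM", "env": "All", "loc": "US"}
RULE_NONPROD_DB = {"providers": {"role": "DB", "env": "Non-Prod"},
                   "consumers": {"role": "DB", "env": "Non-Prod"}, "service": "MySQL"}
SCOPE_NONPROD = {"app": "HRM", "env": "Non-Prod", "loc": "US"}
RULE_DB = {"providers": {"role": "DB"}, "consumers": {"role": "DB"}, "service": "MySQL"}

if __name__ == "__main__":
    print("group in rule: ", flows(SCOPE_ALL_ENV, RULE_NONPROD_DB))  # 9 flows, cross-env
    print("group in scope:", flows(SCOPE_NONPROD, RULE_DB))          # 3 flows, same env only
```

The service (MySQL) is carried in the rule for completeness but not evaluated; the model only decides which label combinations are in scope of an expanded rule.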