App Groups
An App Group is a logical grouping of workloads associated with an application instance, which is defined by the labels assigned to the workloads in it. This section describes the types of App Groups, the App Group Map, and how to configure App Groups.
App Group features allow application owners to see all workloads for an application instance in a single App Group, even when the workloads are not currently communicating with each other. This is helpful when building or validating security policies for traffic between workloads because it allows application owners to focus only on the workloads that belong to their applications, regardless of location.
Ways to View App Groups
App Groups List Page
The App Group List Page is the first page that displays when you click App Groups in the left navigation. It lists all the App Groups in your PCE.
The Edit App Group Type option on the list page allows you to configure whether App Groups comprise Application and Environment labels or Application, Environment, and Location labels. This is a global setting for all App Groups.
Click an App Group in the list to view the traffic, group members, rule coverage, and vulnerability data associated with that App Group.
App Groups Traffic Table
The App Groups Traffic table displays details about the App Group in a traditional table format, including the traffic, group members, rule coverage, and vulnerability data associated with that App Group.
You can use the Traffic table to query the PCE's traffic database to analyze traffic flows for auditing, reporting, and troubleshooting. You can query for traffic flows between workloads or hosts, labeled workloads, or IP addresses, and you can restrict the query by specific port numbers and protocols.
The VEN decorates the flow summary logs with DNS names when it sends them to the PCE. In the Traffic table, the PCE appends the DNS names to the flow logs so that auditors and SOC analysts can look at these DNS names instead of performing reverse look-ups on random IP addresses.
For more information, see Traffic Table.
App Groups Mesh View
The Mesh view displays traffic flows as a vertical list of Destinations, Sources, and the port being used in the flows.
You can click any item in the query results to focus on specific flows. You can also sort the results to view results based on port number or number of traffic flows. From the Mesh view, you can drill down to filter, brush to filter, and then go to the Table view to write rules.
For tips on how to filter the data in your Mesh view, click the Filtering Tips link in the bottom-right corner of the page for a pop-up tooltip.
For more information about the Mesh, see Mesh View.
App Groups Map
The App Groups Map displays the workloads and traffic in your data center. The Map takes time to render with large-scale deployments. However, some users, such as application owners, prefer to think about their data center in terms of traffic between workloads that belong to different application instances rather than between physical locations.
For more information, see Map View.
You can search for specific App Groups and see the associated workloads, traffic, and rule coverage between members in the group and other Source and Destination App Groups that provide or consume its services, as well as rule coverage for the traffic between App Groups.
Source App Groups: Use services provided by the current application
Destination App Groups: Provide services used by the current application
Note
If you click an App Group that contains more than 1,000 workloads, an alert message appears and the workloads are not displayed.
When you click an App Group in the Map, the workloads and their associated traffic in that App Group displays, as well as a pop-up list of other App Groups communicating with that App Group either as the source or destination of services.
Connected to the App Group by arrows are the Source App Groups that initiate connections to this application instance and the Destination App Groups that provide services for this application instance. To view a list of the source or destination App Groups, single-click its circular representation on the map. A pop-up window displays the name of each App Group along with its Environment and Location label.
Note
If the App Group does not have any connections, the Destination and Source App Groups do not display.
When you click a Source or Destination App Group in the pop-up, an oval representing the expanded App Group displays in the App Group Map. Lines representing the traffic links between the App Groups display in either red for blocked traffic or green for allowed traffic. Source App Groups display above the original App Group and Destination App Groups display below the original App Group.
If an expanded Source or Destination App Group is currently displayed in the App Group Map, you can view the next or previous connected App Groups by clinking the Next or Previous links in the App Group's circle.
When you select an App Group, the list of all observed services between any workloads in that App Group displays. When you click a specific line between two workloads, all services between the selected workloads display.
When you have virtual servers, you can view their details in the App Group Map command panel in both Reported and Draft views.
When you click a traffic line between two App Groups and click Create Ruleset, the auto-populated name is a combination of the labels for the selected App Group.
When a ruleset already exists for this traffic, click View Rulesets to display it.
Note
In previous releases, this feature was referred to as “Segmentation Rulesets.” In Illumio Core 21.5.0 and later releases, this feature is now referred to as “Rulesets.” This image still displays the previous feature name.
Application owners can write both intra- and extra-scope rules to allow others to use the application instance. However, as an application owner, you can only write rules when you are the owner of the Destination App Group to allow other Source App Groups to access your application workloads.