
Getting Started with Illumio Core

Illumio Core Overview

The Illumio Core consists of two key components — the Policy Compute Engine (PCE) and the Virtual Enforcement Node (VEN).

[Figure: Illumio Core architecture (architecture.png)]

The PCE is the server side of the Illumio platform. It is the segmentation policy controller and the central manager for the VEN.

The VEN is the agent installed on each workload. It manages the workload's native host firewall according to the policy the PCE computes for it and reports the workload's traffic back to the PCE.

For systems where the agent cannot be installed, you can create unmanaged workloads in the PCE to represent traffic and to use in policy. See "Unmanaged Workloads" in Security Policy Guide for more information.

For information about the operating systems supported for the PCE and VEN, see the OS Support and Package Dependencies pages in the Illumio Support portal.

Workloads

In the Illumio Core, a workload is an OS instance on which applications and services run and, when the workload is managed, on which a VEN is installed. A workload can run on bare metal, in a virtual machine, or as the host platform for containers, and it can live in a private datacenter or in a cloud environment.

Managed versus Unmanaged Workloads

Managed: When you “pair” a workload with the PCE, the Illumio VEN is installed on it so that the VEN can manage the workload's native host firewall (for example, iptables/nftables on Linux or the Windows Filtering Platform on Windows). A workload that has a VEN installed on it is called a managed workload.

Unmanaged: To create an unmanaged workload, you configure all the details of the workload in the PCE but do not install a VEN on it, so it is not considered “paired” with the PCE. The PCE cannot enforce anything on an unmanaged workload; it can only represent it in traffic views and reference it in policy.

How the VEN Runs on Workloads

The VEN has several modes it can run in:

  • Idle: The VEN does not take control of the host-based firewall on the workload. It only reports a netstat snapshot of the workload's connections to the PCE every 10 minutes.

  • Illuminated: Used while building and testing policy. The VEN controls the host-based firewall but allows all traffic to reach the workload, and it reports roll-ups of the observed traffic to the PCE every 10 minutes. No traffic is blocked in this mode.

  • Enforced: Only traffic allowed by the Illumio rules provisioned to the workload is permitted. All other traffic is dropped. This is the only mode in which the VEN actually blocks traffic.

See "About VEN Administration on Workloads" in the VEN Administration Guide.

Coexistence mode allows the VEN to operate alongside another host firewall on the same workload. It is intended for specialized cases and must be enabled on the PCE. See "Firewall Coexistence" in the PCE Administration Guide.

Understanding Illumio Traffic Flows

In the Illumio Core, a traffic flow is a network connection, reported by a VEN, between the workload it runs on and some other endpoint in your network.

When the PCE receives a flow from a VEN, it tries to match each endpoint of the flow to an object it knows about, in the following order:

Managed Workloads → Unmanaged Workloads → IP Lists → Unknown

When the PCE cannot match an endpoint to any of these objects, it reports that traffic as unknown and draws the endpoint as a cloud icon in the visualization maps.

Illumio also distinguishes the two ends of a flow: the Source and the Destination. A rule allows traffic in one direction only, from Source to Destination; return traffic for an allowed connection is handled by the stateful host firewall.

  • Source:

    Sources can be workloads, unmanaged workloads, virtual services, or IP addresses that initiate a connection to a Destination, that is, that consume the service. When you write a rule defining who or what is allowed to communicate with a workload, you list them in the Source section of the rule.

  • Destination:

    Destinations can be workloads, unmanaged workloads, virtual services, or IP addresses that provide the service named in the rule. You list them in the Destination section of the rule. A Destination cannot use that rule to initiate a connection back to the Source; a connection in the other direction needs its own rule.

The PCE classifies each reported flow as one of the following:

  • Allowed

    • Reported View: The traffic is allowed because a rule exists to allow it and the rule has been provisioned to the workload.

    • Draft View: The traffic is allowed because a rule exists to allow it, even though the rule has not yet been provisioned to the workload. The Draft view shows what the policy would do once it is provisioned.

  • Potentially Blocked

    • Reported View: The PCE reports the traffic as potentially blocked because a rule to allow it either does not exist or has not been provisioned to the workload. The workload is not in Enforced mode, so the traffic actually reached it; if the VEN on this workload were moved into Enforced mode, this traffic would be blocked.

    • Draft View: The PCE reports the traffic as potentially blocked because no rule exists to allow it, provisioned or draft.

  • Blocked

    • Reported View: The VEN is in Enforced mode and no rule allowing the traffic exists or has been provisioned to the workload, so the traffic was dropped.

See "Reported and Draft Views" in the Visualization Guide for more information about how the Illumination map displays allowed and blocked traffic.
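As an added example (not Illumio code, and not the PCE's actual implementation), the following Python models the flow processing described in this section end to end: each endpoint of a reported flow is resolved in the documented order (Managed Workloads, Unmanaged Workloads, IP Lists, Unknown), the flow is tested against a rule set in which the Source initiates and the Destination serves, and the result is classified as Allowed, Potentially Blocked or Blocked for both the Reported and the Draft view. The inventory, IP list, rules and flows are constructed sample data, and the workload and IP list names are illustrative. Idle mode is not modeled, since the VEN does not control the firewall in that mode.

```python
"""Model of PCE-side flow processing: resolve endpoints in the documented
order, match the flow against rules, classify for Reported and Draft views.
Added example, not Illumio code. All names, addresses, rules and flows below
are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed inventory (illustrative names and addresses).
MANAGED = {"10.0.1.10": "web-01", "10.0.2.20": "db-01"}    # VEN-paired workloads
UNMANAGED = {"10.0.3.30": "legacy-ldap"}                   # defined in the PCE, no VEN
IP_LISTS = {"corp-monitoring": ["10.9.0.0/16"]}            # name -> CIDRs
MODE = {"web-01": "illuminated", "db-01": "enforced"}      # per managed workload


def resolve(ip):
    """Match an endpoint address in the PCE's order:
    Managed Workloads -> Unmanaged Workloads -> IP Lists -> Unknown."""
    if ip in MANAGED:
        return ("managed", MANAGED[ip])
    if ip in UNMANAGED:
        return ("unmanaged", UNMANAGED[ip])
    addr = ip_address(ip)
    for name, cidrs in IP_LISTS.items():    # first IP list containing the address
        if any(addr in ip_network(c) for c in cidrs):
            return ("iplist", name)
    return ("unknown", ip)                  # drawn as a cloud icon in the map


@dataclass(frozen=True)
class Rule:
    sources: frozenset       # who may initiate the connection
    destinations: frozenset  # who provides the service
    services: frozenset      # (port, protocol) pairs
    provisioned: bool        # True: active policy; False: draft only

    def matches(self, src, dst, port, proto):
        # Direction matters: the Source initiates, the Destination serves.
        return (src in self.sources and dst in self.destinations
                and (port, proto) in self.services)


@dataclass(frozen=True)
class Flow:
    reporter: str   # managed workload whose VEN reported the flow
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str


def classify(flow, rules, view):
    """Return 'allowed', 'potentially_blocked' or 'blocked' for one view.
    The reporting workload is assumed to be in Illuminated or Enforced mode."""
    src_name = resolve(flow.src_ip)[1]
    dst_name = resolve(flow.dst_ip)[1]
    hits = [r for r in rules
            if r.matches(src_name, dst_name, flow.dst_port, flow.proto)]
    if view == "reported":
        # Only provisioned rules are actually on the workload's firewall.
        if any(r.provisioned for r in hits):
            return "allowed"
        return "blocked" if MODE[flow.reporter] == "enforced" else "potentially_blocked"
    # Draft view evaluates the draft policy, so unprovisioned rules count too.
    return "allowed" if hits else "potentially_blocked"


RULES = [   # constructed rule set
    Rule(frozenset({"web-01"}), frozenset({"db-01"}),
         frozenset({(5432, "tcp")}), True),
    Rule(frozenset({"corp-monitoring"}), frozenset({"web-01", "db-01"}),
         frozenset({(22, "tcp")}), False),              # written, not yet provisioned
]

FLOWS = [   # constructed sample flows, as a VEN would report them
    Flow("db-01", "10.0.1.10", "10.0.2.20", 5432, "tcp"),    # web -> db, provisioned rule
    Flow("db-01", "10.9.4.7", "10.0.2.20", 22, "tcp"),       # monitoring -> db, draft rule
    Flow("web-01", "10.9.4.7", "10.0.1.10", 22, "tcp"),      # monitoring -> web, draft rule
    Flow("web-01", "203.0.113.5", "10.0.1.10", 443, "tcp"),  # unknown source, no rule
]


def report(flows=FLOWS, rules=RULES):
    """One row per flow: resolved source, resolved destination,
    Reported-view state, Draft-view state."""
    return [(resolve(f.src_ip), resolve(f.dst_ip),
             classify(f, rules, "reported"), classify(f, rules, "draft"))
            for f in flows]


if __name__ == "__main__":
    for row in report():
        print(row)
```

Running the file prints one row per flow. The same unprovisioned SSH rule yields Blocked for the Enforced workload but only Potentially Blocked for the Illuminated one in the Reported view, while the Draft view shows both as Allowed; that difference is exactly what provisioning the rule closes.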