Rulesets and Rules
Illumio's security policy includes three rule types: intra-scope rules, extra-scope rules, and custom iptables rules. The scope of a ruleset determines which workloads receive the ruleset's rules:
Intra-scope rules allow communication between providers and consumers within a specific scope.
Extra-scope rules permit communication between applications. You can write rules so that consumers within or outside a specified scope can access the providers within a scope. For extra-scope rules, the labels used in the scope must match the labels used by the Source.
Custom iptables rules let you carry rules your applications need into the policy managed by the PCE. They preserve existing iptables configuration from native Linux hosts by letting you include it alongside the rules for your policy.
Warning
Enforcement Boundaries are still available in 24.2 APIs. However, they are being replaced by the Deny rules explained in the topic https://docs.illumio.com/core/24.2/Content/Guides/security-policy/create-security-policy/rules.htm
Enforcement Boundaries Reference
This topic covers examples of enforcement boundaries.
Warning
APIs for Enforcement Boundaries are still available in release 24.2.
Parameters

| Parameter | Description | Type | Required |
|---|---|---|---|
| | Organization ID | Integer | Yes |
| | Security Policy Version | String | Yes |
| | List of lists of label URIs, encoded as a JSON string | String | No |
| | Maximum number of Rule Sets to return | Integer | No |
| | Filter by name; supports partial matching | String | No |
| | Service URI | String | No |
| | Port or port range to filter results. The range is from -1 to 65535. | String | No |
| | Protocol to filter on | Integer | No |
| | Enforcement boundary ID | Integer | Yes |
Properties

| Property | Description | Type | Required |
|---|---|---|---|
| href | URI of the selective enforcement rule | String | Yes |
| name | Name of the selective enforcement rule | String | Yes |
| providers | Array of actors, each one of: Label URI (required parameter: href); Label group URI (required parameter: href); IP List URI (required parameter: href) | Array | Yes |
| consumers | Array of actors, each one of: Label URI (required parameter: href); IP List URI (required parameter: href); Rule actors are all workloads ('ams') | Array | Yes |
| ingress_services | Collection of services that are enforced. Each entry has: port, the port number or the starting port of a range (if unspecified, applies to all ports for the given protocol; minimum: 0, maximum: 65535); to_port, the upper end of the port range (do not include it when specifying an individual port; minimum: 0, maximum: 65535); proto, the transport protocol (numeric; enum: 6, 17) | Array | Yes |
| created_at | Timestamp when this Enforcement Boundary was first created | String date/time | No |
| updated_at | Timestamp when this Enforcement Boundary was last updated | String date/time | No |
| deleted_at | Timestamp when this Enforcement Boundary was deleted | String date/time | No |
| created_by | The user who originally created this Enforcement Boundary (required parameter: href) | String | No |
| updated_by | The user who last updated this Enforcement Boundary (required parameter: href) | String | No |
| deleted_by | The user who deleted this Enforcement Boundary (required parameter: href) | String | No |
| update_type | Type of update | String | No |
| | | Boolean | No |
Examples
Get Enforcement Boundaries
```bash
curl -i -X GET https://pce.my-company.com:8443/api/v2/orgs/1/sec_policy/draft/enforcement_boundaries -H "Accept: application/json" -u $KEY:$TOKEN
```
Response
In this response, the former scope property is replaced with providers, and another property, consumers, was added. The required properties are: name, providers, consumers, and ingress_services (formerly enforced_service).

```json
{
  "href": "/orgs/1/sec_policy/draft/enforcement_boundaries/1",
  "created_at": "2021-09-21T21:48:40.228Z",
  "updated_at": "2021-09-21T21:48:40.241Z",
  "deleted_at": null,
  "created_by": { "href": "/users/1" },
  "updated_by": { "href": "/users/1" },
  "deleted_by": null,
  "update_type": "create",
  "name": "Dev to Prod separation",
  "providers": [
    { "label": { "href": "/orgs/1/labels/7", "key": "env", "value": "Production" } }
  ],
  "consumers": [
    { "label": { "href": "/orgs/1/labels/9", "key": "env", "value": "Development" } }
  ],
  "ingress_services": [
    {
      "href": "/orgs/1/sec_policy/draft/services/1",
      "created_at": "2021-09-21T16:31:16.266Z",
      "updated_at": "2021-09-21T16:31:16.292Z",
      "deleted_at": null,
      "created_by": { "href": "/users/0" },
      "updated_by": { "href": "/users/0" },
      "deleted_by": null,
      "update_type": null,
      "name": "All Services",
      "service_ports": [ { "proto": -1 } ]
    }
  ],
  "caps": [ "write", "provision" ],
  "workload_counts": {}
}
```
Create Enforcement Boundaries
```bash
curl -i -X POST https://pce.my-company.com:8443/api/v2/orgs/1/sec_policy/draft/enforcement_boundaries -H "Content-Type: application/json" -u $KEY:$TOKEN -d '{"name": "eb1", "providers": [{"actors": "ams"}], "consumers": [{"actors": "ams"}], "ingress_services": [{"port": 1, "proto": 6}]}'
```
Edit Enforcement Boundaries
```bash
curl -i -X PUT https://pce.my-company.com:8443/api/v2/orgs/1/sec_policy/draft/enforcement_boundaries/1 -H "Content-Type: application/json" -u $KEY:$TOKEN -d '{"name": "a4"}'
```

A fuller request body, combining label and IP list providers with an existing service href and inline port definitions, can be passed as the -d payload in the same way:

```json
{
  "name": "a name here",
  "providers": [
    { "label": "/orgs/1/labels/13" },
    { "label": "/orgs/1/labels/15" },
    { "ip_list": "/orgs/1/sec_policy/draft/ip_lists/22" }
  ],
  "consumers": [
    { "actors": "ams" }
  ],
  "ingress_services": [
    { "href": "/orgs/1/sec_policy/draft/services/20" },
    { "port": 22, "proto": 6 },
    { "port": 8080, "to_port": 8088, "proto": 6 }
  ]
}
```
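As an added example (not Illumio's code or SDK), the Python helper below checks a request body against the properties documented on this page before it is handed to curl -d for the POST and PUT calls above: required properties present, each actor naming exactly one of label, ip_list or actors 'ams', and inline services using proto 6 or 17 with a valid port or port range. The label_group actor key is an assumption; the page names the concept but only shows label, ip_list and actors in its JSON.

```python
"""Validate an Enforcement Boundary body for the PCE sec_policy API.
Added helper for this page, not Illumio's own code."""
import json

REQUIRED = ("name", "providers", "consumers", "ingress_services")
PROTOS = {6, 17}  # proto enum from the Properties table: TCP, UDP
# "label_group" is an assumed key name; the page shows only label, ip_list, actors.
ACTOR_KEYS = {"label", "label_group", "ip_list", "actors"}


def check_actor(actor):
    """Each provider/consumer entry names exactly one actor type."""
    if len(actor) != 1 or not set(actor) <= ACTOR_KEYS:
        raise ValueError(f"actor must be exactly one of {sorted(ACTOR_KEYS)}: {actor}")
    if "actors" in actor and actor["actors"] != "ams":
        raise ValueError("the only supported 'actors' value is 'ams' (all workloads)")
    return actor


def check_service(svc):
    """Either an href to an existing service object or an inline port/proto entry."""
    if "href" in svc:
        return svc
    port, to_port, proto = svc.get("port"), svc.get("to_port"), svc.get("proto")
    if proto not in PROTOS:
        raise ValueError(f"proto must be one of {sorted(PROTOS)}: {svc}")
    if port is not None and not 0 <= port <= 65535:
        raise ValueError(f"port out of range 0-65535: {svc}")
    # to_port only makes sense as the upper end of a range starting at port
    if to_port is not None and (port is None or not port < to_port <= 65535):
        raise ValueError(f"to_port must be greater than port and <= 65535: {svc}")
    return svc


def validate(body, partial=False):
    """A POST body needs every required property; a PUT may send a subset."""
    missing = [k for k in REQUIRED if k not in body]
    if missing and not partial:
        raise ValueError(f"missing required properties: {missing}")
    for key in ("providers", "consumers"):
        for actor in body.get(key, []):
            check_actor(actor)
    for svc in body.get("ingress_services", []):
        check_service(svc)
    return body


def to_payload(body, partial=False):
    """Return the compact JSON string to pass as curl -d (POST: full, PUT: partial)."""
    return json.dumps(validate(body, partial), separators=(",", ":"))
```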