Security Policy Guide 24.5

IP Lists

IP lists allow you to define an allowlist of trusted IP addresses, IP address ranges, or CIDR blocks you want to allow into your data center to access workloads and applications in your network.

Overview of IP Lists

After you define an IP list, you can use it in rulesets to create rules for workload traffic flows. When you provision the rulesets, the workload only allows IP addresses in the IP list to access workload services.

The default IP list Any represents all IPv6 addresses as well as all IPv4 addresses. Rules that use IP lists are only programmed on one side of the connection. IP lists can be used as a source or a destination.

Note

To allow outbound access to IP lists, Illumio recommends using an intra-scope rule to prevent the application of the rule to a broader set of workloads than intended.

Example of IP List Usage

For example, the following ruleset (scope + rules):

Scope:

  • App: HRM

  • Env: Prod

  • LOC: US

Rule:

  • Source: DB

  • Services: SSH

  • Destination: Corp-HQ

This means “allow SSH from Corp-HQ to the database.”

This ruleset:

Scope:

  • App: All

  • Env: Prod

  • Loc: All

Rule:

  • Source: Corp-HQ

  • Services: SSH

  • Destination: DB

This means “allow SSH from the database to Corp-HQ.”

This ruleset:

Scope:

  • App: All

  • Env: Prod

  • Loc: All

Rule:

  • Source: Any

  • Services: Any

  • Destination: Any

This means “do not apply Any IP list to anything.”

Create an IP List
  1. From the PCE web console menu, choose Policy Objects > IP Lists.

  2. Click Add.

  3. Enter a name for the IP list.

  4. IP Addresses: Add IP addresses, IP address ranges, or CIDR blocks to define the list.

    Tip

    You can copy and paste lists of IP addresses from other sources.

  5. FQDN: Type or paste in fully qualified domain names.

IP List Exclusions

In IP lists, you can exclude IP addresses or subnets from a broader IP subnet.

For example, you might want to exclude a list of IP addresses within an IP range that should not access specific workloads. Or, you could open up a set of workloads to any IP address (0.0.0.0/0 and ::/0), but exclude a set of IP addresses that keep attempting unauthorized access to your workloads.

Note

Any (0.0.0.0/0) refers to IP addresses not associated with workloads while All workloads refers to workloads within a scope.

When you use an IP list with exclusions in a rule, any IP addresses marked as exclusions are not allowed, while all the others in the IP list are allowed.

To create IP list exclusions:

  • To add an IP address or subnet exclusion, use an exclamation point followed by the IP address, CIDR block, or IP range. The excluded IP addresses must be within the included IP range.

    For example, if you added 192.16.0.0/12 as an allowed CIDR block and you want to exclude a range of addresses from this block, enter the following value:

    !192.31.43.0-192.31.43.100

  • To add a CIDR block but exclude a portion of the CIDR block, enter the following values:

    10.0.0.0/8 !10.1.0.0/24

    In this example, the first block would be included, and the second block would be excluded.
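The following Python example is added here to illustrate the include/exclude semantics described above; it is not Illumio code and does not reflect how the PCE parses or enforces IP lists. It assumes entries are separated by whitespace or newlines, that a leading `!` marks an exclusion (as on this page), that dash-separated ranges are inclusive, and that an exclusion outside every included block is rejected as invalid, matching the requirement that excluded addresses fall within the included range.

```python
import ipaddress
from dataclasses import dataclass, field

# Hypothetical IP list model; not Illumio's own data structure.


@dataclass
class IPList:
    includes: list = field(default_factory=list)  # ip_network objects
    excludes: list = field(default_factory=list)  # ip_network objects


def _parse_entry(text):
    """Turn one entry (single address, CIDR block, or 'a-b' range) into networks."""
    text = text.strip()
    if "-" in text:
        start, end = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        if start.version != end.version or start > end:
            raise ValueError(f"invalid range: {text}")
        # A range becomes the minimal set of CIDR blocks that cover it.
        return list(ipaddress.summarize_address_range(start, end))
    # strict=False accepts a block whose host bits are set (e.g. 10.1.2.3/24).
    return [ipaddress.ip_network(text, strict=False)]


def parse_ip_list(entries):
    """Parse an IP list definition; '!' prefixes an exclusion."""
    ip_list = IPList()
    for token in entries.split():
        if token.startswith("!"):
            ip_list.excludes.extend(_parse_entry(token[1:]))
        else:
            ip_list.includes.extend(_parse_entry(token))
    # Validation: every exclusion must sit inside at least one included block.
    # (version check first: subnet_of raises TypeError across IPv4/IPv6)
    for ex in ip_list.excludes:
        if not any(ex.version == inc.version and ex.subnet_of(inc)
                   for inc in ip_list.includes):
            raise ValueError(f"exclusion {ex} is not within any included range")
    return ip_list


def is_allowed(ip_list, address):
    """Exclusions win over includes; anything not included is denied."""
    addr = ipaddress.ip_address(address)
    if any(addr in ex for ex in ip_list.excludes):
        return False
    return any(addr in inc for inc in ip_list.includes)


if __name__ == "__main__":
    # The two examples from the page, plus an "Any" list with one excluded subnet
    # (198.51.100.0/24 is a constructed documentation-range value).
    hq = parse_ip_list("192.16.0.0/12 !192.31.43.0-192.31.43.100")
    print(is_allowed(hq, "192.31.43.50"), is_allowed(hq, "192.31.43.101"))
    lab = parse_ip_list("10.0.0.0/8 !10.1.0.0/24")
    print(is_allowed(lab, "10.1.0.5"), is_allowed(lab, "10.1.1.5"))
    any_list = parse_ip_list("0.0.0.0/0 ::/0 !198.51.100.0/24")
    print(is_allowed(any_list, "::1"), is_allowed(any_list, "198.51.100.7"))
```

Checking a candidate list this way before provisioning catches the two mistakes that silently widen or break a policy: an exclusion that is outside the included block (rejected here with a ValueError) and an "Any" list that was meant to carve out a subnet but whose `!` entry was mistyped.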

Filter IP Lists

You can filter the IP list page using the Select properties for filter view field at the top. You can filter by IP list name, description, IP address, FQDN, or provision status (draft or active).