Enforcement Boundaries
Warning
Enforcement Boundaries are still available in 24.2 APIs. However, they are being replaced by the Deny rules explained in the topic https://docs.illumio.com/core/24.2/Content/Guides/security-policy/create-security-policy/rules.htm
Enforcement Boundaries in the REST API
The RBAC roles Global Org Owner and Global Admin can manage Enforcement Boundaries without restrictions.
You can only use Enforcement Boundaries with managed workloads. You cannot apply Enforcement Boundaries to NEN-controlled or other unmanaged workloads.
One or more ports on a workload are enforced ("port enforcement"), leaving the remaining ports unenforced. Instead of configuring workloads directly, enforcement is controlled using policies.
Workloads have to be placed in selective mode when using Enforcement Boundaries. Therefore, to use an Enforcement Boundary, you need to perform two separate configurations:
1. Set the workload policy state to selective.
2. Create a security policy with a scope that includes the workload.
Enforcement Boundaries Methods
Functionality | HTTP | URI |
---|---|---|
View the configured enforcement boundaries. | GET | /api/v2/orgs/:xorg_id/sec_policy/:pversion/enforcement_boundaries |
Edit the specified enforcement boundary. | PUT | /api/v2/orgs/:xorg_id/sec_policy/:pversion/enforcement_boundaries/:enforcement_boundary_id |
Create a new enforcement boundary. | POST | /api/v2/orgs/:xorg_id/sec_policy/:pversion/enforcement_boundaries |
Delete the specified enforcement boundary. | DELETE | /api/v2/orgs/:xorg_id/sec_policy/:pversion/enforcement_boundaries/:enforcement_boundary_id |
Enforcement Boundaries Reference
This topic covers examples of enforcement boundaries.
Warning
APIs for Enforcement Boundaries are still available in release 24.2.
Parameters
Parameter | Description | Type | Required |
---|---|---|---|
xorg_id | Organization ID | Integer | Yes |
pversion | Security Policy Version | String | Yes |
labels | List of lists of label URIs, encoded as a JSON string | String | No |
max_results | Maximum number of Rule Sets to return | Integer | No |
name | Filter by name; supports partial matching | String | No |
service | Service URI | String | No |
port | Port or port range to filter results on. The range is from -1 to 65535. | String | No |
protocol | Protocol to filter on | Integer | No |
enforcement_boundary_id | Enforcement boundary ID | Integer | Yes |
Properties
Property | Description | Type | Required |
---|---|---|---|
href | URI of the selective enforcement rule | String | Yes |
name | Name of the selective enforcement rule | String | Yes |
providers | Array of actor objects. Each entry is one of: label (Label URI; the required parameter is href), label_group (Label group URI; the required parameter is href), or ip_list (IP List URI; the required parameter is href). | Array | Yes |
destinations | Array of actor objects. Each entry is one of: label (Label URI; the required parameter is href), ip_list (IP List URI; the required parameter is href), or actors set to "ams" (rule actors are all workloads). | Array | Yes |
ingress_services | Collection of services that are enforced. Each entry carries: port, the port number or the starting port of a range (if unspecified, the entry applies to all ports for the given protocol; minimum 0, maximum 65535); to_port, the upper end of a port range (do not include this field when specifying an individual port; minimum 0, maximum 65535); and proto, the transport protocol as a number (enum: 6, 17). | Array | Yes |
created_at | Timestamp when this Enforcement Boundary was first created | String date/time | No |
updated_at | Timestamp when this Enforcement Boundary was last updated | String date/time | No |
deleted_at | Timestamp when this Enforcement Boundary was deleted | String date/time | No |
created_by | User who originally created this Enforcement Boundary; the required parameter is href | String | No |
updated_by | User who last updated this Enforcement Boundary; the required parameter is href | String | No |
deleted_by | User who deleted this Enforcement Boundary; the required parameter is href | String | No |
update_type | Type of update | String | No |
 | For For | Boolean | No |
Examples
Get Enforcement Boundaries
```shell
curl -i -X GET https://pce.my-company.com:8443/api/v2/orgs/1/sec_policy/draft/enforcement_boundaries -H "Accept: application/json" -u $KEY:$TOKEN
```
Response
In this response, the former scope property has been replaced by providers, and a destinations property has been added. The required properties are name, providers, destinations, and ingress_services (formerly enforced_service).

```json
{
  "href": "/orgs/1/sec_policy/draft/enforcement_boundaries/1",
  "created_at": "2021-09-21T21:48:40.228Z",
  "updated_at": "2021-09-21T21:48:40.241Z",
  "deleted_at": null,
  "created_by": { "href": "/users/1" },
  "updated_by": { "href": "/users/1" },
  "deleted_by": null,
  "update_type": "create",
  "name": "Dev to Prod separation",
  "providers": [
    { "label": { "href": "/orgs/1/labels/7", "key": "env", "value": "Production" } }
  ],
  "destinations": [
    { "label": { "href": "/orgs/1/labels/9", "key": "env", "value": "Development" } }
  ],
  "ingress_services": [
    {
      "href": "/orgs/1/sec_policy/draft/services/1",
      "created_at": "2021-09-21T16:31:16.266Z",
      "updated_at": "2021-09-21T16:31:16.292Z",
      "deleted_at": null,
      "created_by": { "href": "/users/0" },
      "updated_by": { "href": "/users/0" },
      "deleted_by": null,
      "update_type": null,
      "name": "All Services",
      "service_ports": [ { "proto": -1 } ]
    }
  ],
  "caps": [ "write", "provision" ],
  "workload_counts": { }
}
```
Create Enforcement Boundaries
```shell
curl -i -X POST https://pce.my-company.com:8443/api/v2/orgs/1/sec_policy/draft/enforcement_boundaries -H "Content-Type: application/json" -u $KEY:$TOKEN -d '{"name": "eb1", "providers": [{"actors": "ams"}], "destinations": [{"actors": "ams"}], "ingress_services": [{"port": 1, "proto": 6}]}'
```
Edit Enforcement Boundaries
```shell
curl -i -X PUT https://pce.my-company.com:8443/api/v2/orgs/1/sec_policy/draft/enforcement_boundaries/1 -H "Content-Type: application/json" -u $KEY:$TOKEN -d '{"name": "a4"}'
```

A fuller request body, combining labels, an IP list and mixed ingress_services entries:

```json
{
  "name": "a name here",
  "providers": [
    { "label": "/orgs/1/labels/13" },
    { "label": "/orgs/1/labels/15" },
    { "ip_list": "/orgs/1/sec_policy/draft/ip_lists/22" }
  ],
  "destinations": [
    { "actors": "ams" }
  ],
  "ingress_services": [
    { "href": "/orgs/1/sec_policy/draft/services/20" },
    { "port": 22, "proto": 6 },
    { "port": 8080, "to_port": 8088, "proto": 6 }
  ]
}
```
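The following is an added example, not Illumio's own client code, that assembles and validates an enforcement-boundary request body according to the Properties table above (actor forms for providers and destinations, port and protocol limits for ingress_services, the four required properties) and summarizes a GET response of the shape shown earlier. Actor hrefs are written in the object form the Properties table describes ({"href": ...}); the PCE hostname, org id, hrefs and the trimmed sample response are constructed placeholders. It goes slightly beyond the page's curl examples by rejecting malformed bodies before they are sent, which is where most "policy did not apply" surprises start.

```python
"""Build, validate and describe Illumio PCE enforcement-boundary payloads.

Added example, not Illumio's code. Encodes the Properties table rules:
providers/destinations are arrays of actor objects (label, label_group or
ip_list as {"href": ...}, or {"actors": "ams"} for all workloads);
ingress_services entries are a service href or a port/to_port/proto object
with ports in 0..65535 and proto 6 (TCP) or 17 (UDP).
Hostname, org id and hrefs used here are constructed placeholders.
"""
import json
import re

HREF_RE = re.compile(r"^/orgs/\d+/")          # every PCE object href starts this way
PROTO_NAMES = {6: "tcp", 17: "udp", -1: "all"}


def build_actor(label=None, label_group=None, ip_list=None, all_workloads=False):
    """One provider/destination entry; exactly one actor form is allowed."""
    if all_workloads:
        if label or label_group or ip_list:
            raise ValueError("'ams' cannot be combined with other actor forms")
        return {"actors": "ams"}
    chosen = [(k, v) for k, v in (("label", label), ("label_group", label_group),
                                   ("ip_list", ip_list)) if v]
    if len(chosen) != 1:
        raise ValueError("give exactly one of label, label_group, ip_list, all_workloads")
    key, href = chosen[0]
    if not HREF_RE.match(href):
        raise ValueError(f"{key} must be a PCE href like /orgs/1/labels/13, got {href!r}")
    return {key: {"href": href}}


def build_service(port=None, to_port=None, proto=None, href=None):
    """One ingress_services entry: an existing service href or a port/proto object."""
    if href is not None:
        if (port, to_port, proto) != (None, None, None):
            raise ValueError("a service href cannot carry port/to_port/proto")
        return {"href": href}
    if proto not in (6, 17):
        raise ValueError("proto must be 6 (TCP) or 17 (UDP)")
    svc = {"proto": proto}                     # no port => all ports of that protocol
    if port is not None:
        if not 0 <= port <= 65535:
            raise ValueError("port must be in 0..65535")
        svc["port"] = port
    if to_port is not None:
        if port is None:
            raise ValueError("to_port needs a starting port")
        if not port < to_port <= 65535:       # a single port must omit to_port
            raise ValueError("to_port must be greater than port and at most 65535")
        svc["to_port"] = to_port
    return svc


def build_enforcement_boundary(name, providers, destinations, ingress_services):
    """Assemble the POST/PUT body; all four properties are required and non-empty."""
    if not name or not name.strip():
        raise ValueError("name is required")
    body = {"name": name, "providers": list(providers),
            "destinations": list(destinations), "ingress_services": list(ingress_services)}
    for field in ("providers", "destinations", "ingress_services"):
        if not body[field]:
            raise ValueError(f"{field} must contain at least one entry")
    return body


def enforcement_boundaries_url(pce_host, org_id, pversion="draft", boundary_id=None):
    """URI from the methods table; pversion defaults to 'draft' as in the page's examples."""
    base = f"https://{pce_host}:8443/api/v2/orgs/{org_id}/sec_policy/{pversion}/enforcement_boundaries"
    return base if boundary_id is None else f"{base}/{boundary_id}"


def describe_actor(actor):
    """Readable name for an actor object as returned by the PCE."""
    if actor.get("actors") == "ams":
        return "all workloads"
    for key in ("label", "label_group", "ip_list"):
        if key in actor:
            obj = actor[key]
            if "key" in obj and "value" in obj:
                return f"{obj['key']}={obj['value']}"
            return obj.get("name") or obj.get("href")
    return "?"


def describe_service(svc):
    """Readable name for an ingress_services entry (expanded service or port object)."""
    if "service_ports" in svc:              # a referenced service object in a response
        return svc.get("name") or svc.get("href")
    if "port" not in svc:
        return f"all {PROTO_NAMES.get(svc.get('proto'), svc.get('proto'))} ports"
    rng = f"{svc['port']}-{svc['to_port']}" if "to_port" in svc else str(svc["port"])
    return f"{rng}/{PROTO_NAMES.get(svc['proto'], svc['proto'])}"


def summarize(boundary):
    """One line stating the actors and services a boundary (PCE response object) enforces."""
    src = ", ".join(describe_actor(a) for a in boundary["providers"])
    dst = ", ".join(describe_actor(a) for a in boundary["destinations"])
    svcs = ", ".join(describe_service(s) for s in boundary["ingress_services"])
    return f"{boundary['name']}: providers=[{src}] destinations=[{dst}] services=[{svcs}]"


# Constructed sample, trimmed to the shape of the GET response shown on this page.
SAMPLE_RESPONSE = {
    "href": "/orgs/1/sec_policy/draft/enforcement_boundaries/1",
    "name": "Dev to Prod separation",
    "providers": [{"label": {"href": "/orgs/1/labels/7", "key": "env", "value": "Production"}}],
    "destinations": [{"label": {"href": "/orgs/1/labels/9", "key": "env", "value": "Development"}}],
    "ingress_services": [{"href": "/orgs/1/sec_policy/draft/services/1", "name": "All Services",
                          "service_ports": [{"proto": -1}]}],
}


def rejects(fn, *args, **kwargs):
    """True when a builder refuses the input; used to exercise the validation paths."""
    try:
        fn(*args, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    body = build_enforcement_boundary(
        "a name here",
        providers=[build_actor(label="/orgs/1/labels/13"), build_actor(label="/orgs/1/labels/15"),
                   build_actor(ip_list="/orgs/1/sec_policy/draft/ip_lists/22")],
        destinations=[build_actor(all_workloads=True)],
        ingress_services=[build_service(href="/orgs/1/sec_policy/draft/services/20"),
                          build_service(port=22, proto=6),
                          build_service(port=8080, to_port=8088, proto=6)])
    print("POST", enforcement_boundaries_url("pce.my-company.com", 1))
    print(json.dumps(body, indent=2))
    print(summarize(SAMPLE_RESPONSE))
```

Sending the body is the same curl call as above with `-d "$(python3 build_eb.py)"` or any HTTP client; the point of the builder is that a boundary with an empty providers list, an out-of-range port, or a to_port on a single-port entry is rejected locally instead of being provisioned in a form you did not intend.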