Labels and Label Groups
Create a Label
From the PCE web console menu, choose Policy Objects > Labels.
On the Labels page, click Add.
Enter a label name (such as "Web") and select a label type (such as "Role").
Click Save.
Rules for Naming Labels
If you create an additional label type with a space in the 'key' (such as ven type), you can not group by that label type.
The label will initially display, but when you add a check mark and apply the new label, it will be unchecked.
To make sure any new label types are properly added, keep the following rules in mind:
Style | Name | Key | Correct Yes/No |
|---|---|---|---|
Ven Type | Ven Type | ven type | No |
new_label | new_label | newLabel | Yes |
t e s t | t e s t | t e s t | No |
name space | name space | namespace | Yes |
keyspace | keyspace | key space | No |
Make sure that the Key does not contain spaces.
Label Types
Label | Description |
|---|---|
Role  | This label type allows you to describe the “role” (or function) of a workload. In a simple two-tier application consisting of a web server and a database server, there would be two roles: Web and Database. You can use the same role as many times as you want in other rulesets for different applications. |
Application  | This label type allows you describe the application that a workload supports. When two servers in a two tier application have a relationship with one another because one provides a service (like a database) to another, they likely constitute an application. If an organization has 100 applications, and each application has a separate web role and separate database role, the application role separates each one of the Web and Database role. |
Environment  | This label type allows you to describe a workload based upon its stage in the product development lifecycle, such as QA, staging and production. |
Location  | This label type allows you to describe a workload based on its location. For example, Germany, the US, Europe, and Asia. Or, Rack #3, Rack #4, Rack #5; or data center AWS-east1, AWS-east2, and so on. |
Additional Dimensions
A given workload cannot have more than one label per type. It’s possible to allow a workload that uses a service or services or across boundaries to communicate; for example, if a server is playing multiple roles, such as a database server used by two different applications, Illumio recommends that you create different role labels for that workload.
Label Workloads
You apply labels to workloads to identify their function or purpose in an application (Role label), the application they belong to (Application label), their network environment (Environment label), and their location (Location label). After a workload is labeled, you can write rules using the labels you applied.
After you create a label, you can label a workload in two ways:
Automatically label the workloads when you pair them by adding labels in the pairing profile. (See "Pairing Profiles" in VEN Installation and Upgrade Guide for the Core 21.2.3 VEN.)
Add labels to the workload on the"workloads" page. Select from the left navigation menu in the PCE web console panel, and click Edit to select any or all of the four label types to apply to the workload.
Edit Labels for Multiple Workloads
You can add, modify, or remove labels on multiple workloads. This approach saves time when you want to apply or remove the same label or set of labels to more than one workload at a time. Previously, if you wanted to delete a Label and it was in use by a Virtual Server, you would not know if it was in use or not. In the Illumio Core 20.1.0 release and higher, on the Labels page, the "In use by" column includes Virtual Servers. The Labels' summary page also displays the "In Use By Virtual Servers Yes/No" field.
Note
Keep in mind that label changes do not require provisioning, so mass label changes can potentially have a major impact on your rulesets, rules, and overall security policy.
From the PCE web console menu, choose Workloads and VENs > Workloads.
From the left side of the Workloads list, select the workloads you want to change labels for.
From the top of the Workloads list, click Edit Labels.
A dialog box appears asking if you are sure you want to edit labels for multiple workloads.
Click OK.
In the Edit Labels dialog box, you can add or remove labels assigned to the selected workloads. The top of the dialog indicates how many workloads will be affected by the label change. Depending on the assigned labels, you have three general options:
When the selected workloads share the exact same label of a specific type (for example, Role), you can change the current label by clicking the little X on the label to remove it. Then, you can type or select a new label assignment.
When the selected workloads have different labels of the same type, faded text in the Label field indicates that the workloads contain multiple labels of that type. You can click in the Label field and add a new label.
When you remove a label assignment, that label is removed from all selected workloads.
When you are finished, click OK.
System Default “All” for Labels
When you log into the PCE for the first time as the organization owner, the following default labels are provided:
Label | Description |
|---|---|
Role | Web, Database, API, Mail, Single Node App, Load Balancer |
Environment | Production, Stage, Dev, Test |
Applications | None |
Location | None |
The built-in (default) Environment, Application, and Location labels are defined as “All,” which enables you to create broad policies to cover All Applications, All Environments, and All Locations.
To avoid confusing policy writers, Illumio recommends not creating labels named “All Applications,” “All Environments,” or “All Locations” (exactly as written in quotes).
When you attempt to create labels of these types with the exact name as the system defaults, for example “All Applications,” an “HTTP 406 Not Acceptable” error will be displayed.
Note
You can modify or delete these default labels at any time.
Label Groups
Label groups help you write your security policy more efficiently when you use the same labels repeatedly in rulesets. When you add those labels to a label group, the label group can be used in a rule or scope as a shortcut or an alias for multiple labels. The Label Groups list pages can contain up to 10,000 label groups and the individual Label Groups pages can contain up to 10,000 members. You can use filters to find labels or label groups.
For example, you have workloads residing in data centers in Dallas, New York, and Washington and you want to apply a rule to all those workloads. Instead of using the labels for Dallas, New York, and Washington in three separate rules, you can define a Location label group named US, add those three location labels to the label group, and use the US label group.
Label groups are displayed as a list that includes the following details:
Provision status
Name of the label group
Type (Role, Application, Environment, Location)
When it is currently in use by a ruleset, label group, and static policy
Last modified date and time
User who last modified the label group
Policy Calculation Using Label Groups
Label groups can be nested, so it is important to understand how label groups can affect policy.
Note
You cannot assign a label group to a workload - only individual labels can be applied to workloads. Label groups can only be used in rulesets.
Create a Label Group
Create label groups when you want to combine several labels that share common characteristics into a single label category. After the labels are added to a Label Group, you can use the label group in a rule.
From the PCE web console menu, choose Policy Objects > Label Groups.
On the Label Groups page, click Add.
In the Add Label Group page, choose the label type and enter a name for the label.
Click Save.
In the Members tab, enter a label name to find labels to add to the group, and then click Add. You can add as many labels (or label groups) of the same type to the group.
Use a Label Group in a Rule
When you use a label group in a rule, it is expanded into multiple rules. Cross-communication is allowed.
For example, the Non-Prod label group is used again here, but in the rule, not the scope, which allows for cross-communication.
Scope:
App: HRM
Env: All
Loc: US
Rule:
Providers: Non-prod DB
Services: MySQL
Consumers: Non-prod DB
This means “allow MySQL from Non-Prod DB to Non-Prod DB for the HRM application in All environments located in the US" and would allow the following communication:
HRM | Dev | US | DB ← HRM | Dev | US | DB
HRM | Dev | US | DB ← HRM | QA | US | DB
HRM | Dev | US | DB ← HRM | Stage | US | DB
HRM | QA | US | DB ← HRM | Dev | US | DB
HRM | QA | US | DB ← HRM | Stage | US | DB
Use a Label Group in a Scope
When you use a label group in a scope, it is expanded into multiple scopes. Cross-communication is not allowed.
For example, to create a scope that applies to all environments except production, first create a Non-Prod label group, which consists of labels for the Dev, QA, and Stage environments.
Scope:
App: HRM
Env: Non-prod
Loc: US
Rule:
Providers: DB
Services: MySQL
Consumers: DB
This means “workloads in all Non-Prod environments (Dev, QA, and Stage) can communicate within their environments with the DB using MySQL” and would allow the following communication:
HRM | Dev | US | DB ← HRM | Dev | US | DB
The following communication would not be allowed, since the Environment labels are different and cross-communication is not allowed:
HRM | Dev | US | DB ← HRM | QA | US | DB
and
HRM | Dev | US | DB ← HRM | Stage | US | DB
Filtering Labels and Label Groups
You can use the property filter at the top of the Policy Objects > Labels or Label Groups pages to find the label or labels groups you are looking for.
You can filter by label type and exact label name on the Labels or Label Groups page. Similarly, you can filter by label name, description, and provision status on the Label Groups page.
To filter Labels, select Name or Type.
Select Name, Description, Provision Status, or Type to filter Label Groups.