SecureConnect Rules and Visibility-Only State
Illumio employs an allowlist security model. By default, workload-to-workload communication is blocked unless explicitly permitted by defined Illumio policy rules. Administrators create these explicit rules to allow only necessary traffic, significantly enhancing security.
SecureConnect Rules
Note
SecureConnect rules are only applied to workloads where the VEN is in a non-idle enforcement state.
However, unlike other rules, SecureConnect requires matching rules to be applied to the workloads on both sides of a connection. SecureConnect traffic is therefore not supported between two workloads when the VEN on either side is in the Idle state.
When working with SecureConnect rules in the visibility-only state, keep in mind that these rules:
Apply only to workloads in a non-idle enforcement state (Visibility Only, Selective, or Full Enforcement).
Require matching rules on both the source and the destination workload.
Are not supported for workloads in the Idle state.
The visibility-only state enforces nothing: the VEN continuously monitors and reports network traffic without blocking any of it. It is ideal for initial policy planning and traffic analysis. However, it may disrupt applications that depend on NAT or IP forwarding.
Blocked + Allowed Logging Mode
This mode logs:
Allowed traffic (explicitly permitted by a rule).
Blocked traffic (explicitly denied, or dropped because no rule permits it).
Potentially blocked traffic (not permitted by any rule, but let through because the workload is not enforcing).
Visibility Options by Enforcement Mode
These options are available for the selective and full enforcement modes:
Selective Enforcement Mode
Selective enforcement provides:
Off—There is no logging. The VEN does not collect any information about traffic connections. This option provides no Illumination detail and demands the least amount of system resources from a workload.
Blocked—Logs only blocked traffic. The VEN collects only the blocked connection details (source IP, destination IP, protocol, source port, and destination port), including all dropped packets. This option provides less Illumination detail but demands fewer system resources from a workload than Blocked + Allowed.
Blocked + Allowed—Logs both allowed and blocked traffic. The VEN collects the same connection details (source IP, destination IP, protocol, source port, and destination port) for allowed and blocked connections alike. This option provides rich Illumination detail but requires some system resources from a workload.
Enhanced Data Collection—Logs allowed and blocked connections together with byte counts and traffic flow metadata.
Full Enforcement Mode
Full enforcement blocks all non-explicitly allowed traffic, providing the highest level of security.
Visibility options mirror Selective Enforcement:
Off
Blocked
Blocked + Allowed
Enhanced Data Collection
Full enforcement is recommended after successful testing and validation of the allowlist model.
Enhanced Data Collection
As of release 25.2.10, Enhanced Data Collection can be enabled in all enforcement modes. Before release 25.2.10, it could be enabled only in Full Enforcement mode.
Enhanced Data Collection allows the VEN to log byte counts and connection details for Allowed, Blocked, and Potentially Blocked traffic.
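The allowlist verdicts, the per-VEN visibility options, and the two-sided SecureConnect requirement described above, modelled as an added example. This is not Illumio's code and uses no Illumio API: the Rule, Workload and Flow types and the sample policy are assumptions made for illustration, and selective enforcement is modelled as a set of enforced destination ports because the page does not define its scope.

```python
"""Model of Illumio allowlist verdicts and per-VEN logging (added example, not Illumio code)."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Mode(Enum):
    IDLE = "idle"                        # VEN installed, no policy applied
    VISIBILITY_ONLY = "visibility_only"  # report everything, never block
    SELECTIVE = "selective"              # block only within the enforced scope
    FULL = "full"                        # block everything no rule allows


class Visibility(Enum):
    OFF = "off"
    BLOCKED = "blocked"
    BLOCKED_ALLOWED = "blocked_allowed"
    ENHANCED = "enhanced"                # Blocked + Allowed plus byte counts


@dataclass(frozen=True)
class Rule:                              # hypothetical rule shape, keyed on workload names
    src: str
    dst: str
    port: int
    proto: str = "tcp"
    secure_connect: bool = False         # rule additionally requires SecureConnect


@dataclass(frozen=True)
class Workload:
    name: str
    mode: Mode
    visibility: Visibility
    rules: tuple = ()                    # rules applied to this workload's VEN
    # Assumption: selective enforcement is modelled as the destination ports this VEN enforces.
    enforced_ports: frozenset = frozenset()


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    proto: str = "tcp"
    nbytes: int = 0


def matching_rules(wl: Workload, flow: Flow) -> list:
    return [r for r in wl.rules
            if (r.src, r.dst, r.port, r.proto) == (flow.src, flow.dst, flow.port, flow.proto)]


def verdict(wl: Workload, flow: Flow) -> str:
    """Allowlist decision as seen by one VEN: allowed / blocked / potentially_blocked / unmanaged."""
    if wl.mode is Mode.IDLE:
        return "unmanaged"               # no policy applied, nothing decided or logged
    if matching_rules(wl, flow):
        return "allowed"
    if wl.mode is Mode.VISIBILITY_ONLY:
        return "potentially_blocked"     # let through, but would be dropped under enforcement
    if wl.mode is Mode.SELECTIVE and flow.port not in wl.enforced_ports:
        return "potentially_blocked"     # outside the enforced scope (assumption, see above)
    return "blocked"


def log_record(wl: Workload, flow: Flow) -> Optional[dict]:
    """What this VEN reports for the flow under its visibility setting, or None if nothing."""
    v = verdict(wl, flow)
    if v == "unmanaged" or wl.visibility is Visibility.OFF:
        return None
    if wl.visibility is Visibility.BLOCKED and v == "allowed":
        return None                      # Blocked logs only dropped and potentially blocked flows
    rec = {"workload": wl.name, "verdict": v, "src": flow.src, "dst": flow.dst,
           "proto": flow.proto, "port": flow.port}
    if wl.visibility is Visibility.ENHANCED:
        rec["bytes"] = flow.nbytes       # Enhanced Data Collection adds byte counts
    return rec


def secure_connect_supported(src_wl: Workload, dst_wl: Workload, flow: Flow) -> bool:
    """SecureConnect needs a matching SecureConnect rule applied on BOTH VENs, neither idle."""
    for wl in (src_wl, dst_wl):
        if wl.mode is Mode.IDLE:
            return False
        if not any(r.secure_connect for r in matching_rules(wl, flow)):
            return False
    return True


# Constructed sample policy: web -> db over 5432 is allowed with SecureConnect; nothing allows 22.
RULE_DB = Rule("web", "db", 5432, secure_connect=True)
WEB = Workload("web", Mode.VISIBILITY_ONLY, Visibility.BLOCKED_ALLOWED, rules=(RULE_DB,))
DB = Workload("db", Mode.FULL, Visibility.ENHANCED, rules=(RULE_DB,))
DB_SEL = Workload("db", Mode.SELECTIVE, Visibility.BLOCKED, rules=(RULE_DB,),
                  enforced_ports=frozenset({22}))
DB_IDLE = Workload("db", Mode.IDLE, Visibility.OFF, rules=(RULE_DB,))
SSH = Flow("web", "db", 22, nbytes=1200)
PG = Flow("web", "db", 5432, nbytes=48000)
HTTP_ALT = Flow("web", "db", 8080, nbytes=300)

if __name__ == "__main__":
    for wl in (WEB, DB, DB_SEL, DB_IDLE):
        for f in (SSH, PG, HTTP_ALT):
            print(wl.name, wl.mode.value, f.port, verdict(wl, f), log_record(wl, f))
    print("SecureConnect web->db:", secure_connect_supported(WEB, DB, PG))
    print("SecureConnect with idle db:", secure_connect_supported(WEB, DB_IDLE, PG))
```

Running the script shows the same SSH flow reported as potentially blocked by the visibility-only web workload and as blocked by the fully enforced db workload, the byte count appearing only in the Enhanced Data Collection record, and SecureConnect failing as soon as either side is idle even though the rule exists on both.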