FQDN Visibility
Illumio requires no new configuration to gain visibility into outbound traffic towards FQDNs. However, you can create Illumio policy objects representing an FQDN or a list of FQDNs. In the following example, Illumination presents outbound FQDN flows when no policy objects have been created: a web server is fetching updates from us-west-1.ec2.archive.ubuntu.com.
You can create an Illumio policy object, such as an IP list or a virtual service representing the FQDN.
Create Policy Objects for FQDNs
IP List
By default, IP lists can describe IP ranges, groups, and subnets. From the 19.1.0 release on, IP lists can also describe FQDNs.
You can use the previous example (us-west-1.ec2.archive.ubuntu.com) to create an IP list for FQDNs:
From the PCE web console menu, choose Policy Objects > IP Lists.
Click Add.
Enter a name (can be a custom name).
In the IP Addresses and FQDNs field, enter one or multiple FQDNs (wildcards are supported).
Click Save.
Provision the changes.
Important
You can select the checkbox "Disable validation of IP addresses and FQDNs." When working with large sets of IP addresses and FQDNs, it is recommended that you disable real-time IP address and FQDN validation for performance reasons.
The following methods of describing the specific FQDN are supported:
Supported examples
us-west-1.ec2.archive.ubuntu.com
*.ec2.archive.ubuntu.com
*.*.archive.ubuntu.com
*.*.*.ubuntu.com
You can use a wildcard in the IP list, such as *.ec2.archive.ubuntu.com.
Virtual Service
When you have created an IP list to describe the FQDN, you do not need to create a virtual service to describe the same FQDN.
You should only create a virtual service for an FQDN when you do not want to create an IP list:
From the PCE web console menu, choose Policy Objects > Virtual Services.
Click Add.
Enter a name.
Enter a service or port.
Enter your R-A-E-L (Role, Application, Environment, Location) labels for the FQDN.
Click Add FQDN and enter an FQDN.
Click Save.
Provision the changes.
Based on the example above (us-west-1.ec2.archive.ubuntu.com), the following methods of describing that specific FQDN are supported, and the ones listed after them are valid syntax that does not describe it.
Supported
us-west-1.ec2.archive.ubuntu.com
us-west-1.ec2.*.ubuntu.com
*.ec2.*.ubuntu.com
us-*.ec2.archive.ubuntu.com
The syntax below is supported, but does not describe the FQDN in the example.
ubuntu.com
*.ubuntu.com
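The supported and "supported but does not describe the FQDN" lists above (for both IP lists and virtual services) imply a simple rule: a wildcard stands in for characters within a single DNS label and never spans a dot, which is why *.ubuntu.com does not cover the four-label example host. The matcher below is an added illustration of that inferred rule, not Illumio's own validation code; it assumes exactly that label-wise semantics, and can be used to check candidate IP list entries against FQDNs observed in Illumination before provisioning.

```python
import re

# Added example, not Illumio code. Assumption: "*" matches one or more
# characters inside a single DNS label and never crosses a dot, which
# reproduces the supported / does-not-describe outcomes listed on this page.

EXAMPLE_FQDN = "us-west-1.ec2.archive.ubuntu.com"


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate an FQDN pattern such as '*.ec2.*.ubuntu.com' into a regex.

    Each '*' becomes '[^.]+', so it can match a whole label or part of one
    (as in 'us-*'), but never a dot, so the label count must match exactly.
    """
    labels = pattern.lower().rstrip(".").split(".")
    if any(label == "" for label in labels):
        raise ValueError(f"empty label in pattern {pattern!r}")
    escaped = [re.escape(label).replace(r"\*", "[^.]+") for label in labels]
    return re.compile(r"^" + r"\.".join(escaped) + r"$")


def fqdn_matches(pattern: str, fqdn: str) -> bool:
    """True if the policy-object pattern describes the given FQDN."""
    return pattern_to_regex(pattern).match(fqdn.lower().rstrip(".")) is not None


def covering_patterns(patterns, fqdn: str):
    """Return, in order, the patterns from an IP list that describe fqdn.

    An empty result means an observed flow to fqdn would not be covered by
    the list, which is worth catching before the rule is provisioned.
    """
    return [p for p in patterns if fqdn_matches(p, fqdn)]


if __name__ == "__main__":
    candidates = [
        "us-west-1.ec2.archive.ubuntu.com",  # exact name
        "*.ec2.archive.ubuntu.com",          # IP list example
        "*.*.*.ubuntu.com",                  # IP list example
        "us-west-1.ec2.*.ubuntu.com",        # virtual service example
        "us-*.ec2.archive.ubuntu.com",       # wildcard inside a label
        "*.ubuntu.com",                      # valid syntax, too shallow
        "ubuntu.com",                        # valid syntax, too shallow
    ]
    for p in candidates:
        verdict = "describes" if fqdn_matches(p, EXAMPLE_FQDN) else "does not describe"
        print(f"{p:36} {verdict} {EXAMPLE_FQDN}")
```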
Write Policies to Allowlist FQDNs
IP List
The syntax and ruleset structure for IP list policies do not change for FQDNs.
Ruleset Scope Example

| Application | Environment | Location |
|---|---|---|
| HRM | Production | All Locations |

Intra-Scope Rule Example

| Destination | Providing Service | Source | Note |
|---|---|---|---|
| *.ec2.archive.ubuntu.com (IP List object) | All Services | Web | You can use 80 TCP as the providing service |
Virtual Service
Writing a policy against a virtual service for an FQDN is the same as writing a policy for an IP-based virtual service.
See the following example that uses the Ubuntu Repo (*.ec2.archive.ubuntu.com):
Ruleset Scope Example

| Application | Environment | Location |
|---|---|---|
| HRM | Production | All Locations |

Intra-Scope Rule Example

| Destination | Providing Service | Source | Note |
|---|---|---|---|
| Ubuntu repo (Virtual Service Role label for *.ec2.archive.ubuntu.com) + Uses Virtual Services Only | Derived from Destination Virtual Service | Web | Two objects are selected in the Destination column: one is the Role label, and the other is called "Uses Virtual Services Only" |