
Illumio Security Policy Guide 25.4

Virtual Servers

Virtual servers in Illumio Segmentation for Data Centers contain a Virtual IP address (VIP) and port for service exposure, along with local IP addresses used to communicate with backend servers.

Each virtual server is assigned labels and has IP addresses, but it does not itself track traffic for Illumio Segmentation for Data Centers.

Each virtual server has a single VIP, while the local IP addresses serve as the source IP addresses for connections to pool members (backend servers) in SNAT or Auto-map mode. These local IP addresses might be shared among multiple virtual servers on the same server load balancer.

Virtual servers are identified by a set of labels. Sources and destinations can have different labels, placing them in the same or in different groups within Illumination. Sources may have an incomplete label set, which places them in all groups within the specified location. Therefore, a single virtual server may have sources in any group, or in any number of groups, within Illumination.

Virtual Server Members and Labels

When you add a load balancer to the PCE, the PCE connects to it through the load balancer's REST API. The PCE gathers the configuration of all of the load balancer's virtual servers and displays them on the Discovered Virtual Servers tab of the load balancer's details page. Any virtual server discovered on the load balancer can then be converted into a managed virtual server for use in PCE policy.

Labels are assigned to the virtual server in the PCE web console during its configuration. After the virtual server is set up, you can create a rule that allows external clients to connect to it.

The members of a virtual server are identified by the labels set on the Virtual Server Members tab of the virtual server's configuration. Four Illumio labels can be added there, mirroring the labels assigned to the workloads in the virtual server's pool. If a workload in the pool carries the same four labels specified on the Virtual Server Members tab, any rule created for the virtual server also applies to that workload. The match is on labels, not on pool membership: a workload in the pool whose labels differ from those on the tab in even one label is not covered by the rule.

The diagram illustrates how workloads part of the virtual server pool exhibit identical labels as those specified on the Virtual Server Members tab.

Figure: virtual_server_diagram.png (workloads in the virtual server pool carry the same labels as those on the Virtual Server Members tab)

Policy for Virtual Server

The rule you can write after you label a virtual server and its members has the following fields:

Rule

  • Source: Virtual Server (VIP)

  • Service from Source

  • Destination

Configure Virtual Servers

To manage virtual servers once a load balancer is incorporated into the PCE, you can assign each virtual server the complete set of four Illumio labels: Role, Application, Environment, and Location. Including labels on the virtual server allows you to incorporate them into a rule.

These four Illumio labels are added on the Virtual Server Members tab. If the labels set on the Virtual Server Members tab match the labels on workloads within the virtual server pool, any rule established for the virtual server also applies to those workload members.

The configuration of a load balancer's virtual servers involves three key settings:

  • Enforced or Not Enforced: Choosing 'Enforced' activates the rules that use the labels linked to the virtual server and its members. Choosing 'Not Enforced' leaves those labels inactive, so no policy is applied to the virtual server or its members through them.

  • Service: Select the service that rules permitting access to the virtual server use, such as HTTPD 80 TCP.

  • Labels: The four Illumio labels—Role, Application, Environment, and Location—must be assigned to the virtual server. Label assignment is essential for integrating the virtual server into rules.

Note

Virtual servers are regarded as elements of a security policy. Therefore, any modifications made to a virtual server configuration require provisioning before they become active and take effect.

Virtual Server Limitations
  • Illumination does not support virtual servers in location-level and application-level maps.

  • The Illumination map does not render correctly if a single SNAT pool is shared between multiple virtual servers.

  • SNAT and Auto-map modes of F5 virtual servers are supported. Transparent mode is not supported.

Note

You must provision your changes before any virtual server configuration takes effect.

Filter the Virtual Servers List

You can filter the Virtual Servers list by using the properties filter at the top of the list. For example, you can filter and search by label. You can also filter and search by the following objects:

  • Virtual server mode

  • Virtual IP address, the VIP port number, or VIP Protocol

  • Server Load Balancer
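The label matching described under Virtual Server Members, the three settings listed under Configure Virtual Servers (Enforced or Not Enforced, Service, Labels) and the list filters above, as an added Python example that is not Illumio's code and does not talk to a PCE or a load balancer: the classes, field names, sample virtual servers and workloads below are constructed assumptions; only the four label types, the two enforcement modes and the filter properties come from this guide.

```python
# Added example, not Illumio's code: an offline model of how a rule written
# for a labeled virtual server extends to its pool members, which settings
# must be present before the virtual server can appear in a rule, and how
# the Virtual Servers list is filtered. The classes, field names and the
# sample virtual servers and workloads are constructed assumptions; only the
# four label types, the Enforced/Not Enforced modes and the filter properties
# come from the guide. Nothing here talks to a PCE or a load balancer.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LABEL_KEYS = ("role", "app", "env", "loc")  # Role, Application, Environment, Location


@dataclass(frozen=True)
class Service:
    name: str
    port: int
    proto: str  # "tcp" or "udp"


@dataclass
class VirtualServer:
    name: str
    slb: str                        # server load balancer it was discovered on
    vip: str
    vip_port: int
    vip_proto: str
    mode: str                       # "enforced" or "not_enforced"
    service: Optional[Service]      # service used by rules that allow access to the VIP
    labels: Dict[str, str]          # labels on the virtual server itself
    member_labels: Dict[str, str]   # labels on the Virtual Server Members tab


@dataclass
class Workload:
    hostname: str
    labels: Dict[str, str]


def labels_complete(labels: Dict[str, str]) -> bool:
    """True when all four Illumio labels are set (required before use in a rule)."""
    return all(labels.get(k) for k in LABEL_KEYS)


def missing_settings(vs: VirtualServer) -> List[str]:
    """Settings still needed before the virtual server can be placed in a rule."""
    missing = []
    if vs.mode not in ("enforced", "not_enforced"):
        missing.append("mode")
    if vs.service is None:
        missing.append("service")
    if not labels_complete(vs.labels):
        missing.append("labels")
    if not labels_complete(vs.member_labels):
        missing.append("member labels")
    return missing


def matching_members(vs: VirtualServer, workloads: List[Workload]) -> List[Workload]:
    """Pool members a rule for this VS also covers: workloads whose four labels all
    equal the Members-tab labels. A difference in any one label (e.g. env=Dev
    instead of env=Prod) leaves that workload outside the rule's scope."""
    return [w for w in workloads
            if all(w.labels.get(k) == vs.member_labels.get(k) for k in LABEL_KEYS)]


def rule_scope(vs: VirtualServer, workloads: List[Workload]) -> Tuple[Optional[str], List[str]]:
    """(VIP endpoint, member hostnames) that a rule written for this VS applies to.
    Not Enforced: the labels are inactive, so the rule reaches nothing. An
    incompletely configured VS is refused rather than silently narrowed."""
    if vs.mode == "not_enforced":
        return None, []
    problems = missing_settings(vs)
    if problems:
        raise ValueError(f"{vs.name}: cannot be used in a rule, missing {', '.join(problems)}")
    vip = f"{vs.vip}:{vs.vip_port}/{vs.vip_proto}"
    return vip, [w.hostname for w in matching_members(vs, workloads)]


def filter_virtual_servers(vss: List[VirtualServer], *, label: Optional[Tuple[str, str]] = None,
                           no_label: bool = False, mode: Optional[str] = None,
                           vip: Optional[str] = None, vip_port: Optional[int] = None,
                           vip_proto: Optional[str] = None, slb: Optional[str] = None) -> List[str]:
    """Names of the virtual servers matching every given list-filter property."""
    out = []
    for vs in vss:
        if label is not None and vs.labels.get(label[0]) != label[1]:
            continue
        if no_label and vs.labels:
            continue
        if mode is not None and vs.mode != mode:
            continue
        if vip is not None and vs.vip != vip:
            continue
        if vip_port is not None and vs.vip_port != vip_port:
            continue
        if vip_proto is not None and vs.vip_proto != vip_proto:
            continue
        if slb is not None and vs.slb != slb:
            continue
        out.append(vs.name)
    return out


# Constructed sample data (not from any real PCE).
PROD_WEB = {"role": "Web", "app": "Store", "env": "Prod", "loc": "DC1"}
PROD_API = {"role": "API", "app": "Store", "env": "Prod", "loc": "DC1"}
VIRTUAL_SERVERS = [
    VirtualServer("store-web-vip", "bigip-01", "10.0.0.10", 80, "tcp", "enforced",
                  Service("HTTP", 80, "tcp"), dict(PROD_WEB), dict(PROD_WEB)),
    VirtualServer("store-api-vip", "bigip-01", "10.0.0.20", 443, "tcp", "not_enforced",
                  Service("HTTPS", 443, "tcp"), dict(PROD_API), dict(PROD_API)),
    VirtualServer("legacy-vip", "avi-01", "10.0.0.30", 8080, "tcp", "enforced",
                  None, {}, {}),   # discovered but never labeled: unusable in a rule
]
WORKLOADS = [
    Workload("web-01", dict(PROD_WEB)),
    Workload("web-02", dict(PROD_WEB)),
    Workload("web-03", {**PROD_WEB, "env": "Dev"}),   # in the pool, but one label differs
    Workload("db-01", {"role": "Database", "app": "Store", "env": "Prod", "loc": "DC1"}),
]

if __name__ == "__main__":
    for vs in VIRTUAL_SERVERS:
        print(vs.name, missing_settings(vs) or rule_scope(vs, WORKLOADS))
```

Running the module prints, for each sample virtual server, either the settings it still lacks or the VIP endpoint and the pool members a rule would reach. The case worth checking in a real deployment is the one web-03 shows: a workload that is in the load balancer pool but carries a different label is outside the rule's scope, and the fix is to correct its labels, not to widen the rule.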

Configure a Load Balancer's Virtual Servers
  1. Choose Policy Objects > Virtual Servers.

  2. Filter the list by any of the following categories:

    1. Name

    2. Labels

    3. No Label

    4. VIP

    5. VIP Port number

    6. VIP Protocol

    7. Server Load Balancer

    8. Enforcement

Virtual Server Load Balancers

Illumio Segmentation for Data Centers supports activation of enforcement on F5 BIG-IP Local Traffic Manager (LTM), BIG-IP Advanced Firewall Manager (AFM), and AVI Vantage systems.