Ruleset and Labeling Guidelines for Endpoints
Caution
Illumio strongly recommends that you follow these guidelines when creating rulesets and labels for endpoints. When you enforce policy on servers for clients that change their IP addresses frequently, the policy enforcement points (PEPs) must continuously update their security rules to track those IP address changes. These frequent changes can cause performance and scale challenges and cause the ipsets of protected workloads to churn.
Label Endpoints
Because endpoints paired to a Core PCE appear like any other workload, label them in a way that makes them easily distinguishable from other workloads. Illumio recommends that you label endpoints with a single Application label such as "Endpoints" and use the Role label type for endpoint sub-groups. Use these conventions consistently throughout your implementation.
About Rulesets That Use Workload Subnets for Endpoints
When you create policies that allow endpoints to communicate with destination servers, Illumio recommends that you use the endpoints’ subnets for enforcement on the servers rather than the individual IP addresses. You can do this using the “Use Workload Subnets” option when writing rules that apply to endpoints. In general, take this approach:
Write your endpoint to server policies using labels, as you would write any other policy.
If the provider or consumer of a rule includes endpoints (either by using the endpoint label directly, or by using “All Workloads”), select “Use Workload Subnets” on that side of the rule. You can do this by enabling “Advanced Options” in the provider/consumer drop-down, and then clicking “Use Workload Subnets”.
Be careful with broad, label-based rulesets that do not use endpoint subnets, such as All | All | All rules that specify broad environments or locations, or rulesets that involve large sets of server workloads. Providers in these situations are particularly susceptible to frequent policy changes caused by changes in endpoint network connectivity. As an example of a scenario to avoid, suppose your endpoints are consuming services provided by Active Directory (AD) servers and your endpoint policies specify the AD servers' labels without specifying Use Workload Subnets on the consumer. In this label-to-label policy scenario involving endpoints, any change in endpoint connectivity triggers policy updates on the AD servers. Because the network connections on endpoints tend to change frequently, the firewall policy on the AD servers also changes frequently. Depending on the size of your implementation, the churn could be significant. However, if Use Workload Subnets is enabled, the firewall policy on the AD servers only needs to be updated when the list of subnets changes, not when individual IPs change. This leads to significantly fewer firewall updates, faster policy convergence, and potentially a better experience for end users who are connecting to applications from Illumio-managed endpoints.
Use Workload Subnets
When Use Workload Subnets is selected, the PCE auto-detects the subnets based on the IP addresses and netmasks reported by all VENs with those labels. For example, if Use Workload Subnets is used with the A:Endpoint application label, the peer servers are programmed with the subnets from all workloads with the A:Endpoint label. If Use Workload Subnets is used with the A:Endpoint application label and the L:US location label, the peer servers are programmed with the subnets from all workloads with both the A:Endpoint and L:US labels. If workloads with the labels A:Endpoint and L:EU are in a disjoint subnet from the A:Endpoint and L:US workloads, the EU subnets are not programmed on the peer servers.
Create Rulesets that Use Workload Subnets for Endpoints
Add or edit a rule:
Go to Rulesets and Rules > Rulesets.
Click on a ruleset > Rules.
Locate the rule and click the edit (pencil) icon.
Under Consumers (or Providers, whichever side of the rule includes endpoints), click the down arrow, enable Advanced Options, and choose Use Workload Subnets.