About the Containment Switch Playbook

This playbook has a collection of procedures that do the following:

  1. Run an explorer query: This step runs an explorer query over the last week for a given port-protocol combination to find traffic to workloads that is marked as potentially blocked or unknown.

  2. Get a list of visibility-only workloads: This step parses the response from Step 1 and identifies the visibility-only workloads.

  3. Create a deny rule: This step creates a deny rule from all IPs to all workloads for the given port-protocol combination and provisions the object.

  4. Create a virtual service: This step creates a virtual service for the given port-protocol combination and provisions the object.

  5. Create workload bindings: This step binds workloads to the virtual service created in Step 4.

  6. Create allow rule: This step creates an allow rule from workloads to the virtual service.

  7. Change enforcement state: This step changes the enforcement state of visibility-only workloads to the selective state.

    Note

    The Containment Switch playbook will make changes on the PCE.

Each of the preceding steps is built into a function that is part of a function app.

During the deployment of a playbook, the function app needs specific context to execute properly. It uses the following environment variables:

....
,{
    "name": "PCE_FQDN",
    "value": "[variables('pceFQDN')]"
},
{
    "name": "PORT",
    "value": "[variables('port')]"
},
{
    "name": "ORG_ID",
    "value": "[variables('orgId')]"
},
{
    "name": "API_KEY",
    "value": "[variables('apiKey')]"
},
{
    "name": "API_SECRET",
    "value": "[variables('apiSecret')]"
},....

This playbook allows users to isolate a workload. It does the following:

  1. Queries the Illumio PCE for potentially blocked or unknown traffic for a given port-protocol combination.

    The following is an example of input to a playbook:

    {
     "protocol": 17, "port": 5354, "applyChanges": true
    }

    Here, "applyChanges" can be used to control whether or not the playbook should create objects on the PCE.

    • If this value is set to true, this playbook will create and provision changes, including workload enforcement changes.

    • If this value is set to false, the playbook will skip the create or modify object steps and will provide a summary of what will be done.

    Traffic Query results will still be available and visibility-only workloads will still be parsed from the response.

  2. After the query has completed, visibility-only workloads are parsed from the response.

  3. A deny rule is created where the source is "Any (0.0.0.0/0 and ::/0)" and the destination is All workloads.

  4. The workloads parsed from the response to the query in Step 1 are converted to the selective enforcement state.

  5. A virtual service is created for the port-protocol combination from Step 1 and the workloads identified in Step 1 are bound to the virtual service.

  6. A ruleset is created in which an allow rule from "Any (0.0.0.0/0 and ::/0)" to the virtual service from Step 5 is created and provisioned.
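The Step 2 filter and the applyChanges gate, as an added Python illustration that is not the function app's code. The flow-record shape, the enforcement_mode values and the sample Explorer response are assumptions constructed for the example, and the object names are hypothetical.

```python
# Constructed sample Explorer response. The record shape and enforcement_mode
# values are assumptions modelled on the PCE traffic_flows API, not real output.
SAMPLE_FLOWS = [
    {"dst": {"workload": {"href": "/orgs/1/workloads/w-a", "enforcement_mode": "visibility_only"}},
     "service": {"port": 5354, "proto": 17}, "policy_decision": "potentially_blocked"},
    {"dst": {"workload": {"href": "/orgs/1/workloads/w-b", "enforcement_mode": "full"}},
     "service": {"port": 5354, "proto": 17}, "policy_decision": "potentially_blocked"},
    {"dst": {"workload": {"href": "/orgs/1/workloads/w-c", "enforcement_mode": "visibility_only"}},
     "service": {"port": 5354, "proto": 17}, "policy_decision": "unknown"},
    {"dst": {"workload": {"href": "/orgs/1/workloads/w-c", "enforcement_mode": "visibility_only"}},
     "service": {"port": 5354, "proto": 17}, "policy_decision": "allowed"},
    {"dst": {"workload": {"href": "/orgs/1/workloads/w-d", "enforcement_mode": "visibility_only"}},
     "service": {"port": 443, "proto": 6}, "policy_decision": "potentially_blocked"},
    {"dst": {"ip": "10.0.2.99"},  # unmanaged destination: no workload object
     "service": {"port": 5354, "proto": 17}, "policy_decision": "unknown"},
]

TARGET_DECISIONS = {"potentially_blocked", "unknown"}
ANY_IP_LIST = "Any (0.0.0.0/0 and ::/0)"

def visibility_only_workloads(flows, port, proto):
    """Step 2: distinct destination workloads still in visibility-only mode that
    received potentially blocked or unknown traffic on the requested port/proto."""
    hrefs = []
    for flow in flows:
        wl = flow["dst"].get("workload")
        if wl is None or flow["service"] != {"port": port, "proto": proto}:
            continue  # unmanaged destination, or a different service
        if (flow["policy_decision"] in TARGET_DECISIONS
                and wl["enforcement_mode"] == "visibility_only"
                and wl["href"] not in hrefs):
            hrefs.append(wl["href"])
    return hrefs

def plan(payload, flows):
    """Steps 3-7 expressed as a change plan. With applyChanges false the
    playbook only reports this plan; with true it would provision it."""
    port, proto = payload["port"], payload["protocol"]
    targets = visibility_only_workloads(flows, port, proto)
    svc_name = f"containment-{port}-{proto}"  # hypothetical naming scheme
    return {
        "mode": "apply" if payload.get("applyChanges") else "summary",
        "deny_rule": {"from": ANY_IP_LIST, "to": "All workloads",
                      "service": {"port": port, "proto": proto}},
        "enforcement_change": {href: "selective" for href in targets},
        "virtual_service": {"name": svc_name, "service_ports": [{"port": port, "proto": proto}]},
        "bindings": targets,
        "allow_rule": {"from": ANY_IP_LIST, "to": svc_name},
    }
```

Running plan() with applyChanges set to false gives the same summary the playbook would report without touching the PCE; the already-enforced workload w-b and the allowed flow to w-c are correctly left out of the bindings and enforcement change.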