Manage SmartGroups
This section describes SmartGroups and how they can be used for implementing different Aviatrix features.
What is a SmartGroup?
A SmartGroup is a reusable construct, created in Aviatrix PaaS, that logically groups resources managed by Aviatrix. A group can represent a department, a business unit, or any other aspect of your organization, depending on how you choose to group your resources.
The resources in a SmartGroup can span different subscriptions, cloud accounts, regions, and VPCs/VNets within your Aviatrix multicloud network.
Because a SmartGroup is reusable, it can be queried by multiple Aviatrix features, and it can contain one resource or many.
When you create your SmartGroups, you can classify them based on:
- CSP resource tags: these tags identify the resources you want to group. This is the preferred classification method, because new resources created in the Cloud with the same set of tags are included automatically. In GCP you configure 'labels', which can be selected as tags when creating your SmartGroup.
- Resource attributes: classify by account or region.
- IP addresses or CIDRs: for resources that are not tagged, you can directly specify IP addresses or CIDRs.
Aviatrix Gateway IP addresses are never included in any SmartGroup, even if a SmartGroup filter matches an Aviatrix Gateway IP address. If a subnet or VPC/VNet is added to a SmartGroup, the Aviatrix Gateway IP addresses are removed from the corresponding CIDRs.
Tips for Creating SmartGroups
- A SmartGroup can consist of one or multiple Resource Types. Some planning may be required to ensure that your SmartGroups produce the desired results.
- AND logic is applied to the conditions you add within a Resource Type: a resource is matched by that Resource Type only if it meets all of its conditions.
- If you add more than one Resource Type (of the same type as before, or a different type), OR logic is applied between the Resource Types: a resource is a member if it meets all the conditions of the first Resource Type, or all the conditions of the second, and so on. A DCF rule that references the SmartGroup therefore applies to any resource matched by any one of its Resource Types.
System-Defined SmartGroups
For convenience, Aviatrix PaaS provides two system-defined (default) SmartGroups:
- Anywhere (0.0.0.0/0) - Represents all CIDR ranges or IP addresses.
- Public Internet - Represents non-RFC 1918 IP ranges, that is, the public Internet. This is always used as the Destination when creating DCF Egress rules.
System-defined SmartGroups cannot be deleted.
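The matching semantics above (AND within a Resource Type, OR between Resource Types, Aviatrix Gateway addresses always excluded, and the two system-defined groups) are easy to get wrong when planning a group. The following Python model is an added example written for this page; it is not Aviatrix code and does not use the Aviatrix API. The Resource and Selector shapes, the class names, and the sample inventory are assumptions constructed for illustration, and "Public Internet" is modelled literally as "not RFC 1918", exactly as the page defines it.

```python
"""Illustrative model of SmartGroup matching as described on this page.
Not Aviatrix code or API; shapes, names and sample data are assumptions."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# RFC 1918 private ranges; the page defines "Public Internet" as their complement.
RFC1918 = tuple(ipaddress.ip_network(c) for c in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))
ANYWHERE = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Resource:
    """A cloud resource as the controller might inventory it (assumed shape)."""
    name: str
    ip: str
    account: str = ""
    region: str = ""
    tags: Tuple[Tuple[str, str], ...] = ()   # CSP tags / GCP labels as (key, value)
    is_gateway: bool = False                 # Aviatrix Gateways are never members


@dataclass
class Selector:
    """One Resource Type block: every condition set here must hold (AND)."""
    tags: Dict[str, str] = field(default_factory=dict)
    account: Optional[str] = None
    region: Optional[str] = None
    cidrs: Tuple[str, ...] = ()              # direct IP/CIDR match for untagged hosts

    def matches(self, r: Resource) -> bool:
        rtags = dict(r.tags)
        if any(rtags.get(k) != v for k, v in self.tags.items()):
            return False
        if self.account is not None and r.account != self.account:
            return False
        if self.region is not None and r.region != self.region:
            return False
        if self.cidrs:
            addr = ipaddress.ip_address(r.ip)
            if not any(addr in ipaddress.ip_network(c) for c in self.cidrs):
                return False
        return True


@dataclass
class SmartGroup:
    """Resource Type blocks combined with OR; gateway IPs always excluded."""
    name: str
    selectors: List[Selector]

    def members(self, inventory: List[Resource]) -> List[str]:
        return sorted(r.name for r in inventory
                      if not r.is_gateway
                      and any(s.matches(r) for s in self.selectors))


def in_anywhere(ip: str) -> bool:
    """System-defined 'Anywhere' (0.0.0.0/0): every IPv4 address."""
    return ipaddress.ip_address(ip) in ANYWHERE


def in_public_internet(ip: str) -> bool:
    """System-defined 'Public Internet', read literally as 'not RFC 1918'.
    This literal reading also admits other special-use space (e.g. 169.254/16);
    the page does not say how the product treats such ranges (assumption)."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in n for n in RFC1918)


def effective_cidrs(cidr: str, gateway_ips: List[str]) -> List[ipaddress.IPv4Network]:
    """A subnet/VPC CIDR as a SmartGroup holds it: each Gateway /32 carved out."""
    nets = [ipaddress.ip_network(cidr)]
    for gw in gateway_ips:
        gw_net = ipaddress.ip_network(f"{gw}/32")
        carved = []
        for n in nets:
            carved.extend(n.address_exclude(gw_net) if gw_net.subnet_of(n) else [n])
        nets = carved
    return nets


def cidrs_contain(nets: List[ipaddress.IPv4Network], ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


# Constructed sample inventory (not real resources).
INVENTORY = [
    Resource("web1", "10.0.1.10", "acct-a", "us-east-1",
             (("app", "payments"), ("env", "prod"))),
    Resource("web2", "10.0.1.11", "acct-a", "us-east-1",
             (("app", "payments"), ("env", "dev"))),       # fails the AND on env
    Resource("legacy", "10.20.5.7", "acct-b", "eu-west-1"),   # untagged; caught by CIDR
    Resource("gw-eu", "10.20.0.4", "acct-b", "eu-west-1", is_gateway=True),
]

# Two Resource Type blocks: (app=payments AND env=prod) OR (ip in 10.20.0.0/16)
PAYMENTS = SmartGroup("payments", [
    Selector(tags={"app": "payments", "env": "prod"}),
    Selector(cidrs=("10.20.0.0/16",)),
])

if __name__ == "__main__":
    print(PAYMENTS.members(INVENTORY))                 # ['legacy', 'web1']
    print(effective_cidrs("10.20.0.0/24", ["10.20.0.4"]))
```

Running the module shows the planning pitfalls directly: web2 is left out because the env condition fails the AND, legacy is pulled in by the second Resource Type even though it carries no tags, and the gateway at 10.20.0.4 is excluded although the CIDR block matches it. The 172.16.0.0/12 boundary in in_public_internet is the one most often misjudged by hand (172.31.255.255 is private, 172.32.0.1 is not).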
Features that use SmartGroups
Aviatrix features that use SmartGroups include:
- Aviatrix Distributed Cloud Firewall (DCF): Distributed Cloud Firewall provides granular network security policies for distributed applications in the Cloud. It enforces network policy between the SmartGroups you define, within a single Cloud or across multiple Clouds. You configure rules to filter traffic between the applications residing in those SmartGroups.