What is a SmartGroup?
A SmartGroup is a reusable construct created in CoPilot: a logical grouping of resources that are managed by Aviatrix. A SmartGroup may represent a department, a business unit, or another aspect of your organization, depending on how you group your resources. The resources you include in a SmartGroup can span different subscriptions, cloud accounts, regions, and VPC/VNets within your Aviatrix multicloud network. When you create your SmartGroups, you can classify them based on the following resource types:
- Virtual Machines
- Subnets
- VPC/VNets
The above resource types are only supported in public AWS, Azure, and GCP.
In GCP you configure ‘labels’ that can be selected as tags when creating your SmartGroup.
- IP addresses or CIDRs: for resources that are not tagged, you can directly specify IP addresses or CIDRs. Enter FQDNs in the DNS Hostnames resource type field.
At this time the maximum number of CIDRs that can be enforced in a SmartGroup is 10,000. This includes both CIDRs in CIDR groups and resolved CIDRs in tagged groups. See DCF Capabilities for details on ranges supported in the latest Controller release.
- DNS Hostnames: Enter Fully Qualified Domain Names (FQDNs).
- External connections (S2C): select the previously created external connection (ensure that the Enforcement on External Connections option is enabled first). You should only select an External Connection resource type if you plan to use this SmartGroup in a DCF rule, and if Enforcement on External Connections is enabled in Security > Distributed Cloud Firewall > Settings.
- Kubernetes Workloads (Namespace, Cluster, and/or Service).
- Kubernetes Nodes
Aviatrix Gateway IP addresses will not be included in any SmartGroup, even if a SmartGroup filter matches an Aviatrix Gateway IP address. If a subnet or VPC/VNet is added to an app domain, the Aviatrix Gateway IP addresses are removed from the corresponding CIDRs.
System-Defined SmartGroups
For convenience, CoPilot provides two system-defined (default) SmartGroups:
- Anywhere (0.0.0.0/0) - Represents all CIDR ranges or IP addresses.
- Public Internet - Represents non-RFC 1918 IP ranges, or the public Internet.
Viewing SmartGroup Details
You can click the SmartGroup name in the list to view its Group information (VM, IP/CIDR, or External Connection), Resources, and Rule References in the right-hand pane. On the Rule References tab, clicking on a rule opens this rule on the Distributed Cloud Firewall > Policies tab.
Features that use SmartGroups
Aviatrix features that use SmartGroups include:
- Aviatrix Distributed Cloud Firewall (DCF)