SmartGroups are a core component of the Aviatrix Distributed Cloud Firewall (DCF) that enable you to define and organize your network resources for security policy enforcement.

Overview

SmartGroups allow you to create logical groupings of resources based on various attributes and criteria. These groups serve as the source and destination endpoints in your distributed firewall rules, enabling you to define security policies that are dynamic and automatically adapt as your infrastructure changes.

Key Features

Dynamic Membership

SmartGroups automatically update their membership based on the defined criteria. When new resources are deployed that match the group’s criteria, they are automatically included in the group without manual intervention.

Flexible Matching Criteria

You can define SmartGroups using various attributes:
  • Tags: Match resources based on cloud provider tags (key-value pairs)
  • CIDR Blocks: Define groups based on IP address ranges
  • Resource Types: Group resources by their type (VPCs, VNets, instances, etc.)
  • Cloud Accounts: Match resources belonging to specific cloud accounts
  • Regions: Group resources by geographic region

Multi-Cloud Support

SmartGroups work consistently across all supported cloud providers (AWS, Azure, GCP, OCI), enabling you to create unified security policies for your multi-cloud environment.

Creating SmartGroups

To create a SmartGroup:
  1. Navigate to Security > Distributed Cloud Firewall > SmartGroups in CoPilot.
  2. Click + SmartGroup to create a new group.
  3. Provide a descriptive name for the group.
  4. Define the matching criteria using one or more filters.
  5. Save the SmartGroup.

SmartGroup Types

Application SmartGroups

Group resources based on application-specific tags or naming conventions. For example, create a SmartGroup for all resources tagged with app=web-frontend.

Environment SmartGroups

Organize resources by deployment environment such as production, staging, or development.

Network SmartGroups

Define groups based on network attributes like CIDR ranges or subnet classifications.

Best Practices

  • Use consistent tagging: Implement a standardized tagging strategy across your cloud environments to maximize the effectiveness of SmartGroups.
  • Keep groups focused: Create SmartGroups with specific purposes rather than overly broad criteria.
  • Document naming conventions: Establish clear naming conventions for SmartGroups to improve manageability.
  • Review membership regularly: Periodically audit SmartGroup membership to ensure accuracy.
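A membership review of the kind recommended above can be rehearsed offline. The following is an added example, not Aviatrix code and not a CoPilot API: it resolves tag, CIDR, account and region criteria against a constructed inventory and compares the result with a reviewed baseline. The field names, the sample resources and the rule that every criterion in a filter must match are assumptions of this example.

```python
import ipaddress

# Constructed inventory for illustration; the field names are assumptions of
# this example and do not represent a CoPilot export format.
INVENTORY = [
    {"name": "web-1", "type": "instance", "account": "prod-aws", "region": "us-east-1",
     "ip": "10.10.1.5", "tags": {"app": "web-frontend", "env": "production"}},
    {"name": "web-2", "type": "instance", "account": "prod-azure", "region": "eastus",
     "ip": "10.10.2.7", "tags": {"app": "web-frontend", "env": "production"}},
    {"name": "scratch-vm", "type": "instance", "account": "dev-aws", "region": "us-east-1",
     "ip": "10.99.0.12", "tags": {"app": "web-frontend", "env": "development"}},
    {"name": "db-1", "type": "instance", "account": "prod-aws", "region": "us-east-1",
     "ip": "10.10.9.20", "tags": {"app": "orders-db", "env": "production"}},
]

def matches(resource, criteria):
    """True when the resource satisfies every criterion (AND is assumed here)."""
    for key, wanted in criteria.items():
        if key == "tags":
            # Every listed tag key must be present with exactly the listed value.
            if any(resource["tags"].get(k) != v for k, v in wanted.items()):
                return False
        elif key == "cidr":
            if ipaddress.ip_address(resource["ip"]) not in ipaddress.ip_network(wanted):
                return False
        elif resource.get(key) != wanted:  # type, account, region
            return False
    return True

def members(criteria, inventory=INVENTORY):
    """Names of the resources the criteria currently resolve to."""
    return sorted(r["name"] for r in inventory if matches(r, criteria))

def audit(criteria, expected, inventory=INVENTORY):
    """Diff resolved membership against a reviewed baseline list of names."""
    actual, baseline = set(members(criteria, inventory)), set(expected)
    return {"unexpected": sorted(actual - baseline), "missing": sorted(baseline - actual)}

# A broad, tag-only filter beside a focused one (both hypothetical).
BROAD = {"tags": {"app": "web-frontend"}}
FOCUSED = {"tags": {"app": "web-frontend", "env": "production"}, "cidr": "10.10.0.0/16"}

if __name__ == "__main__":
    baseline = ["web-1", "web-2"]
    print("broad  :", members(BROAD), audit(BROAD, baseline))
    print("focused:", members(FOCUSED), audit(FOCUSED, baseline))
```

The tag-only filter admits scratch-vm from the development account because it carries the same app tag, which is the kind of drift a periodic review is meant to catch.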

Using SmartGroups in Firewall Rules

Once created, SmartGroups can be referenced in distributed firewall rules as source or destination endpoints. This allows you to create policies like:
  • Allow traffic from web-servers SmartGroup to database-servers SmartGroup on port 3306
  • Deny all traffic from development SmartGroup to production SmartGroup
  • Allow HTTPS traffic from any to public-facing-apps SmartGroup