About Groups
Groups in CoPilot serve as versatile constructs for organizing and managing Aviatrix resources within multicloud networks. These groupings allow for the logical organization of resources across different subscriptions, cloud accounts, regions, and VPC/VNets, catering to various organizational structures or aspects. They are reusable and support seamless querying for diverse Aviatrix features. While some groups focus on filtering and securing internet-bound traffic, others aid in threat protection or provide geographical context for implementing location-based policies. Together, these groups offer a comprehensive solution for resource organization, security, and management within Aviatrix deployments.
You can clone SmartGroups and GeoGroups by clicking the vertical ellipsis icon next to the group and selecting Clone SmartGroup or Clone GeoGroup.
You must create the groups (SmartGroups, WebGroups, ThreatGroups, and GeoGroups) and external connections you need before creating any Distributed Firewall rules that utilize these groups or external connections. WebGroups, GeoGroups, and ThreatGroups are only visible if the Distributed Cloud Firewall feature is enabled. |
Managing SmartGroups
This section describes SmartGroups and how they can be used for implementing different Aviatrix features.
What is a SmartGroup?
A SmartGroup is a reusable construct created in CoPilot that is a logical grouping of your resources that are managed by Aviatrix. The grouping of resources may represent various departments or business units, or other aspects of your organization based on how you group your resources.
The resource(s) you include in a SmartGroup can span different subscriptions, cloud accounts, regions, and VPC/VNets within your Aviatrix multicloud network.
When you create your SmartGroups, you can classify them based on the following resource types:
-
CSP resource tags (Cloud Tags): these tags identify resources you can group. This is the preferred classification method, as this automatically includes new resources created in the Cloud with the same set of tags. In GCP you configure 'labels' that can be selected as tags when creating your SmartGroup.
Tagged SmartGroups will not resolve for remote sites. -
Resource attributes: classify by account or region.
-
IP addresses or CIDRs: for resources that are not tagged, you can directly specify IP addresses or CIDRs.
At this time the maximum number of CIDRs that can be enforced in a SmartGroup is 10,000. This includes both CIDRs in CIDR groups and resolved CIDRs in tagged groups. See DCF Capabilities for details on ranges supported in the latest Controller release.
-
External connections (S2C): select the previously created external connection (ensure that the Enforcement on External Connections option is enabled first).
Aviatrix Gateway IP addresses will not be included in any SmartGroup, even if a SmartGroup filter matches an Aviatrix Gateway IP address. If a subnet or VPC/VNet is added to an app domain, the Aviatrix Gateway IP addresses are removed from the corresponding CIDRs.
Tips for Creating SmartGroups
-
A SmartGroup can consist of one or multiple Resource Types. Some planning may be required to ensure that your SmartGroups produce the desired results.
-
AND logic is applied to the conditions you add to a Resource Type. All the conditions within the Resource Type must be met.
-
If you add more than one Resource Type (the same type as before, or a different type), OR logic is applied between the multiple Resource Types. The DCF rule that contains this SmartGroup will match all the conditions in the first Resource Type, OR match all the conditions in the second Resource Type, and so on.
System-Defined SmartGroups
For convenience, CoPilot provides two system-defined (default) SmartGroups:
-
Anywhere (0.0.0.0/0) - Represents all CIDR ranges or IP addresses.
-
Public Internet - Represents non-RFC 1918 IP ranges, or the public Internet.
System-defined SmartGroups cannot be deleted.
Viewing SmartGroup Details
You can click the SmartGroup name in the list to view its Group information (VM, IP/CIDR, or External Connection), Resources, and Rule References in the right-hand pane.
Features that use SmartGroups
Aviatrix features that use SmartGroups include:
-
Aviatrix Distributed Cloud Firewall (DCF)
Distributed Cloud Firewall uses micro-segmentation to provide granular network security policies for distributed applications in the Cloud. Distributed Cloud Firewall enables network policy enforcement between SmartGroups you define in a single Cloud or across multiple Clouds. You can configure policies to filter traffic between applications residing in the SmartGroups.
For more information about using SmartGroups for DCF, see Secure Networking with Distributed Cloud Firewall.
Managing WebGroups
If the Distributed Cloud Firewall (DCF) feature is disabled, WebGroups are not available. |
WebGroups are groupings of domains or URLs, inserted into DCF rules, that filter (and provide security to) Internet-bound traffic. WebGroups in DCF are only supported on Spoke Gateways and Public Subnet Filtering (PSF) Gateways.
From this tab you can save views, filter intrusion results, and download the results in a CSV file.
To filter HTTP or HTTPS traffic with a URL-based WebGroup, TLS Decryption must be enabled in the rule where the WebGroup is used. Non-TLS or non-HTTP traffic will not match the rule that uses the WebGroup and will be evaluated against later rules. |
System-Defined WebGroup
When you navigate to Security > Distributed Cloud Firewall > WebGroups, a system-defined WebGroup, 'All-Web', has already been created for you (if no other WebGroups exist). This predefined WebGroup cannot be deleted.
This is an "allow-all" WebGroup that you must select in a Distributed Cloud Firewall rule if you do not want to limit the Internet-bound traffic for that rule, but you still want to log the FQDNs that are being accessed.
Prior to Release 7.1.3006, the default WebGroup was named 'Any-Web' and was created by CoPilot. If you still have this WebGroup, you can modify it (if it is being used by Distributed Cloud Firewall rules) or delete it (if it is not used by any Distributed Cloud Firewall rules) so that it is not confused with the default 'Any-Web' WebGroup created by Controller. |
Managing ThreatGroups
If the Distributed Cloud Firewall (DCF) feature is disabled, ThreatGroups are not available. |
The Default ThreatGroup can be used in DCF rules to ensure that traffic meeting the ThreatGroup criteria is blocked. When traffic triggers that rule, its DCF rule references are shown on the Groups > ThreatGroups tab.
The Default ThreatGroup is regularly updated with data from the Proofpoint Global Threat Database.
You cannot have a ThreatGroup as both a source and a destination in a DCF rule. |
Managing GeoGroups
If the Distributed Cloud Firewall (DCF) feature is disabled, GeoGroups are not available. |
A GeoGroup is a grouping of countries or custom geographical locations. The Groups > GeoGroups tab displays a Countries list and a Custom list. The Countries list is populated from the MaxMind GeoIP® database, and the Custom list displays a list of custom GeoGroups that you create (groups of countries or geographical areas).
You cannot have a GeoGroup as both a source and a destination in a DCF rule. If the same public CIDR is present in a VPC/VNet and in a Custom GeoGroup, and the DCF rule containing this Custom GeoGroup is blocking traffic, the inter-VPC/VNet traffic that uses this public CIDR may get blocked as well. |
Custom GeoGroups
The Groups > GeoGroups > Custom tab shows custom GeoGroups (groups of countries or geographical areas). If a Custom GeoGroup is selected in a DCF rule; that DCF rule is enforced and logged; and traffic is encountered against that rule, the Custom tab displays the number of rule references.
Custom GeoGroups used in rules cannot be deleted.
You can clone a Custom GeoGroup.