Creating a SmartGroup

To create a SmartGroup:

  1. In the CoPilot UI, go to Groups > SmartGroups.

  2. Click + SmartGroup.

  3. Provide the following information about your SmartGroup:

    Parameter Description

    Name

    Name of the new SmartGroup.

    Resource Type

    The resource(s) that comprise the SmartGroup as specified by resource type and matching resource properties, or by IP address/CIDR.

    You can add the following resource types: Virtual Machine, Subnet, VPC/VNet, IPs/CIDRs, External Connections (S2C), or Hostname (non-HTTP/non-TLS traffic). Typically you will only have resources of the same type in a SmartGroup (for example, you can have more than one VM-based filter).

    Resource Types VM, Subnet, and VPC/VNet are supported only in public AWS, Azure, and GCP.
    You should only select an External Connection resource type if you plan to use this SmartGroup in a DCF rule, and if Enforcement on External Connections is enabled in Security > Distributed Cloud Firewall > Settings.

    Resource Type - Virtual Machine, Subnets, VPC/VNets

    Enter the matching criteria for resources that will be part of this SmartGroup. You can match conditions based on:

    • The properties Name, Region, or Account Name, if you want to match against all resources within an account or region. The values for the selected condition(s) are populated automatically.

    • The CSP tags that you have defined for your Cloud resources. Some examples of tags are: Backup, Controller, Aviatrix-Created-Resource, and Type. The CSP tags change depending on the selected Resource Type.

    Resource Type - IPs/CIDRs

    You can enter multiple IPs or CIDRs.

    Resource Type - Hostnames

    Type in or select hostnames (must be a valid FQDN). No wildcards are allowed.

    You must set your DNS mapping for the hostname and IPs before selecting a Hostname as a Resource Type. See the Groups Settings topic for more information.

    Resource Type - External Connections (S2C)

    Type in or select pre-existing external connections.

    An External Connection SmartGroup will resolve to either the remote CIDRs defined for a static route external connection, or the BGP-advertised CIDRs for BGP-based external connections.

    Preview Resources

    After entering your Resource Type, you can use the Preview Resources toggle switch to see the selected resources that map to the SmartGroup.

  4. Toggle on the Resource Selection slider to show the resources that match the configured criteria.

  5. Click Save. The new SmartGroup is now in the SmartGroups list.
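
Before entering values for an IPs/CIDRs or Hostname SmartGroup, the list can be checked offline against the rules above (valid IPs or CIDRs; valid FQDNs with no wildcards). The following Python script is an added example, not part of the product or its documentation; the function names, the FQDN pattern, and the /8 "broad range" threshold are assumptions of this example.

```python
import ipaddress
import re

# Assumption: an FQDN is two or more LDH labels (no product rule is quoted here).
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
BROAD_V4_PREFIX = 8  # assumed review threshold, not a product limit

def check_cidr(entry):
    """Findings for one IPs/CIDRs entry; an empty list means it looks fine."""
    entry = entry.strip()
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return ["not a valid IP address or CIDR"]
    findings = []
    if "/" in entry and ipaddress.ip_interface(entry).ip != net.network_address:
        findings.append(f"host bits set; network is {net}")
    if net.version == 4 and net.prefixlen <= BROAD_V4_PREFIX:
        findings.append(f"very broad range (/{net.prefixlen}); confirm intent")
    return findings

def check_hostname(entry):
    """Findings for one Hostname entry: must be an FQDN, wildcards not allowed."""
    name = entry.strip().rstrip(".")
    if "*" in name:
        return ["wildcards are not allowed"]
    labels = name.split(".")
    if len(name) > 253 or len(labels) < 2:
        return ["not a fully qualified domain name"]
    if not all(_LABEL.match(label) for label in labels):
        return ["invalid label in hostname"]
    if labels[-1].isdigit():
        return ["looks like an IP address, not a hostname"]
    return []

def find_overlaps(entries):
    """Pairs of valid entries where one range contains or duplicates the other."""
    nets = [(e, ipaddress.ip_network(e.strip(), strict=False))
            for e in entries if check_cidr(e) != ["not a valid IP address or CIDR"]]
    return [(a, b) for i, (a, na) in enumerate(nets) for b, nb in nets[i + 1:]
            if na.version == nb.version and na.overlaps(nb)]

# Constructed sample input, not taken from any real deployment.
SAMPLE_CIDRS = ["10.20.0.0/16", "10.20.4.7/24", "10.20.4.9", "0.0.0.0/0", "192.168.1.300"]
SAMPLE_HOSTS = ["db01.corp.example.com", "*.example.com", "intranet", "10.0.0.1"]

if __name__ == "__main__":
    print({e: check_cidr(e) for e in SAMPLE_CIDRS}, find_overlaps(SAMPLE_CIDRS))
    print({h: check_hostname(h) for h in SAMPLE_HOSTS})
```

Overlapping entries are reported because a broad CIDR already covers the narrower ones, which makes the group's effective scope in a DCF rule wider than the individual entries suggest.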

Viewing Resource and Reference Data

You can click a SmartGroup name in the list to view its resources and Rule References in the right-hand pane.

On the Rule References tab, clicking a rule opens that rule on the Distributed Cloud Firewall > Rules tab.

Creating SAP SmartGroups

You can also create SmartGroups based on discovered SAP instances:

  1. Go to SmartGroups and click Discovered SAP Service Instances in the top right.

  2. Mark the checkbox next to every SAP instance to include in the SmartGroup.

  3. Click the Actions dropdown menu in the top left and select Create SmartGroup.

  4. Enter a name for the group. The IP Addresses/CIDRs are automatically populated based on the SAP instances you selected.

  5. Click Save.

  6. Click Close.

The new SmartGroup appears in the table.