About SmartGroups

This section describes SmartGroups and how they can be used for implementing different Aviatrix features.

What is a SmartGroup?

A SmartGroup is a construct created in CoPilot that is a logical grouping of your resources that are managed by Aviatrix. The grouping of resources may represent various departments or business units or other aspects of your organization based on how you group your resources.

The resource(s) you include in a SmartGroup can span different subscriptions, cloud accounts, regions, and VPC/VNets within your Aviatrix multicloud network.

A SmartGroup is a reusable construct. It can be queried against to support various Aviatrix features.

A SmartGroup can be made up of one or multiple resources.

Transit Gateways are not supported as a SmartGroup resource.

When you create your SmartGroups, you can classify them based on:

  • CSP resource tags: these tags identify resources you can group. This is the preferred classification method, as this automatically includes new resources created in the Cloud with the same set of tags. In GCP you configure 'labels' that can be selected as tags when creating your SmartGroup.

  • Resource attributes: classify by account or region.

  • IP addresses or CIDRs: for resources that are not tagged, you can directly specify IP addresses or CIDRs.

  • Edge sites (for policy-based routing): select an Edge Site ID used in a previously created Edge Gateway.

Aviatrix Gateway IP addresses will not be included in any SmartGroup, even if a SmartGroup filter matches an Aviatrix Gateway IP address. If a subnet or VPC/VNet is added to an app domain, the Aviatrix Gateway IP addresses are removed from the corresponding CIDRs.

Default SmartGroups

For convenience, CoPilot provides two default SmartGroups:

  • Anywhere (0.0.0.0/0) - Represents all CIDR ranges or IP addresses.

  • Public Internet - Represents non-RFC1918 IP ranges, or the public Internet.

Features that use SmartGroups

Aviatrix features that use SmartGroups include:

  • Aviatrix Distributed Cloud Firewall (DCF)

    Distributed Cloud Firewall uses micro-segmentation to provide granular network security policies for distributed applications in the Cloud. Distributed Cloud Firewall enables network policy enforcement between SmartGroups you define in a single Cloud or across multiple Clouds. You can configure policies to filter traffic between applications residing in the SmartGroups.

    For more information about using SmartGroups for DCF, see Secure Networking with Distributed Cloud Firewall.

SmartGroups Use Case Example

The following is an example of using SmartGroups:

Angel creates three SmartGroups:

  • Smart Group 1 = SAP_BW

  • Smart Group 2 = SAP_CRM

  • Smart Group 3 = Public CIDR of Hosted S4Hana

Angel has the following business objectives:

  • Allow BW and CRM to talk to PaaS endpoint S4Hana on port 443

  • Deny all traffic between BW and CRM

To achieve Distributed Cloud Firewall (DCF) objectives, Angel does the following in CoPilot Home > Security > Distributed Cloud Firewall:

  • Builds firewalling policies that allow traffic from Smart Group 1 and 2 to talk on port 443 to Smart Group 3.

  • Creates a Deny All Policy for Smart Group 1 to talk to Smart Group 2. Note that after a SmartGroup is part of a policy, all traffic for that SmartGroup is denied unless explicitly allowed by DCF rules.