Examples: Workload groups and SPTs
This topic lists some basic examples for creating Workload groups and using Security policy templates (SPTs) in Xshield. Some examples use custom values of Xshield tags and custom Access policies for completeness.
Example 1: 3-tier application in a Workload group
This example assumes an application CRMapp with three workloads: Webserver1, Appserver1, and DBserver1.
- Tag the workloads with the relevant Xshield Role tags (WEB, APP, and DB). Also apply the Application tag CRMapp to all three workloads.
- Create a Workload group CRMapp using the grouping criteria Application = CRMapp.
- Create (or reuse) and apply an SPT with the following rules: WEB to APP (tcp:50000) and APP to DB (tcp:3309).
This translates to the following allowed traffic in the Workload group:
- Webserver1 to Appserver1 on tcp:50000
- Appserver1 to DBserver1 on tcp:3309
The SPT rules are directional and role-scoped, so they allow no other traffic within the group; in particular, Webserver1 cannot reach DBserver1 directly.
- Define custom Access policies with other integrated applications (other Workload groups) by selecting the appropriate role of the source and destination Workload groups.
- Define custom Access policies with the Endpoint groups of the authorized users (as the source) by selecting the WEB role of the CRMapp Workload group as the destination, with the tcp:80 or tcp:443 Access parameter.
Example 2: Add more Web workloads for high availability
This example adds additional Web workloads (shared or standalone) to the CRMapp Workload group created in Example 1.
- Assign the Application tag CRMapp and the Role tag WEB to the additional Web workloads (optionally also a custom tag such as High availability = Web servers for easier tracking). Because they match the grouping criteria Application = CRMapp, the new workloads join the CRMapp Workload group and receive its policies; the WEB role ensures that the WEB to APP rule of the SPT applies to them.
Example 3: Temporary SSH access to workloads
This example enables SSH access to all the workloads in the CRMapp Workload group.
- Create a custom Access policy with the Endpoint group of the authorized administrators (ITadmins) as the source, the CRMapp Workload group as the destination, and the tcp:22 (SSH) Access parameter. Note that this policy grants SSH to every workload in the group, including the DB tier; remove it when the access is no longer needed.
Example 4: 3-tier application in three separate Workload groups
This example assumes an application CRMapp that has workloads across three separate Workload groups (one each for the WEB, APP, and DB tiers): CRM-web, CRM-app, and CRM-DB. The groups have two workloads each (Webserver1 and Webserver2, Appserver1 and Appserver2, DBserver1 and DBserver2).
- Add a custom Xshield tag Tier with the following values: CRM-web, CRM-app, and CRM-DB.
- Tag each workload with the Tier value of its tier.
- Create three Workload groups: CRM-web using the criteria Tier = CRM-web, CRM-app using Tier = CRM-app, and CRM-DB using Tier = CRM-DB.
- Add three custom Access policies as follows:
  - Source group = CRM-web and destination group = CRM-app with Role = ALL for both groups, using the tcp:50000 Access parameter.
  - Source group = CRM-app and destination group = CRM-DB with Role = ALL for both groups, using the tcp:3309 Access parameter.
  - Source group = the Endpoint groups of the authorized users and destination group = CRM-web with Role = ALL, using the tcp:80 or tcp:443 Access parameter.
  Because each group contains a single tier, Role = ALL is equivalent here to selecting that tier's role; each policy still allows only its listed port between the two groups.
- Define custom Access policies with other integrated applications (Workload groups) if needed.
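As an added illustration (not Xshield code, and not its API), the following Python model expands the tags, grouping criteria, SPT rules and custom Access policies of Examples 1 to 4 into the concrete flows they allow, so that the intended effect of a design can be checked before it is applied. The Workload, Group, SPTRule and AccessPolicy classes, the endpoint names Admin-laptop and User-laptop, the Endpoint group CRM-users, and the default-deny assumption (a flow not produced by any rule is denied) are assumptions of the model, not features taken from this page.

```python
# Toy resolver for tag-driven Workload groups, SPTs and Access policies.
# Added illustration, not Xshield code or its API: it expands the tags, grouping
# criteria, SPT rules and custom Access policies of Examples 1 to 4 into the
# concrete flows they allow. Assumption: any flow not produced by a rule is denied.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str, str]  # (source name, destination name, "tcp:<port>")

@dataclass
class Workload:
    name: str
    tags: Dict[str, str]  # e.g. {"Role": "WEB", "Application": "CRMapp"}

@dataclass
class Group:
    """A Workload group or Endpoint group: every criteria tag must match."""
    criteria: Dict[str, str]

    def members(self, nodes: List[Workload]) -> List[Workload]:
        return [n for n in nodes
                if all(n.tags.get(k) == v for k, v in self.criteria.items())]

@dataclass
class SPTRule:
    """Role-to-role rule of a Security policy template, applied within one group."""
    src_role: str
    dst_role: str
    port: str

@dataclass
class AccessPolicy:
    """Custom Access policy between two groups; Role ALL means no role filter."""
    src_group: str
    dst_group: str
    port: str
    src_role: str = "ALL"
    dst_role: str = "ALL"

def role_ok(node: Workload, role: str) -> bool:
    return role == "ALL" or node.tags.get("Role") == role

def resolve(nodes, groups, spts, policies) -> Set[Flow]:
    """Expand SPT rules (per group) and Access policies into allowed flows."""
    members = {name: g.members(nodes) for name, g in groups.items()}
    # An SPT rule is evaluated only between members of the group it is applied
    # to; an Access policy pairs a source group with a destination group.
    pairs = [(g, g, r) for g, rules in spts.items() for r in rules]
    pairs += [(p.src_group, p.dst_group, p) for p in policies]
    allowed: Set[Flow] = set()
    for src_g, dst_g, rule in pairs:
        for s in members[src_g]:
            for d in members[dst_g]:
                if s is not d and role_ok(s, rule.src_role) and role_ok(d, rule.dst_role):
                    allowed.add((s.name, d.name, rule.port))
    return allowed

def endpoint(name: str, group: str) -> Workload:
    """A user endpoint carries only its Endpoint group membership (constructed)."""
    return Workload(name, {"EndpointGroup": group})

def example_1(extra_web: bool = False) -> Set[Flow]:
    """Example 1 plus Example 3's SSH policy; extra_web adds Example 2's Webserver2."""
    nodes = [
        Workload("Webserver1", {"Role": "WEB", "Application": "CRMapp"}),
        Workload("Appserver1", {"Role": "APP", "Application": "CRMapp"}),
        Workload("DBserver1", {"Role": "DB", "Application": "CRMapp"}),
        endpoint("Admin-laptop", "ITadmins"),  # constructed endpoint names;
        endpoint("User-laptop", "CRM-users"),  # CRM-users is a hypothetical group
    ]
    if extra_web:
        nodes.append(Workload("Webserver2", {"Role": "WEB", "Application": "CRMapp"}))
    groups = {"CRMapp": Group({"Application": "CRMapp"}),
              "ITadmins": Group({"EndpointGroup": "ITadmins"}),
              "CRM-users": Group({"EndpointGroup": "CRM-users"})}
    spts = {"CRMapp": [SPTRule("WEB", "APP", "tcp:50000"),
                       SPTRule("APP", "DB", "tcp:3309")]}
    policies = [AccessPolicy("CRM-users", "CRMapp", "tcp:443", dst_role="WEB"),
                AccessPolicy("ITadmins", "CRMapp", "tcp:22")]  # Example 3, remove when done
    return resolve(nodes, groups, spts, policies)

def example_4() -> Set[Flow]:
    """Example 4: three groups keyed on the custom Tier tag, joined by Access policies."""
    tier_role = {"CRM-web": "WEB", "CRM-app": "APP", "CRM-DB": "DB"}
    tier_hosts = {"CRM-web": ["Webserver1", "Webserver2"],
                  "CRM-app": ["Appserver1", "Appserver2"],
                  "CRM-DB": ["DBserver1", "DBserver2"]}
    nodes = [Workload(h, {"Role": role, "Tier": tier})
             for tier, role in tier_role.items() for h in tier_hosts[tier]]
    nodes.append(endpoint("User-laptop", "CRM-users"))
    groups = {t: Group({"Tier": t}) for t in tier_role}
    groups["CRM-users"] = Group({"EndpointGroup": "CRM-users"})
    policies = [AccessPolicy("CRM-web", "CRM-app", "tcp:50000"),  # Role = ALL both sides
                AccessPolicy("CRM-app", "CRM-DB", "tcp:3309"),
                AccessPolicy("CRM-users", "CRM-web", "tcp:443")]
    return resolve(nodes, groups, {}, policies)

if __name__ == "__main__":
    for src, dst, port in sorted(example_1()):
        print(f"{src} -> {dst} {port}")
```

Running the module prints the six flows of Example 1. Two points the model makes visible: SPT rules are directional and role-scoped, so Appserver1 to Webserver1 on tcp:50000 and Webserver1 to DBserver1 on tcp:3309 are absent from the result, while the Example 3 policy reaches every workload in the group including DBserver1; and in Example 4 the Role = ALL policies allow the port between every member of the two groups, while nothing allows traffic between the two workloads of the same group.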
Example 5: Workload group of symmetric servers
This example assumes that two File server workloads, Fileserver1 and Fileserver2, are grouped together.
- Add a custom value FILE SERVER for the Application tag.
- Tag both File server workloads with Application = FILE SERVER.
- Create a Workload group Fileservers with the grouping criteria Application = FILE SERVER (and other appropriate criteria, if needed).
- Add custom Access policies with the selected Endpoint groups (for example, Finance-users) as the source to access the Fileservers Workload group.