Workload groups

A Workload group is a logical collection of Xshield-managed workload assets. Workload assets can be grouped by multiple criteria such as asset attributes, Xshield tags (Role, Application, Location, and/or Environment), and network segments where the workloads (applications) are deployed. Grouping workload assets also lets you use the Visualizer and Policy Builder features of Xshield to build policies for the associated Workload groups.

For example, group workloads in a real-world, 3-tier HR application to a Workload group and build policies to allow HR users to use the application.

Workload groups - grouping criteria

Workload groups can be created based on one or more criteria. Multiple conditions are equivalent to a logical AND, and the group contains workload assets that meet the criteria.

Criterion Description Supported operators

Scope

Scope tags of the Asset Managers who will manage the workloads in the group.   

Asset attributes

Asset attributes available for grouping assets in Xshield. Attributes include inventory details collected by the agents on the workloads (such as System OS and System Model) and the Xshield tags assigned to the workload asset. 

are, are not

Subnets

Subnets where the workloads are located

Workload group page

All Workload groups in an instance are listed on the Groups > Workload page. You can see the following details of the Workload groups - name and description, number of workload assets in the group, number of policies assigned to or enforced on the group, and the status of the group (Observed or Enforced).

  • Click a Workload group to see its details in the fly panel. Some additional details shown in the fly panel are the grouping criteria for the group and the Policy templates for the group.

  • In the Status area in the fly panel, download the Unauthorized attempts or Prevented attempts connections log.

  • Click the number or click Add policies in the Assigned Policies column to see or assign policies to the Workload group.

  • Click the Visualizer icon in the Created column to see a focused view of traffic to and from a Workload group.

Policy templates and policies

It is not mandatory to assign Policy templates or policies at the time of creating a Workload group. Workload groups can be simply created using the supported criteria to prepare workloads for Policy simulation. You can assign one or all of these to create Access policies for Workload groups.

  • SPT - SPTs or Security policy templates help you define workload role-based Access policies within a Workload group.

  • CPT - CPTs or Corporate policy templates help you create Access policies to access the infrastructure services in your network.

  • Custom Access policies - custom Access policies are additional policies between Workload groups and between Workload groups and Endpoint groups (Xaccess policies).

Workload group status/mode

Workload groups can be set to one of the following statuses - Observed, Enforced, and Encrypted. The status determines the phase of Policy enforcement in the Policy building efforts for the Workload group.

Create Workload groups

Decide upon the criteria by which you want to group workloads in the Workload group. Also, ensure that you have tagged the workloads suitably. See some examples for grouping workloads into Workload groups and applying Security policy templates and Access policies to them. 

  1. Go to Groups > Workload.

  2. Click Create Workload Group.

  3. In the Name text box, enter a name for the Workload group.

  4. Add a useful description.

  5. In the Scope area, click Add and add the Asset Manager scopes for the workload assets in the group.

  6. In the Attributes area, click Add and add one or more attributes.

  7. In the Corporate Policy Template area, select one or more Corporate policy templates. You can also add new CPTs if you do not find what you are looking for.

  8. In the Security Policy Template area, select one or more Security policy templates. You can also add new SPTs if you do not find what you are looking for.

  9. In the Subnets area, click Add and add one or more subnets in the Classless Inter-Domain Routing (CIDR) format.

  10. Click Save.

Change Workload group status

Change the status of a Workload group to Enforced or Encrypted when you want to enforce the overall policies on the Workload group. Change it back to Observed for any reasons as required. 

Ensure that you know the impact of changing the status of a Workload group before you change it.

Edit Workload groups

Some of the cases to edit Workload groups are - add or remove workloads from a group (add workloads from additional locations to increase the capacity of the group), add or remove Policy templates or policies enforcement on the group (remove an SPT for SSH access allowed to the workloads), and change the status of Policy enforcement of the group. 

Policies updates for newly added workloads and for policy changes are made automatically. If workloads are moved out during the edit, policies are removed or not Observed anymore (whichever is applicable).

Editing Observed Workload groups does not impact the security status of the group; the changes are factored in the Unauthorized attempts tracked for the group. However, editing Enforced Workload groups can move critical workloads out of enforcement or remove secure Access policies from the group. So, we recommend that you guage the impact of the edit before you edit Enforced Workload groups.

  1. Click the Workload group.

  2. Click Edit in the fly panel.

  3. Make the changes and click Save

Delete Workload groups

The workloads in the Workload group you delete are no longer protected from Xshield. For an Enforced Workload group, deletion removes Xshield policies from all the workloads.

A prerequisite to delete a Workload group is that the group must not be functional. So, you must first delete the custom Xshield Access policies to Domain groups, to other Workload groups, and Xaccess policies (with Endpoint groups). 

Workload status alerts

Enable Xshield alerts, particularly the Workload status alert to receive alerts on the Alerts page when workloads (in all the Workload groups, Observed, Enforced, or Encrypted) go to the Suspended state and become reachable again.

Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.