Deployment: From Plan to Reality
The Deployment page is where your visually defined security posture is translated into live cloud configuration. This process is broken down into clearly defined steps to ensure you have full control and visibility over every change.
Overview
The deployment workflow follows three stages:
Generate Plan --> Prepare Deployment --> Deploy Approved Changes
(Abstract ACLs) (Provider-Specific) (Live API Calls)Step 1: Generate Plan
The first step is to generate an abstract deployment plan.
- Click the Generate Plan button.
- The system analyzes your current Zones and Flows.
- It generates a list of high-level, provider-agnostic security rules called "Abstract ACLs".
The Generated Abstract Rules table shows you the intended security posture in a human-readable format. Each row represents a rule:
| Column | Description |
|---|---|
| Source | The source zone or CIDR range |
| Destination | The destination zone or CIDR range |
| Protocol | The allowed protocol (e.g., TCP) |
| Port | The allowed port number |
| Action | Always allow for defined flows |
This plan is the "source of truth" derived directly from your diagrams.
Step 2: Prepare Deployment
The next step translates the abstract plan into concrete API calls.
- Click the Prepare Deployment button.
- The system performs a translation and validation process:
Translation
Each abstract ACL is converted into one or more specific actions for the relevant cloud provider:
- Create Security Groups
- Add Ingress rules with
AuthorizeSecurityGroupIngress - Add Egress rules with
AuthorizeSecurityGroupEgress - Associate Security Groups with subnets/instances
Validation
The system communicates with your cloud accounts to check if the proposed rules or security groups already exist, preventing duplicate configurations.
Step 3: Review and Approve
The results are displayed in the Deployment Approval section. Each card represents a specific API call.
Action Statuses
| Status | Meaning | Action Required |
|---|---|---|
Pending | New rule that needs to be created | Approve or Deny |
Exists | Rule already exists in your cloud account | None |
Approved | You approved this action for deployment | Will be deployed |
Denied | You denied this action | Will be skipped |
For each Pending action, you have two choices:
- Click the Check button to mark it as Approved.
- Click the X button to mark it as Denied.
You can also use the Approve All Pending button to quickly approve all new changes.
Always review the proposed changes carefully before approving. Each approved action will result in a live API call that modifies your cloud environment.
Step 4: Deploy Approved Changes
Once you have reviewed and approved the necessary changes:
- Click the Deploy Approved Changes button.
- The system iterates through only the actions you marked as
Approvedand executes them via live API calls.
Deployment Status Updates
As the deployment runs, the status of each action updates in real-time:
| Status | Meaning |
|---|---|
Deploying... | Action currently being executed |
Deployed | API call successful, change applied |
Error | API call failed (error details shown) |
If an error occurs, the deployment process stops immediately to prevent a partially configured state. Review the error, correct the underlying issue (e.g., permissions, incorrect names), and re-run the deployment.
Audit Trail
Every deployment action -- generation, approval, execution, and result -- is recorded in the Audit Logs. This provides a complete trail for compliance and troubleshooting:
DEPLOYMENT_PLAN_GENERATED-- Abstract plan was createdDEPLOYMENT_PREPARED-- Provider-specific actions were translatedDEPLOYMENT_ACTION_APPROVED-- An individual action was approvedDEPLOYMENT_ACTION_DENIED-- An individual action was deniedDEPLOYMENT_EXECUTED-- Deployment was runDEPLOYMENT_ACTION_SUCCESS-- Individual action succeededDEPLOYMENT_ACTION_FAILED-- Individual action failed with error details
This multi-step process ensures that you always have final say and complete visibility over every change being made to your cloud environment.