Security Zones

Managing Security Zones

The Zones page is where you translate your abstract security architecture into a concrete, visual model. A security zone is a logical grouping of resources that share a common security context (e.g., "Web Servers", "Databases", "Management Tools").

The Concept of Zones

Instead of reasoning about individual subnets or VMs, you group resources into zones by their function. This makes security policies easier to define and manage, because a rule refers to a zone rather than to a long list of addresses. For example, you can create a single rule that allows all resources in the "Application Zone" to talk to the "Data Zone".

The application comes with a set of pre-configured zones, but you can customize them to fit your specific needs.

The Unassigned Resources Zone

At the bottom of the page is the Unassigned Resources zone. This is a special zone that contains all the network resources discovered from your connected Profiles. Your primary task on this page is to assign these resources to your defined security zones.

Filtering Unassigned Resources

If you have many discovered resources, use the filter controls at the top of the page:

  • Filter by Account -- Show only resources from specific connected profiles.
  • Filter by Region -- Show only resources from specific cloud regions.
  • Search -- Use the search bar within the "Unassigned Resources" card to find specific resources by name or IP address.

Assigning Resources to a Zone

Assigning a resource uses a simple drag-and-drop interaction:

  1. Locate the resource you want to assign in the Unassigned Resources zone (or any other zone).
  2. Click and drag the resource card.
  3. Drop the resource onto the card of the target security zone.

The application automatically saves this change. The resource is now part of the target zone, and any security policies applied to that zone will apply to this resource.

Resource assignments are saved in real-time. Every change is recorded in the Audit Logs for compliance tracking.

Creating and Configuring Zones

Adding a New Zone

  1. Click the Add Zone button at the top of the page.
  2. In the dialog, provide:
    • Name -- A descriptive name for the zone (e.g., PCI Services).
    • Description -- A brief explanation of the zone's purpose.
    • Ports/Protocols -- Define the protocols and ports allowed for intra-zone communication (communication between resources within this same zone).
    • Icon and Color -- Choose a visual icon and color to help distinguish the zone.
  3. Click Save changes. The new zone appears on the page, ready for resource assignment.

Editing an Existing Zone

  1. Click the Configure Zone button on the card of the zone you wish to edit.
  2. Modify the name, description, icon, color, or intra-zone protocols as needed.
  3. Click Save changes.

Example Zone Configuration

Zone Name             Description                                       Allowed Protocols   Color
Public DMZ            Internet-facing load balancers and web servers    TCP/80, TCP/443     Blue
Application Zone      Application servers and microservices             TCP/8080, TCP/443   Green
Data Zone             Databases and data stores                         TCP/5432, TCP/3306  Orange
Management Zone       Bastion hosts, monitoring, CI/CD                  TCP/22, TCP/443     Red
PCI-Compliance Zone   Payment processing systems                        TCP/443             Purple

By organizing your resources into zones, you are building the foundation for defining your Data Flows and generating your security rules.
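The following is an added illustration, not code from the product described on this page: a small Python model of the zone concept, using the zone names, intra-zone ports and colors from the example table above. The resource names (web-1, app-1, db-1 and so on), the deny-by-default treatment of resources still in "Unassigned Resources", the directional inter-zone flows and the assign/allow_flow/is_permitted functions are assumptions made here to show how zone membership and the intra-zone port list combine to decide whether a connection is permitted.

```python
"""Added example: a minimal model of security zones, resource assignment and
intra-zone / inter-zone permission checks. Zone names and ports come from the
page's example table; resource names, the deny-by-default rule for unassigned
resources and the API below are assumptions of this example."""
from __future__ import annotations
from dataclasses import dataclass

UNASSIGNED = "Unassigned Resources"


@dataclass(frozen=True)
class Zone:
    name: str
    description: str
    intra_zone: frozenset[tuple[str, int]]  # protocol/port pairs allowed inside the zone
    color: str


def proto_ports(spec: str) -> frozenset[tuple[str, int]]:
    """Parse a 'TCP/80, TCP/443' style list into {('TCP', 80), ('TCP', 443)}."""
    pairs = set()
    for item in spec.split(","):
        proto, port = item.strip().split("/")
        pairs.add((proto.upper(), int(port)))
    return frozenset(pairs)


# Zones from the page's example configuration table.
ZONES = {z.name: z for z in [
    Zone("Public DMZ", "Internet-facing load balancers and web servers",
         proto_ports("TCP/80, TCP/443"), "Blue"),
    Zone("Application Zone", "Application servers and microservices",
         proto_ports("TCP/8080, TCP/443"), "Green"),
    Zone("Data Zone", "Databases and data stores",
         proto_ports("TCP/5432, TCP/3306"), "Orange"),
    Zone("Management Zone", "Bastion hosts, monitoring, CI/CD",
         proto_ports("TCP/22, TCP/443"), "Red"),
    Zone("PCI-Compliance Zone", "Payment processing systems",
         proto_ports("TCP/443"), "Purple"),
]}


class ZoneModel:
    """Tracks which zone each discovered resource belongs to, which inter-zone
    flows have been allowed, and an audit trail of every change."""

    def __init__(self, zones: dict[str, Zone]):
        self.zones = zones
        self.assignment: dict[str, str] = {}          # resource -> zone name
        self.flows: set[tuple[str, str, str, int]] = set()  # (src_zone, dst_zone, proto, port)
        self.audit: list[str] = []

    def assign(self, resource: str, zone_name: str) -> None:
        """Move a resource into a zone (the drag-and-drop step); record it."""
        if zone_name not in self.zones:
            raise KeyError(f"unknown zone: {zone_name}")
        previous = self.assignment.get(resource, UNASSIGNED)
        self.assignment[resource] = zone_name
        self.audit.append(f"assign {resource}: {previous} -> {zone_name}")

    def allow_flow(self, src_zone: str, dst_zone: str, proto: str, port: int) -> None:
        """Allow traffic from one zone to another on a protocol/port (directional)."""
        for name in (src_zone, dst_zone):
            if name not in self.zones:
                raise KeyError(f"unknown zone: {name}")
        self.flows.add((src_zone, dst_zone, proto.upper(), port))
        self.audit.append(f"flow {src_zone} -> {dst_zone} {proto.upper()}/{port}")

    def is_permitted(self, src: str, dst: str, proto: str, port: int) -> bool:
        """Same zone: consult the zone's intra-zone list. Different zones: consult
        the allowed flows. Anything still unassigned is denied (assumption)."""
        src_zone = self.assignment.get(src)
        dst_zone = self.assignment.get(dst)
        if src_zone is None or dst_zone is None:
            return False
        if src_zone == dst_zone:
            return (proto.upper(), port) in self.zones[src_zone].intra_zone
        return (src_zone, dst_zone, proto.upper(), port) in self.flows


def build_demo_model() -> ZoneModel:
    """Constructed scenario: a few discovered resources assigned to zones and
    one allowed application-to-database flow."""
    model = ZoneModel(ZONES)
    model.assign("web-1", "Public DMZ")
    model.assign("web-2", "Public DMZ")
    model.assign("app-1", "Application Zone")
    model.assign("db-1", "Data Zone")
    model.assign("bastion-1", "Management Zone")
    model.allow_flow("Public DMZ", "Application Zone", "TCP", 8080)
    model.allow_flow("Application Zone", "Data Zone", "TCP", 5432)
    return model


if __name__ == "__main__":
    m = build_demo_model()
    for src, dst, proto, port in [("web-1", "web-2", "TCP", 443),
                                  ("web-1", "web-2", "TCP", 22),
                                  ("app-1", "db-1", "TCP", 5432),
                                  ("db-1", "app-1", "TCP", 5432),
                                  ("web-1", "db-1", "TCP", 5432),
                                  ("web-1", "new-host", "TCP", 443)]:
        print(f"{src} -> {dst} {proto}/{port}: {m.is_permitted(src, dst, proto, port)}")
    print("\n".join(m.audit))
```

Two properties of the model are worth noting when you read the results: a resource left in Unassigned Resources never communicates, which mirrors why assignment is the primary task on the Zones page, and flows are directional, so allowing Application Zone to Data Zone does not allow the reverse. The audit list plays the role of the Audit Logs entry that the product records for every change.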