Policy Generation


The policy generation feature in Contrail Release 5.1 automates policy creation based on observed traffic flows. Contrail creates and enforces intent-based policies. Contrail Security is often deployed in brownfield environments, where inter-application and intra-application traffic policies already exist. In greenfield deployments and in complex environments, where many applications communicate internally and externally, creating policies one by one is tedious and time consuming. Manually created policies sometimes do not behave as expected under real traffic, and you might create extra policies that the applications never use. The policy generation feature simplifies this work by generating policies automatically from the communication that applications actually perform.

The policy generation feature aids in the creation of policies based on observed traffic, without enforcing any new policies. To generate policies, workloads (VMs or containers) must first be grouped within Contrail objects such as virtual networks and projects. Tags must then be created and associated with projects, virtual networks, or ports. In policy generation mode, traffic from the selected applications is allowed to pass for a selected period of time. Because the implicit rule in this mode is to allow all traffic, the vRouter forwards and observes all traffic between the selected applications. From these observations, the vRouter generates a draft policy, which is saved in policy draft mode. You can review the draft policy and edit it as required before enforcing it. The policy generation feature significantly reduces the burden of creating policies from scratch.

To use the policy generation feature, follow these high-level steps in sequence:

  • Create tags.

  • Associate tags with projects, virtual networks (VNs) or ports.

  • Run traffic.

  • Edit the generated policies available in draft mode.

  • Commit the (optionally edited) policies to enforce them.
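As an added illustration of the workflow above (example code written for this page, not Contrail's own code or API), the following Python models policy generation end to end: flows observed while the generation window is open are aggregated by source tag, destination tag, protocol and destination port into a draft policy; while the policy is in draft state every unmatched flow is still allowed, mirroring the implicit allow rule during generation, and only after commit are unmatched flows denied. The flow records, their field names and the tag names are constructed for this example and are not a Contrail flow schema. It also shows why the review step matters: a flow that merely happened to occur during the observation window (here, web to db) would otherwise be committed as an allow rule.

```python
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed flow records, shaped roughly like what a vRouter would observe
# between tagged workloads while the generation window is open. The field
# names and tag values are assumptions for this example, not Contrail's.
OBSERVED_FLOWS = [
    {"src_app": "web", "dst_app": "app", "proto": "tcp", "dport": 8080},
    {"src_app": "web", "dst_app": "app", "proto": "tcp", "dport": 8080},
    {"src_app": "app", "dst_app": "db", "proto": "tcp", "dport": 5432},
    {"src_app": "app", "dst_app": "db", "proto": "tcp", "dport": 5432},
    {"src_app": "web", "dst_app": "db", "proto": "tcp", "dport": 5432},  # seen once; not intended
    {"src_app": "mon", "dst_app": "db", "proto": "icmp", "dport": None},
]


@dataclass
class Rule:
    """One generated allow rule between two application tags."""
    src_tag: str
    dst_tag: str
    proto: str
    dport: Optional[int]
    hits: int  # number of observed flows that produced this rule

    def key(self):
        return (self.src_tag, self.dst_tag, self.proto, self.dport)

    def matches(self, flow: dict) -> bool:
        return self.key() == (flow["src_app"], flow["dst_app"],
                              flow["proto"], flow.get("dport"))


@dataclass
class Policy:
    rules: List[Rule]
    state: str = "draft"  # "draft" until committed, then "enforced"

    def drop_rule(self, src_tag, dst_tag, proto, dport) -> int:
        """Review step: remove a rule the operator does not want; returns count removed."""
        before = len(self.rules)
        self.rules = [r for r in self.rules
                      if r.key() != (src_tag, dst_tag, proto, dport)]
        return before - len(self.rules)

    def commit(self) -> "Policy":
        """Enforce the (optionally edited) draft."""
        self.state = "enforced"
        return self

    def decide(self, flow: dict) -> str:
        if any(r.matches(flow) for r in self.rules):
            return "allow"
        # In generation (draft) mode the implicit rule allows everything so
        # that traffic can be observed; only an enforced policy denies
        # flows that no rule matches.
        return "allow" if self.state == "draft" else "deny"


def generate_draft(flows: List[dict], min_hits: int = 1) -> Policy:
    """Aggregate observed flows into a draft policy, one rule per
    (src tag, dst tag, proto, dport), ordered by how often each was seen."""
    counts = Counter((f["src_app"], f["dst_app"], f["proto"], f.get("dport"))
                      for f in flows)
    rules = [Rule(*key, hits=n) for key, n in counts.items() if n >= min_hits]
    rules.sort(key=lambda r: (-r.hits, r.src_tag, r.dst_tag))
    return Policy(rules=rules)


if __name__ == "__main__":
    draft = generate_draft(OBSERVED_FLOWS)
    for r in draft.rules:
        print(f"[{draft.state}] {r.src_tag} -> {r.dst_tag} {r.proto}/{r.dport} (hits={r.hits})")
    # Review: the single web -> db flow is not intended traffic, so drop it.
    draft.drop_rule("web", "db", "tcp", 5432)
    enforced = draft.commit()
    print(enforced.state, enforced.decide(
        {"src_app": "web", "dst_app": "db", "proto": "tcp", "dport": 5432}))
```

The hit count on each rule is the practical review aid: rules produced by a single flow during the window deserve a second look before commit, whereas rules with many hits reflect steady application communication.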
