See it to Protect It: Agentless Azure Workload Visibility

November 5, 2019

In this blog, we will explain how to better protect Azure by visualizing new flows from unmanaged workloads to see what must be secured with segmentation policy.


Organizations appreciate the flexibility and agility of the public cloud, but at times it catches us off guard when multiple teams have access to it.   Teams on their own accord can create cloud workloads whether or not network or security teams are aware of it – or even onboard.

It is impossible to gain a strong security posture if an organization is blind to everything happening in their cloud instances.  To properly secure environments like Azure, we must start with full visibility of all network traffic flows, between all workloads, even unmanaged ones.

To do this, we leverage Azure Network Security Group (NSG) flow logs for complete hybrid and cloud environment visibility. 

Astute readers would point out that Illumio already has visibility of Azure cloud workloads, if VENs are installed on them.   This is true. However, what about workloads without VENs or other unmanaged workloads such as Azure databases? This is where our Labs innovation comes into play, allowing us to take an important step towards even better visibility.

Let’s look at how we do it.

We begin by turning on the Azure NSG flow logs for cloud workloads using Azure Network Watcher service as shown (step 1) in the architecture diagram below. Details for turning on flow logs are mentioned here in our Github repository.

Next, we trigger a new Azure function (step 3) using source code provided in the Github repo.  The function gets triggered when the Azure NSG flow logs (step 1) are written to Azure Blob Storage (step 2). This Azure function (step 3) is responsible for collecting, parsing and sending specific flow logs to Illumio Policy Compute Engine (PCE) (step 4). 

At this point, step 5, our PCE does its magic and creates the Illumination application visibility map showing all Azure workloads with or without VENs.




Please watch our screencast to see the integration in action.

This visibility is the vital foundation for good security.  With this in place, Illumio then can automate segmentation policy enforcement based on powerful visibility.  This is the most modern, effective way to protect Azure and your entire data center and cloud environment) from attacker lateral movement.

Great! We now hope that you not only understand how this all works but may have also gotten it up and running using the instructions on Github.

Sign up for our month-long free Test Drive to gain full Azure visibility for free.  For those who already have Illumio, you’ll see your Illumination map reflect all Azure workloads.

We would love to hear how you get on with this project, so please send us a note to our Slack channel,