Identity-Based Microsegmentation Guide
LAST UPDATED: November 8, 2021

Before you begin

Domain name

We strongly recommend using a fully qualified domain name for the Microsegmentation Console.

You will require three different DNS records, for example:

  • https://ui.microsegmentation.acme.com or https://microsegmentation.acme.com for the web interface
  • https://api.microsegmentation.acme.com for the API
  • https://monitoring.microsegmentation.acme.com for the monitoring if you choose to deploy it (recommended)

NOTE

Most Kubernetes providers assign service IPs and URLs only at the time of deployment. You will then need to make the link between the URL above and what is assigned. Voila will help you with that process.

IMPORTANT

If you are using an Amazon ELB you cannot use its URL as the full qualified domain name for the services as it will cause issues with cookie policies in the web browser.

Using custom certificates

By default, the Microsegmentation Console uses a certificate signed by a certificate authority (CA) generated in the Voila environment. They won’t be trusted by browsers and other clients unless you choose to deploy and trust the certificate authority (CA) to the machine that will access the web interface or the API.

If you wish to supply the Microsegmentation Console with custom certificates, complete the following preliminary steps.

Given the following Microsegmentation Console DNS records above:

  • User interface accessible from microsegmentation.acme.com or ui.microsegmentation.acme.com
  • API accessible from api.microsegmentation.acme.com
  • (optional) Monitoring accessible from monitor.microsegmentation.acme.com

Request an X.509 certificate issued by a trusted CA with the following information:

  • Common name (CN): microsegmentation.acme.com
  • Subject alternative names (SAN): ui.microsegmentation.acme.com api.microsegmentation.acme.com, monitoring.microsegmentation.acme.com

NOTE

Note: You can use a wildcard *.microsegmentation.acme.com as well if needed.

Once done you should have the following certificates in X.509 format:

  • A CA chain with intermediate chain if any named public-ca.pem
  • A certificate issued the above CA named public-cert.pem
  • A private key not protected by passphrase named public-key.pem