Identity-Based Microsegmentation Guide
LAST UPDATED: October 8, 2021

October 8, 2019

New production features

Better performance at scale

We have optimized the resource utilization of the control plane and enforcers for better performance at scale.

New beta features

Federated service identity

Aporeto can now act as an OpenID Connect (OIDC) identity provider, enabling single sign-on for applications. Authorized applications can obtain an OIDC ID token from the Aporeto control plane and use it to authenticate to an OIDC-compliant third-party service.

Our AWS integration app now uses this method to connect to AWS.

  1. It passes its Aporeto token to the Aporeto control plane, requesting an OIDC ID token.
  2. The control plane checks the app’s authorization, then returns the ID token.
  3. The app exchanges the ID token for temporary AWS credentials, using the AWS AssumeRoleWithWebIdentity API.

Define the protocols and ports of external networks as pairs

The Control Plane API offers a new ServicePorts attribute, which allows you to define the protocol and port of an external network as a single pair (for example, tcp/80) rather than as separate protocols and ports lists.

As of October 8, the protocols and ports attributes are deprecated. We will remove protocols and ports in a future release.

You cannot use both ServicePorts and protocols/ports in the same external network definition.

All protocols must share the same port or set of ports. For example, you can set a ServicePorts value of [tcp/80,udp/80] but not [tcp/80,udp/90]. We will lift this restriction in a future release.

Only the API exposes ServicePorts at this time.
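The two rules above (ServicePorts is mutually exclusive with protocols/ports, and every protocol must carry the same set of ports) are easy to get wrong when migrating definitions by script. The following validator is an added example, not Aporeto's own code; the field names, the `proto/port` entry syntax and the restriction to TCP/UDP are assumptions, and `legacy_to_service_ports` shows that a converted legacy definition always satisfies the shared-port rule because the legacy form applied every port to every protocol.

```python
import re
from typing import Dict, List, Sequence, Set, Tuple

# Constructed validator for the ServicePorts rules stated in these notes.
# Field names and the "proto/port" entry syntax are assumptions.
PORT_SPEC = re.compile(r"^(tcp|udp)/(\d{1,5})$", re.IGNORECASE)


def parse_service_port(spec: str) -> Tuple[str, int]:
    """Parse one entry such as 'tcp/80' into ('tcp', 80)."""
    m = PORT_SPEC.match(spec.strip())
    if not m:
        raise ValueError(f"malformed ServicePorts entry: {spec!r}")
    port = int(m.group(2))
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in entry {spec!r}")
    return m.group(1).lower(), port


def validate_external_network(definition: Dict) -> List[str]:
    """Return a list of rule violations (empty when the definition is valid)."""
    errors: List[str] = []
    service_ports = definition.get("ServicePorts") or []
    uses_legacy = bool(definition.get("protocols") or definition.get("ports"))
    # Rule 1: ServicePorts and the deprecated protocols/ports are mutually exclusive.
    if service_ports and uses_legacy:
        errors.append("ServicePorts cannot be combined with protocols/ports")
    ports_by_proto: Dict[str, Set[int]] = {}
    for spec in service_ports:
        try:
            proto, port = parse_service_port(spec)
        except ValueError as exc:
            errors.append(str(exc))
            continue
        ports_by_proto.setdefault(proto, set()).add(port)
    # Rule 2: every protocol must carry the same set of ports, e.g. [tcp/80,udp/80]
    # is allowed but [tcp/80,udp/90] is not.
    if len({frozenset(s) for s in ports_by_proto.values()}) > 1:
        errors.append("all protocols must share the same set of ports")
    return errors


def legacy_to_service_ports(protocols: Sequence[str], ports: Sequence[int]) -> List[str]:
    """Rewrite a deprecated protocols/ports definition as ServicePorts pairs.

    The legacy form applies every port to every protocol (a cross product),
    so the converted list always satisfies rule 2."""
    return sorted(f"{p.lower()}/{port}" for p in protocols for port in ports)
```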

Splunk and GCP integration apps

Under Integrations > Apps in the Aporeto web interface, we offer two new apps:

  • Splunk Application: allows you to send flow and processing unit logs to a specified Splunk REST API endpoint.

  • GCP Instance Monitor: monitors your Google Cloud Platform (GCP) instances to ensure that each one has a running enforcer. If the app locates an instance without an operational enforcer, it triggers an alarm in the Aporeto web interface. If you have instances that you wish to exclude from monitoring, you can identify these using tags.

SAML integration

You can now configure a SAML identity provider for SSH and control plane user authentication.

Known issues

Red Hat Enterprise Linux 8+ requires special configuration to work with the SSH access control feature. If you require this distribution, contact us for assistance.