About Access Groups
Access Groups are active when the WPC Topology is set to Custom. When they are active, a 'deny by default' approach is used, and Access Groups are configured to allow access.
The access policy for a newly created WPC is 'allow by default.' The WPC Topology indicates 'allow by default' when set to 'Full Mesh'. Refer to Set WPC Topology to control the applicability of access control. Full Mesh disables Access Groups and allows full access between all connected resources.
Access Groups are active when the WPC Topology is set to Custom. A 'deny by default' approach is used when WPC Topology is set to Custom, and Access Groups must be configured to allow access. A default full-mesh Access Group is present so that any ongoing traffic flows are not affected immediately when the setting changes. This default Access Group needs to be deleted or edited to allow your specific access policies to take effect.
Access Groups allow you to determine who (source) gets access to what (destination). User Groups, Hosts, and Networks and the source IP Services from those Networks act as sources for Access Groups. Shared Applications via AppHub, User Groups, Hosts, Networks and the IP Services and Applications reachable from the Networks or available from the Hosts act as destinations for Access Groups.
Access Groups are bidirectional in the sense that if one Access Group is configured to allow access between Network A (as source) and Network B (as destination), it is implied that Network B can also communicate with Network A. Another Access Group for the other direction is not needed.
CloudConnexa allows you to set access policies even for connected Networks and Hosts. Some examples where these Access Groups can be applied are:
API Access Control: Specific Hosts having a web frontend application can be given access to Hosts providing the database for the web application. Access to databases for another application will be blocked.
Site-to-Site Access Control: Only the Network at Site A can access the Network at Site B. Attempts to communicate with Site C will be blocked.
Site-to-Applications Access Control: The Network at Site A can access only one application reachable from the Network at Site B. Access to other applications reachable from Site B will be blocked.
IP Subnet-to-IP Subnet Access Control between Sites: You can further segment your connected networks by creating IP Services that act as a traffic source and then configure Access Groups to allow communication between two subnets (IP Services) in the same or different networks.