Tags are free-form text labels attached to one or more systems in your account which allow administrators to group systems together which share similar characteristics (i.e. business unit, security level or function) in order to build connectivity between them.
Tags can be manually added to enrolled systems, or an Enrolment Key can be configured to apply an initial set of Tags to new systems as they enrol to your account.
Tags form the building blocks of policies and policies define connectivity between enrolled systems. Instead of directly attaching systems to a Policy, Administrators use Tags to freely group enrolled systems together which can be referenced once across many policies. The decoupling which Tags provide allows policies to be defined once and remain static, while the business shifts and evolves underneath.
For example, if an Administrator creates a developers Tag and a kubernetes-pods Tag, and then defines a
Kubernetes access Policy which allows developers direct access to kubernetes-pods; then systems in the developers Tag can change over time, so can members of the kubernetes-pods Tag as new instances are spun up and old instances are shutdown. The policy however (the business intent underpinning connectivity between those groups) remains in-place, constant and unchanged.
Managed vs. unmanaged systems: When one or more Tags are attached to a system, that system automatically switches into Managed mode. This means all connectivity for that system must be defined by Policy and that the Enclave software on that system will no longer accept commands from the local user(s). Conversely, if no Tags are attached to a system then the opposite is true; the system enters Unmanaged mode and users are able to configure and control the Enclave software locally.
It is considered best practice to define a naming pattern which reflects the structure and security model of your organisation, and group systems along those lines when defining Tags.
A valid Tag name is composed of lower-case characters (
0-9 without spaces) and may be up to 64 characters long. Valid separator characters include
Tags names should be made up of designators which represent your organisational structure. Consider designations for your organisation which group systems:
By user geography: uk, london or nyc-office
By business unit: developers, sales or marketing
By security level: staging, production or uat
By function: webservers, database-servers or intranet
By infrastructure: aws-eu-west-2 or dc-lax-11
By project: us-gov or f22-raptor
You may also decide to combine multiple designations into a single Tag. We suggest using the period character
. to include multiple designations as part of a single Tag name, with the most specific designator placed last.
Once defined, account Administrators can add member systems to Tags and compose Policies to create connectivity.
|Policy Name||Sender Tags||Receiver Tags|
|Access to Jira||all-staff
|Access to preprod db||uk.laptops.developers
|R22 prototype team||f22-raptor.rapid-prototype-team||f22-raptor.rapid-prototype-team|
Note: When the same Tag is applied to both the
Receiversides of the same policy Enclave will create connectivity between that Tag's member systems. In this case, forming a fully connected mesh and community of interest between members of the f22-raptor.rapid-prototype-team Tag. You should consider the capabilities of your underlying network infrastructure when deploying a fully connected mesh. Learn more.