# Illumio — Key concepts
This page introduces the core technical concepts needed to understand the Illumio solution.
## 1) PCE and VEN: responsibilities
### PCE (Policy Compute Engine)
The PCE is the policy authority:
- defines and governs the label model and the security policy
- computes and distributes policy to agents
- provides visibility and audit capabilities
- exposes APIs for integrations and automation
### VEN (Virtual Enforcement Node)
The VEN is the workload agent:
- periodically communicates with the PCE to exchange policy and collected information
- enforces policy through the OS-native firewall (it programs rules; it does not proxy traffic)
Diagram: VEN ↔ PCE (image)
## 2) Workloads and labels
### Workloads
Workloads are the managed systems (servers/endpoints) in scope. A workload becomes enforceable once it runs a VEN and is labeled.
### Labels (scope and identity)
Labels express identity and scope (commonly App / Env / Role / Location). They are used to:
- group workloads consistently across environments
- keep policy stable when IPs change
- keep rulesets readable and maintainable
## 3) Policy model (high level)
- The default posture restricts anything that is not explicitly required.
- Allow rules describe application dependencies (source/destination labels + service/port).
- Rulesets organize rules by scope and intent.
## 4) Enforcement via OS firewall
Illumio enforces policy through the OS-native firewall: the VEN programs firewall rules but never sits in the traffic path as a proxy. Because no extra component is inserted into the data path, installation and upgrades carry less operational risk and the workload's stability is preserved.
## 5) VEN agent modes (phasing enforcement)
Four modes let enforcement be phased in safely; workloads in different modes can coexist in the same environment.
- Idle: compatibility/health checks after install (no enforcement)
- Visibility: visibility only (no communication control)
- Selective enforcement: enforce with targeted denies (blacklist-style)
- Full enforcement: allow only explicitly required communications (whitelist-style)
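To make sections 2, 3 and 5 concrete, here is an added example (not Illumio's code or data model) of how label-based allow and targeted-deny rules evaluate a single flow under each VEN mode, and why re-addressing a workload leaves the verdict unchanged. The workloads, labels, rules, port numbers and the folding of ruleset scope into plain label selectors are all constructed assumptions for illustration.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Constructed sample model (not Illumio's schema); ruleset scope is folded into the label selectors.
@dataclass(frozen=True)
class Workload:
    ip: str
    labels: dict   # e.g. {"app": "payments", "env": "prod", "role": "web"}
    mode: str      # VEN mode: "idle" | "visibility" | "selective" | "full"

@dataclass(frozen=True)
class Rule:
    consumers: dict                 # label selector the source must match
    providers: dict                 # label selector the destination must match
    services: Optional[frozenset]   # {(port, proto)}; None means any service
    action: str = "allow"           # "allow", or a targeted "deny"

def matches(labels: dict, selector: dict) -> bool:
    # every key/value of the selector must be present on the workload; extra labels are fine
    return all(labels.get(k) == v for k, v in selector.items())

def verdict(src: Workload, dst: Workload, port: int, proto: str, rules: list) -> str:
    """Inbound verdict as the destination VEN would program it; IPs are never consulted."""
    hits = {r.action for r in rules
            if matches(src.labels, r.consumers) and matches(dst.labels, r.providers)
            and (r.services is None or (port, proto) in r.services)}
    if dst.mode in ("idle", "visibility"):
        return "allow"                                    # nothing enforced; flows only observed
    if dst.mode == "selective":
        return "deny" if "deny" in hits else "allow"      # only targeted denies are programmed
    return "allow" if hits == {"allow"} else "deny"       # full enforcement (and any unknown mode): default deny

WEB = Workload("10.0.1.10", {"app": "payments", "env": "prod", "role": "web"}, "full")
DB = Workload("10.0.2.20", {"app": "payments", "env": "prod", "role": "db"}, "full")
DEV = Workload("10.9.0.5", {"app": "payments", "env": "dev", "role": "web"}, "visibility")
RULES = [
    Rule({"app": "payments", "env": "prod", "role": "web"},
         {"app": "payments", "env": "prod", "role": "db"}, frozenset({(5432, "tcp")})),
    Rule({"env": "dev"}, {"env": "prod"}, None, action="deny"),   # dev must never reach prod
]

def demo() -> dict:
    # the same flows against db in each mode, plus web re-addressed with identical labels
    return {
        "full/web->db:5432": verdict(WEB, DB, 5432, "tcp", RULES),                                 # allow
        "full/web->db:22": verdict(WEB, DB, 22, "tcp", RULES),                                     # deny
        "selective/web->db:22": verdict(WEB, replace(DB, mode="selective"), 22, "tcp", RULES),     # allow
        "selective/dev->db:5432": verdict(DEV, replace(DB, mode="selective"), 5432, "tcp", RULES), # deny
        "visibility/dev->db:5432": verdict(DEV, replace(DB, mode="visibility"), 5432, "tcp", RULES),  # allow
        "full/moved_web->db:5432": verdict(replace(WEB, ip="10.0.7.77"), DB, 5432, "tcp", RULES),  # allow
    }
```

Note that the only difference between the selective and full cases is the default: selective enforcement programs just the targeted denies, while full enforcement requires an explicit allow rule for every flow.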