Based on the traffic scope that you selected at the time of starting to generate a recommendation, the Recommendation service job selects unmicrosegmented ingress (inbound), egress (outbound), or intra-application traffic flows from and between the entities of the selected recommendation boundary.

The flows are then aggregated by the service (port or protocol) on which these flows are communicating. The sources and destinations for each of the flows for a particular service are then grouped together. While grouping, an attempt is made to reuse existing groups that already exist in the inventory based on the user-specified threshold for matching ratio.

If no existing group is found that can satisfy the set grouping threshold, then a new group is created.

Based on the value that you set for the Create Rules for option, only the traffic flows in a specific direction is considered when generating a recommendation rule. If the scope of the traffic flow was all traffic, incoming and outgoing, or incoming and intra-application, then the traffic flows in these directions will be aggregated together to form the rule, based on the service.

Take these flows, for example.

  • Boundary is set using VM1 and VM2

  • Groups: CG with VM1 and VM2 as members

  • Groups: G3 with VM3 and VM4 as members

  • Assuming Match threshold : 50%

The unsegmented traffic flows are as follows.

  • VM3 to VM1 using SSH

  • VM1 to VM2 using SSH

The following is the resulting microsegmentation recommendation , which is a single rule for SSH.

New Source Group

Destination Group

Service

Applied-to Group

Group with VM1 and VM3 as members

CG with VM1, VM2 as members

SSH

Group CG with VM1 and VM2 as members

If the traffic flows are originating from outside the configured mask of private IP addresses, then the flows from and to such IP addresses that are not included in the private IP prefix list will be marked as “ANY”.

Consider the following unsegmented flows.

  • ANY flows to VM1 using SSH

  • Flows from VM1 to VM3 using SSH

  • Boundary is set using VM1 and VM2

  • Group defined is CG with VM1 and VM2 as members

In this case, when the ingress and egress flows are aggregated, they become ANY flows from VM1 to VM1 and VM3, using SSH.

This in turn results in the following micro-segmentation rule.

Source

Destination

Service

Applied To

ANY

[VM1] in CG, [VM3] in G3

SSH

CG [VM1, VM2]
Note:

All the rules are always applied only to the members of the recommendation boundary that you had specified before generating the recommendation. The reason aggregation is used is to reduce the number of rules that would result based on the service.