What Are SmartGroups? Identity-Based Cloud Workload Security at Scale
TL;DR
SmartGroups are Aviatrix's mechanism for grouping cloud workloads by identity and enforcing east-west communication policy at scale.
Unlike IP-based firewall rules, SmartGroups use workload attributes (AWS tags, Kubernetes labels, service accounts) that remain stable as workloads scale and change.
SmartGroups make Communication Governance operational. They're how the “only reach what you're permitted to” policy gets enforced across dynamic cloud environments.
They work across AWS, Azure, and GCP with a single policy framework.
SmartGroups eliminate the need to update firewall rules when workloads change IPs or scale horizontally.
Definition
If you've ever tried to write east-west firewall rules against IP addresses in a cloud environment, you've probably hit the same wall: by the time the rule clears review and gets deployed, the IP it was written for has already changed. Workloads in cloud environments don't have stable IP addresses the way servers in data centers do. They scale up, scale down, restart, and move. SmartGroups are Aviatrix's solution to this problem. Rather than defining east-west security policy by IP address, SmartGroups group workloads by their identity attributes: AWS tags, Kubernetes labels, GCP labels, IAM service accounts, or application context. Policies are applied to SmartGroups, so they follow the workload regardless of where it runs, what IP it has, or how many instances are running.
Why IP-Based Policy Fails at Cloud Scale
Traditional firewall rules are IP-based: permit traffic from source IP X to destination IP Y. In on-premises environments with stable infrastructure, IP-based rules are manageable. In cloud environments, they become unworkable.
Cloud workloads change IPs constantly. Containers restart with new IPs. Auto-scaling groups launch new instances. Blue-green deployments shift traffic between IP ranges. In a dynamic cloud environment, maintaining accurate IP-based firewall rules requires constant manual updates, and stale rules are security gaps.
SmartGroups solve this by making the policy identity-based. The policy is “all workloads in the Payment Processing SmartGroup can communicate with workloads in the Transaction Database SmartGroup”, not “IP 10.0.1.5 can reach 10.0.2.8.” The policy remains accurate regardless of what IPs those workloads have.
How SmartGroups Work
Defining a SmartGroup
A SmartGroup is defined by workload identity attributes: any combination of AWS tags, Kubernetes namespace and label selectors, GCP labels, Azure resource tags, IAM role ARNs, or application name and environment. Any workload matching the SmartGroup definition is automatically included in its policies.
Applying Communication Governance Policy
East-west policies are defined as SmartGroup-to-SmartGroup permissions: “SmartGroup A is permitted to reach SmartGroup B on port 443.” All other SmartGroup-to-SmartGroup communication is blocked by default-deny. The policy is simple to read, maintain, and audit.
Multi-Cloud Enforcement
Aviatrix enforces SmartGroup policies consistently across AWS, Azure, and GCP. The same policy definition applies regardless of which cloud a workload runs in: a single control plane for multicloud east-west security.
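To make the three steps above concrete (selectors over workload attributes, group-to-group allow rules, default-deny for everything else, and the same decision regardless of cloud), here is a small Python model of identity-based policy evaluation. It is an added example written for this page, not Aviatrix code and not its API; the class names, tag keys, workload records, rule shapes and IP addresses are all constructed for illustration. It also carries a static IP-rule list alongside, so the reader can see the same restart that leaves the identity decision unchanged break the IP-based rule.

```python
"""Toy model of identity-based east-west policy (added example, not Aviatrix code).

A SmartGroup here is a selector over workload attributes; a Rule allows one
group to reach another on a port; anything not matched by a Rule is denied.
All workload records, tag keys, rules and IPs below are constructed samples.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Workload:
    name: str
    cloud: str                 # "aws", "azure" or "gcp"
    ip: str                    # ephemeral: the identity policy never reads it
    tags: dict = field(default_factory=dict)   # provider tags / k8s labels
    service_account: str = ""  # IAM role ARN or service account, if any


@dataclass(frozen=True)
class SmartGroup:
    """All listed tags must match; empty cloud/account sets mean 'any'."""
    name: str
    match_tags: dict = field(default_factory=dict)
    clouds: frozenset = frozenset()
    service_accounts: frozenset = frozenset()

    def matches(self, w: Workload) -> bool:
        if self.clouds and w.cloud not in self.clouds:
            return False
        if self.service_accounts and w.service_account not in self.service_accounts:
            return False
        return all(w.tags.get(k) == v for k, v in self.match_tags.items())


@dataclass(frozen=True)
class Rule:
    src_group: str
    dst_group: str
    port: int
    proto: str = "tcp"


def groups_for(w: Workload, groups) -> set:
    """Membership is computed on demand, so a new or restarted instance is
    covered the moment its attributes match a selector."""
    return {g.name for g in groups if g.matches(w)}


def is_allowed(src: Workload, dst: Workload, port: int, groups, rules,
               proto: str = "tcp") -> bool:
    """Identity-based decision: allow only if some rule joins a group the
    source belongs to with a group the destination belongs to. No rule
    means deny (default-deny)."""
    src_groups, dst_groups = groups_for(src, groups), groups_for(dst, groups)
    return any(r.src_group in src_groups and r.dst_group in dst_groups
               and r.port == port and r.proto == proto for r in rules)


def ip_rule_allows(src: Workload, dst: Workload, port: int, ip_rules) -> bool:
    """The legacy alternative: a static set of (src_ip, dst_ip, port) tuples."""
    return (src.ip, dst.ip, port) in ip_rules


# --- constructed sample environment ---------------------------------------
GROUPS = [
    SmartGroup("payment-processing", {"app": "payments", "env": "prod"}),
    SmartGroup("transaction-db", {"app": "txn-db", "env": "prod"}),
]
RULES = [Rule("payment-processing", "transaction-db", 5432)]
IP_RULES = {("10.0.1.5", "10.0.2.8", 5432)}   # written against today's IPs

PAY_AWS = Workload("pay-1", "aws", "10.0.1.5", {"app": "payments", "env": "prod"})
PAY_AWS_RESTARTED = Workload("pay-1", "aws", "10.0.1.77", PAY_AWS.tags)  # same identity, new IP
PAY_AZURE = Workload("pay-az-1", "azure", "10.1.0.9", {"app": "payments", "env": "prod"})
DB = Workload("txn-db-1", "aws", "10.0.2.8", {"app": "txn-db", "env": "prod"})
DEV_BOX = Workload("dev-1", "aws", "10.0.3.3", {"app": "payments", "env": "dev"})


def demo() -> dict:
    """Run the cases the text argues about and return each decision."""
    return {
        "pay->db:5432": is_allowed(PAY_AWS, DB, 5432, GROUPS, RULES),
        "pay(restarted)->db:5432": is_allowed(PAY_AWS_RESTARTED, DB, 5432, GROUPS, RULES),
        "pay(azure)->db:5432": is_allowed(PAY_AZURE, DB, 5432, GROUPS, RULES),
        "db->pay:5432": is_allowed(DB, PAY_AWS, 5432, GROUPS, RULES),   # rules are directional
        "pay->db:22": is_allowed(PAY_AWS, DB, 22, GROUPS, RULES),       # port not permitted
        "dev->db:5432": is_allowed(DEV_BOX, DB, 5432, GROUPS, RULES),   # env=dev, not in group
        "ip_rule pay->db": ip_rule_allows(PAY_AWS, DB, 5432, IP_RULES),
        "ip_rule pay(restarted)->db": ip_rule_allows(PAY_AWS_RESTARTED, DB, 5432, IP_RULES),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:30} {'ALLOW' if decision else 'DENY'}")
```

The point to take from running it: the identity decision for `pay-1` is identical before and after its restart and for its Azure twin, because membership is recomputed from tags at evaluation time, while the IP tuple list silently stops matching the restarted instance. The dev box carrying `app=payments` but `env=dev` is kept out of the group entirely, which is why selectors should include every attribute that actually distinguishes the trust boundary.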
SmartGroups and Communication Governance
SmartGroups are the operational implementation of Communication Governance. The Communication Governance principle, that every workload can only reach what it is explicitly permitted to reach, is enforced through SmartGroup policies.
Without SmartGroups (or an equivalent identity-based policy mechanism), Communication Governance is a policy concept with no practical enforcement mechanism at cloud scale. SmartGroups make it real.
Frequently Asked Questions
Q: What are SmartGroups in Aviatrix?
SmartGroups are Aviatrix's identity-based workload grouping mechanism. They group cloud workloads by identity attributes (AWS tags, Kubernetes labels, service accounts) and apply east-west communication policies to those identity groups, enabling Communication Governance enforcement at scale without IP-based firewall rules.
Q: How do SmartGroups differ from traditional firewall rules?
Traditional firewall rules are IP-based: they permit or deny traffic based on source and destination IP addresses that change constantly in cloud environments. SmartGroups are identity-based: policies use workload attributes that remain stable even as IPs change, workloads scale, or containers restart.
Q: Can SmartGroups work across multiple clouds?
Yes. SmartGroups use workload identity attributes that are portable across cloud providers. The same east-west policy framework works across AWS, Azure, and GCP, enforcing Communication Governance consistently regardless of cloud provider.
Q: How do SmartGroups support Communication Governance?
SmartGroups are the operational mechanism for Communication Governance enforcement. By defining which SmartGroups can communicate with which others and enforcing those policies through Aviatrix's distributed cloud firewall, SmartGroups make the “only reach what you're permitted to reach” principle operational at cloud scale.
Q: What attributes can define a SmartGroup?
SmartGroups can be defined by: AWS/Azure/GCP resource tags, Kubernetes labels and namespace selectors, IAM role ARNs and service account identities, VPC or virtual network membership, application name and environment (prod/staging/dev), or any combination of these attributes.