Creating Policies

This article walks through the various policy creation workflows available in Cloud Control Center.

Section 1 - Prerequisite Knowledge/Helpful Links

Section 2 - Manual Policy Creation

  • Create Policy button works within the context of the currently selected Policy Set.

Section 3 - Policy Creation through the Policy Matrix

  • Main workflow
  • Traffic Flow View
  • Multiselect (Link)

Prerequisites

You should be familiar with the building blocks of Elisity policy and the constructs involved in policy creation and management before deploying policies. See the following articles for each component.

Anatomy of an Elisity Policy

Policy Groups

Security Profiles

Policy Sets and Site Labels

Policy Matrix

Manual Policy Creation

Go to the Policies dashboard, select a Policy Set, and click the + Create Policy button.

 

Fill out the required information on the Create Policy page.

 

  • Policy Name/Description: Give your policy a name that clearly defines the source and destination, and an optional description. The Policy Name field has a 131-character limit, and the description has a 255-character limit.

  • Source and Destination Policy Group: Select a policy group for both your source and destination. Only previously created Policy Groups appear here. If you have not yet created a Policy Group for the set of assets you want to use as a policy endpoint, you need to exit and define your Policy Groups first.

  • Security Profile: Select the button for Existing Security Profile to choose a pre-defined security profile, or create a new Security Profile on the fly. See the article on creating Security Profiles for more information on this step.

  • Final Policy Action: Final Policy Action determines how any IP traffic not explicitly defined in the security profile is handled. This is either Deny or Allow. It is used in conjunction with custom Security Profiles that either deny or allow specific protocols, with the Final Policy Action denying or allowing the remaining traffic.

    Example: Allow SSH with Final Policy Action Deny would allow only SSH traffic and deny all other traffic between the source and destination Policy Groups.

  • Create Return Path Policy Enforcement: Choose whether to enable bidirectional enforcement of the given policy by creating a return path policy. When the box is unchecked, you create a uni-directional policy that only impacts traffic flows in the specified direction - determined by your source and destination Policy Groups.

 

Note: The created return path policy, indicated by the arrows on the policy in the Policy Matrix, uses the security profile from the original policy. To create a return policy with a different security profile, you can deploy two uni-directional policies on the policy matrix; just click the cells with the opposite source/destination of your first policy.

 

Click Deploy or Save as Simulation to finish deploying or saving your policy.
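
The interaction between the Security Profile, the Final Policy Action and the return path option can be checked against a list of flows before deploying. The following is an added example, not Elisity code or an Elisity API: it is a simplified model in which a Security Profile is a mapping of protocol name to action, and the Policy Group names and sample flows are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Policy:
    source_pg: str
    dest_pg: str
    profile: dict      # Security Profile (modelled): protocol name -> "Allow"/"Deny"
    final_action: str  # Final Policy Action: "Allow" or "Deny"
    return_path: bool  # True = a return path policy is created as well

def covers(policy, src, dst):
    """True if the policy, or its return path policy, applies to src -> dst."""
    if (src, dst) == (policy.source_pg, policy.dest_pg):
        return True
    # The return path policy swaps source and destination and reuses
    # the security profile of the original policy.
    return policy.return_path and (src, dst) == (policy.dest_pg, policy.source_pg)

def evaluate(policy, src, dst, protocol):
    """Return 'Allow', 'Deny' or 'No policy' for a single flow."""
    if not covers(policy, src, dst):
        return "No policy"
    # Protocols named in the profile get their own action; all remaining
    # traffic falls through to the Final Policy Action.
    return policy.profile.get(protocol, policy.final_action)

def denied_flows(policy, flows):
    """Flows from the list that this policy would deny once deployed."""
    return [f for f in flows if evaluate(policy, *f) == "Deny"]

# Constructed sample of observed flows: (source PG, destination PG, protocol).
SAMPLE_FLOWS = [
    ("Admins", "Servers", "SSH"),
    ("Admins", "Servers", "HTTP"),
    ("Servers", "Admins", "SSH"),
    ("Servers", "Admins", "SNMP"),
    ("Guests", "Servers", "SSH"),
]

if __name__ == "__main__":
    # "Allow SSH with Final Policy Action Deny", with and without a return path.
    for return_path in (False, True):
        p = Policy("Admins", "Servers", {"SSH": "Allow"}, "Deny", return_path)
        print("return path policy:", return_path)
        for flow in SAMPLE_FLOWS:
            print("  ", " > ".join(flow[:2]), flow[2], "->", evaluate(p, *flow))
```

Flows reported as "No policy" are outside the scope of the modelled policy; what happens to them depends on the other policies in the Policy Set and is not covered by this model.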

Deploying Policies Using the Policy Matrix

The Policy Matrix offers a visual representation of all Policies deployed within a given Policy Set, mapping Source Policy Groups (X-axis) to Destination Policy Groups (Y-axis). Deploying policies directly from the Policy Matrix provides several major operational benefits:

Benefits of Deploying from the Policy Matrix

Source and Destination Pre-Filled During Policy Creation
Selecting an empty cell in the Policy Matrix automatically opens the policy creation page with the Source and Destination Policy Groups pre-filled. This eliminates manual input, reduces the risk of errors, and speeds up the creation process.

Deploy Policies with Visibility into Traffic Flows
Switching the Policy Matrix to Traffic Flow View displays observed communication between Policy Groups. Administrators can deploy policies based on real-world traffic patterns, improving the effectiveness of segmentation and reducing the risk of unintended disruptions.

Multi-Select Policy Deployment
The Policy Matrix allows multiple cells to be selected at once for batch deployment of policies.
This is ideal for scaling segmentation across many Policy Groups efficiently.
(For detailed instructions, see Multi-Select Policy Deployment).

 

Steps

Follow these steps to deploy a policy directly from the Policy Matrix:

Step 1: Open the Policy Matrix

  • Navigate to Policies > Policy Matrix in Cloud Control Center.

  • Ensure the correct Policy Set is selected.

Step 2: Select an Empty Cell

  • In Graphical View, locate a cell without an existing policy.

  • Click on the empty cell where the Source Policy Group (row) intersects with the Destination Policy Group (column).

Step 3: Complete the Policy Creation Form

The Source and Destination fields will be automatically populated based on the selected cell.

Fill out the remaining details required to deploy the policy. See the chart below for more information on each field:

  • Policy Name/Description: The Policy Name is pre-filled using the format SOURCE_PG > DEST_PG. This field has a 131-character limit, and the description has a 255-character limit.

  • Source and Destination Policy Group: The source and destination Policy Groups are determined by the cell that was selected for Policy Creation and are unchangeable. If incorrect, click Cancel and select a different cell in the Policy Matrix.

  • Security Profile: Select the button for Existing Security Profile to choose a pre-defined security profile, or create a new Security Profile on the fly. See the article on creating Security Profiles for more information on this step.

  • Final Policy Action: Final Policy Action determines how any IP traffic not explicitly defined in the security profile is handled. This is either Deny or Allow. It is used in conjunction with custom Security Profiles that either deny or allow specific protocols, with the Final Policy Action denying or allowing the remaining traffic.

    Example: Allow SSH with Final Policy Action Deny would allow only SSH traffic and deny all other traffic between the source and destination Policy Groups.

  • Create Return Path Policy Enforcement: Choose whether to enable bidirectional enforcement of the given policy by creating a return path policy. When the box is unchecked, you create a uni-directional policy that only impacts traffic flows in the specified direction - determined by your source and destination Policy Groups.

Step 4: Review and Submit

  • Review the policy configuration summary.

  • Click Submit to create and deploy the policy.

  • The new policy will appear immediately in the Policy Matrix and be distributed according to your Policy Set and Site Label mappings.

Multi-Select Policy Deployment

The Policy Matrix supports selecting multiple empty cells at once to create and deploy multiple policies simultaneously.
This is useful for environments where many Source to Destination relationships require similar policies.
Each selected cell will generate an individual policy creation workflow, with Source and Destination fields pre-filled.

(For detailed instructions, refer to Multi-Select Policy Deployment.)

 

 
