Creating Policies

This article walks through the policy creation workflows available in Cloud Control Center, including creating policies from the Policy Matrix, using the Create Policy form, and filtering policies across views.

Prerequisites

Before creating policies, you should be familiar with the building blocks of Elisity policy. See the following articles for each component:

Policy Types

Each policy in Cloud Control Center is one of the following types, determined by the Security Profile and configuration applied during creation. The policy type is visible as color-coded cells in the Policy Matrix and as a dedicated column in the Table view.

Deny All – Blocks all IP traffic between the Side A and Side B Policy Groups. Uses the built-in Deny All Security Profile.

Allow All – Permits all IP traffic between the Side A and Side B Policy Groups. Uses the built-in Allow All Security Profile with no protocol restrictions.

Custom Policy – Applies a custom Security Profile that defines specific L3/L4 rules governing which protocols and ports are allowed or denied. The Final Policy Action determines how traffic not explicitly matched by the Security Profile is handled.

Independent Control – Indicates that traffic between the Side A and Side B Policy Groups is managed by an external enforcement point rather than by Elisity policy. Independent Control policies do not have a Security Profile or Final Policy Action — these fields display as “––” in the Policy Matrix and Table views.

Side A and Side B

Elisity policies define communication rules between two sets of assets, referred to as Side A and Side B. Each side is represented by a Policy Group.

Side A – Displayed on the vertical axis (rows) of the Policy Matrix and as the first Policy Group column in the Table view.

Side B – Displayed on the horizontal axis (columns) of the Policy Matrix and as the second Policy Group column in the Table view.

This terminology is consistent across the Policy Matrix, Policy Table view, Traffic Analytics, policy filters, and CSV/XLSX exports.

The Policy Matrix

The Policy Matrix provides a visual representation of all policies within a Policy Set. Side A Policy Groups are listed along the vertical axis and Side B Policy Groups along the horizontal axis. Each cell represents the policy relationship between two Policy Groups, color-coded by policy type.

Empty (white) cells indicate no policy exists between those two Policy Groups. Hovering over a Policy Group name displays details including matched assets, group tag value, and description.

Creating a Policy from the Policy Matrix

Clicking an empty cell in the Policy Matrix opens the Create Policy form with the Side A and Side B Policy Groups pre-filled based on the row and column of the selected cell. This eliminates manual selection and reduces the risk of misconfiguration.

Step 1: Open the Policy Matrix

  1. Navigate to Policies > Policies in Cloud Control Center.
  2. Select the Matrix view toggle (grid icon) in the upper left.
  3. Ensure the correct Policy Set is selected from the dropdown.

Step 2: Select an Empty Cell

Click on an empty (white) cell where the Side A Policy Group (row) intersects with the Side B Policy Group (column). The Create Policy form opens with the Side A and Side B fields pre-filled and the policy name auto-generated using the format Side A PG > Side B PG.

Note: Clicking a cell that already contains a policy opens the policy details view, not the creation form.

Step 3: Complete the Create Policy Form

Fill out the following fields:

Policy Name – Auto-generated from the Side A and Side B Policy Group names. Can be customized. 131-character limit.

Policy Description – Optional description for the policy. 255-character limit.

Audit Comment – A comment recorded with the policy creation for audit trail purposes. Required when the Enforce Audit Comments setting is enabled on the Policy Set.

Independent Control – Toggle this on to designate the policy as externally controlled. When enabled, the Security Profile and Final Policy Action fields are removed — Elisity does not enforce traffic rules for this policy relationship.

Security Profile – Select an existing Security Profile or create a new one inline. The Security Profile defines the L3/L4 rules applied to traffic between the two Policy Groups. See Security Profiles for details.

Final Policy Action – Determines how IP traffic not explicitly defined in the Security Profile is handled: Allow or Deny. For example, a Security Profile that allows SSH combined with a Final Policy Action of Deny permits only SSH traffic and blocks everything else.

Create Return Path Policy Enforcement – When checked, creates a bidirectional policy by automatically generating a return path policy (Side B → Side A) using the same Security Profile. When unchecked, the policy is unidirectional and only applies in the Side A → Side B direction.

Note: To create a return path policy with a different Security Profile, deploy two separate unidirectional policies with opposite Side A and Side B assignments.

Step 4: Deploy or Simulate

Click Create to review the policy configuration. You are presented with the option to save the policy as a Simulated Policy or deploy it as an active policy. The confirmation dialog displays all Virtual Edge Nodes impacted by the policy. If deployed as active, enforcement begins immediately on the listed nodes.
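The way the Security Profile, Final Policy Action and Create Return Path Policy Enforcement fields from Step 3 combine, modelled in Python as an added example; this is not Elisity code or an Elisity API. The class and function names, the group names Admins and Servers, and the first-match rule ordering are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """One L3/L4 rule of a Security Profile (illustrative model)."""
    protocol: str   # e.g. "tcp" or "udp"
    port: int
    action: str     # "allow" or "deny"

@dataclass(frozen=True)
class Policy:
    side_a: str
    side_b: str
    rules: tuple = ()            # Security Profile rules; unused when independent
    final_action: str = "deny"   # Final Policy Action for unmatched traffic
    independent: bool = False    # Independent Control: not enforced by this model

def create_policy(table, side_a, side_b, rules=(), final_action="deny",
                  return_path=False, independent=False):
    """Store a policy keyed by direction; optionally add the Side B -> Side A copy."""
    table[(side_a, side_b)] = Policy(side_a, side_b, tuple(rules), final_action, independent)
    if return_path:
        # The return path reuses the same Security Profile, as the form describes.
        table[(side_b, side_a)] = Policy(side_b, side_a, tuple(rules), final_action, independent)
    return table

def evaluate(table, src_group, dst_group, protocol, port):
    """Return 'allow', 'deny', 'external' or 'no-policy' for one flow."""
    policy = table.get((src_group, dst_group))
    if policy is None:
        return "no-policy"       # empty matrix cell; outcome is not modelled here
    if policy.independent:
        return "external"        # left to the external enforcement point
    for rule in policy.rules:    # assumption: first matching rule wins
        if rule.protocol == protocol and rule.port == port:
            return rule.action
    return policy.final_action   # traffic the Security Profile did not match

# Constructed sample: the "allow SSH, Final Policy Action Deny" case from Step 3.
SSH_ONLY = [Rule("tcp", 22, "allow")]
one_way = create_policy({}, "Admins", "Servers", SSH_ONLY, "deny")
two_way = create_policy({}, "Admins", "Servers", SSH_ONLY, "deny", return_path=True)

if __name__ == "__main__":
    for name, table in (("unidirectional", one_way), ("with return path", two_way)):
        print(name,
              evaluate(table, "Admins", "Servers", "tcp", 22),
              evaluate(table, "Admins", "Servers", "tcp", 443),
              evaluate(table, "Servers", "Admins", "tcp", 22))
```

In the unidirectional case the Servers → Admins cell stays empty, so the reverse SSH flow has no policy until the return path is created or a second policy is deployed.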

Creating a Policy from the Policies Page

Policies can also be created without using the Policy Matrix by clicking the + Create Policy button in the upper right corner of the Policies page.

  1. Navigate to Policies > Policies in Cloud Control Center.
  2. Click the + Create Policy dropdown button.
  3. In the Create Policy form, manually select the Side A and Side B Policy Groups from the dropdowns. Only previously created Policy Groups appear in these lists.
  4. Complete the remaining fields (Security Profile, Final Policy Action, Return Path) as described above.
  5. Click Create to review, then deploy or save as simulation.

Multi-Select Policy Deployment

The Policy Matrix supports selecting multiple empty cells at once to create and deploy multiple policies simultaneously. This is useful when many Side A to Side B relationships require the same or similar policies. Each selected cell generates an individual policy, with Side A and Side B fields pre-filled.

For detailed instructions, see Multi-Select Policy Deployment in the Policy Matrix article.

Policy Matrix Filtering

The Policy Matrix and Table view share a filtering system that narrows the displayed policies based on Policy Group attributes, policy properties, and custom criteria. Filters persist when switching between Matrix and Table views. Click the Filters button to open the filter panel.

The filter panel contains four tabs:

Side A – Filter the Side A (row) Policy Groups by attributes such as Policy Group Name, Genre, Security Level, or other properties.

Side B – Filter the Side B (column) Policy Groups using the same attribute options.

Additional Filters – Filter by policy-level properties such as Policy Status (Active, Simulated), Policy Type (Allow All, Deny All, Custom, Independent Control), or other policy metadata.

Saved Filters – Access previously saved filter configurations for quick reuse.

Each filter row has three components: Search Type (the attribute to filter on), Condition (Equals, Contains, etc.), and Value. Click + Add New Filter to add additional filter rows within a tab.

Saving and Importing Filters

Save Filter – Saves the current filter configuration for future use. Saved filters appear in the Saved Filters tab.

Import Filter – Imports a previously saved filter configuration.

Clear Filters – Removes all active filters and returns to the unfiltered view.

Filters in the Table View

The same filter panel is available in the Table (list) view. Filters applied in the Matrix view carry over when switching to the Table view, and vice versa.

The Table view displays policies in a flat list with columns for Side A Policy Group, Side B Policy Group, Policy Type, Security Profile, Final Action, and Status. Use the Search bar for quick text filtering and the From A-Z sort option to reorder Policy Groups alphabetically.

Multi-Edit

The Multi-Edit button in the upper right of the Policy Matrix enables bulk modifications to existing policies. Select multiple policy cells in the matrix, then click Multi-Edit to apply changes across all selected policies simultaneously.

Traffic Flow View

Switch the Policy Matrix to Traffic Flow View to overlay observed communication patterns between Policy Groups onto the matrix. This allows you to deploy or adjust policies based on actual network behavior.

Traffic Analytics displays Side A and Side B Policy Groups alongside service names, application protocols, actions taken (Allow, Deny), and policy status for each observed flow.
