Illumio Core 21.5 Install, Configure, Upgrade

Pair VENs in a Supercluster

A Supercluster allows you to control which PCE you want your workloads to pair with and be managed by, depending on your needs. You can pair one set of workloads with a PCE in Europe, for example, and you can pair another set of workloads with a PCE in the United States.

Sometimes, you might need to reassign some workloads (and their VENs) to be managed by a different PCE than the one they were initially paired with. In some instances of a PCE failure, you might want workloads to temporarily fail over to another healthy PCE. In both cases, another PCE manages a set of workloads.

VENs Paired to Disconnected PCE

A PCE that loses connectivity to its VENs maintains its “online” status from the VEN's perspective and retains the workloads in the policy. This condition can be corrected by taking the following general steps:

  1. Determine the cause of the PCE failure and correct it.

    • Restore the failed PCE.

    • In the case of a failed leader, promote a member to the leader.

  2. For a failed member, uninstall or unpair the VEN on the affected workloads.

  3. (Optional) Delete records of the incorrectly marked “online” VENs using the PCE web console or the REST API. This step is optional because, after VEN heartbeating resumes, the proper state of the VEN is re-established.

Pair Workloads with Leader or Member

This section discusses pairing your workloads with a Supercluster leader or member.

Pairing workloads with the leader or member follows nearly the same process as a standalone PCE cluster:

  1. You create a pairing profile in the Supercluster leader's PCE web console.

    • Member PCEs can be offline when this profile is created.

    • Pairing profiles must always be created on the Supercluster leader.

    • This pairing profile is propagated to all members.

  2. With this pairing profile, you generate a pairing script.

    • The pairing script can be configured to pair either with the Supercluster leader or with a member PCE:

      • A pairing script generated on the leader includes the FQDN of the leader.

      • A pairing script generated on a member includes the FQDN of that member.

    • The pairing script includes the option --management-server with the domain name and port of the leader or the member.

    • The pairing script includes a pairing key (--activation-code option) that can be used to pair with any member.

    • Members can create new pairing keys from pairing profiles replicated from the leader.

    • Members can be isolated from the Supercluster but continue to pair with workloads.

  3. You run the pairing script on the workload to pair.

Pairing Script Examples for Supercluster

Pairing Script to Pair with Leader

The leader's FQDN is supercluster-pce-LEADER.BigCo.com:8443.

rm -fr /opt/illumio/scripts && umask 026 && mkdir -p /opt/illumio/scripts && \
curl https://repo.illum.io/sPl1tOExo0FIEphoewIujIucrLaTOAS3/pair.sh -o /opt/illumio/scripts/pair.sh && \
chmod +x /opt/illumio/scripts/pair.sh && /opt/illumio/scripts/pair.sh \
--management-server supercluster-pce-LEADER.BigCo.com:8443 \
--activation-code xxyyzzyywwxx654321

Pairing Script to Pair with Member

The member's FQDN is supercluster-pce-MEMBER.BigCo.com:8443.

rm -fr /opt/illumio/scripts && umask 026 && mkdir -p /opt/illumio/scripts && \
curl https://repo.illum.io/sPl1tOExo0FIEphoewIujIucrLaTOAS3/pair.sh -o /opt/illumio/scripts/pair.sh && \
chmod +x /opt/illumio/scripts/pair.sh && /opt/illumio/scripts/pair.sh \
--management-server supercluster-pce-MEMBER.BigCo.com:8443 \
--activation-code xxyyzzyywwxx654321

Run Pairing Script on Workloads

As with the standalone PCE configuration, you run the Supercluster-generated pairing script directly on the workload itself.

Linux environment variables and Windows command-line variables allow you to specify the management server to pair with.

For more information about pairing, see VEN Installation and Upgrade Guide.

Pair Workloads with GSLB PCE

When you rely on a Global Services Load Balancer (GSLB) to control which specific PCE a workload communicates with or to pair workloads to a generic name for the Supercluster, set the FQDN value of the supercluster_fqdn parameter in each PCE's runtime_env.yml file.

This value is used as the argument to the pairing script's --management-server option, so the management server in the script is the FQDN you define.

Note

Do not put the port number at the end of the supercluster_fqdn value. The system itself adds the port number to the pairing script.

Example

This example from the generated pairing script shows how the supercluster_fqdn parameter is set.

...
--management-server MyBigSuperclusterFQDN-from-supercluster-fqdn-parameter.BigCo.com:8444
...
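
As an added example (not part of the Illumio documentation), a Python checker that audits a generated pairing script before it is run on a workload: it extracts the --management-server and --activation-code values from the pair.sh command chain, confirms the management server is written as host:port and names a PCE (leader, member or GSLB name) you intended to pair with, and rejects a supercluster_fqdn value that carries a port, per the note above. The repository URL and activation code in the sample are constructed placeholders.

```python
import re
import shlex

# Constructed sample in the shape of the member-pairing script above
# (placeholder repo URL and activation code; line continuations kept).
SAMPLE_SCRIPT = """rm -fr /opt/illumio/scripts && umask 026 && mkdir -p /opt/illumio/scripts && \\
curl https://repo.example.invalid/pair.sh -o /opt/illumio/scripts/pair.sh && \\
chmod +x /opt/illumio/scripts/pair.sh && /opt/illumio/scripts/pair.sh \\
--management-server supercluster-pce-MEMBER.BigCo.com:8443 \\
--activation-code xxyyzzyywwxx654321"""

HOST_PORT = re.compile(r"^(?P<host>[A-Za-z0-9.-]+):(?P<port>\d{1,5})$")


def parse_pairing_script(script: str) -> dict:
    """Pull the download URL, --management-server and --activation-code
    out of a pair.sh command chain; raise ValueError if any is missing."""
    found = {}
    for segment in script.replace("\\\n", " ").split("&&"):
        argv = shlex.split(segment)
        if not argv:
            continue
        if argv[0] == "curl":
            urls = [a for a in argv[1:] if a.startswith("https://")]
            if urls:
                found["download_url"] = urls[0]
        elif argv[0].endswith("pair.sh"):
            opts = dict(zip(argv[1::2], argv[2::2]))
            for opt in ("--management-server", "--activation-code"):
                if opt in opts:
                    found[opt.lstrip("-").replace("-", "_")] = opts[opt]
    missing = {"download_url", "management_server", "activation_code"} - found.keys()
    if missing:
        raise ValueError(f"pairing script is missing {sorted(missing)}")
    return found


def check_management_server(value: str, expected_pces: set) -> list:
    """Problems with a --management-server value: it must be host:port, and
    the host must be a PCE (leader, member or GSLB name) you intend to use."""
    m = HOST_PORT.match(value)
    if not m:
        return [f"--management-server {value!r} is not host:port"]
    if m.group("host").lower() not in {h.lower() for h in expected_pces}:
        return [f"unexpected PCE {m.group('host')!r}"]
    return []


def check_supercluster_fqdn(value: str) -> list:
    """supercluster_fqdn in runtime_env.yml carries no port; the PCE adds
    the port itself when it generates the pairing script."""
    return [f"supercluster_fqdn {value!r} must not include a port"] if ":" in value else []
```
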

VEN Failover After PCE Failure

In rare cases, when you pair workloads with a Supercluster PCE and that PCE fails immediately after you run the workload pairing script, the information about that workload's pairing is not replicated to the other PCEs in the Supercluster. When that workload's VEN tries to retrieve a policy from the PCE or sends a heartbeat, the VEN receives an HTTP 401 Unauthorized error and is eventually moved into the Lost Agent state.

To recover from this situation, you can perform one of these actions:

  • Uninstall the VEN completely from the workload and re-pair it with a functioning PCE.

  • Recover the affected PCE so that it is fully functional and online. After the VEN successfully heartbeats to the recovered PCE, it automatically comes out of the Lost Agent state.

    This second option, recovering the PCE, only works when the affected PCE had information about that VEN before the failure. When you recover the PCE from a backup taken before the VEN was paired, the VEN has to be uninstalled and the workload re-paired.

Pairing Container Clusters

You can pair workloads as part of a container cluster on Supercluster member regions. A container cluster, and all the resources attached to it, can be managed in a member region: container workloads (pods), virtual services (services), and workloads (nodes).