About NEN Installation and Architecture

This topic explains how the NEN is installed and the supported architectures.

PCE-based versus Standalone NEN Installation

Important

Beginning in NEN 2.3, the NEN is deployed as a standalone installation only. New PCE-based installations are not supported.

In NEN 2.1.x, you had the choice of two types of NEN installations:

PCE-based installation
You installed the NEN on one of the PCE data nodes so that the NEN ran as a service on the PCE. When you installed the NEN as a service on a PCE data node, you had the option of installing it on both data nodes (data node 0 and data node 1) so that the NEN operated as a high availability (HA) pair.
Standalone NEN installation
You installed the NEN on a separate Linux host. When you installed a standalone NEN in NEN 2.1.x, you did not have the option to configure the NEN deployment as an HA pair.

Beginning in NEN 2.3, you must install the NEN on a separate Linux host (standalone installation). This release does not support installing the NEN on a PCE data node. The new standalone installation in NEN 2.3.10 has the following benefits:

Provides full (optional) HA support for Illumio On-Premises customers and Illumio Cloud customers.
Allows you to deploy NENs closer to your network devices, namely load balancers and switches.
Supports higher scale with multiple NEN HA pairs paired to a single PCE cluster.

Important

Because NEN 2.3.10 does not support a PCE-based installation, customers with existing installations (NEN 1.0.1 through NEN 2.1.0) must upgrade to NEN 2.3.10 or later.

NEN High Availability Support

Prior to NEN 2.1.0, when NENs had to be installed on a PCE data node, High Availability (HA) on NENs was achieved by using the PCE's HA capabilities. Beginning with the move to a standalone NEN installation in NEN 2.2.0, the NEN now features full HA support independently of the PCE.

The following diagram illustrates how to plan your NEN installation to provide full HA support by installing it on two Linux hosts (node 1 and node 2). In an HA configuration, the primary NEN performs the following actions:

Retrieves configuration information from the PCE and reconciles it with the PCE database.
Determines what work needs to go into the work queue for the NEN HA pair.

If the primary NEN (on node 1) loses connectivity to the PCE, the secondary NEN (on node 2) becomes the primary NEN until the NEN on node 1 re-establishes connectivity with the PCE.

Note

For hardware requirements in an HA Pair implementation, see CPU, Memory, and Storage Requirements in this topic.

When using the NEN for SLB integration, both NENs (primary and secondary) can program any load balancer because they share the work queue. Either NEN can accept the next job from the work queue depending on their available capacity. This capability is available when the primary NEN has connectivity with the PCE.

A PCE cluster supports multiple NENs per PCE, which can consist of multiple single node NENs, multiple NEN HA pairs, or a combination of both.

NEN Supercluster Support

In NEN 2.1.x (when installed as part of Illumio Core 20.2.0, 21.1.0, or 21.2.x), Illumio provided limited support for the NEN with PCE Supercluster deployments. For information see, Manage NEN on Supercluster Leader in “NEN 2.1.0 New Features.” NEN releases prior to 2.1.0 did not include Supercluster support.

NEN 2.3.10 extended support for installing a NEN within a PCE Supercluster as follows:

NEN Installation on Supercluster Members
You can pair the NEN to the other regions in the Supercluster; referred to as Supercluster “members.” Prior to NEN 2.3.10, you could only install the NEN on the Supercluster leader. For more information about PCE Supercluster deployment architecture, see “Design Supercluster Deployment” in the PCE Supercluster Deployment Guide.
Caution
Plan your NEN installation carefully when you install it as part of a PCE Supercluster deployment. Once installed, you cannot move NENs from one PCE Supercluster member to another member.
Multiple NEN Pairs in a Supercluster Member
Depending on your scale requirements and the location of your network devices (such as SLBs), you can connect multiple NEN HA pairs to any cluster in a PCE Supercluster deployment (not just the PCE Supercluster leader). This enhancement is necessary to support environments with large numbers of SLBs and virtual servers that are geographically distributed.
Note
At a minimum, you must install a primary and secondary NEN HA pair in one of the Supercluster regions.

The following diagram illustrates how to plan your NEN installation in a PCE Supercluster deployment:

CPU, Memory, and Storage Requirements

To install NEN(s) to support a given number of Server Load Balancers and Virtual IPs, your hardware must meet the hardware requirements detailed in this section.

Server Load Balancers (SLBs)	Virtual IPs (VIPs)	Cores/Clock Speed¹	RAM per Node²	Storage Device Size³ and IOPS⁴	Network
Up to 6 SLBs	Max 1,000 VIPs per SLB Max 3,000 VIPs across all SLBs	2 cores Intel® Xeon(R) CPU E5-2695 v4 at 2.10GHz or equivalent	8 GB	A single node including both core and data: 1 x 50 GB 100 IOPS per device	1 Gb Ethernet
Up to 50 SLBs	Max 1,000 VIPs per SLB Max 12,000 VIPs across all SLBs	4 cores Intel® Xeon(R) CPU E5-2695 v4 at 2.10GHz or equivalent	16 GB	A single node including both core and data: 1 x 50 GB 100 IOPS per device	1 Gb Ethernet
NEN HA implementation considerations: The two nodes in an HA pair must match the size specified in this table. This is necessary because in the event of a failover, a single node must be able to manage the entire load. For an HA Pair for up to 3000 VIPs, use the sizing detailed in the first row. For an HA pair for 3000+ VIPs, use the sizing detailed in the second row.

Server Load Balancers (SLBs)

Virtual IPs (VIPs)

Cores/Clock Speed¹

RAM per Node²

Storage Device Size³ and IOPS⁴

Network

Up to 6 SLBs

Max 1,000 VIPs per SLB
Max 3,000 VIPs across all SLBs

2 cores
Intel® Xeon(R) CPU E5-2695 v4 at 2.10GHz or equivalent

8 GB

A single node including both core and data:

1 x 50 GB
100 IOPS per device

1 Gb Ethernet

Up to 50 SLBs

Max 1,000 VIPs per SLB
Max 12,000 VIPs across all SLBs

4 cores
Intel® Xeon(R) CPU E5-2695 v4 at 2.10GHz or equivalent

16 GB

A single node including both core and data:

1 x 50 GB
100 IOPS per device

1 Gb Ethernet

NEN HA implementation considerations:

The two nodes in an HA pair must match the size specified in this table. This is necessary because in the event of a failover, a single node must be able to manage the entire load.

For an HA Pair for up to 3000 VIPs, use the sizing detailed in the first row.
For an HA pair for 3000+ VIPs, use the sizing detailed in the second row.

Footnotes:

¹ CPUs:

The recommended number of cores is based only on physical cores from allocated CPUs, irrespective of hyper-threading or virtual cores. For example, in AWS one vCPU is only a single hyper-thread running on a physical core, which is half a core. 16 physical cores equates to 32 vCPUs in AWS.
Full reservations for vCPU. No overcommit.

² Full reservations for vRAM. No overcommit.

³ Additional disk notes:

Storage requirements for network traffic data can increase rapidly as the amount of network traffic increases. Allocating a separate, large storage device for traffic data can accommodate these rapid changes without potentially interrupting the service.
Network File Systems (NFS) is not supported.

⁴ Input/output operations per second (IOPS) are based on 8K random write operations. IOPS specified for an average of 300 flow summaries (80% unique src_ip, dest_ip, dest_port, proto) per workload every 10 minutes. Different traffic profiles might require higher IOPS.

Illumio Core 22.2 Install, Configure, Upgrade