VEN Operations

Overview of VEN Suspension

The VEN Update API (PUT [api-version][ven-href]) allows you to mark a VEN as either suspended or unsuspended in the PCE. It does not, however, actually suspend or unsuspend the VEN.

To suspend a VEN, use the illumio-ven-ctl command-line tool, which isolates a VEN on a workload so that you can troubleshoot issues and determine if the VEN is the cause of any anomalous behavior.

When you suspend a VEN, the VEN informs the PCE that it is in suspended mode.

However, if the PCE does not receive this notification, you must mark the VEN as "Suspended" in the PCE web console (select the VEN and click Edit), or you can use this API to mark the VEN as suspended.

When you don't mark the VEN as suspended in the PCE, after one hour, the PCE assumes that the workload is offline and removes it from the policy. When you mark the VEN as suspended, that VEN’s workload is still included in the policy of other workloads.

When a VEN is suspended:

The VEN still appears in the PCE in the VEN list page.
The VEN's host cannot be unpaired.
An organization event (server_suspended) is logged. This event is exportable to CEF/LEEF and has the severity of WARNING.
Heartbeats or other communications are not expected, but when received, all communications are logged by the PCE.
If the PCE is rebooted, the VEN remains suspended.
Any custom iptables rules are removed, and you need to reconfigure them manually.

When a VEN is unsuspended:

The PCE is informed that the VEN is no longer suspended and is able to receive policy from the PCE. If existing rules affect the unsuspended workload, the PCE reprograms those rules.
An organization event (server_unsuspended) is logged. This event is exportable to CEF/LEEF and has the severity of WARNING.
The workload reverts to the policy state it had before it was suspended.
Custom iptables rules are configured back into the iptables.

VEN upgrade APIs allow you to specify an array of VEN hrefs to upgrade to a specific version instead of a list of agent ID's.

Rules when validating with the VEN upgrade APIs are as follows:

No downgrades are allowed
Users cannot upgrade to a VEN version higher than the PCE version
No AIX, Solaris, or C-VEN are allowed
Users can only upgrade VENs paired to the same region
Only workload managers can upgrade VENs, and they can only upgrade VENs within their scope.

VEN API Methods

In addition to the page in the PCE web console that lists all VENs and shows the details of a single VEN, there is a Public Experimental API for getting VEN collections and VEN instances. Other new APIs support VEN filtering in the PCE web console, and update and unpair VENs.

VEN Methods	HTTP	URI
Get the collection of all VENs	`GET`	`[api_version][org_href]/vens/`
Get details on a VEN instance	`GET`	`[api_version][org_href]/vens/ven_id`
Use to get the default release without iterating through the whole collection.	`GET`	`[api_version[org_href]/software/vens/default`
Support VEN filtering in the PCE web console	`GET`	`[api_version][org_href]/vens/autocomplete` `[api_version][org_href]/vens/facets`
To set the `target_pce_fqdn` on a VEN	`PUT`	`[api_version][org_href]/vens/ven_id`
Update a VEN	`PUT`	`[api_version][org_href]/vens/update`
Upgrade a VEN. This API accepts a list of `hrefs` instead of `agent_ids`. The upgrade endpoint falls under the `/vens/resource` instead of the `/software/resource`.	`PUT`	`[api_version][org_href]vens/upgrade`
List VEN releases	`GET`	`[api_version]/software/ven/releases`
Unpair a VEN: trigger the unpairing of one or more VENs. NOTE: This endpoint replaces /workloads/unpair, which is deprecated.	`PUT`	`[api_version][org_href]/vens/unpair`
Provided so that users can set the default version for VEN pairing.	`PUT`	`[api_version][org_href]/software/vens/default`

Query Parameters

Parameter	Description	Type	Required
`target_pce_fqdn`	Cluster FQDN for the target PCE	String	No
`name`	Friendly name for the VEN	String, NULL	No
`status`	The current status of the VEN. Options are: "active", "suspended", "uninstalled"	String	No
`hostname`	Hostname of VEN(s) to return. Supports partial matches.	String	No
`os_id`	Operating System of VEN(s) to return. Supports partial matches.	String
`uid`	The unique ID of the host managed by the VEN	String	No
`os_detail`	Additional OS details from the host managed by the VEN	String
`os_platform`	OS platform of the host managed by the VEN	String	No
`version`	Software version of the VEN. Two parameters are used: `version[gte]`: Greater than or equal to value for version `version[lte]:` Less than or equal to value for version	String
`status`
`activation_type`	The method in which the VEN was activated. Options are: "pairing_key", "kerberos", "certificate"	String	No
`active_pce_fqdn`	The FQDN of the PCE that the VEN last connected to	String	No
`labels`	Labels assigned to the host managed by the VEN.	String
`interfaces`
`container_clusters`	Array of container cluster URIs, encoded as a JSON string	String	No
`org_id`	Organization	Integer	Yes
`authentication_recovery`	Return VENs in or not in authentication recovery	Boolean	No
`condition`	A specific error condition to filter by	String	No
`disconnected_before`	Return VENs that have been disconnected since the given time	date/time
`ip_address`	IP address of VEN(s) to return. Supports partial matches	String
`last_goodbye_at`	The time (rfc3339 timestamp) of the last goodbye from the VEN. There are two parameters: last_goodbye_at[gte]: Greater than or equal to value for last goodbye at timestamp last_goodbye_at[lte]: Less than or equal to value for last goodbye at timestamp	Bollean
`last_heartbeat_at`	The last time (rfc3339 timestamp) a heartbeat was received from this VEN. There are two parameters: last_heartbeat_at[gte]: Greater than or equal to value for last heartbeat timestamp last_heartbeat_at[lte]: Less than or equal to value for last heartbeat timestamp	Boolean
`upgrade_pending`	Only return VENs with/without a pending upgrade	Boolean	No
`ven_type`	The `ven_type` property is introduced through the reference to a common schema `ven_type.schema.json`: { "properties": { "ven_type": { "$ref": "../common/ven_type.schema.json" }	String	No

Response Properties

Property	Description	Type	Required
`href`	URI of the VEN	Stgring
`hostname`	The hostname of the host managed by the VEN	String	Yes
`name`	Friendly name for the VEN	String
`uid`	The unique ID of the host managed by the VEN	String
`os_id`	OS identifier of the host managed by the VEN	String
`os_detail`	Additional OS details from the host managed by the VEN	Sring
`os_platform`	OS platform of the host managed by the VEN	String
`version`	Software version of the VEN. Two parameters are used: `version[gte]`: Greater than or equal to value for version `version[lte]:` Less than or equal to value for version	String
`interfaces`	Network interfaces of the workload, only present in expanded representations	Array
`workloads`	The only required property is `HREF`, the others are optional: `name`, `managed`, `hostname`, `instance_id`, `data_center`, `data_center_zone`, `service_principal_name`, etc.	Array
`secure_connect`	Property: `matching_issuer_name`. Issuer name match criteria for certificate used during establishing secure connections. `matching_issuer_name`: Issuer name match criteria for certificate used while establishing secure connections.	Object String
`security_policy_applied_at`	Last reported time when policy was applied to the workload (UTC), only present in expanded representations.	`date-time`
`security_policy_received_at`	Last reported time when policy was received by the workload (UTC), only present in expanded representations.	`date-time`
`enforcement_mode`	Policy enforcement mode, only present in expanded representations. Reference to `common/workload_enforcement_mode.schema.json`	String
`visibility_level`	Visibility level of the workload, only present in expanded representations	String

Network Enforcement Node Reassignment

`network_enforcement_nodes_put`

This new API is used to change the target PCE FQDN of an agent.

It updates the target_pce_fqdn property so that the NEN can be managed by a different PCE in a Supercluster.

Change Target PCE

When you have the NEN HREF, you can update the target PCE with the PCE FQDN the NEN will use. In your JSON request body, pass the following data:

	"target_pce_fqdn": "new-pce-fqdn.example.com"
}

The URI for this operation is:

PUT [api_version][nen_href]/update

This curl example shows how you can pass the target_pce_fqdn property containing the FQDN of the new PCE:

curl -u api_xxxxxxx64fcee809:'xxxxxxx5048a6a85ce846a706e134ef1d4bf2ac1f253b84c1bf8df6b83c70d95' -H "Accept: application/json" -H "Content-Type:application/json" -X PUT -d '{"target_pce_fqdn":"new-pce-fqdn.example.com"}' https://my.pce.supercluster:443/api/v1/orgs/3/network_enforcement_nodes/f67d35d5-ea71-42da-b40d-8dcc3b1420c2/update

GET VENs

To get a collection of VENs that have a specific label applied to them, take a label string that was returned when you got a collection of VENs, and then add a query parameter to GET all VENs with that specific label.

Curl Command to Get VENs with a Specific Label

curl -i -X GET https://pce.my-company.com:8443/api/v2/orgs/2/vens?labels="[[/orgs/2/labels/1642]]" -H "Accept: application/json" -u $KEY:$TOKEN

To restrict the type of VENs you want returned and set a limit on how many results you want returned, use the relevant query parameters. For example, you might want to get a collection of no more than 50 VENs running CentOS 6.3 that have an active status.

Curl Command to Get VENs using other Query Parameters

curl -i -X GET https://pce.my-company.com:8443/api/v2/orgs/2/vens?os_id=centos-x86_64-6.3&max_results=50&status=active -H "Accept: application/json"-u $KEY:$TOKEN

Unpairing and Suspending VENs

Instead of unpairing and suspending workloads, use the new VEN APIs to unpair and suspend VENs.

Note

The endpoint workloads/unpair is DEPRECATED. Use /vens/unpair instead.

Curl Command for Unpairing VENs

curl -i -X PUT https://pce.my-company.com/api/v2/orgs/3/vens/unpair -H "Content -Type:application/json" -u $KEY:$TOKEN -d '{"vens": [{"href": "/orgs/7/vens/xxxxxxxx-9611-44aa-ae06-fXXX8903db65"}, {"href": "/orgs/7/vens/xxxxxxxx-9611-xxxx-ae06-f7bXXX03db71"}], "firewall_restore": "default"}'

Curl Command to Mark VEN as Suspended

curl -i -X PUT https://pce.my-company.com/api/v2/orgs/3/vens/xxxxxxxx-9611-xxxx-ae06-f7bXXX03db71 -H "Content-Type:application/json" -u $KEY:$TOKEN -d'{"status":"suspended"}'

REST APIs for 22.5