About NEN Installation and Architecture
This topic explains how the NEN is installed and the supported architectures.
PCE-based versus Standalone NEN Installation
Important
Beginning in NEN 2.3, the NEN is deployed as a standalone NEN installation only. New PCE-based installations are not supported.
In NEN 2.1.x, two types of NEN installations were supported:
PCE-based installation
You installed the NEN on one of the PCE data nodes so that the NEN ran as a service on the PCE. When you installed the NEN as a service on a PCE data node, you had the option of installing it on both data nodes (data node 0 and data node 1) so that the NEN operated as a high availability (HA) pair.
Standalone NEN installation
You installed the NEN on a separate Linux host. When you installed a standalone NEN in NEN 2.1.x, you did not have the option to configure the NEN deployment as an HA pair.
Beginning in NEN 2.3, you must install the NEN on a separate Linux host (standalone installation). Installing the NEN on a PCE data node isn't supported beginning with NEN 2.3. The new standalone installation has the following benefits:
Provides full (optional) HA support for Illumio On-Premises customers and Illumio Cloud customers.
Allows you to deploy NENs closer to your network devices, namely load balancers and switches.
Supports higher scale with multiple NEN HA pairs paired to a single PCE cluster.
Important
Because NEN releases 2.3 and later don't support a PCE-based installation, customers with existing installations (NEN 1.0.1 through NEN 2.1.0) must upgrade to NEN 2.3 or later. For information, see Upgrade Standalone NEN 2.1.0 to Standalone NEN 2.3.x or Later.
NEN High Availability Support
Prior to NEN 2.1.0, when NENs had to be installed on a PCE data node, High Availability (HA) on NENs was achieved by using the PCE's HA capabilities. Beginning with the move to a standalone NEN installation in NEN 2.2.0, the NEN now features full HA support independently of the PCE.
The following diagram illustrates how to plan your NEN installation to provide full HA support by installing it on two Linux hosts (node 1 and node 2). In an HA configuration, the primary NEN performs the following actions:
Retrieves configuration information from the PCE and reconciles it with the PCE database.
Determines what work needs to go into the work queue for the NEN HA pair.
If the primary NEN (on node 1) loses connectivity to the PCE, the secondary NEN (on node 2) becomes the primary NEN until the NEN on node 1 re-establishes connectivity with the PCE.
Note
For hardware requirements in an HA Pair implementation, see CPU, Memory, and Storage Requirements in this topic.
When using the NEN for SLB integration, both NENs (primary and secondary) can program any load balancer because they share the work queue. Either NEN can accept the next job from the work queue, depending on its available capacity. This capability is available when the primary NEN has connectivity with the PCE.

A PCE cluster supports multiple NENs per PCE, which can consist of multiple single node NENs, multiple NEN HA pairs, or a combination of both.
NEN Supercluster Support
In NEN 2.1.x (when installed as part of Illumio Core 20.2.0, 21.1.0, or 21.2.x), Illumio provided limited support for the NEN with PCE Supercluster deployments. For information, see Manage NEN on Supercluster Leader in “NEN 2.1.0 New Features.” NEN releases prior to 2.1.0 did not include Supercluster support.
NEN 2.3.10 extended support for installing a NEN within a PCE Supercluster as follows:
NEN Installation on Supercluster Members
You can pair the NEN to the other regions in the Supercluster, referred to as Supercluster “members.” Prior to NEN 2.3.10, you could only install the NEN on the Supercluster leader. For more information about PCE Supercluster deployment architecture, see “Design Supercluster Deployment” in the PCE Supercluster Deployment Guide.
Caution
Plan your NEN installation carefully when you install it as part of a PCE Supercluster deployment. Once installed, you cannot move NENs from one PCE Supercluster member to another member.
Multiple NEN HA Pairs in a Supercluster Member
Depending on your scale requirements and the location of your network devices (such as SLBs), you can connect multiple NEN HA pairs to any cluster in a PCE Supercluster deployment (not just the PCE Supercluster leader). This enhancement is necessary to support environments with large numbers of SLBs and virtual servers that are geographically distributed.
Note
At a minimum, you must install a primary and secondary NEN HA pair in one of the Supercluster regions.
The following diagram illustrates how to plan your NEN installation in a PCE Supercluster deployment:

Workload JSON File Upload
Beginning in NEN release 2.6.40, generic workload JSON files are uploaded as a single, parseable object. This format allows a program to use the JSON file to apply policy to a device that customers want to protect.

CPU, Memory, and Storage Requirements
This section presents hardware requirements for supporting SLBs and switches.
Hardware requirements to support SLBs and VIPs
To install NEN(s) to support a given number of server load balancers and Virtual IPs, your hardware must meet the hardware requirements detailed in this section.
Hardware requirements to support switches
To install NEN(s) to support a given number of switches, your hardware must meet the hardware requirements detailed in this table.
Switches | Cores/Clock Speed¹ | RAM per Node² | Storage Device Size³ and IOPS⁴ | Network |
---|---|---|---|---|
Up to 30 switches | | 8 GB | A single node including both core and data: | 1 Gb Ethernet |
More than 30 switches | | 16 GB | A single node including both core and data: | 1 Gb Ethernet |
Footnotes:
1 CPUs:
The recommended number of cores is based only on physical cores from allocated CPUs, irrespective of hyper-threading or virtual cores. For example, in AWS one vCPU is only a single hyper-thread running on a physical core, which is half a core. 16 physical cores equate to 32 vCPUs in AWS.
Full reservations for vCPU. No overcommit.
2 Full reservations for vRAM. No overcommit.
3 Additional disk notes:
Storage requirements for network traffic data can increase rapidly as the amount of network traffic increases. Allocating a separate, large storage device for traffic data can accommodate these rapid changes without potentially interrupting the service.
Network File System (NFS) is not supported.
4 Input/output operations per second (IOPS) are based on 8K random write operations. IOPS are specified for an average of 300 flow summaries (80% unique src_ip, dest_ip, dest_port, proto) per workload every 10 minutes. Different traffic profiles might require higher IOPS.
Machine Resource Requirements for NEN VMs
Storage Device | Partition mount point | Size to Allocate |
---|---|---|
Device 1, Partition A | / | 8 GB |
Device 1, Partition B | /var/log | 16 GB¹ |
Device 1, Partition C | /var/lib/illumio-nen | Balance of Device 1 |
Footnote:
1 The size of this partition assumes that NEN application logs and system logs are both stored in /var/log/illumio-nen.
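The sizing rules above can be checked on a candidate host before installation. The following script is an added example, not Illumio tooling: the function names `required_ram_gb` and `check_mounts` are hypothetical, the thresholds are the ones in the tables above, and 1 GB is assumed to mean 10^9 bytes.

```shell
#!/bin/sh
# Added example: pre-install sizing check for a standalone NEN host.
# Thresholds are the ones stated in the tables above.

# required_ram_gb SWITCHES -> RAM per node in GB (8 up to 30 switches, else 16)
required_ram_gb() {
    if [ "$1" -le 30 ]; then echo 8; else echo 16; fi
}

# check_mounts: reads "TARGET FSTYPE SIZE_BYTES" lines on stdin, prints one
# FAIL line per problem, and returns non-zero if any problem was found.
# Assumption: 1 GB is counted as 10^9 bytes so that filesystem overhead on a
# partition of the stated size does not cause a false failure.
check_mounts() {
    awk '
    BEGIN {
        need["/"] = 8                    # GB
        need["/var/log"] = 16            # GB
        need["/var/lib/illumio-nen"] = 0 # balance of device, no stated minimum
    }
    ($1 in need) {
        seen[$1] = 1
        if ($2 ~ /^nfs/) {               # matches nfs and nfs4
            print "FAIL " $1 ": NFS is not supported"; bad = 1
        }
        if ($3 < need[$1] * 1000000000) {
            print "FAIL " $1 ": smaller than " need[$1] " GB"; bad = 1
        }
    }
    END {
        for (m in need) if (!(m in seen)) {
            print "FAIL " m ": no dedicated mount"; bad = 1
        }
        exit bad + 0
    }'
}
```

On a live host, the input can come from `findmnt -rnb -o TARGET,FSTYPE,SIZE | check_mounts`.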