PCE Architecture and Components
This section describes how the PCE functions, and provides an overview of its components and how they function together.
About the PCE Architecture
The PCE has four main service tiers that are used by both the PCE Web Console UI and the VEN:


Description of PCE Components
Tier | PCE component | Description |
---|---|---|
Front-end | Management interfaces: PCE web console and VEN | Management interfaces include: |
Front-end | VEN events | For information, see VEN Administration Guide. |
Front-end | App Router | Directs requests to the proper service. |
Front-end | App Gateway | Ensures that all communication between cluster nodes is encrypted and that only cluster nodes can connect to internal services. Most services connect via the application gateway. |
Processing | Login | Central server for authentication. |
Processing | Agent Manager | Manages data in the policy domain, such as workload context and policy definitions. Also, manages data for all user and organization authentication and authorization, such as users, organizations, API keys, and roles. |
Processing | Agent Traffic | Provides information about traffic to and from VENs. Serves as the service underlying Illumination. |
Processing | Collector | Aggregates packet and traffic flow information sent from the VEN. Serves as the service underlying Illumination. |
Processing | Audit Events | Creates an overview of auditable system events across the PCE and VENs. |
Processing | Fluentd | Log forwarder service that forwards the flow log files received from VENs. |
Processing | Executor | Backbone for asynchronous job execution, such as report generation and background jobs. |
Processing | Fileserver | Central storage and retrieval for large data files. |
Processing | Search Index | Supports auto-completion in the PCE web console. |
Processing | Traffic Query | API for traffic explorer |
Processing | Flow Analytics Daemon | Flow analytics daemon |
Processing | Network Device | Manages network devices such as switches and server load balancers that are managed by the PCE. |
Service | memcached | Open source component: in-memory cache. |
Service | Background Jobs | Backbone for asynchronous job execution, such as report generation and background jobs. |
Service | Set Server | In-memory cache to aid in policy calculations. |
Service | Agent Traffic cache | Stores the traffic flow data and graphs for Illumination. See Agent Traffic. In the PCE architecture diagram, labeled “AT Cache.” |
Service | Data Job Queue (Redis + workers) | Data job queue |
Persistence | Fluentd data | Flow files |
Persistence | Policy primary database and replica | Postgres database contains all policy- and agent-related data. The primary and replica databases run on separate data nodes. |
Persistence | Traffic database primary and replica | Postgres database that contains all the historical traffic flow data. Traffic Explorer is backed by this data store. The primary and replica databases run on separate data nodes. |
Management Interfaces for PCE and VEN
The following diagram illustrates the logical view of the management interfaces to the PCE and VEN.

This guide focuses on the use of the illumio-pce-ctl control script and related administrative programs on the PCE itself.
Interface | Notes |
---|---|
PCE web console | With the PCE web console, you can perform many common tasks for managing the Illumio Core. |
PCE command line | Use of the command line directly on the PCE. The |
REST API | With the Illumio Core REST API, you can perform many common management tasks, such as automating the management of large groups of workloads rather than each workload individually. The endpoint for REST API requests is the PCE itself, not the workload. The REST API does not communicate directly with the VEN. |
VEN command line | The |