Workloads and VENs
The Workloads navigation menu includes Workloads, Container Workloads, and VENs. You can see all your workloads, container workloads, and VENs on separate tabs. You can view their configuration, do workload or VEN-specific actions, and find the related VENs and workloads.
An idle workload does not program a firewall; therefore, the Rules page of an idle workload does not show its rules.
The VENs are listed on a new page separate from workloads. The VEN-related actions are not available under the Workloads tab.
Manage Workloads and VENs
Note
Users with the Workload Manager role can manage workloads and Virtual Enterprise Networks (VENs).
You can select VENs to unpair, refresh, and generate support reports. Container workloads (if any) are displayed under the Container Workloads tab.
Unpair a workload
Click Unpair to unpair a VEN.
On the Unpair VEN page, select the appropriate radio button to define the Final Firewall Status:
Firewall Status | Description |
---|---|
Remove Illumio Policy | This is the default option. Linux: removes Illumio policy and retains the coexistent firewall rules. AIX/Solaris: removes Illumio policy and reverts firewall rules to the pre-pairing state. Windows: removes firewall WFP filters and activates the Windows firewall. |
Open all ports | All OS systems: leaves all ports open. |
Close all ports except remote management | Linux/AIX/Solaris: temporarily allows only SSH/22 until the system is rebooted. Windows: allows only RDP/3389 and WinRM/5985, 5986. |
Proceed with unpairing as follows:
Pairing Method | Policy Mode | Unpair Action |
---|---|---|
Pairing Key | Visibility only/Enforced | |
Pairing Key | Idle | |
PKI Certificate or Kerberos | Visibility only/Enforced | |
PKI Certificate or Kerberos | Idle | |
Delete a workload from the PCE
You cannot directly delete workloads from the PCE, as the workload represents an entity that the PCE does not control. You can unpair the VEN on that workload from the VENs tab on the Servers & Endpoints/Workloads menu, which will remove the workload from the workloads table.
Enhanced Data Collection
When enhanced data collection is enabled, the PCE reports the amount of data transferred in and out of workloads and applications in a data center. The number of bytes sent and received by an application provider is provided separately. These values can be seen in traffic flow summaries streamed from the PCE. You can enable this capability on a per-workload basis on the Workload page. You can also enable it in the pairing profile to directly pair workloads into this mode.
Note
In pre-24.4.x releases, a license is required to enable Enhanced Data Collection. For information about obtaining the license, contact Illumio Customer Support.
In 24.4 and later releases, no license is required to enable Enhanced Data Collection.
On the Workload page, select Visibility -> Enhanced Data Collection.
You can also enable Enhanced Data Collection as a Visibility option on the Pairing Profile page by selecting the radio button Enhanced Data Collection.
After the VEN's visibility level is set to enhanced data collection, it reports the number of bytes transferred over the connections. The PCE collects this data, adds relevant information, such as labels, and sends the traffic flow summaries out of the PCE.
The direction reported in the flow summary is from the viewpoint of the source of the flow.
Destination Total Bytes Out (dst_tbo): Number of bytes transferred out of the source (Connection Responder)
Destination Total Bytes In (dst_tbi): Number of bytes transferred into the source (Connection Responder)
The number of bytes includes:
L3 and L4 header sizes of each packet (IP header and TCP header).
Sizes of additional headers that may be included in the communication (when SecureConnect is enabled).
Re-transmitted packets.
The bytes carried in every packet of a connection are included in the measurement. This matches how other networking products, such as firewalls, SPAN-port measurement tools, and other network traffic measurement tools, count traffic.
Term | Description |
---|---|
dst_tbi | Destination Total Bytes In: the total bytes received so far by the destination over the flows included in this flow summary, reported as of the latest sampled interval. This is the same as the bytes sent by the source. Present in 'A', 'C', and 'T' flow summaries. source = client = connection initiator, destination = server = connection responder. |
dst_tbo | Destination Total Bytes Out: the total bytes sent so far by the destination over the flows included in this flow summary, reported as of the latest sampled interval. This is the same as the bytes received by the source. Present in 'A', 'C', and 'T' flow summaries. source = client = connection initiator, destination = server = connection responder. |
dst_dbi | Destination Delta Bytes In: the number of bytes the destination received in the latest sampled interval over the flows included in this flow summary. This is the same as the bytes sent by the source. Present in 'A', 'C', and 'T' flow summaries. source = client = connection initiator, destination = server = connection responder. |
dst_dbo | Destination Delta Bytes Out: the number of bytes the destination sent in the latest sampled interval over the flows included in this flow summary. This is the same as the bytes received by the source. Present in 'A', 'C', and 'T' flow summaries. source = client = connection initiator, destination = server = connection responder. |
interval_sec | Time Interval in Seconds: the duration of the latest sampled interval over which the above metrics are valid. |
Connection State | Description |
---|---|
A | Active: The connection was still active when the record was posted. Typically observed with long-lived flows on the source and destination side of communication. |
T | Timed Out: Flow does not exist anymore. It has timed out. Typically observed on the destination side of communication. |
C | Closed: Flow does not exist anymore. It has been closed. Typically observed on the source side of communication. |
S | Snapshot: The connection was active at the time the VEN sampled the flow. Typically observed when the VEN is in an Idle state. |
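As an added example (not code from the Illumio documentation or product), the following Python reads constructed flow-summary records that carry the fields from the two tables above, restates the destination-side byte counters from the source's viewpoint, derives a per-interval rate, and treats a snapshot (S) record as one that may carry no byte counters. The envelope keys (src, dst, port, state) and the JSON-lines layout are assumptions; only the counter names, interval_sec and the state codes come from the page.

```python
import json
from dataclasses import dataclass
from typing import Optional

# Constructed sample: three flow-summary records in JSON-lines form.
# dst_tbi/dst_tbo/dst_dbi/dst_dbo/interval_sec and the states A/T/C/S are
# the documented fields; the envelope keys (src, dst, port, state) and the
# JSON layout are assumptions made for this example only.
SAMPLE = """\
{"src": "10.0.1.5", "dst": "10.0.2.9", "port": 443, "state": "A", "dst_tbi": 120000, "dst_tbo": 900000, "dst_dbi": 12000, "dst_dbo": 300000, "interval_sec": 600}
{"src": "10.0.1.5", "dst": "10.0.2.9", "port": 443, "state": "C", "dst_tbi": 130000, "dst_tbo": 1500000, "dst_dbi": 10000, "dst_dbo": 600000, "interval_sec": 600}
{"src": "10.0.1.7", "dst": "10.0.2.9", "port": 22, "state": "S", "interval_sec": 600}
"""

@dataclass
class FlowView:
    src: str
    dst: str
    port: int
    state: str
    src_sent: Optional[int]         # bytes the initiator sent == dst_tbi
    src_received: Optional[int]     # bytes the initiator received == dst_tbo
    bytes_per_sec: Optional[float]  # (dst_dbi + dst_dbo) / interval_sec

def parse_summary(line: str) -> FlowView:
    # Restate destination-side counters from the initiator's (source's) viewpoint.
    rec = json.loads(line)
    state = rec["state"]
    if state not in ("A", "T", "C", "S"):
        raise ValueError(f"unknown connection state {state!r}")
    # Byte counters are documented for A, C and T records; a snapshot (S)
    # record from an idle VEN may carry none, so treat them as optional.
    if not all(k in rec for k in ("dst_tbi", "dst_tbo", "dst_dbi", "dst_dbo")):
        return FlowView(rec["src"], rec["dst"], rec["port"], state, None, None, None)
    if rec["dst_dbi"] > rec["dst_tbi"] or rec["dst_dbo"] > rec["dst_tbo"]:
        raise ValueError("delta counters exceed running totals")
    rate = (rec["dst_dbi"] + rec["dst_dbo"]) / rec["interval_sec"]
    return FlowView(rec["src"], rec["dst"], rec["port"], state,
                    rec["dst_tbi"], rec["dst_tbo"], rate)

def summarize(text: str) -> dict:
    # Aggregate a batch: how many flows ended, and what their initiators sent.
    views = [parse_summary(l) for l in text.splitlines() if l.strip()]
    closed = [v for v in views if v.state in ("C", "T")]
    return {
        "records": len(views),
        "closed_flows": len(closed),
        "bytes_sent_by_closed_initiators": sum(v.src_sent for v in closed),
        "snapshots_without_counters": sum(v.src_sent is None for v in views),
    }
```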
Container Workloads
The Container Workloads page lists the containers that exist on the PCE.
The page contains this information:
Column | Description |
---|---|
Summary | General: information about the container's name, namespace/project, policy state, and so on. Labels: information such as Role, Application, Environment, and Location. Attributes: information about interfaces and workloads. |
Containers | Information about a specific container. |
Rules | Information about rules. |
VEN Administration on Workloads
You can monitor the connectivity, policy sync, and health status of the VEN from the PCE web console. To view VEN health status, see the VEN list page for your managed environment. From the PCE web console menu, choose Workloads and VENs > VENs. The VEN list page appears.
VEN Suspension
You can mark a workload as suspended by using the PCE web console.
Choose Workloads > VENs from the PCE web console.
Click on the VEN link to get to the VEN details page.
Click Mark as Suspended.
Pairing Profiles
Pairing Profiles allow you to apply specific properties to workloads as they pair with the PCE, such as applying labels and setting workload enforcement.
See "Pairing Profiles and Scripts" in VEN Installation and Upgrade Guide for more details.