Illumio Administration Guide 25.4

Remove inactive VENs

Some PCE Segmentation environments may have a number of inactive VENs that have stopped sending heartbeats to the PCE. This commonly occurs in organizations that deliver Illumio VEN-protected Virtual Desktop Infrastructure (VDI) to end-users who may only use the VDI for a short time. Eventually, the VDI is turned off, abandoned, or destroyed. This can also occur when an organization decommissions a server or when a user's VEN-protected laptop is retired. Although the PCE in these cases can't receive heartbeats from the installed VEN (assuming it still exists), a VEN object representing the actual VEN still resides in the PCE database, unnecessarily consuming VEN licenses and possibly leading to unnecessary costs to the customer.

This feature allows you to automate the cleanup of inactive VENs based on easily configurable rules. Matching criteria include:

  • Label(s) assigned to VENs

  • Inactivity Threshold: the time since the PCE last received a heartbeat from the inactive VENs you want to remove (minimum 1 day; maximum 90 days)

Specifications
  • Maximum daily VEN cleanup limit: 5k VENs

  • Performs a query for VENs that match Inactive VEN Cleanup rules every four hours

  • You can create a maximum of 10 Inactive VEN Cleanup rules

Events and Notifications

The Inactive VEN Cleanup feature generates the following events and notification:

  • inactive_ven_cleanup_schedule.create

  • inactive_ven_cleanup_schedule.delete

  • inactive_ven_cleanup_schedule_.cleanup: lists all the resources that were affected by the cleanup

  • Settings > Events > Notifications: Object creation soft limit exceeded

Create an Inactive VEN cleanup rule

Warning

Inactive VEN cleanup rules are executed from the shortest to the longest inactivity threshold defined in your rules.

To avoid unintended data removal, Illumio strongly recommends that you make sure your scheduled VEN cleanup rules are up to date.

  1. Go to Settings > VEN Operations.

  2. Click Add under Inactive VENs Cleanup Schedules.

  3. Define up to 10 rules:

    1. Enter a name.

    2. Specify the labels assigned to the inactive VENs you want to clean up.

    3. Inactivity Threshold: Time since the PCE last received a heartbeat from the inactive VENs you want to clean up. (Minimum 1 day, maximum 90 days.)

    4. Toggle the schedule to On.

    5. Click Save.

About Overlapping VEN Cleanup Rules

If multiple rules specify one or more of the same labels and the query finds one or more VENs that match those rules, the rule to apply is resolved using the following logic:

  1. Shortest Inactivity Threshold wins.

    The rule with the shortest threshold is applied.

  2. Tie-breaker: Evaluation order.

    If Inactivity Thresholds are equal, the rule evaluated first is applied.
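
The following added example (not Illumio code and not part of the original guide) models the resolution logic above so that a rule set can be checked for overlaps before its schedules are toggled On. It assumes a rule selects a VEN when all of the rule's labels are assigned to it and that list order stands in for evaluation order; the rule names, labels, and hostnames are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Rule:
    name: str
    labels: frozenset       # labels the rule targets
    threshold_days: int     # the guide allows 1 to 90

@dataclass(frozen=True)
class Ven:
    hostname: str
    labels: frozenset
    last_heartbeat: datetime

def label_match(rule, ven):
    # ASSUMPTION: a rule selects a VEN when all of the rule's labels are on it.
    return rule.labels <= ven.labels

def effective_rule(rules, ven):
    """Rule that governs ven: shortest threshold; list order breaks ties."""
    hits = [r for r in rules if label_match(r, ven)]
    # min() keeps the first of equal minima, modelling "evaluated first wins"
    return min(hits, key=lambda r: r.threshold_days, default=None)

def due_for_cleanup(rules, ven, now):
    """Name of the rule that would remove ven at time now, else None."""
    rule = effective_rule(rules, ven)
    if rule and now - ven.last_heartbeat >= timedelta(days=rule.threshold_days):
        return rule.name
    return None

def overridden(rules, ven):
    """Label-matching rules that never apply to ven because another one wins."""
    win = effective_rule(rules, ven)
    return [r.name for r in rules if label_match(r, ven) and r is not win]

# Constructed sample data (hypothetical labels and hostnames).
NOW = datetime(2025, 1, 31, tzinfo=timezone.utc)
RULES = [
    Rule("vdi-short", frozenset({"env:vdi"}), 7),
    Rule("finance-long", frozenset({"env:vdi", "app:finance"}), 60),
    Rule("vdi-dup", frozenset({"env:vdi"}), 7),
]
FIN = Ven("vdi-fin-01", frozenset({"env:vdi", "app:finance"}), NOW - timedelta(days=10))
SRV = Ven("db-01", frozenset({"env:prod"}), NOW - timedelta(days=80))

if __name__ == "__main__":
    for ven in (FIN, SRV):
        print(ven.hostname, due_for_cleanup(RULES, ven, NOW), overridden(RULES, ven))
```

In this sample the finance VDI is removed after 7 days by the broader rule even though a 60-day rule also targets it, which is the kind of overlap to look for when reviewing cleanup rules.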