
Illumio Install, Configure, and Upgrade Guide 25.4 (SaaS)

Configure Flowlink

This topic describes how to configure Flowlink.

You configure Flowlink using a YAML file that defines its runtime behavior. An included JSON schema validates the configuration to ensure that all parameters are complete, well-formed, and supported. When Flowlink starts (or restarts), it automatically validates the YAML against the JSON schema.

If validation succeeds, Flowlink:

  • Parses flows according to the configured consumers.

  • Aggregates them on the defined interval.

  • Posts them to the PCE using the provided credentials.

If validation fails:

  • Flowlink logs explicit configuration errors.

  • No data is ingested or sent.

STEP 1: Install the Flowlink RPM

  1. Log in as a root user.

  2. Install the RPM.

    The default install location is: /usr/local/bin/

    Standard installation:

    sudo su
    rpm -ivh illumio-flowlink-x.x.x-yy.x86_64.rpm

    Important

    Only the Install Flowlink RPM step requires root user login.

    Illumio users logged in with any role can perform the steps in STEP 2: Create a Service Account API Key, Create YAML Configuration File, and Run Flowlink.

In the following sections, the /home/employee directory is used as an example. The api_info file should be in a directory writable by the user, for example in the /home/employee directory.

STEP 2: Create a Service Account API Key

  • There are two ways to create a Service Account API key for Flowlink:

    • Through the API. See API Keys.

    • Through the PCE Web Console (described in the procedure below).

  • The Org ID value is not shown when you create a Service Account API key.

  • Service accounts are always organization-based and specific to a PCE. When users create a service account, they define its permissions, and an api_key is created implicitly. Deleting a service account removes its permissions and all associated API keys.

  1. In the PCE UI, go to Access > Service Accounts.

  2. Click Add and configure settings.

    • Name

    • Description (optional)

    • Access Restriction: None.

    • API Key expiration: Keep the default or choose a different option.

    • Roles and Scopes: Select Global Administrator. The All scope is chosen automatically and cannot be changed.

  3. Click Save.

  4. When the API Key Created dialog appears, preserve the credentials (make a note or download them).

  5. Copy the values of the Authentication Username and Secret into a text file on the Flowlink server.

    Use a space to separate the key and secret. For example:

    api_xxxxxxxxxxxxxx yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy

  6. Copy the absolute path of the PCE API file, /home/employee/api_info. You will need it in the Flowlink configuration file.
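
The api_info file holds a Global Administrator API key and secret in plaintext, so it should be readable only by the account that runs Flowlink. The following check is an added example, not part of the Illumio documentation or the Flowlink package; the function name check_api_info is hypothetical, and the api_ prefix test is an assumption based on the sample line above.

```shell
#!/bin/sh
# Added example (not Illumio code): audit the Flowlink credential file.
# Format taken from the page: one line, "<key> <secret>", separated by a space.
# Assumption: key names start with "api_", as in the page's sample line.

check_api_info() {
    f=$1
    rc=0
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "FAIL: $f is missing, a symlink, or not a regular file"
        return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld -- "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FAIL: $f is accessible to group or other; fix with: chmod 600 $f"
        rc=1
    fi
    # Exactly one non-empty line: key, one space, secret, nothing trailing.
    # A stray CR from a Windows copy and paste also fails this test.
    # Contents are never echoed, so the secret stays out of logs and terminals.
    n=$(grep -c . "$f")
    if [ "$n" -ne 1 ] || ! grep -Eq '^api_[^[:space:]]+ [^[:space:]]+$' "$f"; then
        echo "FAIL: $f must contain exactly one '<key> <secret>' line"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $f is owner-only and well-formed"
    return "$rc"
}

# Constructed sample so the script runs stand-alone; key and secret are fake.
demo=$(mktemp)   # mktemp creates the file with mode 0600
printf 'api_0123456789abcdef 0123456789abcdef0123456789abcdef\n' > "$demo"
check_api_info "$demo"
rm -f "$demo"
```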

STEP 3: Configure HTTP/HTTPS Proxy (if needed)

Important

Perform this step only when Flowlink is isolated from the internet and needs to use a proxy to access the PCE.

Supported on Flowlink 1.3.0 and later.

When Flowlink is running behind a proxy or in a corporate network and the PCE is in the cloud, Flowlink can access the PCE via HTTP/HTTPS proxy configurations.

The following configuration parameters are available to define an HTTP/HTTPS proxy:

proxy_config:
  https_proxy: <HTTPS_PROXY>
  http_proxy: <HTTP_PROXY>

The following is an example of the proxy settings in a Flowlink YAML configuration file:

proxy_config:
  https_proxy: http://proxy.corporate.com:3128
  http_proxy: http://proxy.corporate.com:3128

In the example above, the HTTP/HTTPS proxy is running on FQDN proxy.corporate.com, port 3128.

STEP 4: Configure a Flowlink YAML File

Configure Flowlink by defining its runtime parameters in a YAML file. The included JSON schema validates the configuration to ensure all parameters are complete, well‑formed, and supported.

Note

Refer to the /usr/local/illumio/flowlink_config_schema.json file provided with the Flowlink RPM for definitions of all the fields supported by the Flowlink YAML configuration file.

  1. In the /home/employee directory, create a YAML configuration file. You can find an example yml file at /usr/local/illumio/config.yml.example.

  2. Enter the parameters. (See Flowlink Key-Value Parameters for details).

Example configuration

The following configuration listens for NetFlow on UDP 2055 from any data source. The absolute path is: /home/employee/config.yaml.netflow

pce_addr: mypce.example.com:8443
api_key: $cat /home/employee/api_info
data_directory: /home/employee
aggregation_minutes: 10
consumers:
  - name: netflow
    parser:
      type: netflow
    connectors:
      - type: udp
        properties:
          ports: '2055'

The following details the key-value parameters in Flowlink's YAML configuration file.

aggregation_minutes

    Required/Optional: Optional

    Description: The interval (in minutes) in which flows are aggregated and sent to the PCE.

    Default interval: 10

    Minimum allowed interval: 5

    Maximum allowed interval: 60

    For example:

    aggregation_minutes: 10

api_key

    Required/Optional: Required

    Description: API key and secret of the PCE. This allows Flowlink to POST flows to the PCE. The API key and secret can be copied into a file. You can run a script to cat the contents of that file. In the example below, a file called api_info is created which contains the PCE API key and secret.

    For example:

    api_key: $cat /home/employee/api_info

consumers

    Required/Optional: Required

    Description: A list of dictionaries. It requires a name, parser, and connector. Flowlink configuration supports one or many consumers (flow types).

    For more details about configuring the ingested flow types, see Ingested Flow Types.

data_directory

    Required/Optional: Required

    Description: The pathname of a directory where Flowlink can store any unsent data flow files or any restart information.

    For example:

    data_directory: /home/employee/

data_directory_size_mb

    Required/Optional: Optional

    Description: The maximum size (in megabytes) of data that can be stored in the data directory before being pruned.

    Default: 500

    Minimum value: 100

    For example:

    data_directory_size_mb: 200

file_retention_hours

    Required/Optional: Optional

    Description: The maximum number of hours unsent data flow files will be stored before being pruned.

    Default: 24

    Minimum: 4

    For example:

    file_retention_hours: 8

metrics_print_seconds

    Required/Optional: Optional

    Description: The frequency (in seconds) at which the metrics information is printed.

    Default: 60

    Minimum: 15

    For example:

    metrics_print_seconds: 60

org_id

    Required/Optional: Required for SaaS. Optional for on-premises.

    Description: The org id to which the flow data will be posted. The default id is 1.

    For example:

    org_id: 1

pce_addr

    Required/Optional: Required

    Description: FQDN of the PCE and port.

    For example:

    pce_addr: https://mypce.example.com:8443

pce_kafka

    Required/Optional: Optional, unless you're configuring certain integrations (for example, Armis and the PCE).

    Description: Allows you to stream flows to Azure Event Hub (instead of directly to the PCE) for use in Insights and Segmentation, and to configure the parameters included in flow headers.

    Note

    Currently, this feature is accessible to only a limited number of organizations.

    Applies to Flowlink 2.0.0 and later: If you are configuring Flowlink as part of an integration with the PCE and Armis, make sure to add the following to your Flowlink YAML file at the root level:

    pce_kafka:
      installation_id: armis-site

    For details, see About the Illumio and Netflow/sFlow Integration.
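
The limits in the parameter list can be checked before a restart, since a file that fails validation means no data is ingested or sent. This preflight script is an added example, not part of the Flowlink package; the function names are hypothetical, and it inspects only top-level scalar keys rather than applying the shipped JSON schema.

```shell
#!/bin/sh
# Added example (not Illumio code): preflight a Flowlink YAML file against the
# limits in the parameter table. It reads only top-level "key: value" lines and
# does not replace the JSON-schema validation Flowlink runs at startup.

cfg_get() {  # print the value of top-level key $1 in file $2 (empty if absent)
    sed -n "s/^$1:[[:space:]]*//p" "$2" |
        sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//' | head -n 1
}

in_range() {  # $1=name  $2=value  $3=min  $4=max (empty string = no maximum)
    [ -z "$2" ] && return 0          # optional key absent: the default applies
    case $2 in *[!0-9]*) echo "ERROR: $1 must be an integer"; return 1 ;; esac
    if [ "$2" -lt "$3" ] || { [ -n "$4" ] && [ "$2" -gt "$4" ]; }; then
        echo "ERROR: $1=$2 is out of range (min $3${4:+, max $4})"
        return 1
    fi
}

preflight() {  # returns the number of errors found in config file $1
    cfg=$1; errs=0
    # org_id is treated as required because this guide covers SaaS.
    for key in pce_addr api_key data_directory org_id; do
        [ -n "$(cfg_get "$key" "$cfg")" ] ||
            { echo "ERROR: $key is required"; errs=$((errs + 1)); }
    done
    grep -q '^consumers:' "$cfg" ||
        { echo "ERROR: consumers is required"; errs=$((errs + 1)); }
    in_range aggregation_minutes "$(cfg_get aggregation_minutes "$cfg")" 5 60 || errs=$((errs + 1))
    in_range data_directory_size_mb "$(cfg_get data_directory_size_mb "$cfg")" 100 "" || errs=$((errs + 1))
    in_range file_retention_hours "$(cfg_get file_retention_hours "$cfg")" 4 "" || errs=$((errs + 1))
    in_range metrics_print_seconds "$(cfg_get metrics_print_seconds "$cfg")" 15 "" || errs=$((errs + 1))
    return "$errs"
}

# Constructed sample: the page's NetFlow example with two deliberate mistakes
# (org_id omitted, aggregation_minutes below the minimum of 5).
demo=$(mktemp)
cat > "$demo" <<'EOF'
pce_addr: mypce.example.com:8443
api_key: $cat /home/employee/api_info
data_directory: /home/employee
aggregation_minutes: 2
consumers:
  - name: netflow
EOF
preflight "$demo" || echo "preflight failed: fix the file before restarting Flowlink"
rm -f "$demo"
```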