Workload Operations
The Public Stable API for workloads allows you to perform workload operations, such as create an unmanaged workload, update workload information, unpair a workload, and delete a workload.
Update Workload Information
This API allows you to update information about a workload. To make this call, you need the URI of the workload you want to update, which is returned in the form of an HREF path when you get either a single or a collection of workloads in an organization.
URI to Update an Individual Workload's Information
PUT [api_version][workload_href]
Request Properties
Property | Description | Type | Required |
---|---|---|---|
name
|
Short, friendly name of the workload. | String | Yes |
description
|
Long description of the workload. | String | No |
external_data_set
|
An external data set identifier. For example, if this workload information is stored in an external database. | String | No |
external_data_reference
|
An external data set reference path. For example, if this workload information is stored in an external database. | String | No |
hostname
|
The hostname reported by the workload. | String | Yes |
service_principal_name
|
The Kerberos Service Principal Name (SPN). This property is only relevant if you have configured Kerberos in your environment to authenticate VEN-to-PCE communication. | String | No |
distinguished_name
|
The X.509 Subject distinguished name, used if you want this workload to use machine authentication between VENs and other hosts. NOTE:
This property has an API exposure level of Public Experimental, which means it is not intended for production use and might change in future releases. For more information, see API Classification and Version. |
String | No |
public_ip
|
The public IP address of the workload. | String | No |
interfaces
|
List of all functioning network interfaces on the workload. Properties for workload network interfaces:
|
Array | No |
service_provider
|
Name of the service provider that is hosting the workload. | String | No |
data_center
|
The name of the data center where the workload is being hosted. | ||
data_center_zone
|
The zone inside the data center hosting the workload. | String | No |
os_id
|
Unique OS identifier given by Illumio to the workload. | String | No |
os_detail
|
Additional descriptive information about the workload OS | String | No |
online
|
Indicates whether the workload is online and can communicate with the PCE. | Boolean. | No |
labels
|
Labels that are attached to the workload. | Array. | No |
"agent " (VEN) properties hash: |
|||
mode
|
This property defines the policy state of the workload's VEN. There are three possible states:
|
String | No |
log_traffic (deprecated) |
If set to True, then traffic flows from the VEN are logged. | Boolean | No |
visibility_level
|
The amount of data the VEN collects and reports to the PCE from a workload in the enforced mode (policy state), so you can control resource demands on workloads. The higher levels of detail are useful for visualizing traffic flows in the Illumination map inside the PCE web console.
If this parameter is not set, then VEN visibility level is set to
|
Example Payload
This example shows what the JSON payload looks like for changing the policy state (called mode
in the API) of a workload from its current state to enforced.
{"agent":{"config":{"mode":"enforced","log_traffic":true}}}
Curl Command to Update Workload
A workload state can be build, test, or enforced. This example shows how to use curl to update a workload policy state from its current state to enforced.
This example assumes that you want to update the state of a single workload in an organization. You can obtain an organization ID when you use the Users API to log in a user to Illumio.
curl -i -X PUT https://pce.my-company.com/api/v2/orgs/3/workloads/043902c883d133fa -H "Content-Type:application/json" -u $KEY:$TOKEN -d '{"agent":{"config":{"mode":"enforced","log_traffic":true}}}'
Unpair Workloads
This API allows you to unpair workloads from the PCE by uninstalling the Illumio VEN from each workload. You can unpair up to 1,000 workloads at a time.
Pairing a workload installs the Illumio VEN on a workload. Unpairing a workload uninstalls the VEN from the workload so that the workload no longer reports any information to the PCE, and the workload can no longer receive any policy information.
When you unpair workloads with this API, you can set the state for the workloadʼs iptables (Linux) or WFP (Windows) configuration.
URI to Unpair Workloads
PUT [api_version][org_href]/workloads/unpair
Request Body
Property | Description | Type | Req |
---|---|---|---|
workloads
|
Defines the list of workloads you want to unpair. |
Array | Yes |
href
|
URI of the workload to unpair. | String | Yes |
firewall_restore
|
This property allows you to determine the state of the workload Options include:
|
String | Yes |
Example Payload for Unpairing Workloads
{
"workloads": [
{"href":"/orgs/7/workloads/XXXXXXXx-9611-44aa-ae06-fXXX8903db65"},
{"href":"/orgs/7/workloads/xxxxxxxx-9611-xxxx-ae06-f7bXXX03db71"}
],
"firewall_restore":"saved"
}
Curl Command for Unpairing Workload
curl -i -X PUT https://pce.my-company.com/api/v2/orgs/3/workloads/unpair -H "Content-Type:application/json" -u $KEY:$TOKEN -d '{"workloads": [{"href": "/orgs/7/workloads/xxxxxxxx-9611-44aa-ae06-fXXX8903db65", "href": "/orgs/7/workloads/xxxxxxxx-9611-xxxx-ae06-f7bXXX03db71"}], "firewall_restore": "default"}'
Mark Workload as Suspended
You can use this API to mark a workload VEN as either suspended or unsuspended.
URI to Mark a Workload VEN as Suspended or Unsuspended
PUT [api_version][workload_href]
Example Payload
This example shows what the JSON payload looks like for marking a workload VEN as suspended, with the status property for the agent
(the VEN) set to suspended
.
To mark a workload VEN as unsuspended, use the same JSON body but replace suspend
with unsuspend
.
{
"agent": {
"status": {
"status": "suspended"
}
}
}
Curl Command to Mark Workload as Suspended
This example shows you how to use curl to mark a workload VEN as suspended.
This example assumes that you want to mark a single workload VEN as suspended. You can obtain an organization ID when you use the Users API to log in a user to Illumio.
curl -i -X PUT https://pce.my-company.com/api/v2/orgs/3/workloads/043902c883d133 -H "Content-Type:application/json" -u $KEY:$TOKEN -d '{"agent":{"status":{"status":"suspended"}}}'
Create an Unmanaged Workload
The Unmanaged Workload API enables you to create a workload without installing the VEN on it. This API is commonly used if you are using Kerberos authentication between the VEN and the PCE.
URI to Create an Unmanaged Workload
POST [api_version][org_href]/workloads
Request Body
Property | Description | Type | Required |
---|---|---|---|
name
|
Short, friendly name of the workload. | String | Yes |
description
|
Long description of the workload. | String | No |
external_data_set
|
An external data set identifier. For example, if this workload information is stored in an external database. | String | No |
external_data_reference
|
An external data set reference path. For example, if this workload information is stored in an external database. | String | No |
hostname
|
The hostname reported by the workload. | String | Yes |
service_principal_name
|
The Kerberos Service Principal Name (SPN). This property is only relevant if you have configured Kerberos in your environment to authenticate VEN-to-PCE communication. | String | No |
distinguished_name
|
The X.509 Subject distinguished name, used if you want this workload to use machine authentication between VENs and other hosts. NOTE:
This property has an API exposure level of Public Experimental, which means it is not intended for production use and might change in future releases. For more information, see API Classification and Version. |
String | No |
public_ip
|
The public IP address of the workload. | String | No |
interfaces
|
List of all functioning network interfaces on the workload. Properties for workload network interfaces:
|
Array | No |
service_provider
|
Name of the service provider that is hosting the workload. | String | No |
data_center
|
The name of the data center where the workload is being hosted. | ||
data_center_zone
|
The zone inside the data center hosting the workload. | String | No |
os_id
|
Unique OS identifier given by Illumio to the workload. | String | No |
os_detail
|
Additional descriptive information about the workload OS | String | No |
online
|
Indicates whether the workload is online and can communicate with the PCE. | Boolean. | No |
labels
|
Labels that are attached to the workload. | Array. | No |
"agent " (VEN) properties hash: |
|||
mode
|
This property defines the policy state of the workload's VEN. There are three possible states:
|
String | No |
log_traffic (deprecated) |
If set to True, then traffic flows from the VEN are logged. | Boolean | No |
visibility_level
|
The amount of data the VEN collects and reports to the PCE from a workload in the enforced mode (policy state), so you can control resource demands on workloads. The higher levels of detail are useful for visualizing traffic flows in the Illumination map inside the PCE web console.
If this parameter is not set, then VEN visibility level is set to
|
Example Payload
For example, to create an unmanaged workload by providing a name, hostname, public IP address, and its Kerberos Service Principal Name, construct the JSON payload as follows:
{
"name":"web_tier1",
"hostname":"web_workload1.example.com",
"public_ip":"10.10.10.10",
"service_principal_name":"my_company-device-auth/web_workload1.example.com",
}
Curl Command to Create Unmanaged Workload
curl -i -X POST https://pce.my-company.com:8443/api/v2/orgs/4/workloads -H "Content-Type: application/json" -u $KEY:$TOKEN -d '{"name":"web_tier1", "hostname":"web_workload1.example.com","public_ip": "10.10.10.10","service_principal_name":"my_company-device-auth/web_workload1.example.com"}'
Delete a Workload Record
If you have unpaired a workload, you can use this API to delete the workload's record from the PCE.
URI to Delete a Workload Record
DELETE [api_version][workload_href]