PCE Installation Overview

This overview introduces some essential concepts that you'll need to understand before installing the PCE.

Nodes and Clusters

A PCE node is a single host (server or VM) that runs the PCE. Each node in the cluster is configured by its node type, which defines its services:

  • Core node, known as core0, core1, core2, and core3
  • Data node, known as data0 and data1
  • Single node in a single-node cluster (SNC), which combines core and data nodes in one

The total collection of nodes is a PCE cluster. In production, the PCE is typically deployed as a multiple-node cluster (MNC).

  • For smaller deployments where high availability is not necessary, you can deploy a PCE SNC.
  • In a typical PCE deployment, for redundancy, you deploy two instances of each node type in a PCE 2x2 cluster.
  • For larger deployments, you can expand the PCE cluster to four core nodes and two data nodes in a PCE 4x2 cluster.
  • To construct a single administrative domain that spans two or more replicating PCE clusters, deploy a PCE supercluster. See PCE Supercluster Deployment.

Single-node Clusters

In an SNC, some special considerations apply.

Because it contains only a single node, an SNC does not provide high availability (HA) features. The SNC is a single point of failure. Therefore, Illumio recommends taking some additional precautionary steps:

  • Set up periodic, automated backups.
  • Practice restoring from backup to a separate machine (physical or virtual) before putting the SNC into production use.
  • Store a copy of the PCE software installation packages, the PCE database backup, and the runtime_env.yml file, which stores the PCE's configuration. Store them on a separate physical machine, preferably in a different datacenter, using fault-tolerant storage.
  • If you are running the SNC as a virtual machine, you can make use of the hypervisor's high availability and disaster recovery (HA/DR) features.

To prepare for PCE installation on an SNC:

  • Have a reserved virtual machine or physical machine ready for the backups of the PCE software, database, and runtime_env.yml.
  • This machine must be able to use the existing IP address of the PCE. Alternatively, you can reserve a new IP address for the backup machine, and configure this IP address in the PCE.

Software Distribution: PCE and UI Packages

Illumio distributes PCE software as two packages: PCE and UI. The PCE package contains the software for the Policy Compute Engine (PCE), and the UI package contains the PCE web console, a central web interface to the Illumio Core. Illumio users access the PCE web console to create security policy and visualize the workloads and traffic flows in your organization. The PCE web console is installed as part of the PCE software, although it can be upgraded independently. Additionally, Illumio administrators can use the PCE web console to configure features and behavior of the PCE. You can choose to install these packages separately or together:

  • PCE package plus UI package: This choice is the most common installation scenario. See Installing the PCE and UI.
  • PCE package alone: The PCE still serves responses to API calls, but there is no graphical user interface for display in a browser.
  • UI package alone: With this separate package, you can upgrade the UI whenever you want more recent UI fixes and features, without having to upgrade the entire PCE. The UI-only installation procedure is much simpler than the full installation. For the UI to work, a compatible version of the PCE must already be installed. See UI-Only Upgrade.