Migrating to independent instances
Currently, you can run IBM Cloud® Monitoring and Workload Protection (also known as Sysdig Secure) concurrently on the same compute node by using an instance of IBM Cloud Monitoring that has the Graduated Tier - Sysdig Secure + Monitor
plan (sometimes referred to as the combined plan
). Workload Protection is now available as a standalone service as IBM Cloud Security and Compliance Center Workload Protection, and the IBM Cloud Monitoring combined plan will be
retired soon.
The Graduated Tier - Sysdig Secure + Monitor plan is now deprecated. All new IBM Cloud Monitoring instances where IBM Cloud Security and Compliance Center Workload Protection functionality is also required should provision an IBM Cloud Monitoring instance with a connected IBM Cloud Security and Compliance Center Workload Protection instance.
Consider migrating to the standalone service as soon as possible.
Why migrate?
The combined plan is planned to be deprecated in the coming months.
In addition, IBM Cloud Security and Compliance Center Workload Protection is less expensive than the IBM Cloud Monitoring combined plan. Migration should only take a few minutes, and can be done with no loss of existing data and no downtime in your monitoring process.
How do I migrate?
Complete the following steps:
-
If you do not have the latest IBM Cloud CLI, download and install it.
-
Ensure you or someone on your team has the correct access level to do the migration. You will need to have an IAM role at the IBM Cloud platform level and another role at the service level.
-
The IBM Cloud platform
Editor
role is required for the person who will downgrade the existing IBM Cloud Monitoring plan and create a new Workload Protection instance. -
The IBM Cloud platform
Administrator
role is required for the person who will assign access to the new Workload Protection instance. Note theAdministrator
can also perform allEditor
tasks. -
The Workload Protection service
Manager
role for the person who will configure the new Workload Protection instance.
For more information about managing access, see the Workload Protection documentation.
-
-
From your terminal, log in to the account containing the IBM Cloud Monitoring instance you would like to migrate.
-
Downgrade your IBM Cloud Monitoring instance to the
Graduated Tier
plan by running the following command:ibmcloud resource service-instance-update "<monitoring instance name>" --service-plan-id 231bb072-1b2f-4d7e-ae9e-9574d382be32
The service-plan-id
231bb072-1b2f-4d7e-ae9e-9574d382be32
is plan ID forGraduated Tier
and is the same for everyone.You can find your Monitoring instance name in your Resource List found in the IBM Cloud console, or in the upper left corner of your IBM Cloud Monitoring dashboard. Next to the instance name on the Monitoring dashboard, you will find the region in parentheses. You will need this in the next step.
-
Create a new Workload Protection instance that is associated with the Monitoring instance you downgraded in the previous step:
- Designate a resource group for the new Workload Protection instance by running the following command:
ibmcloud target -g <resource group name>
You can target any resource group, but to make the instances easier to manage, you can target the group that contains your Monitoring instance.
-
To create the new instance, run the following command:
ibmcloud resource service-instance-create <new instance name> "sysdig-secure" "graduated-tier" "<region>" -p '{"cloud_monitoring_connected_instance": "<monitoring instanceID>"}'
The new instance name can be any string.
The region for your new Workload Protection instance should be the same as your Monitoring instance region. The region will be an abbreviation such as “us-south”, “eu-de”, or “jp-tok”. You can find the region in your Monitoring dashboard in parentheses next to the instance name.
The parameter
cloud_monitoring_connected_instance
is required to make the connection between your new Workload Protection instance and the existing IBM Cloud Monitoring instance. This parameter allows you to run Monitoring and Monitoring on the same target node. You can find the instanceID in the GUID field in of the response to theservice-instance-update
command, or as the last string in the URL for your Monitoring dashboard.
Access privileges will not be migrated to the new Workload Protection instance. Your IBM Cloud platform administrator will need to assign access for the new Workload Protection instance.
Existing agent configurations will continue to work after the migration of instances has been completed.
- Designate a resource group for the new Workload Protection instance by running the following command:
After performing these steps, the migration process is complete and you should see a new IBM Cloud Security and Compliance Center Workload Protection instance in the Security section of your Resource List in the IBM Cloud Console. You can access the new instance directly from the Resource List, or from the dashboard of the downgraded Monitoring instance.
Who do I contact if I have problems migrating?
If you encounter problems in the migration process, go to IBM Cloud Support and open a case against “Security and Compliance Center Workload Protection”.