IBM Cloud Docs
Migrating to independent instances

Currently, you can run IBM Cloud® Monitoring and Workload Protection (also known as Sysdig Secure) concurrently on the same compute node by using an instance of IBM Cloud Monitoring that has the Graduated Tier - Sysdig Secure + Monitor plan (sometimes referred to as the combined plan). Workload Protection is now available as a standalone service as IBM Cloud Security and Compliance Center Workload Protection, and the IBM Cloud Monitoring combined plan will be retired soon.

The Graduated Tier - Sysdig Secure + Monitor plan is now deprecated. If you need a new IBM Cloud Monitoring instance that also requires IBM Cloud Security and Compliance Center Workload Protection functionality, provision an IBM Cloud Monitoring instance with a connected IBM Cloud Security and Compliance Center Workload Protection instance.

Consider migrating to the standalone service as soon as possible.

Why migrate?

The combined plan is planned to be deprecated in the coming months.

In addition, IBM Cloud Security and Compliance Center Workload Protection is less expensive than the IBM Cloud Monitoring combined plan. Migration should only take a few minutes, and can be done with no loss of existing data and no downtime in your monitoring process.

How do I migrate?

Complete the following steps:

  1. If you do not have the latest IBM Cloud CLI, download and install it.

  2. Ensure you or someone on your team has the correct access level to do the migration. You will need to have an IAM role at the IBM Cloud platform level and another role at the service level.

    • The IBM Cloud platform Editor role is required for the person who will downgrade the existing IBM Cloud Monitoring plan and create a new Workload Protection instance.

    • The IBM Cloud platform Administrator role is required for the person who will assign access to the new Workload Protection instance. Note that the Administrator can also perform all Editor tasks.

    • The Workload Protection service Manager role is required for the person who will configure the new Workload Protection instance.

    For more information about managing access, see the Workload Protection documentation.

  3. From your terminal, log in to the account containing the IBM Cloud Monitoring instance you would like to migrate.

  4. Downgrade your IBM Cloud Monitoring instance to the Graduated Tier plan by running the following command:

    ibmcloud resource service-instance-update "<monitoring instance name>" --service-plan-id 231bb072-1b2f-4d7e-ae9e-9574d382be32

    The service-plan-id 231bb072-1b2f-4d7e-ae9e-9574d382be32 is the plan ID for Graduated Tier and is the same for everyone.

    You can find your Monitoring instance name in your Resource List found in the IBM Cloud console, or in the upper left corner of your IBM Cloud Monitoring dashboard. Next to the instance name on the Monitoring dashboard, you will find the region in parentheses. You will need this in the next step.

  5. Create a new Workload Protection instance that is associated with the Monitoring instance you downgraded in the previous step:

    1. Designate a resource group for the new Workload Protection instance by running the following command:

      ibmcloud target -g <resource group name>

      You can target any resource group, but to make the instances easier to manage, you can target the group that contains your Monitoring instance.

    2. To create the new instance, run the following command:

      ibmcloud resource service-instance-create <new instance name> "sysdig-secure" "graduated-tier" "<region>" -p '{"cloud_monitoring_connected_instance": "<monitoring instanceID>"}'

      The new instance name can be any string.

      The region for your new Workload Protection instance should be the same as your Monitoring instance region. The region will be an abbreviation such as “us-south”, “eu-de”, or “jp-tok”. You can find the region in your Monitoring dashboard in parentheses next to the instance name.

      The parameter cloud_monitoring_connected_instance is required to make the connection between your new Workload Protection instance and the existing IBM Cloud Monitoring instance. This parameter allows you to run Monitoring and Workload Protection on the same target node. You can find the instanceID in the GUID field of the response to the service-instance-update command, or as the last string in the URL for your Monitoring dashboard.

    Access privileges will not be migrated to the new Workload Protection instance. Your IBM Cloud platform administrator will need to assign access for the new Workload Protection instance.

    Existing agent configurations will continue to work after the migration of instances has been completed.

After performing these steps, the migration process is complete and you should see a new IBM Cloud Security and Compliance Center Workload Protection instance in the Security section of your Resource List in the IBM Cloud Console. You can access the new instance directly from the Resource List, or from the dashboard of the downgraded Monitoring instance.
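Steps 4 and 5 as one script, added here as an example and not taken from the IBM documentation: it reads the GUID from the service-instance-update response and refuses to build the -p payload unless that value has the shape of a GUID. The function names, the sample response and the assumption that the GUID is lowercase hexadecimal are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example, not IBM's own script. Function names are hypothetical.

GRADUATED_TIER_PLAN_ID="231bb072-1b2f-4d7e-ae9e-9574d382be32"  # plan ID from step 4

# Read the GUID field from the text response of service-instance-update (stdin).
extract_guid() {
  awk '$1 == "GUID:" { print $2; exit }'
}

# Accept only a lowercase 8-4-4-4-12 hex GUID (assumed format).
is_guid() {
  case "$1" in *[!0-9a-f-]*) return 1 ;; esac  # rejects quotes, spaces, newlines
  printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Build the -p payload from step 5; fail rather than emit unvalidated JSON.
connection_params() {
  is_guid "$1" || { echo "not a GUID: '$1'" >&2; return 1; }
  printf '{"cloud_monitoring_connected_instance": "%s"}' "$1"
}

# Steps 4 and 5. Arguments: monitoring instance name, resource group,
# new Workload Protection instance name, region (same as the Monitoring region).
migrate() {
  local out guid params
  # tee keeps the CLI output visible on the terminal while it is captured.
  out=$(ibmcloud resource service-instance-update "$1" \
        --service-plan-id "$GRADUATED_TIER_PLAN_ID" | tee /dev/stderr)
  guid=$(printf '%s\n' "$out" | extract_guid)
  # A failed downgrade yields no GUID line, so the check below stops here.
  params=$(connection_params "$guid") || return 1
  ibmcloud target -g "$2" || return 1
  ibmcloud resource service-instance-create "$3" "sysdig-secure" \
    "graduated-tier" "$4" -p "$params"
}

# Constructed sample of an update response, for exercising the parsing offline.
SAMPLE_RESPONSE='Service instance my-monitoring was updated.
Name:       my-monitoring
GUID:       0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0
Location:   us-south'
```

After logging in (step 3), source the file and call migrate with the four arguments. Access to the new instance still has to be assigned separately by an Administrator.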

Who do I contact if I have problems migrating?

If you encounter problems in the migration process, go to IBM Cloud Support and open a case against “Security and Compliance Center Workload Protection”.