About Migrating the On-Premises PCE to Illumio Cloud with pcemigrate and venmigrate
Illumio provides the pcemigrate and venmigrate tools to facilitate migrating from the On-Premises PCE to the SaaS PCE. This guide describes how to use these tools to migrate, the steps involved, and the limitations of using these tools.
The pcemigrate and venmigrate tools together provide the following functionality:
They orchestrate the initial replication of policy objects and some selected management objects from the on-premises PCE to the Illumio SaaS instance.
They migrate VENs by batches from the on-premises PCE to the Illumio Cloud instance.
They synchronize policy changes and workload changes between the on-premises PCE and Illumio Cloud during the VEN migration.
You can run the pcemigrate tool on a machine running Linux, windows or MacOS. You must be able to access both the on-premises PCE and Illumio Cloud from the machine using the Illumio public API. You can also run pcemigrate directly from the on-premises PCE if you can access Illumio Cloud from the on-premises PCE. pcemigrate migrates the policy objects and synchronizes the changes. It uses the Illumio public API, which allows it to perform the following operations:
Export managed workload metadata and apply metadata to managed workloads.
Generate and encrypt VEN migration parameters (port, FQDN, pairing profile id, proxy, activation key, migration type (activation or pair), enforcement mode, and so on). The parameters are saved in a yaml file. You can encrpyt this yaml file before you deploy it on VEN hosts.
Create a set of unmanaged workloads with the same hostnames, labels, and interfaces as a set of managed workloads.
Delete a subset of unmanaged workloads specified by filters on names, hostnames, external data sets, and labels.
Unpair a subset of managed workloads specified by filters on names, hostnames, external data sets, labels and hours since reception of the last heartbeat and the connectivity state (online or offline).
Persistently store migration information and resume operations at the last point of failure or start over.
You must deploy the venmigrate tool on VEN hosts. It is available for Windows, Linux, macOS, and AIX and migrates the VEN. It deactivates/unpairs the VEN from the on-premises PCE and activates/pairs to the Illumio Cloud with a minimum amount of disruption. It provides the following functionality:
It reads the encrypted and non-encrypted migration parameters.
If the front-end management port of Illumio Cloud is open to VEN hosts:
Applies custom labels to the managed workload after pairing the VEN to Illumio Cloud.
Deletes the unmanaged workload on Illumio Cloud after activating/pairing the VEN.
If the front-end management port of the on-premises PCE is open to VEN hosts:
Creates the unmanaged workload on the on-premises PCE before deactivating/unpairing the VEN.
Retrieves the managed workload metadata from the on-premises PCE before deactivating/unpairing the VEN.
Here is the workflow for migrating the on-premises PCE to Illumio Cloud:
Setting up the organization on Illumio Cloud: Org owner user, API keys, S3 buckets, and so forth.
Replicating policy objects from the on-premises PCE to Illumio Cloud and optionally replicating some management objects (users, auth security principals, permissions, and so on). This includes creating unmanaged workloads that correspond to workloads on the on-premises PCE in Illumio Cloud.
Migrating the VENs in batches.
Synchronizing policy object changes on the on-premises PCE to Illumio Cloud and changes to managed workloads between the on-premises PCE and Illumio Cloud.