Skip to main content

Illumio Core 23.2 Install, Configure, Upgrade

Migrate the VEN in Batches

After the initial replication of policy objects and workloads on Illumio Cloud is completed, the next step is to migrate VENs from the On-Premises PCE to the Illumio Cloud in batches. This includes the following steps:

  1. Creating unmanaged workloads on the on-premises PCE.

  2. Exporting metadata for the managed workloads corresponding to the subset of VENs to migrate to a JSON file.

  3. Generating VEN migration parameters and and encrypt the content of the parameter file.

  4. Deploying the (encrypted) VEN migration parameter file and the venmigrate binaries to the hosts of VENs you are migrating.

  5. Migrating VENs by running the venmigrate tool on the hosts of the VENs you are migrating.

  6. If necessary, applying (custom) labels and other metadata (enforcement mode, visibility level, and so forth).

  7. Removing unnecessary unmanaged workloads.

  8. Syncing the policy object changes and the managed workload changes.

Create Unmanaged Workloads on the On-Premises PCE

You need to create unmanaged workloads with the same names, hostnames, labels and interfaces as the managed workloads of the VENs to migrate. Note the following:

  • Ensure that the object limits allow the additional unmanaged workloads.

  • You can skip this step if the front-end port of the on-premises PCE is open to VEN hosts. In this case, the venmigrate creates the unmanaged workloads before deactivating/unpairing the VEN.

  • You can specify the subset of managed workloads in a workload filter yaml file. The filter criteria include names, hostnames, hrefs, external data sets, and labels. Workloads criteria can fully enumerate the list of workloads for the subset or can be specified as regular expressions. Run pcemigrate create-unmanaged-workload --help for additional information about available options.

Run pcemigrate create-unmanaged-workload --help for more information about the available options.

The following example shows the content of the filter file and the command to create the unmanaged workloads with the confirmation prompt disabled.

> cat workloads.yaml
hostnames:
- vm1
- vm2

> pcemigrate create-unmanaged-workload --pce 4x2testvc10000 --workload-filter-file workloads.yaml --update-pce --no-prompt
Export Managed Workload Metadata to a JSON File

This step exports to a JSON file metadata of the set of managed workloads corresponding to VENs to migrate. This file is used as input for pcemigrate or venmigrate (if the Illumio Cloud front-end management port is opened to VEN hosts), to apply custom labels to managed workloads after pairing with Illumio Cloud. You can use the workload filters specified for creating unmanaged workloads to specify the subset of managed workloads.

Run pcemigrate wkld-metadata-export --help for more information about available options.

The following shows the content of the filter file and the command to export metadata to the 4x2testvc10000-workloads-set1-metadata.json JSON file.

> cat workloads.yaml
hostnames:
- vm1
- vm2

> pcemigrate wkld-metadata-export --pce 4x2testvc10000 --workload-filter-file workloads.yaml --metadata-json-file 4x2testvc10000-workloads-set1-metadata.json
Generate and Encrypt VEN Migration Parameters

If you will use the same pairing profile and activation key throughout the migration of the VENs, you can generate the VEN migration parameter file once. You can reuse the same VEN migration parameter file. However, you must regenerate the VEN migration parameter file each time the pairing profile or the activation key change. The set of parameters includes:

  • The SaaS FQDN

  • The port used by VEN for pairing to SaaS

  • Org id

  • Activation key

  • Pairing profile id

  • Type of migration: activate or pair

  • Proxy server if necessary

If the Illumio Cloud front-end management port is open to VEN hosts, you can specify the following additional parameters:

  • The Illumio Cloud front-end management port, which is 443 for SaaS and which defaults to 8443 for the On-Premises PCE.

  • API key

If the on-premises PCE front-end management port is open to VEN hosts, you can specify the following additional parameters:

  • On-premises PCE front-end management port

  • API key

Run pcemigrate ven-migrate-config --help for more information about available options.

The following shows an example of the command to save VEN migration parameters to the 4x2testvc10000-to-mnctstvc26000-01.yaml file and the command that saves the encrypted content to 4x2testvc10000-to-mnctstvc26000-01.enc.

> pcemigrate ven-migrate-config --ven-migrate-config  4x2testvc10000-to-mnctestvc26000-01.yaml --pce mnctestvc26000.testlabs.io --port 8443 --fe-mgmt-port 8443 org-id 655362 --pairing-profile-id 2814749767106564 --api-version v25 --activation-code 192a15577805e7bdd044a7efd685da01816c6c7a4d6d25c7c3feeae46baf65b5f2a7fda8fa40959c3 --migration-type activate

> cat 4x2testvc10000-to-mnctestvc26000-01.yaml
pce: mnctestvc26000.testlabs.io
port: 8443
fe_mgmt_port: 8443
pairing_profile_id: 2814749767106564
api_version: v25
activation_code: 192a15577805e7bdd044a7efd685da01816c6c7a4d6d25c7c3feeae46baf65b5f2a7fda8fa40959c3
migration_type: activate
ven_migrate_config_file: 4x2testvc10000-to-mnctestvc26000-01.yaml

> pcemigrate enc-ven-migrate-conf --ven-migrate-config  4x2testvc10000-to-mnctestvc26000-01.yaml --enc-ven-migrate-config 4x2testvc10000-to-mnctestvc26000-01.enc

> cat 4x2testvc10000-to-mnctestvc26000-01.enc
TWtfOO68DaxoeC3uamoLqGJDdvV2c8IudbyZdlcMkiov+/eCWtOB70KxqBJM15UE6Q/g300caKGkAE1LUsMM8VvkFR0yeqMcKC9I/jIwvVESH+dKnOOMH7/0HWU6N9r+kHSNzZu2ayth3l+l9/9F3dOAmcEi5Xb/RvfXzGiUZds0O43aCehMrygqF3wKaKkpxNZSGfPDCFIz7BxmLDSwxqwUiEeHDeSxLuLv6XQIW3471QLjvMnw00kkv2/CWzG+8xM12rMuQdbpZwU9uAs2nIgYaEDj524fOxWyM6eNFftdl7IUSiMcxykGeGKO9WDhHjOjIDHoxqizmeQDcqQWLo6ZWrmfqe61u3sLeRgF795bFvlA3KroUaEp1T2Px1J7hKpiQhnHiyPVv2zFu+y4oSp6JQCurJMzUx9y90Q0qa1Uhw==%
Deploy the Encrypted VEN Parameter File and venmigrate Binaries to the VEN Hosts

Copy the encrypted VEN parameter file and the venmigrate tool binaries corresponding to the OS of the VEN hosts to the host. Use Secure Copy Protocol (SCP) for the transfer or other deployment tools, such as chef.

Note

You can also deploy the workload metadata JSON file if the Illumio Cloud front-end management port is open and you want venmigrate to automatically apply custom labels after it pairs the VEN with Illumio Cloud.

The following shows an example of deployment using SCP:

> scp ~/pcemigrate/bin/venmigrate-linux 4x2testvc10000-to-mnctestvc26000-01.enc [email protected]:~/

> scp ~/pcemigrate/bin/venmigrate-linux 4x2testvc10000-to-mnctestvc26000-01.enc [email protected]:~/
Migrate the VENs

Run the venmigrate tool on each VEN to migrate the VEN from the on-premises PCE to SaaS.

Note the following:

  • If the SaaS front-end management port is open, venmigrate will attempt to perform the following unless disabled:

    • Set built-in labels (role, application, environment, and location) when activating/pairing the VEN to SaaS. It is important that the activation key used allows labels to be overridden.

    • Apply custom labels after activating/pairing the VEN to Illumio Cloud.

    • Delete the unnecessary unmanaged workload after activating/pairing to Illumio Cloud.

  • If the on-premises PCE front-end port is open, venmigrate will attempt to perform the following unless disabled:

    • If necessary, it will create an unmanaged workload before deactivating/unpairing the VEN.

    • Retrieve the managed workload metadata unless a workload metadata file is specified.

Run venmigrate migrate --help for more information about available options. This assumes that the binary file corresponding to the host OS has been renamed to venmigrate or that a symbolic link with the same name has been created.

The following shows a migration command. This example assumes that front-end management ports are not open and that the labels are locked.

> venmigrate migrate --enc-ven-migrate-conf-file 4x2testvc10000-to-mnctestvc26000-01.enc --do-not-apply-custom-labels --no-label-assignment
Apply Custom Labels

If necessary, you can apply custom labels and other metadata to the VEN that is paired with Illumio Cloud. You need to do this if the SaaS front-end management port is not open to VEN hosts and if custom labels were assigned to some workloads on the On-Premises PCE.

Note

You can specify a workload JSON file to avoid having to retrieve all of the managed workloads from the Illumio SaaS instance if the workload's JSON file is available after pcemigrate_sync is run.

The following command applies custom labels and other metadata information to two managed workloads on the SaaS instance:

> pcemigrate wkld-sync-label 4x2testvc10000-workloads-set1-metadata.json --pce mnctestvc26000 --update-pce --no-prompt
Remove Unnecessary Unmanaged Workloads

To remove unnecessary unmanaged workloads after migrating a set of VENs, run the pcemigrate sync command as indicated in Sync Policy Object Changes During VEN Migration.