Sync Policy Object Changes During VEN Migration
It can take from a few days to a few months to migrate all of the VENs. Usually VENs are migrated by batches. While some VENs are paired with the on-premises PCE and others with SaaS, you can continue to make necessary changes to policy objects and to sync these changes to maintain consistency. The synchronization of changes has the following limitations:
Policy object changes must be performed on the on-premises PCE because the on-premises PCE release is usually lower than the SaaS release.
Changes to managed workloads either on the on-premises PCE or on SaaS are replicated on the other PCE.
New unmanaged workloads on the on-premises PCE are replicated on Illumio SaaS, but new unmanaged workloads in lllumio Cloud are not replicated on the on-premises PCE.
Changing policy objects does not trigger a call to pcemigrate sync to sync the changes. pcemigrate sync has to be invoked either manually, through a cron job or other automation tool.
By default, policy changes are replicated as a draft version. You must specify the provision option if you want pcemigrate sync to provision the replicated changes.
Changes to pairing profiles, local users, RBAC settings, cluster container, and cluster container workload profiles after the initial replication are not replicated to the SaaS instance.
pcemigrate sync may take up to 90 minutes or more to complete a configuration with tens of thousands of workloads even if there are minimal changes or no changes.
If workloads are not bound to rulesets, you can skip syncing workloads to speed up the completion of pcemigrate sync.
Run pcemigrate sync --help for more information about the available options.
The following command shows an example of the pcemigrate sync command with the confirmation prompt disabled. Changes to policy objects and policies are replicated in draft versions.
pcemigrate sync --from-pce 4x2testvc10000 --to-pce mnctestvc26000 --no-prompt