Orchestrate the Changes to Policy Objects and Managed Workloads During the VEN Migration Phase
Migrating the VENs from the source PCE to the target PCE can take some time. VENs are typically migrated in batches, so there is a period during which some VENs are paired with one PCE and others with the other. You can still change policy objects and managed workloads during that period, but you must decide which PCE receives policy changes until all of the VENs are on the target PCE. Make policy changes on the PCE running the older version, or upgrade all of the PCEs to versions with a compatible object schema, so that objects never have to be converted from a newer schema to an older one. In an on-premises to SaaS migration the on-premises PCE is typically the older version, so make your changes on the on-premises PCE while the VEN migration is ongoing.
The sync command replicates policy object changes from the source PCE (--from-pce) to the target PCE (--to-pce), and replicates managed workload changes made on either PCE to the other. It can synchronize changes to the following policy objects:
Label dimensions
Label groups
Services
IP Lists
AD Group Users
Enforcement boundaries
Rulesets
It also synchronizes changes to the managed workloads on either PCE. The following rules apply:
Changes to managed workloads are applied to the corresponding unmanaged workloads on the other PCE. The inverse does not occur: changes to unmanaged workloads are never applied back to managed workloads.
For each new managed workload detected on one PCE, a new unmanaged workload is created on the other PCE, unless the managed workload is already associated with an unmanaged workload there (same external data set and external data reference).
New unmanaged workloads detected on the migration source PCE are replicated on the target PCE.
The synchronization follows the workflow below; "source PCE" and "destination PCE" here are relative to the sync command (--from-pce and --to-pce), and each step corresponds to a value of --stop-at-step. When the concurrency level is higher than sequential, the steps run concurrently for different types of objects:
Export policy objects and workloads from the source PCE.
Analyze object changes to identify objects and unmanaged workloads to delete, add, or update on the destination PCE. Only changes to managed workloads or new unmanaged workloads not created by pcemigrate are considered on the source PCE. Updates are determined based on the updated_at field of the object.
Delete objects on the destination PCE.
Update/create policy objects and unmanaged workloads on the destination PCE.
Update/create unmanaged workloads on the source PCE based on changes to managed workloads on the destination PCE.
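The matching and analysis rules above (managed workloads mapped to unmanaged copies by external data set and reference, updates decided by updated_at, --ignore-case and --max-create), worked through as an added Python model. This is illustrative code written for this page, not pcemigrate's own implementation: the record field names, the created_by_pcemigrate marker and the criterion used to pick unmanaged workloads for deletion are assumptions, and the sample PCE contents are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed model of a workload record. Only the fields the page mentions are
# kept; the field names and the created_by_pcemigrate marker are assumptions.
@dataclass(frozen=True)
class Workload:
    hostname: str
    managed: bool                        # True = a VEN is paired to this PCE
    external_data_set: Optional[str]
    external_data_reference: Optional[str]
    updated_at: str                      # ISO-8601 UTC: lexical order == time order
    created_by_pcemigrate: bool = False  # unmanaged copy made by an earlier sync

Key = Tuple[str, str]

def ext_key(w: Workload, ignore_case: bool) -> Optional[Key]:
    """External data set + external data reference is the identity matched on."""
    if w.external_data_set is None or w.external_data_reference is None:
        return None
    k = (w.external_data_set, w.external_data_reference)
    return (k[0].lower(), k[1].lower()) if ignore_case else k

@dataclass
class Plan:
    create: List[str] = field(default_factory=list)  # hostnames to create as unmanaged
    update: List[str] = field(default_factory=list)  # unmanaged workloads to update
    delete: List[str] = field(default_factory=list)  # stale pcemigrate copies to remove
    over_max_create: int = 0                         # creates skipped by --max-create

def analyze(src: List[Workload], dst: List[Workload], *, ignore_case: bool = False,
            max_create: int = -1) -> Plan:
    """One direction of the analyze step: what to change on dst based on src.

    Rules from the page: only managed workloads, or unmanaged ones not created by
    pcemigrate, on src are considered; each maps to an unmanaged workload on dst
    with the same external data set/reference, created if absent and updated only
    if src.updated_at is newer; managed workloads on dst are never touched.
    Deleting a pcemigrate-created copy whose source counterpart is gone is an
    assumption about how the delete step chooses its targets.
    """
    dst_unmanaged: Dict[Key, Workload] = {}
    for w in dst:
        k = ext_key(w, ignore_case)
        if k is not None and not w.managed:
            dst_unmanaged[k] = w

    plan = Plan()
    seen: Set[Key] = set()
    for w in src:
        if not w.managed and w.created_by_pcemigrate:
            continue                      # a replica, not a source of truth
        k = ext_key(w, ignore_case)
        if k is None:
            continue                      # cannot be matched, so nothing to replicate
        seen.add(k)
        match = dst_unmanaged.get(k)
        if match is None:
            if max_create != -1 and len(plan.create) >= max_create:
                plan.over_max_create += 1
            else:
                plan.create.append(w.hostname)
        elif w.updated_at > match.updated_at:
            plan.update.append(match.hostname)

    for k, w in dst_unmanaged.items():
        if w.created_by_pcemigrate and k not in seen:
            plan.delete.append(w.hostname)
    return plan

def sync_plan(src: List[Workload], dst: List[Workload], **opts) -> Dict[str, Plan]:
    """Steps 2 to 5 of the workflow: dst is updated from src, then src from dst."""
    return {"to_dst": analyze(src, dst, **opts), "to_src": analyze(dst, src, **opts)}

# Constructed mid-migration state: web01 has already moved to the target; db01
# and app01 are still on the source; app01 changed after its copy was made on
# the target, and that copy carries a differently-cased external reference.
SOURCE_PCE = [
    Workload("db01", True, "cmdb", "db01", "2024-05-01T10:00:00Z"),
    Workload("app01", True, "cmdb", "app01", "2024-05-03T09:00:00Z"),
    Workload("web01", False, "cmdb", "web01", "2024-05-02T08:00:00Z", created_by_pcemigrate=True),
    Workload("legacy", False, None, None, "2024-05-01T00:00:00Z"),
]
TARGET_PCE = [
    Workload("web01", True, "cmdb", "web01", "2024-05-02T12:00:00Z"),
    Workload("app01", False, "cmdb", "APP01", "2024-05-01T09:00:00Z", created_by_pcemigrate=True),
    Workload("old01", False, "cmdb", "old01", "2024-04-01T00:00:00Z", created_by_pcemigrate=True),
]

if __name__ == "__main__":
    for direction, plan in sync_plan(SOURCE_PCE, TARGET_PCE, ignore_case=True).items():
        print(direction, plan)
```

Running the same data without ignore_case=True shows why the flag matters: the differently-cased APP01 copy no longer matches, so the model both creates a second app01 on the target and deletes the existing copy, instead of updating it in place.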
sync
% pcemigrate sync --help
Handles syncing of policy object changes made on the source PCE (--from-pce) to the target PCE (--to-pce) and syncs changes to managed workloads on either side to the other side.

Usage:
  pcemigrate sync [flags]

Flags:
      --from-pce string                   Source PCE to sync from.
      --to-pce string                     Destination PCE to sync to.
      --forced-restart                    Restart from the beginning of the previously failed sync.
      --provision                         Provision changes.
      --provision-comments string         Provision comments.
      --data-base-dir string              Base working directory.
      --ignore-case                       Ignore case when matching name, hostname, or external data set and external data reference.
      --max-create int                    The maximum number of unmanaged workloads that can be created. -1 is unlimited. (default -1)
      --skip-workload-sync                Skip syncing the workload changes.
      --ignore-workload-update-failures   Continue the sync operation even if creation/update of some unmanaged workloads failed in Bulk API calls.
      --concurrency-level string          Concurrency level. Sequential: No concurrency; Moderate: Main ops on different objects of the same PCE; Normal: Main ops on different objects across PCEs; Advanced: More ops. (default "normal")
      --profiling-level int               Profiling level. 1: Overall execution, 2: Down to specific type of operations, 3: Down to operation on object types. (default 1)
      --cpu-profile-filename string       The name of the file where to save the pprof CPU profile data.
      --mem-profile-filename string       The name of the file where to save the pprof memory profile data.
      --stop-at-step string               This command will end after the step specified: none|export-src|analyze-src|delete-tgt|update-tgt|analyze-tgt|delete-src|update-src (default "none")
  -h, --help                              The help for sync

Global Flags (not relevant for all commands):
      --config-file string   The path for the pcemigrate pce.yaml file.
      --debug                Enables debug-level logging for troubleshooting.
      --log-file string      The path for the pcemigrate log file. (default "pcemigrate.log")
      --migrate-op           When migrate-op is set to true, the Import operation is interpreted as a copy of objects from a different PCE as part of a PCE migration operation.
      --no-prompt            Removes the user prompt when used with update-pce.
      --pce string           The PCE to use in the command if not using the default PCE.
      --update-pce           This command will update the PCE after a single user prompt. The default will just log potential changes to workloads.
      --verbose              When verbose is enabled, includes the raw API responses. This makes pcemigrate.log increase in size significantly.