Skip to main content

Illumio Core 23.2 Install, Configure, Upgrade

VEN Migration Preparation Command

Generate VEN Migrate Parameters

The ven-migrate-config command allows you to specify various parameters that will be used to migrate VENs to the target PCE and subsequently apply custom labels after pairing the VEN with the target PCE. Some of the parameters include:

  • Target PCE FQDN

  • Front-end port

  • Front-end management port (Optional. Not needed if custom labels do not need to be applied.)

  • Proxy URL

  • Pairing Profile ID

  • Organization ID (Not needed if custom labels do not need to be applied.)

  • Activation code

  • Migration type.

    • Pair (Unpairing and then pairing with the target PCE.)

    • Activate (Deactivate and then activate with the target PCE.)

The following parameters are necessary if the venmigrate command must retrieve workload metadata from the source PCE or create the unmanaged workload prior to deactivating/unpairing the VEN:

  • Source PCE FQDN

  • Front-end port of the source PCE

  • Front-end port management port of the source PCE

  • Organization ID on the source PCE

  • API Key and API Key user on the source PCE

These parameters are saved in a YAML file by default. To migrate a VEN, you have to transfer three files on the workload node:

  • venmigrate: Tool in golang that handles the VEN pairing/activation and applying custom labels.

  • venmigrate.yaml: The YAML file containing the migration parameters.

  • workload-metadata.json: The JSON file containing the workloads metadata. If this file is not transfered, you will have to create this file on the workload or the venmigrate command will try to retrieve the information from the source PCE.

ven-migrate-config

% pcemigrate ven-migrate-config --help 

Generates the venmigrate yaml file. 

The default file name is venmigrate.yaml and it is stored in the current directory. Use the --ven-migrate-config flag to set a custom file. You also use the ILLUMIO_VEN_MIGRATE_CONFIG environment variable. 
The command can be automated (avoid prompt) by using flags or the following following environment variables:
PCE_NAME, PCE_FQDN, PCE_PORT, PCE_USER, PCE_PWD, PCE_DISABLE_TLS, PCE_PROXY. 

The --update-pce and --no-prompt flags are ignored for this command.   

 Usage:    
    pcemigrate ven-migrate-config [flags]   
 
 Flags:      
     --ven-migrate-config string   The VEN migration configuration yaml file. The default file is venmigrate.yaml    
     --source-name string          The name of the source PCE. The source PCE parameters are retrieved from pce.yaml  
     --target-name string          The name of the target PCE. The target PCE parameters are retrieved from pce.yaml   
     --pce string                  The FQDN of the target PCE.     
     --port int                    The front-end port of the target PCE.   
     --fe-mgmt-port int            The front-end management port of the target PCE.    
     --org-id int                  The API owner organization ID on the target PCE  
     --api-user string             The API user on the target PCE.     
     --api-key string              The API key on the target PCE.     
     --proxy string                The proxy URL to reach the target PCE    
     --src-pce string              The FQDN of the source PCE.     
     --src-port int                The front-end port of the source PCE.     
     --src-fe-mgmt-port int        The front-end management port of the source PCE.  
     --src-org-id int              The API owner organization ID on the source PCE     
     --src-api-user string         The API user on the source PCE.    
     --src-api-key string          The API key on the source PCE.   
     --src-proxy string            The proxy URL to reach the source PCE.     
     --pairing-profile-id int      The pairing profile id.     
     --api-version string          The API version.   
     --activation-code string      The activation code.     
     --migration-type string       The type of VEN migration planned: pair or activate.   
     --ven-dir string              The path of the VEN directory. The default path is: /opt/illumio_ven    
     --ven-data-dir string         The path of the VEN data directory. The default path is: /opt/illumio_ven_data     
     --no-label-assignment         Do not specify the label when pairing the VEN. Labels will be inherited from the profile.    
     --no-enforcement-mode         Do not specify the enforcement mode when pairing the VEN. It will be inherited from the profile. 
 -h, --help                        help for ven-migrate-config     
 Global Flags (not relevant for all commands):     
      --config-file string    The path for the pcemigrate pce.yaml file.     
      --debug                 Enables debug-level logging for troubleshooting.    
      --log-file string       The path for the pcemigrate log file. (default "pcemigrate.log") 
      --migrate-op            When migrate-op is set to true, the Import operation is interpreted as a copy of objects from a different PCE as part of a PCE migration operation. (default true) 
      --no-prompt             Removes the user prompt when used with update-pce.      
      --update-pce            This command will update the PCE after a single user prompt. The default will just log potential changes to workloads.   
      --verbose               When verbose is enabled, includes the raw API responses. This makes pcemigrate.log increase in size significantly.

venmigrate-yaml

pce: mnctestvc13.ilabs.io
port: 8443
fe_mgmt_port: 8443
pairing_profile_id: 3
api_version: v25
org_id: 655363
api_key: 4f766fdddf92455345a5463d344f56272e87af1f085a6868c699d42a190a5587
api_user: api_1250c9b3b1ce17a6c
activation_code: 1bdd5740c4986c5998505098f566a5ea51c9526807538405faf327761b9dfbd5c008239c1a4757ae1
migration_type: activate
ven_migrate_config_file: venmigrate.yaml
src_pce: 4x2testvc49.ilabs.io
src_port: 8443
src_fe_mgmt_port: 8443
src_org_id: 1
src_api_key: 28b287a455cd03feb4ba467024e4cf28f2a7278558fd4158cef218058a0646c5
src_api_user: api_155bb81f30f1ef859
Generate an Encrypted Version of the venmigrate Configuration File

The venmigrate.yaml configuration file might contain sensitive information like API keys or an activation code. To protect this information, you can generate an encrypted version of the file. The venmigrate command will read the file and decode the information without revealing it. By default, the encrypted configuration file name is venmigrate.enc.

enc-ven-migrate-conf

% pcemigrate enc-ven-migrate-conf --help 

Generates an encrypted version of the venmigrate yaml file. 
The default migration yaml file name is venmigrate.yaml and it is stored in the current directory. The default encrypted version file name is venmigrate.enc.
Use the --ven-migrate-config and --enc-ven-migrate-config flags respectively to set custom file names.
You can also use ILLUMIO_VEN_MIGRATE_CONFIG and ILLUMIO_ENC_VEN_MIGRATE_CONFIG environment variables.

 The --update-pce and --no-prompt flags are ignored for this command.  
  
Usage:    
   pcemigrate enc-ven-migrate-conf [flags]    

Flags:     
   --ven-migrate-config string       The VEN migration configuration yaml file. The default file is venmigrate.yaml   
   --enc-ven-migrate-config string   The encrypted VEN migration configuration file. The default file is venmigrate.enc.

  -h, --help                         The help for enc-ven-migrate-conf     

Global Flags (not relevant for all commands):      
     --config-file string            The path for the pcemigrate pce.yaml file.      
     --debug                         Enables debug-level logging for troubleshooting.    
     --log-file string               The path for the pcemigrate log file. (default "pcemigrate.log")   
     --migrate-op                    When migrate-op is set to true, the Import operation is interpreted as a copy of objects from a different PCE as part of a PCE migration operation. 
     --no-prompt                     Removes the user prompt when used with update-pce.    
     --pce string                    The PCE to use in the command if not using the default PCE.      
     --update-pce                    This command will update the PCE after a single user prompt. The default will just log potential changes to workloads.      
     --verbose                       When verbose is enabled, includes the raw API responses. This makes pcemigrate.log increase in size significantly.  

Sample of venmigrate.enc Content

 data % ~/pcemigrate/bin/pcemigrate  enc-ven-migrate-conf --ven-migrate-config venmigrate.yaml
2025-02-04 13:59:15  [INFO] - Ven migration configuration file venmigrate.yaml encrypted successfully and saved as venmigrate.enc.
2025-02-04 13:59:15  [INFO] - enc-ven-migrate-conf completed data % cat venmigrate.encw14dgeoF0wRlzWUgHkdGFDoxVQKg0qDyG39fOOAB7wB0AiQbnrMo3bSIMmhoBQ6klab7qfCrtHq8Er1fNRiILl3a2JeHw6Wa89rCyvIIlJMtigFbjM6IblL3BaTzkqI1XB/jKgcAcUk9gfgVDfYlIzPQVEWtWYt4NGC6FSSpkar9/OfG7Yq+4CKMW6rFXssiYsvTt0Nd6rqacSPOKHpbBuGJNVTkySAf0nvmXga9jdc+tnGmEmdY3UTAazaJ09rVTNIRNC44WqiRDv3lZ
Limitations of the pcemigrate Tool
Migration of Some Policy Objects Is Not Handled

The set of policy and management objects handled corresponds to The following policy objects are not handled by the current implementation:

  • Virtual services

  • Load balancers, NEN, virtual servers

  • Kubernetes and C-VEN. However, you can export and import container clusters and container workload profiles.

Scalability Not Yet Determined

During the migration, the tool loads most of the objects of the source or target PCE in memory. If you have a hundred thousand workloads, the memory usage might be significant. Loading and uploading objects might take a toll on the network.

Metadata for all of the managed workloads is saved in a JSON file that is used during the VEN migration. You must load it to a hash data structure and extract the information for the host entry that corresponds to the VEN.