
Illumio Core 25.2.10 Install, Configure, Upgrade (On-Prem)

Custom Migration Considerations and Limitations

Review these considerations and limitations before you begin the migration.

  • You must clean your data before you start the migration.

    Make sure that you don't have any inconsistencies in VENs, such as duplicate VEN names, stopped VENs, or suspended VENs. Other potential issues include rulesets that reference workloads directly. Such references will be pruned or removed from the rulesets.

  • You must upgrade your on-prem PCE to a version that supports migration based on your base image.

  • Illumio recommends avoiding any changes to the on-prem PCE while it validates your data and restores it to your SaaS instance.

  • Workloads migrated using database backups are transplanted and don't require installing venmigrate. Any workloads that are paired after the database dump and require venmigrate to be installed are not transplanted. They are unpaired and re-paired.

  • Illumio recommends that you don't use SaaS for anything other than applying VEN configuration-related updates that have been migrated.

  • Ensure VENs can connect to the target SaaS PCE. This may require actions such as whitelisting PCE IPs, updating firewall rules, or adjusting deny policies. To complete the migration, VENs must establish a successful connection to the target PCE.

  • Ensure the authentication mechanism between the PCE and VEN is token-based. Certificate-based or Kerberos-based authentication is not supported during the migration.

  • Policy or workload changes are synchronized with the SaaS PCE only when the pcemigrate tool sync step is executed. The SaaS environment operates as an eventually consistent system with updates dependent on the sync frequency.

  • Offline timers will be disabled on both on-prem and SaaS PCEs during the migration, which may cause some policy inconsistencies.

  • Metadata indicating who created or modified objects (for example, created_by or updated_by) will not be preserved.

  • The on-prem PCE can contain containers and container workload profiles. However, these objects cannot be migrated and must remain static for the duration of the migration.

    The objects owned by container clusters cannot be changed during the migration process as this can cause pcemigrate sync to fail.
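The data-cleaning item above names three VEN inconsistencies (duplicate names, stopped VENs, suspended VENs) and rulesets that reference workloads directly. The following pre-flight check is an added example, not Illumio code; the record layout and field names (`name`, `status`, `rules`, `providers`, `consumers`, `workload`) are assumptions, and the sample data is constructed.

```python
from collections import Counter

# Constructed sample records. Field names are assumptions for illustration;
# map them to whatever your on-prem PCE export actually contains.
SAMPLE_VENS = [
    {"name": "web-01", "status": "active"},
    {"name": "web-01", "status": "active"},
    {"name": "db-01", "status": "stopped"},
    {"name": "app-01", "status": "suspended"},
]
SAMPLE_RULESETS = [
    {"name": "web-to-db", "rules": [
        {"providers": [{"label": {"href": "/labels/1"}}],
         "consumers": [{"workload": {"href": "/workloads/abc"}}]},
    ]},
    {"name": "label-only", "rules": [
        {"providers": [{"label": {"href": "/labels/1"}}],
         "consumers": [{"label": {"href": "/labels/2"}}]},
    ]},
]

def ven_findings(vens):
    """Return duplicate VEN names and VENs that are stopped or suspended."""
    # Names are compared case-insensitively (an assumption of this example).
    counts = Counter(v["name"].lower() for v in vens)
    duplicates = sorted(n for n, c in counts.items() if c > 1)
    inactive = sorted((v["name"], v["status"]) for v in vens
                      if v["status"] in ("stopped", "suspended"))
    return {"duplicate_names": duplicates, "inactive": inactive}

def rulesets_with_direct_workloads(rulesets):
    """Return names of rulesets whose rules reference a workload directly."""
    flagged = []
    for rs in rulesets:
        actors = [a for rule in rs.get("rules", [])
                  for side in ("providers", "consumers")
                  for a in rule.get(side, [])]
        if any("workload" in a for a in actors):
            flagged.append(rs["name"])
    return flagged

def preflight(vens, rulesets):
    """Collect every finding; empty lists mean these checks passed."""
    report = ven_findings(vens)
    report["direct_workload_rulesets"] = rulesets_with_direct_workloads(rulesets)
    return report

if __name__ == "__main__":
    for check, items in preflight(SAMPLE_VENS, SAMPLE_RULESETS).items():
        print(f"{check}: {items or 'clean'}")
```

Any non-empty list in the report is something to resolve before the database backup, since direct workload references are pruned from rulesets during migration.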

Limitations

  • The current implementation does not handle migration for load balancers, NEN, virtual servers, Kubernetes, Flowlink, and C-VEN.

  • Container clusters and workload profiles can be exported or imported.

  • The migration tool cannot move a VEN that cannot communicate with both the on-prem PCE and the SaaS instance.

  • Draft policies are not part of the sync process. These policies must be resolved before you back up your database: either provision them or delete them. You can back them up using the export function found on the policy page.

    Caution

    None of these draft policies will be synced to SaaS after the database restore or for as long as you transplant VENs.