Illumio Core 25.2.10 Install, Configure, Upgrade

You must clean your data before you start the migration. Make sure that you don't have any inconsistencies in VENs such as duplicate VEN names, stopped VENs, or suspended VENs.

You must upgrade your on-prem PCE to a version that supports migration based on your base image.

Illumio recommends that you avoid any changes to the on-prem PCE while it validates your data and restores it to your SaaS instance.

Workloads migrated using database backups are transplanted and don't need venmigrate installed. Any workloads that are paired after the database is restored and require venmigrate to be installed are not transplanted. They are unpaired and re-paired.

Illumio recommends that you don't use SaaS for anything other than to alter VEN configuration-related updates that are migrated.

Make sure that VENs can connect to the target SaaS PCE. This may require actions such as whitelisting PCE IPs, updating firewall rules, or adjusting deny policies. To complete the migration, VENs must establish a successful connection to the target PCE.

Ensure the authentication mechanism between the PCE and VEN is token-based. Certificate or Kerberos-based authentication is not supported during the migration.

Policy or workload changes are synchronized with the SaaS PCE only when the pcemigrate tool sync step is executed. The SaaS environment operates as an eventually consistent system with updates dependent on the sync frequency.

Offline timers will be disabled on both on-prem and SaaS PCEs during the migration, which may cause some policy inconsistencies.

Metadata indicating who created or modified objects (for example, created_by or updated_by) will not be preserved.