
Illumio Core 25.2.10 Install, Configure, Upgrade

Start Your Custom VEN Migration

Note

Workloads migrated using the database backup are transplanted and don't need venmigrate installed.

Any workloads paired after the database is restored require venmigrate to be installed, and they are not transplanted. They are unpaired and re-paired.

For more information about workload migration, see Changes During the Standard VEN Migration in the Standard Migration Guide.

1. Enable VEN Migration on the on-prem and SaaS PCE

  1. Upgrade all your PCE nodes with the RPM and UI packages available on the Illumio Support portal.

  2. Enable and set the following runtime data in runtime_env.yml across all nodes of all the on-prem PCEs.

    inter_pce_ven_migration_enabled: true
    workload_update_allow_list_org_ids:
    - <org-id>
    skip_agent_info_timed_work_checks_org_ids:
    - <org-id>

  3. Restart the PCE to sync runtime_env.yml.

    illumio-pce-ctl cluster-restart

2. Set up the PCEs

  • Set up the dedicated workstation with the pcemigrate tool by establishing connections to two PCEs. 

    If it's a supercluster, add connections to each member PCE and the leader.

    pcemigrate pce-add --name <name> --fqdn <pce-fqdn> --port <port> --ev-fqdn <ev-service-fqdn> --ev-port <port> --sb-port <port> --api-user <api_username> --api-key <api_password> --org <orgid>

    where

    <pce-fqdn> is the FQDN of the PCE.

    <ev-service-fqdn> is the FQDN of the Event Service.

    --ev-port is the Event Service port. This information can also be found in the runtime_env.yml file. If it's not available there, the defaults are: event-service-port: 8444; north-bound-port: 8443.

    --sb-port is the Southbound API port (8444).

    pce-add is performed by FQDN. For example, for PCEmycompany.com, you will add pce1-.mycompany.com and not the individual nodes under it. You need to add it only once.

3. Create the Policy Object Map

  • Build the initial policy object map between the source (only the leader in a supercluster) and the target.

    Note

    This may take several hours, depending on the size of your deployment.

    pcemigrate create-config-map --from-pce <source-leader-pce> --to-pce <target-pce>

    where

    create-config-map creates a “map” of the VENs to be transplanted and their associated objects to be used during the migration.

4. Transplant VENs from the on-prem PCE to SaaS

  • Execute migrations with a single source PCE at a time.

    Any batch of VENs to be migrated should be owned by the same PCE. If you have multiple PCEs within your on-prem environment, identify VENs from each PCE and migrate them in separate batches.

    For example, if you have three PCEs within your Supercluster, there should be three separate migration batches, one for each PCE.

    Important

    Mixing VENs from multiple regions (different PCEs) in a single migration batch can lead to inconsistent states. This may require manual fixes such as unpairing and re-pairing.

    pcemigrate transplant-vens --from-pce <source-pce-name> --to-pce <destination-pce-name> --href_file /path/to/href_file.json 

    The href_file uses the following format.

    [
     {
       "href": "/orgs/1/vens/6f408598-8963-44fd-9afb-72c909b100a6"
     },
     {
       "href": "/orgs/1/vens/b8fc4e13-34de-49a8-9ff6-42ce0ac70951"
     }
    ]

Note

You need to create the file href.json manually.

5. Check the VEN transplant status

  1. Run the following command to check the VEN transplant status.

    pcemigrate transplant-vens-status --from-pce <source-pce-name> --to-pce <destination-pce-name> --href_file /path/to/href_file.json --csv_output_file_dir /path/to/directory_where_file_should_be_saved

    The href_file uses the following format.

    [
     {
       "href": "/orgs/1/vens/6f408598-8963-44fd-9afb-72c909b100a6"
     },
     {
       "href": "/orgs/1/vens/b8fc4e13-34de-49a8-9ff6-42ce0ac70951"
     }
    ]

  2. Verify that the transplant has succeeded by reviewing the .csv file.

    Caution

    If migration status indicates that it is underway or unsuccessful after six heartbeats, it will be considered Unsuccessful. Review the VEN status before you do another migration.

    Table 12. csv_file

    | ven_href | Name | Host_Name | Status |
    |---|---|---|---|
    | /orgs/1/vens/7a9b501f-c03e-40ef-ab57-ccbf4f1f537 | test1 | vm1 | Migration is underway or unsuccessful. |
    | /orgs/1/vens/76f408598-8963-44fd-9afb-72c909b100a6 | test2 | vm2 | Success |
    | /orgs/1/vens/b8fc4e13-34de-49a8-9ff6-42ce0ac70951 | test3 | vm3 | Migration is underway or unsuccessful. |



6. Synchronize the PCEs

Note

Make sure that the syncs happen before and after the VEN transplant.

  • Synchronize the changes between the source (only the leader in a supercluster) and the target after every batch you migrate.

    pcemigrate sync --from-pce <src-pce-name> --to-pce <destination-pce-name>

7. Repeat these steps for additional batches of VENs

  1. Make sure that the pcemigrate sync is complete.

  2. Repeat Steps 4 through 6 until all VENs are migrated to SaaS.
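
A script for the href_file in Step 4 and the status .csv in Step 5: it writes one batch in the href_file format and lists every submitted VEN that is not yet reported as Success. This is an added example, not part of the Illumio documentation or the pcemigrate tool. It assumes the .csv has a header row with the Table 12 column names; the function names, the href pattern and the sample data are constructed for illustration.

```python
import csv
import io
import json
import re

# Assumed href shape, inferred from the examples on this page: /orgs/<n>/vens/<id>
HREF_RE = re.compile(r"^/orgs/\d+/vens/[0-9a-fA-F-]+$")


def build_href_file(hrefs):
    """Return href_file JSON text for one batch; reject malformed or duplicate hrefs."""
    seen = set()
    for href in hrefs:
        if not HREF_RE.match(href):
            raise ValueError(f"not a VEN href: {href!r}")
        if href in seen:
            raise ValueError(f"duplicate VEN href: {href!r}")
        seen.add(href)
    return json.dumps([{"href": h} for h in hrefs], indent=1)


def needs_review(hrefs, csv_text):
    """Map each submitted href that is not 'Success' to its Status.

    A VEN that was submitted but has no row in the CSV is flagged as well.
    """
    rows = csv.DictReader(io.StringIO(csv_text))
    status = {r["ven_href"].strip(): r["Status"].strip() for r in rows}
    report = {h: status.get(h, "missing from CSV") for h in hrefs}
    return {h: s for h, s in report.items() if s != "Success"}


# Constructed sample data, modelled on the href_file and Table 12 examples.
SAMPLE_HREFS = [
    "/orgs/1/vens/6f408598-8963-44fd-9afb-72c909b100a6",
    "/orgs/1/vens/b8fc4e13-34de-49a8-9ff6-42ce0ac70951",
    "/orgs/1/vens/7a9b501f-c03e-40ef-ab57-ccbf4f1f537",
]
SAMPLE_CSV = """ven_href,Name,Host_Name,Status
/orgs/1/vens/6f408598-8963-44fd-9afb-72c909b100a6,test2,vm2,Success
/orgs/1/vens/b8fc4e13-34de-49a8-9ff6-42ce0ac70951,test3,vm3,Migration is underway or unsuccessful.
"""

if __name__ == "__main__":
    print(build_href_file(SAMPLE_HREFS))
    for href, state in needs_review(SAMPLE_HREFS, SAMPLE_CSV).items():
        print(f"review before the next batch: {href}: {state}")
```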