VEN Migration Scenarios

VEN Migration steps can be performed in two scenarios, depending on whether the PCE's front-end management ports are opened to the VEN host system.

VEN migration can be performed in one or multiple batches, with multiple batches taking longer.

Typically, PCE on-prem default ports are 8443

In this case, the same steps 1-5 can be performed automatically by the venmigrate tool.

Specify the API key information for both PCEs in the VEN migration parameter file, which must be encrypted before deployment on the VEN hosts.

The migration of VENs from on-premises to Illumio SaaS may take an extended period of time and will be done in batches.

Review these sync limitations before migrating the VEN.

Policy object changes must occur on the on-prem PCE.
Managed workload changes sync between on-prem PCE and SaaS.
New unmanaged workloads on the on-prem PCE are replicated on SaaS.
Pairing profiles, users, and cluster containers changes are not synced after initial replication.

For VEN migration, sync policy changes.

This overview outlines the migration of VENs, whether it occurs over a short or extended period.

In this case, policy objects are not modified until all VENs have been migrated to the SaaS platform.

Migration of VENS must be carried out one on-premises PCE at a time and include the following steps:

Replicate on-premise policy objects to SaaS using the pcemigrate migrate command, affecting only new objects without altering existing ones on SaaS.
Migrate all VENs from on-premise PCE to SaaS with the venmigrate command on each VEN host.
Clean up unnecessary unmanaged workloads and retire the on-premise PCE.

VENs are migrated in batches over an extended period.

If you have more than 1,000 VENs, Illumio recommends that you do multiple batches of migration.

Policy objects may change on the on-premise PCE during VEN migration and must be synchronized with Illumio SaaS.

For details on migrating VENs in batches, see VEN Migration in Batches.

Illumio Core 25.2.10 Install, Configure, Upgrade