Skip to main content

Illumio Core 25.2.10 Install, Configure, Upgrade

VEN Migration in Batches

After the initial replication of policy objects and workloads to the Illumio SaaS is complete, migrate VENs from the on-prem PCE to the Illumio SaaS in batches.

Step 1: Create unmanaged workloads on the on-prem PCE

During this step, unmanaged workloads are created to mirror the names, hostnames, labels, and interfaces of the managed workloads designated for migration. The mirrored unmanaged workloads on-prem will remain as a copy of the migrated workload to SaaS. This allows policies to remain consistent for any communications between VENs that are on-prem and VENs that have moved to SaaS.

Important

Skip steps 1 through 3 if the on-prem PCE front-end port is accessible to VEN hosts. In such instances, the venmigrate tool creates unmanaged workloads before deactivating and unpairing the VEN.

  • Define the subset of managed workloads using a workload filter YAML file, specifying criteria such as names, hostnames, hrefs, external data sets, and labels.

    Workload criteria can be an exhaustive list or specified using regular expressions. See the pcemigrate create-unmanaged-workload --help for available options.

    Here's an example of filter file content and the command to create unmanaged workloads with the confirmation prompt disabled.

    create-unmanaged-workload

    > cat workloads.yaml
hostnames:
- vm1
- vm2
> pcemigrate create-unmanaged-workload --pce 4x2testvc10000 --workload-filter-file workloads.yaml --update-pce --no-prompt

Step 2: Export the managed workload metadata to a JSON file

  • During this step, metadata for the managed workloads linked to VENs earmarked for migration is exported to a JSON file.

    This file serves as input for pcemigrate or venmigrate (if the Illumio SaaS front-end management port is accessible to VEN hosts) to apply custom labels to managed workloads post-pairing with Illumio SaaS.

    The workload filters used for unmanaged workload creation can specify the managed workload subset.

    See the pcemigrate wkld-metadata-export --help for additional options.

    Here's an example of the filter file content and the command to export metadata to the JSON file 4x2testvc10000-workloads-set1-metadata.json:

    wkld-metadata-export

    > cat workloads.yaml
hostnames:
- vm1
- vm2
 
> pcemigrate wkld-metadata-export --pce 4x2testvc10000 --workload-filter-file workloads.yaml --metadata-json-file 4x2testvc10000-workloads-set1-metadata.json

Step 3: Generate and encrypt the VEN migration parameters

The VEN migration parameter file is created.

If the same pairing profile and activation keys are used during VEN migration, they can be generated once and reused. However, the file must be regenerated whenever the pairing profile or activation key changes.

The parameters include:

  • Illumio SaaS FQDN

  • VEN pairing port for connecting to Illumio SaaS

  • Organization ID

  • Activation key

  • Pairing profile ID

  • Migration type: activate or pair

  • Proxy server, if required

  1. Specify additional parameters if the front-end management port of Illumio SaaS or on-premise PCE is open to VEN hosts, including the front-end management port and API key for each.

  2. For available options, run pcemigrate ven-migrate-config --help.

    Here's an example command to save VEN migration parameters to the YAML file 4x2testvc10000-to-mnctstvc26000-01.yaml and the command to save the encrypted content to 4x2testvc10000-to-mnctstvc26000-01.enc.

    > pcemigrate ven-migrate-config --ven-migrate-config  4x2testvc10000-to-mnctestvc26000-01.yaml --pce mnctestvc26000.testlabs.io --port 8443 --fe-mgmt-port 8443 org-id 655362 --pairing-profile-id 2814749767106564 --api-version v25 --activation-code 192a15577805e7bdd044a7efd685da01816c6c7a4d6d25c7c3feeae46baf65b5f2a7fda8fa40959c3 --migration-type activate
 
> cat 4x2testvc10000-to-mnctestvc26000-01.yaml
pce: mnctestvc26000.testlabs.io
port: 8443
fe_mgmt_port: 8443
pairing_profile_id: 2814749767106564
api_version: v25
activation_code: 192a15577805e7bdd044a7efd685da01816c6c7a4d6d25c7c3feeae46baf65b5f2a7fda8fa40959c3
migration_type: activate
ven_migrate_config_file: 4x2testvc10000-to-mnctestvc26000-01.yaml
 
> pcemigrate enc-ven-migrate-conf --ven-migrate-config  4x2testvc10000-to-mnctestvc26000-01.yaml --enc-ven-migrate-config 4x2testvc10000-to-mnctestvc26000-01.enc
 
> cat 4x2testvc10000-to-mnctestvc26000-01.enc
TWtfOO68DaxoeC3uamoLqGJDdvV2c8IudbyZdlcMkiov+/eCWtOB70KxqBJM15UE6Q/g300caKGkAE1LUsMM8VvkFR0yeqMcKC9I/jIwvVESH+dKnOOMH7/0HWU6N9r+kHSNzZu2ayth3l+l9/9F3dOAmcEi5Xb/RvfXzGiUZds0O43aCehMrygqF3wKaKkpxNZSGfPDCFIz7BxmLDSwxqwUiEeHDeSxLuLv6XQIW3471QLjvMnw00kkv2/CWzG+8xM12rMuQdbpZwU9uAs2nIgYaEDj524fOxWyM6eNFftdl7IUSiMcxykGeGKO9WDhHjOjIDHoxqizmeQDcqQWLo6ZWrmfqe61u3sLeRgF795bFvlA3KroUaEp1T2Px1J7hKpiQhnHiyPVv2zFu+y4oSp6JQCurJMzUx9y90Q0qa1Uhw==%

Step 4: Deploy the encrypted VEN parameter file and venmigrate binaries

  1. Copy the encrypted VEN parameter file and the venmigrate tool binaries tailored to the VEN hosts' OS to the host.

  2. Use tools like Secure Copy Protocol (SCP) or deployment platforms like Chef for the transfer.

Note

Deploy the workload metadata JSON file if the Illumio SaaS front-end management port is accessible, enabling the venmigrate tool to apply custom labels after VEN pairing.

Here's an example of deployment using scp.

> scp ~/pcemigrate/bin/venmigrate-linux 4x2testvc10000-to-mnctestvc26000-01.enc [email protected]:~/
 
> scp ~/pcemigrate/bin/venmigrate-linux 4x2testvc10000-to-mnctestvc26000-01.enc [email protected]:~/

Step 5: Migrate the VENs

  1. On each VEN host, run the venmigrate tool to migrate the VEN from the on-prem PCE to the Illumio SaaS.

    Note

    If the Illumio SaaS front-end management port is accessible, venmigrate will:

    • Set built-in labels (role, application, environment, and location) during VEN activation/pairing to Illumio SaaS. The activation key should allow label overrides.

    • Apply custom labels post VEN activation/pairing to Illumio SaaS.Remove unnecessary unmanaged workloads after VEN activation/pairing to Illumio SaaS.

    If the on-premise PCE front-end port is open, venmigrate will:

    • Create an unmanaged workload if needed before deactivating/unpairing the VEN.

    • Retrieve managed workload metadata unless a metadata file is specified.

  2. Run venmigrate migrate --help for more information about available options.

    This assumes the binary file corresponding to the host OS has been renamed to venmigrate or a symbolic link with the same name has been created.

    The following example illustrates a migration command. This example assumes that front-end management ports are not open and the labels are locked.

    > venmigrate migrate --enc-ven-migrate-conf-file 4x2testvc10000-to-mnctestvc26000-01.enc --do-not-apply-custom-labels --no-label-assignment

Step 6: Apply custom labels and metadata

  1. Apply custom labels and metadata to VENs paired with the Illumio SaaS if needed.

  2. This step is crucial when the Illumio SaaS front-end management port (443 TCP) is inaccessible to VEN hosts and custom labels have been assigned to certain workloads on the on-premises PCE.

Note

You can specify a workload input JSON file to avoid retrieving all managed workloads from the Illumio SaaS.

This is achievable, for example, after running pcemigrate sync.

This command demonstrates applying custom labels and metadata to two managed workloads on the Illumio SaaS.

> pcemigrate wkld-sync-label 4x2testvc10000-workloads-set1-metadata.json --pce mnctestvc26000 --update-pce --no-prompt

Step 7: Remove unnecessary unmanaged workloads

  • After migrating a set of VENs, remove unnecessary unmanaged workloads by running the pcemigrate sync command.