Changes During the Standard VEN Migration
During the VEN migration process, you can continue to make necessary policy object changes and sync them for consistency.
Synchronization Limitations
Policy object changes should be made on the on-prem PCE to account for potential version differences between on-prem and SaaS releases.
Changes to managed workloads on either PCE are mirrored on the other.
New unmanaged workloads on the on-prem PCE are being replicated to the Illumio SaaS.
New unmanaged workloads in Illumio SaaS are not replicated to the on-prem PCE.
Manual invocation of
pcemigratesync is required to synchronize policy object changes. It does not trigger automatically.Specific settings, such as pairing profiles, local users, and RBAC settings, are not replicated after the initial replication.
Skipping workload syncing is possible if workloads are not linked to rulesets, which can expedite the completion of
pcemigrate sync. Skipping is recommended only if no workload changes are made (interface, label, and so forth).
For more information about available options, see pcemigrate sync --help.
Here's an example command for pcemigrate sync with the confirmation prompt disabled, replicating changes to policy objects.
pcemigrate sync --from-pce 4x2testvc10000 --to-pce mnctestvc26000 --no-prompt
Warning
The pcemigrate sync may fail to provision policy objects on the SaaS PCE if their content has not actually changed.
The update can be triggered by the object being provisioned on on-prem, or by the absence of a map file or an empty map file when there are objects on on-prem.