HOW TO
Technology Blog –
Virtual Machine Migration
Introduction
With Migrate to Virtual Machines, you can transfer EC2 instances from your AWS account to Google Compute Engine instances. This process allows for seamless migration of workloads, enabling you to leverage Google Cloud’s infrastructure.
Prerequisites
Before you begin the migration, please ensure you have reviewed the documentation on using Migrate to Virtual Machines. This resource provides an overview of the migration structure, key terminology, concepts, and reference information to help you efficiently move your workloads.
- Enable the VM Migration API on your host project by visiting Google Cloud Console.
- Check the supported operating systems for migrating virtual machines from AWS to Google Cloud.
Migrating Workloads from AWS Source
To set up your AWS environment before initiating the migration using AWS as the source, complete the following tasks:
- Create AWS IAM Policies.
- Create IAM Users for Migrate to Virtual Machines service access.
- Optional: Tag EC2 instances for migration.
- Use Google Cloud to create the source.
Creating AWS IAM Policies
Before creating IAM users, establish policies that define the required permissions for your workloads. For detailed instructions, refer to the AWS IAM documentation on creating IAM policies.
Use the provided JSON template to grant migration permissions:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ec2:DescribeInstances",
            "ec2:DescribeVolumes",
            "ec2:DescribeInstanceTypes",
            "ec2:DescribeSnapshots",
            "ec2:CreateTags",
            "ec2:CreateSnapshots",
            "ec2:StopInstances"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "ebs:ListSnapshotBlocks",
            "ebs:ListChangedBlocks",
            "ebs:GetSnapshotBlock",
            "ec2:DeleteSnapshot",
            "ec2:DeleteTags"
          ],
          "Resource": "*",
          "Condition": {
            "StringEquals": {
              "aws:ResourceTag/m2vm-resource": "snapshot"
            }
          }
        }
      ]
    }
If your EC2 instances use encrypted volumes and non-AWS-managed keys, add the following statement to the policy to grant the created user access to the encryption keys:
    {
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:DescribeKey"
      ],
      "Resource": "<KMS key ARN>"
    }
For more details on the permissions specified in the JSON template, refer to the Permission Details.
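The following is an added example, not part of the original page or of Google's documentation: a Python check that compares an IAM policy document against the template above and reports delete/read-block actions that lost the m2vm-resource tag condition, KMS access that is not pinned to a key ARN, and any action outside the template. The function names and the DRIFTED sample policy are constructed for illustration.

```python
import json

# Action sets copied from the policy template on this page.
UNSCOPED_OK = {"ec2:DescribeInstances", "ec2:DescribeVolumes",
               "ec2:DescribeInstanceTypes", "ec2:DescribeSnapshots",
               "ec2:CreateTags", "ec2:CreateSnapshots", "ec2:StopInstances"}
TAG_SCOPED = {"ebs:ListSnapshotBlocks", "ebs:ListChangedBlocks",
              "ebs:GetSnapshotBlock", "ec2:DeleteSnapshot", "ec2:DeleteTags"}
KMS_ACTIONS = {"kms:Decrypt", "kms:DescribeKey"}
TAG_KEY, TAG_VALUE = "aws:ResourceTag/m2vm-resource", "snapshot"


def as_list(value):
    """IAM accepts either a single value or a list for these fields."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy_json):
    """Return findings; an empty list means the policy stays within the template."""
    findings = []
    for i, stmt in enumerate(as_list(json.loads(policy_json)["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource is outside the template")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        scoped = as_list(cond.get(TAG_KEY, [])) == [TAG_VALUE]
        wide = any("*" in r for r in as_list(stmt.get("Resource", "*")))
        for action in as_list(stmt.get("Action", [])):
            if action in TAG_SCOPED and not scoped:
                findings.append(f"statement {i}: {action} lacks the {TAG_KEY} condition")
            elif action in KMS_ACTIONS and wide:
                findings.append(f"statement {i}: {action} is not limited to one key ARN")
            elif action not in UNSCOPED_OK | TAG_SCOPED | KMS_ACTIONS:
                # Unknown names (wildcards, other casing) are reported, not trusted.
                findings.append(f"statement {i}: {action} is outside the template")
    return findings


# Constructed sample: the tag condition was dropped and KMS was opened to all keys.
DRIFTED = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:DescribeInstances", "ec2:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["ec2:DeleteSnapshot"], "Resource": "*"},
    {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": "*"},
]})

if __name__ == "__main__":
    for finding in audit_policy(DRIFTED):
        print(finding)
```

Run it against the policy JSON attached to the migration user before handing the access key to Migrate to Virtual Machines, and again whenever the policy is edited.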
Creating AWS IAM Users
To migrate AWS workloads, create an IAM user for Migrate to Virtual Machines. This user allows Migrate to Virtual Machines to interact with your AWS account using public APIs.
To configure IAM user permissions for using AWS as the migration source, create an API user in AWS IAM.
Note: Alternatively, you can use AWS Security Token Service (STS) tokens to configure AWS sources with temporary credentials. For more details, refer to AwsSourceDetails.
During the user creation process, make sure to:
- Create a user with programmatic access.
- Attach the IAM policy you created in the previous section to the new user.
- Save the Access Key ID and Secret Access Key generated in this step, as you will need them when creating the source in Migrate to Virtual Machines.
Optional: Tagging EC2 Instances to Migrate
It is recommended to tag instances that you wish to migrate. For example, you might use tags like wantToMigrate=true.
For detailed information on how to tag EC2 instances, refer to the AWS IAM documentation.
Creating AWS Source
After creating the IAM user and attaching the new IAM policy for Migrate to Virtual Machines to that user, you need to create the AWS source before you can start the migration process.
To create an AWS source, follow these steps:
- In the Google Cloud Console, navigate to the Migrate to Virtual Machines page.
- Select the Sources tab.
- Open the Add Source dropdown and select + Add AWS Source.
- In the Create AWS Source panel, enter the source details.
Note: After creating the source, you cannot modify the GCP region or AWS region fields. However, you can modify the Access Key ID and Secret Access Key fields after creation. Changes to credentials may interrupt ongoing replication cycles. It’s recommended to wait 24 hours before revoking the previous credentials.
AWS Source Details Parameters
Name -> A string that identifies the source. This must conform to the Compute Engine naming conventions. This field cannot be updated after the source is created.
GCP Region (Required) -> The Google Cloud region to which you want to migrate the instances. This field cannot be updated after the source is created.
AWS Region (Required) -> The AWS region from which to migrate EC2 instances (e.g., eu-west-1). The Migrate to Virtual Machines console will only display EC2 instances in this region. This field cannot be updated after the source is created. Note: It's recommended to copy the region from the AWS console to avoid spelling errors, which can invalidate the source. If this happens, you'll need to create a new source.
Access Key ID (Required) -> Part of the IAM user’s credentials.
Secret Access Key (Required) -> Part of the IAM user’s credentials.
Customer-managed encryption key -> The key you want to use to protect data in Google Cloud. By default, Google Cloud automatically encrypts data at rest using Google-managed encryption keys. If you have specific compliance or regulatory requirements, you can use Customer Managed Encryption Keys (CMEK) to encrypt and decrypt data at rest. These keys are created, managed, and owned by you.
Optional: Filter by security group -> Filter the visible EC2 instances in the Migrate to Virtual Machines list by security group names. You can specify multiple group names, and Migrate to Virtual Machines will display instances that belong to any of these groups.
Optional: Filter by VM tags (recommended) -> Specify tags to filter the inventory. We strongly recommend this approach, as it allows you to focus on a subset of EC2 instances tagged for migration. If you specify multiple VM tags, Migrate to Virtual Machines will only display instances that have all these tags.
Optional: User tags for migrated resources -> Migrate to Virtual Machines will create snapshots of the EC2 disks for migration to Google Cloud. If you want custom tags associated with these resources, specify them here. This helps you identify all resources created by Migrate to Virtual Machines in your AWS environment. The snapshots will already have the tags outlined in the snapshots documentation.
- Click the Create button. A notification will appear detailing the new source.
- Wait (up to 15 minutes, but usually shorter) for the Source Status to indicate Active.
- Verify your list to ensure instances corresponding to the tags and/or security groups specified during source creation are present.
As part of the source creation, your project will automatically be added as a target project.
Next Steps: Starting the Migration
Once the AWS source is established, you can proceed with the migration. The remaining steps for migrating workloads from the AWS source follow the same process as for other sources in Migrate to Virtual Machines.
For detailed instructions on how to begin the migration process, please refer to Migrating a Single Virtual Machine.