Configuring Google Cloud for Migrate for Compute Engine

Before migrating your applications using Google Cloud Migrate for Compute Engine (formerly Velostrata), you'll need to configure your Google Cloud organization. This configuration enables Migrate for Compute Engine to manage the migration and communicate with the other components involved.

Google Cloud configuration includes:

  1. Setting up a Google Cloud account, organization, and project, including organization-level permissions and a project that Migrate for Compute Engine will use for its own infrastructure.
  2. Setting up networks on Google Cloud so that components that are part of your migration (such as Migrate for Compute Engine, Google Cloud, and the source environment from which you're migrating) can communicate with one another through firewalls over Google Cloud Virtual Private Cloud.
  3. Creating Google Cloud roles and service accounts by using Cloud Shell to set permissions so that Migrate for Compute Engine can create resources and manage APIs used during the migration.

Before you begin

  • You'll need to have identified the Google Cloud organization administrator account which will execute Migrate for Compute Engine scripts that configure Google Cloud.
  • You'll need to have set up a Google Cloud Virtual Private Cloud. Migrate for Compute Engine uses Virtual Private Cloud to support communication between Google Cloud and your source environment.
  • Your Google Cloud organization is one of several components that are part of the migration. You'll perform configuration tasks for each. For the bigger picture, be sure to read the description of the Migrate for Compute Engine architecture.

Setting up a Google Cloud account, organization, and project

You need a Google Cloud organization to migrate into Google Cloud. Once you have an organization, you'll assign permissions that allow a Migrate for Compute Engine script to configure Google Cloud with roles and service accounts. You'll create a Migrate for Compute Engine infrastructure project that will host the Velostrata Manager.

  1. Go to the Google Cloud console and sign in. If you don't already have an account, sign up to create one.
  2. To set up an organization, see Creating and managing organizations. For more information, see Decide a resource hierarchy for your Google Cloud landing zone.
  3. Assign the following permissions to your administrator who runs the account and role creation script:

    • Organization Role Administrator
    • Organization Administrator
    • Compute Admin
    • (Project) Owner

    For more information on IAM concepts such as Google Cloud accounts, service accounts, and roles, see the IAM Overview.

  4. Create a Google Cloud project to host Migrate for Compute Engine infrastructure on Google Cloud. In the rest of this document, we'll call this the infrastructure project.

Setting up networks on Google Cloud

Migrate for Compute Engine uses Google Cloud Virtual Private Cloud networks and VPN connectivity to your source environment, and requires specific networking rules set up before migrations can be completed. For detailed information on firewall, routing, and network tagging for your deployment, see network access requirements.

The network configuration tasks assume that you have Google Cloud Virtual Private Cloud and that you're already familiar with Virtual Private Cloud firewall rules. For more information, see Google Cloud Virtual Private Cloud.

Creating Google Cloud roles and service accounts by using Cloud Shell

You'll need to create Google Cloud roles and service accounts that Migrate for Compute Engine can use to create Google Cloud resources and manage the Cloud Storage API. Migrate for Compute Engine includes a Cloud Shell script for making these changes.

The script creates roles and service accounts in the infrastructure project except when you'll be migrating into multiple Google Cloud projects. In that case, the script will create the Velostrata Manager role at the organization level, creating the other role and service accounts in the infrastructure project.

The following table describes the roles and service accounts created by the Cloud Shell script.

| Role | Service account | Permissions enabled |
| --- | --- | --- |
| Velostrata Manager (velos_manager_deployment-name) | velos-manager-deployment-name | Ability to create all the resources for your migration (VMs, Cloud Storage buckets, and so on). |
| Migrate for Compute Engine Cloud Extension (velos_ce_deployment-name) | velos-cloud-extension-deployment-name | Ability to manage the Cloud Storage API for migrations. |

The easiest way to create the required service accounts is by using a Cloud Shell script available with Migrate for Compute Engine.

The script enables the following Google Cloud APIs:

  • Resource Manager API
  • Identity and Access Management (IAM) API
  • Compute Engine API
  • Cloud Storage API
  • Cloud Logging API
  • Cloud Monitoring API

Though it isn't recommended, you can instead configure Google Cloud manually.

Prerequisites

If you want to migrate to multiple projects within your organization, you need your numeric Organization ID.

Running the configuration script

To run the configuration script:

  1. Open Cloud Shell.
  2. Change to the directory containing the Migrate for Compute Engine script:
    cd /google/migrate/gce
    
  3. Choose a deployment name that will be appended to your service account and role IDs, for example main.
  4. Run the script:

      python3 velostrata_sa_roles.py -p project-ID -d deployment-name [-o organization]
    

    For more information, see the Configuration script reference below.

Single-project configuration example

In this example, you will configure Google Cloud with roles and service accounts in the velostrata infrastructure project and with the deployment name main.

python3 velostrata_sa_roles.py -p velostrata -d main

This command creates:

  • The velos_manager_main and velos_ce_main roles in the velostrata project.
  • The velos-manager-main@velostrata.iam.gserviceaccount.com and velos-cloud-extension-main@velostrata.iam.gserviceaccount.com service accounts in the velostrata project.

Multiple-project configuration example

In this example, you will configure Google Cloud with roles and service accounts to handle migrations into multiple projects. The script will use the velostrata infrastructure project.

Running the script with the -o flag will create the manager role at the organization level, allowing you to migrate VMs to multiple projects.

python3 velostrata_sa_roles.py -p velostrata -d main -o 12345678

This command creates:

  • The velos_manager_main role in the organization with ID 12345678.
  • The velos_ce_main role in the velostrata project.
  • The velos-manager-main@velostrata.iam.gserviceaccount.com and velos-cloud-extension-main@velostrata.iam.gserviceaccount.com service accounts in the velostrata project.

Configuration script reference

Use the velostrata_sa_roles.py script to create Google Cloud roles and service accounts that give Migrate for Compute Engine permission to create resources and manage the Cloud Storage API.

The script creates roles and service accounts in the infrastructure project except when you'll be migrating into multiple Google Cloud projects. In that case, the script creates the Velostrata Manager role at the organization level, creating the other role and service accounts in the infrastructure project.

Note that in order for this script to complete successfully, you'll need to have assigned (to the administrator running the script) the roles described in Setting up a Google Cloud account, organization, and project.

python3 velostrata_sa_roles.py -p project-ID -d deployment-name [-o organization-ID]

Parameters

| Parameter | Description | Required |
| --- | --- | --- |
| -d or --deployment-name | Specifies the deployment name. This is appended to service account and role names. Must be less than 8 characters and can only contain lowercase letters and numbers. | Yes. |
| -p or --project-id | Specifies the ID of the Google Cloud project that will host your migration. | Yes. |
| -o or --org-id | Specifies the numeric Google Cloud organization ID. Use this when you'll be migrating into multiple Google Cloud projects. | No. |
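
The following is an added example, not part of the Migrate for Compute Engine tooling: a shell pre-flight check that validates the deployment name against the rule in the Parameters table and lists the roles and service accounts the script is documented to create, so the result can be audited after the run. The function names are hypothetical, and `verify_resources` assumes an authenticated `gcloud` in Cloud Shell.

```shell
#!/bin/sh
# Added example: naming rules and expected resources for velostrata_sa_roles.py.
# Function names are hypothetical; naming patterns come from the page above.

# Succeeds if the name is under 8 characters, lowercase letters and digits only.
valid_deployment_name() {
  name=$1
  [ -n "$name" ] && [ "${#name}" -lt 8 ] || return 1
  case $name in
    *[!abcdefghijklmnopqrstuvwxyz0123456789]*) return 1 ;;
  esac
  return 0
}

# Prints one line per resource the script is documented to create.
# $1 = project ID, $2 = deployment name, $3 = numeric organization ID (optional)
expected_resources() {
  project=$1 deployment=$2 org=${3:-}
  if ! valid_deployment_name "$deployment"; then
    echo "invalid deployment name: $deployment" >&2; return 2
  fi
  case $org in
    "") echo "role projects/${project} velos_manager_${deployment}" ;;
    *[!0123456789]*) echo "organization ID must be numeric: $org" >&2; return 2 ;;
    *) echo "role organizations/${org} velos_manager_${deployment}" ;;
  esac
  echo "role projects/${project} velos_ce_${deployment}"
  echo "sa velos-manager-${deployment}@${project}.iam.gserviceaccount.com"
  echo "sa velos-cloud-extension-${deployment}@${project}.iam.gserviceaccount.com"
}

# Run in Cloud Shell after the script: reports each resource as OK or MISSING.
verify_resources() {
  expected_resources "$@" | while read -r kind a b; do
    case "$kind:$a" in
      role:organizations/*)
        gcloud iam roles describe "$b" --organization="${a#organizations/}" ;;
      role:projects/*)
        gcloud iam roles describe "$b" --project="${a#projects/}" ;;
      sa:*)
        gcloud iam service-accounts describe "$a" --project="$1" ;;
    esac >/dev/null 2>&1 && echo "OK $kind $a $b" || echo "MISSING $kind $a $b"
  done
}
```

For the multiple-project example on this page, `verify_resources velostrata main 12345678` checks the manager role at the organization level and everything else in the velostrata project.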
