Configuring a processing cluster on AWS

This topic describes how to set up Anthos clusters on AWS as a processing cluster for migrating Linux VMs. You use the processing cluster to generate the migrated container artifacts and to operate and monitor the migration.

Before you begin

Before creating Anthos clusters on AWS, you need:

Creating Anthos clusters on AWS

Because there are many options for installing Anthos clusters on AWS, follow the installation instructions in the Anthos clusters on AWS documentation to install your cluster.

Your cluster must:

Connecting to Anthos clusters on AWS

Many procedures used to migrate a VM require that you run the migctl CLI on your cluster. Depending on your workstation's connectivity to the cluster, you might have to open a tunnel to the bastion host to use migctl. See Connecting to the management service for more.

Configuring AWS IAM groups and instance roles

As part of performing a migration, Migrate for Anthos writes information to different data repositories:

  1. Docker image files representing a migrated Linux VM are written to a Docker registry.

    These Docker image files represent the files and directories of the migrated Linux VM.

  2. Migration artifacts that represent the migrated workload are written to a second repository.

    Artifacts include the configuration YAML files that you can use to deploy the migrated workloads, and other files.

See Defining data repositories for more.

You must satisfy the following prerequisites in preparation for migrating your AWS VMs so that your Anthos clusters on AWS can access these repositories:

  • An AWS account and EC2 instances to migrate.

  • Migrate for Anthos IAM Roles, IAM users, and Access Policies deployed on the AWS account.

About AWS Accounts - IAM roles and access policies

The Amazon IAM service enables the creation and enforcement of access policies. Migrate for Anthos uses AWS IAM groups and instance roles to define and grant the permissions it needs.

At minimum, we recommend the following setup:

  • An IAM group (named MigrateForAnthos) for use by the Migrate for Anthos user account on AWS.

    This group enforces an access policy with the minimum privileges required by Migrate for Anthos to access the required data repositories and EC2 instances. See Defining data repositories for more.

  • An IAM user account in the MigrateForAnthos IAM Group.

    The recommended permissions are described in the CloudFormation stack template file.
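The group's value lies in granting only the minimum privileges. The following is an added example, not part of the Migrate for Anthos documentation or its CloudFormation template: a small lint that walks every IAM policy statement embedded in a CloudFormation template and flags grants that are broader than a least-privilege group should carry (wildcard actions, `NotAction`, and `Resource: "*"` combined with non-read actions). The template embedded in the script is constructed for illustration; its actions are placeholders, not the permissions the real IAMGroupForAnthosOnAws_CloudFormation.json defines, so run the script against the downloaded template rather than trusting the sample.

```python
"""Least-privilege lint for IAM statements in a CloudFormation template.

Added example, not from the Migrate for Anthos docs. Walks every inline
policy in the template and reports statements that grant more than a
narrowly scoped group should have.
"""
import json
import sys

# Constructed sample template: a read-only statement next to a deliberately
# over-broad one. The actions are placeholders, not the real template's.
SAMPLE_TEMPLATE = json.loads("""
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "MigrateForAnthosGroup": {
      "Type": "AWS::IAM::Group",
      "Properties": {
        "GroupName": "MigrateForAnthos",
        "Policies": [
          {
            "PolicyName": "PlaceholderPolicy",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {"Effect": "Allow",
                 "Action": ["ec2:DescribeInstances", "ec2:DescribeVolumes"],
                 "Resource": "*"},
                {"Effect": "Allow", "Action": "*", "Resource": "*"}
              ]
            }
          }
        ]
      }
    }
  }
}
""")

# Resource types whose Properties can carry policy documents.
POLICY_TYPES = {"AWS::IAM::Group", "AWS::IAM::User", "AWS::IAM::Role",
                "AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"}
READ_PREFIXES = ("Describe", "List", "Get")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def is_read_action(action):
    """True for service:Describe*/List*/Get* actions; '*' is never read-only."""
    if ":" not in action:
        return False
    return action.split(":", 1)[1].startswith(READ_PREFIXES)


def iter_statements(template):
    """Yield (resource_name, policy_name, statement) for every inline policy."""
    for res_name, res in template.get("Resources", {}).items():
        if res.get("Type") not in POLICY_TYPES:
            continue
        props = res.get("Properties", {})
        docs = []
        if "PolicyDocument" in props:  # AWS::IAM::Policy / ManagedPolicy
            docs.append((props.get("PolicyName", res_name), props["PolicyDocument"]))
        for pol in props.get("Policies", []):  # inline policies on group/user/role
            docs.append((pol.get("PolicyName", "?"), pol["PolicyDocument"]))
        for pol_name, doc in docs:
            for stmt in _as_list(doc.get("Statement", [])):
                yield res_name, pol_name, stmt


def find_overbroad(template):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for res_name, pol_name, stmt in iter_statements(template):
        if stmt.get("Effect") != "Allow":
            continue
        where = f"{res_name}/{pol_name}"
        actions = _as_list(stmt.get("Action", []))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"{where}: wildcard action {action}")
        if "NotAction" in stmt:
            findings.append(f"{where}: NotAction allows everything not listed")
        resources = _as_list(stmt.get("Resource", []))
        if "*" in resources and any(not is_read_action(a) for a in actions):
            findings.append(f"{where}: Resource * combined with non-read actions")
    return findings


if __name__ == "__main__":
    # Usage: python lint_iam_template.py [template.json]; defaults to the sample.
    template = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_TEMPLATE
    for finding in find_overbroad(template):
        print(finding)
```

Read-only Describe/List/Get actions legitimately use `Resource: "*"` because most of them do not support resource-level permissions, so the lint only flags a wildcard resource when it is paired with an action that changes state.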

Creating the Migrate for Anthos IAM group

  1. Download and extract the CloudFormation stack template file, IAMGroupForAnthosOnAws_CloudFormation.json.

  2. Sign in to the AWS Console and select CloudFormation.

  3. Click Create Stack.

  4. Click Choose File, upload the CloudFormation file, and then click Next.

  5. Enter a Name for the CloudFormation stack.

  6. From the Options page, click Next, then click Create. A group named MigrateForAnthos is created.

Creating the AWS IAM user for Migrate for Anthos

  1. In the AWS console, click your account name in the top-right corner of the page and then select Security Credentials.

    [Screenshot: AWS Security Credentials menu command]

  2. From the left pane, select Users and then click Create New Users.

  3. For Access type, select Programmatic access.

  4. Download the CSV file with the user credentials (Keys).

    You need that CSV file when configuring the repositories used by Anthos clusters on AWS and when creating a migration source. See Defining data repositories and Adding a migration source for more.

    [Screenshot: Add User dialog box]

  5. Add the IAM user to the group created by the CloudFormation script.

    [Screenshot: Add User dialog box]
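The CSV downloaded in step 4 is the only copy of the secret access key, so it should be parsed once and stored with restrictive permissions rather than left in a downloads folder or pasted into shell history. The script below is an added example, not from the Migrate for Anthos documentation: it reads the CSV, writes the keys into a named profile in an AWS-style credentials file that only the owner can read, and redacts the secret wherever it is displayed. It assumes the console export has the header line `Access key ID,Secret access key` (check the file you actually downloaded); the key values in the sample are constructed.

```python
"""Store the IAM user's credential CSV safely.

Added example, not from the Migrate for Anthos docs. Assumes the AWS console
CSV has the columns "Access key ID" and "Secret access key".
"""
import csv
import io
import os
import stat
import tempfile

# Constructed sample of the downloaded CSV; these are not real credentials.
SAMPLE_CSV = ("Access key ID,Secret access key\n"
              "AKIAEXAMPLE000000001,ExampleSecretKeyDoNotUse0000000000000000\n")


def parse_credentials_csv(text):
    """Return {'aws_access_key_id': ..., 'aws_secret_access_key': ...}.

    Raises ValueError on an unexpected layout so a wrong file (for example a
    console-password export) is rejected instead of silently stored.
    """
    rows = list(csv.DictReader(io.StringIO(text)))
    if len(rows) != 1:
        raise ValueError(f"expected exactly one credential row, got {len(rows)}")
    row = rows[0]
    try:
        creds = {"aws_access_key_id": row["Access key ID"].strip(),
                 "aws_secret_access_key": row["Secret access key"].strip()}
    except KeyError as missing:
        raise ValueError(f"missing column {missing}") from None
    if not all(creds.values()):
        raise ValueError("empty credential field")
    return creds


def redact(secret):
    """Mask all but the last four characters for logs and prompts."""
    return "*" * max(len(secret) - 4, 0) + secret[-4:]


def file_mode(path):
    """Permission bits of a file as an int (0o600 == owner read/write only)."""
    return stat.S_IMODE(os.stat(path).st_mode)


def write_aws_profile(creds, path, profile="migrate-for-anthos"):
    """Append a named profile to an INI-style credentials file, mode 0600."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    with os.fdopen(fd, "w") as handle:
        handle.write(f"[{profile}]\n")
        handle.write(f"aws_access_key_id = {creds['aws_access_key_id']}\n")
        handle.write(f"aws_secret_access_key = {creds['aws_secret_access_key']}\n\n")
    os.chmod(path, 0o600)  # the mode passed to os.open is masked by umask
    return path


def write_profile_to_tempdir(creds):
    """Write the profile into a fresh private temp directory and return its path."""
    return write_aws_profile(creds, os.path.join(tempfile.mkdtemp(), "credentials"))


if __name__ == "__main__":
    parsed = parse_credentials_csv(SAMPLE_CSV)
    print("access key id:", parsed["aws_access_key_id"])
    print("secret:", redact(parsed["aws_secret_access_key"]))
    out = write_profile_to_tempdir(parsed)
    print("wrote", out, "with mode", oct(file_mode(out)))
```

In practice you would pass `~/.aws/credentials` as the path and reference the profile when configuring the repositories and the migration source; after the profile is written, delete the CSV.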

About AWS workload identity

Workload identity for Anthos clusters on AWS lets you bind Kubernetes service accounts to AWS IAM accounts with specific permissions. Workload identity uses AWS IAM permissions to block unwanted access to cloud resources.

With workload identity, you can assign different IAM roles to each workload. This fine-grained control of permissions lets you follow the principle of least privilege.

Using workload identity with Migrate for Anthos

Migrate for Anthos lets you deploy your migrated workloads to Anthos clusters on AWS. In some cases, you might use the same cluster as both the processing cluster and the deployment cluster. If you have enabled workload identity on your deployment cluster, you must configure your deployment environment correctly to support Migrate for Anthos.

Additionally, you must ensure that any services started as part of the init process are configured correctly for workload identity. The steps you perform depend on the service manager for your cluster. See Deploying a Linux workload to a target cluster for the configuration steps.
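Least privilege with workload identity depends on the IAM role's trust policy being pinned to exactly one Kubernetes service account. The following is an added example, not from the Migrate for Anthos documentation: it builds a correctly scoped trust policy and checks an arbitrary trust policy for the common mistakes (a wildcard `StringLike` on the `sub` claim, or no `sub` condition at all), which would let any pod on the cluster assume the role. It assumes the usual pattern for workload identity on AWS, in which the cluster's OIDC issuer is registered as an IAM identity provider and the role trusts `sts:AssumeRoleWithWebIdentity` only when the token's `sub` claim is `system:serviceaccount:<namespace>:<service-account>`; the issuer host and account ID are placeholders.

```python
"""Check that a workload-identity trust policy is pinned to one service account.

Added example, not from the Migrate for Anthos docs. Assumes the OIDC-provider
trust pattern described in the lead-in; OIDC_HOST and the account ID in
PROVIDER_ARN are placeholders.
"""
import json
import re

OIDC_HOST = "oidc.example.invalid/id/CLUSTER_ID_PLACEHOLDER"  # placeholder issuer host
PROVIDER_ARN = f"arn:aws:iam::123456789012:oidc-provider/{OIDC_HOST}"  # placeholder account
SUB_KEY = f"{OIDC_HOST}:sub"
# Exactly one namespace and one service-account name, no wildcards.
SUBJECT_RE = re.compile(r"^system:serviceaccount:[a-z0-9-]+:[a-z0-9.-]+$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trust_policy(namespace, service_account):
    """Trust policy that lets only one Kubernetes service account assume the role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            SUB_KEY: f"system:serviceaccount:{namespace}:{service_account}"}}}]}


# Constructed weak variants for comparison.
WEAK_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": PROVIDER_ARN},
    "Action": "sts:AssumeRoleWithWebIdentity",
    # StringLike with a wildcard: every pod in every namespace matches.
    "Condition": {"StringLike": {SUB_KEY: "system:serviceaccount:*:*"}}}]}

NO_CONDITION_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": PROVIDER_ARN},
    "Action": "sts:AssumeRoleWithWebIdentity"}]}


def check_trust_policy(policy):
    """Return a list of problems; an empty list means every grant is pinned."""
    problems = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            continue
        if stmt.get("Principal", {}).get("Federated") != PROVIDER_ARN:
            problems.append(f"statement {i}: principal is not the cluster OIDC provider")
        cond = stmt.get("Condition", {})
        subjects = _as_list(cond.get("StringEquals", {}).get(SUB_KEY, []))
        if SUB_KEY in cond.get("StringLike", {}):
            problems.append(f"statement {i}: StringLike on sub allows wildcard subjects")
        elif not subjects:
            problems.append(f"statement {i}: no StringEquals sub condition; any pod token is accepted")
        for subject in subjects:
            if not SUBJECT_RE.match(subject):
                problems.append(f"statement {i}: sub {subject!r} is not one namespace/service account")
    return problems


if __name__ == "__main__":
    print(json.dumps(trust_policy("migrate", "migrated-app"), indent=2))
    for name, pol in [("pinned", trust_policy("migrate", "migrated-app")),
                      ("wildcard", WEAK_TRUST_POLICY),
                      ("no condition", NO_CONDITION_POLICY)]:
        print(name, "->", check_trust_policy(pol) or "ok")
```

Run the check against the trust policy of each role you bind to a migrated workload's service account; a role that passes can still be over-privileged in its permissions policy, which is a separate review.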

Next Steps